Will RFID force Consumers towards Personal Identity Management?

In a recent blog post (E-Passports equals E-pportunity for Hackers?), I touched on the security and privacy issues arising from the use of RFID technology in the context on the new e-passports. Now Scientific Technology Options Assessment (STOA), an arm of the European Parliament, has released a report (RFID and Identity Management in Everyday Life) that essentially says that more issues regarding consumer privacy are likely to arise as RFID is adopted more widely in the retail industry. The report has an insightful tagline: Striking the balance between convenience, choice and control. The report draws some interesting conclusions:
1. RFID is currently not associated that much with Privacy

“…relative to the scale of implementation, few Identity Management issues actually occur. In general, both user and maintainer of the RFID settings perceive RFID merely as an electronic key or wallet. The reason for this can be twofold. First of all, in all the cases it is clear who maintains the data and needs to comply with the guidelines on data protection. Second, many systems currently only cover a small area of a specific setting and run parallel to legacy systems. The RFID systems therefore only disclose small fragments of their users’ identity, limiting the maintainers’ possibilities for control.”

2. But this is likely to change

“…citizens increasingly use RFID in daily life, leaving personal data in the system, trusting the maintainer of the system to handle this information with care, protected to some extent by the law. As both the threats and benefits of this increase in the processing of personal data are becoming visible, the public image of RFID risks being caught in the middle of two opposing camps.
On one side, there are pressure groups, journalists and members of the public predicting a dark future with a ‘Big Brother scenario’ unfolding. Their key words are: spy chips, privacy and surveillance. On the other side, there are the business promoters painting colourful pictures of a bright future in which everything is smart, safe and automated. Their keywords: solutions, innovation, efficiency, return on investment and usability.”

3. The challenge is finding the right balance

“Once RFID is used in more settings, exclusively and connected to each other and other technologies, digital footprints will provide a much broader picture of the users, opening up new opportunities for control by businesses and government. This is not just an issue of protecting privacy or personal data, but it is more about securing personal freedom and striking the right balance between choice, convenience and control.”

The report recommends that the solution will involve not just industry, government, privacy advocates and other campaign groups, but the consumers as well, who will have to start thinking about what we essentially call Personal Identity Management. The report seems to put the onus on consumers, asking them (us) to be proactive about understanding what identity data is being gathered, how it will be used, and appropriately authorizing or denying its use.

But as we all know, that is easier said than done. I commented in an aside on my post yesterday about the Facebook data sharing choice not really being a choice at all as it didn’t clearly state what data would be shared with the apps – an all or nothing binary choice. Even the report shares some interesting case study insight (emphasis is my own):

“Secondly, a maintainer of an RFID environment could, in principle, provide full insight into the purpose and process of data gathering, while making this virtually impossible in practice. Notorious examples are the user license agreements, which are very elaborate, unreadable and impossible to find. The Dutch Railways, for example, sent holders of seasonal tickets an RFID replacement of their card, accompanied with a letter stating that the act of use will be interpreted as an agreement with the terms stated on a website with a very long address. In case of the Italian SI Pass, the agreement literally states the data will be used for marketing. The agreement on the American version of the Exxon Mobile Speedpass informs about the marketing function too and even states the data can be sold to ‘any bidder’ and the agreement can be changed by the maintainer at any time without informing the users.”

Read the report if you have some time, as it makes for a fascinating read. The case studies focus on Europe, where RFID in the consumer space is in far greater use than here in the US, and are especially interesting. And draw your own conclusions as to whether we are ready for the 5 challenges the STOA outlines:

1. RFID users need to know what maintainers can and are allowed to do with RFID data.
2. RFID users should play a role in developing new RFID environments.
3. If personal data from different RFID settings are merged it should remain clear who is responsible form handling these data.
4. The Privacy Guidelines and the concepts of personal data and informational selfdetermination need to be reconsidered in the light of an increasingly interactive environment.
5. Governments should take a clear stance on whether RFID bulk data will be mined for investigation purposes.