
D7.7: RFID, Profiling, and AmI


 

Implications for Criminal Law

Bert-Jaap Koops (TILT) 

 

The implications of RFID for criminal law are an unexplored field. Clearly, numerous issues in both substantive and procedural criminal law may surface. Due to the relatively small and sector-specific scale on which RFID has been implemented so far, however, these issues have not yet been really encountered in practice. Nor do the cases and scenarios sketched in the previous sections pose clear questions with respect to criminal law, at least on the face of it. Perhaps surprisingly, the criminal aspects of RFID have also been little studied in academic literature or in civil-society reports – the main focus in the academic and societal debate so far has been on privacy issues.  

 

This section sketches the criminal-law implications of RFID in general. It is exploratory and tentative, and should be regarded as a first attempt to list the various criminal issues that may arise when RFID, and ultimately Ambient Intelligence, are implemented on a wide scale. Since criminal law is still to a considerable extent a matter of national legislation, it will not be possible to comprehensively refer to all relevant criminal-law provisions, since these largely depend on the specifics of the laws of the various states. Still, the EU Framework Decision on attacks against information systems (hereafter: Framework Decision) and the Council of Europe’s Convention on Cybercrime (hereafter: Cybercrime Convention) give at least some footing.

Substantive criminal law

Like all new technological inventions, RFID can be abused by criminals. It can be used as a means to facilitate crime, such as stalking. On the other hand, RFID is also useful for preventing crime, for instance, forgery or theft. In this respect, RFID is simply another tool to identify people or objects, and as such it plays a part in preventing or committing crime. Still, it is important to pay attention to the criminal potential of RFID, since criminals might exploit unsuspected vulnerabilities with considerable damage as a result. For instance, researchers at the Free University in Amsterdam have shown that a virus on an RFID tag* can infect a back-end database through the RFID reader*, depending on certain vulnerabilities in the RFID software (Rieback et al., 2006). More research into the risks that RFID systems* present as a tool for attacking computer systems and networks is therefore recommended, and companies implementing RFID should take care to build in adequate protection.

 

Equally interesting are the crimes committed against RFID, i.e., that have RFID as an object. Of course, stealing an RFID tag* is theft, and destroying a tag is damage to objects, but there are ways in which RFID as the object of crime raises questions.  

 

When someone manipulates an RFID tag* with malicious intent, what crime would this constitute? Here, a major issue is whether an RFID tag* qualifies as a computer or information system. This will depend on the type of RFID tag*: some have processing power and would probably fulfil the definition of a computer system. The Framework Decision defines an information system in art. 1(a) as:

 

‘any device or group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of computer data, as well as computer data stored, processed, retrieved or transmitted by them for the purposes of their operation, use, protection and maintenance.’ 

 

The Cybercrime Convention uses almost the same definition for a computer system in art. 1(a). Arguably, most RFID tags* meet this definition, since they are part of a system of RFID tags* and readers* that use software to process the data on the RFID tag*. It may not even be necessary that the RFID tag* itself contains software, as long as it is part of a ‘group of interconnected devices’ that includes a computing device (the reader*). Manipulating an RFID tag* therefore qualifies as illegal system interference (art. 3 Framework Decision), provided that it is not a ‘minor’ case, or as illegal data interference (art. 4 Framework Decision). Manipulating the more trivial RFID tags* would not be considered system interference, but it would constitute data interference.

 

If manipulating the RFID tag* would not in itself be criminal (for instance, because the tag does not qualify as an information system), it might still be illegal if it has certain consequences. For instance, if a price tag is manipulated so that an expensive dress is sold for a much lower price, the tag manipulation would normally be considered as fraud. Similarly, changing an identification tag that has an official registration function, for instance, of a dog or cow, could qualify as forgery. Here, much will depend on how strongly the law requires malicious intent or substantial damage; for instance, when two consumers swap loyalty cards containing RFID tags* to thwart Metro Futures Store’s personalised profiling practice, or perhaps to gain more profitable offers, this can hardly be considered fraud for lack of criminal intent.  

 

A final way in which RFID manipulation could be considered criminal is when it constitutes an illegal preparatory act. This may be the case in rare instances, for instance, when entry-card RFID tags* are manipulated to enter secured buildings where a terrorist attack is planned. Normally, however, the manipulation of an RFID tag* will not be sufficiently closely connected with a planned crime for it to be considered an illegal preparatory act.  

 

Apart from manipulating RFID tags*, one can also eavesdrop on RFIDs. Intercepting the communication between an RFID tag* and a reader*, and unlawfully reading an RFID tag* will be a major area of concern. This, after all, is the core of the privacy concerns voiced by the public and civil society: people feel threatened when RFID tags* on bought objects can be read in shops (after the sale) or on the street. Preventing RFID chips in passports from being read without right is also a major issue.

 

Intercepting the regular communication between an RFID tag* and an RFID reader* will be considered illegal interception in most legal systems. The Framework Decision does not have a provision on illegal interception, but the Cybercrime Convention in art. 3 criminalizes 

 

‘the interception without right, made by technical means, of non-public transmissions of computer data to, from or within a computer system, including electromagnetic emissions from a computer system carrying such computer data.’ 

 

Since the RFID reader*, if not the RFID tag* itself, is a computer system, intercepting the communication between these without right is illegal.  

 

The same holds for accessing the data on an RFID tag* itself, for instance, by an unauthorised reader*. In this case, the data are not intercepted but illegally accessed. Both the Framework Decision (art. 2), at least for not-minor cases, and the Cybercrime Convention (art. 2) criminalise this. Both provide, however, that states may restrict the prohibition of illegal access to cases where a security measure was infringed. This implies that unprotected RFID tags* can, from the perspective of criminal law, be read by anyone even without right, and only RFID tags* with some security measure are protected by criminal law against unlawful access. 

 

A final act against RFID that may have criminal implications is blocking the communication between RFID tags* and readers*, for example, by disturbing the electromagnetic radiation field. Such ‘RFID blockers’ are sometimes mentioned as potential measures to thwart privacy-threatening RFID readings. This may not as such be a criminal act, but in certain cases, it can qualify as illegal system interference (‘the intentional serious hindering or interruption of the functioning of an information system,’ art. 3 Framework Decision; likewise, art. 5 Cybercrime Convention), for instance, when a blocker is used to prevent all sales in a luxury-goods shop for several hours, or if animal-rights activists would systematically block the reading of cattle tags on a market. 

 

Procedural criminal law

RFID will be used in criminal procedure in various ways. First, it may provide an interesting source of general intelligence, particularly if RFID is implemented on a large scale in an AmI world. The treasure-troves of data that may be collected and stored on the transfer of goods and persons and the relationships between objects and people could be data-mined by law enforcement to uncover activities of organised criminals or terrorist groups. Whether and to what extent such data-mining use of RFID data is allowed, depends to a large extent on the national legislation.  

 

An issue that is likely to surface once RFID is widely embedded in society is a call for registration or retention of RFID data or RFID readings for law-enforcement or national-security purposes, similar to the current European legislation on mandatory retention of telecommunications traffic data. Should RFID data provide a useful source of information for law enforcement or intelligence agencies, which is not unlikely given their potential to provide systematic insight into a person’s goods and travels if RFID data are combined, a debate may start about mandatory retention of RFID data. Similarly, governments could even mandate the tagging of all kinds of objects (cars, luxury goods, mobile phones, perhaps even children) so that they can be monitored more easily. The political trend of recent years does not suggest that an ‘RFID retention’ debate is unlikely to arise. Such a measure would be highly questionable given the serious violation of the right to privacy (art. 8 European Convention on Human Rights) and other fundamental freedoms.

 

Second, RFID may become an interesting tool for criminal investigation of concrete crimes. The data of RFID tags* may be acquired by intercepting the communications between tags and readers*, for instance, to monitor whether a specific suspect with a known RFID tag* is entering a building. Most countries have laws allowing ‘direct eavesdropping’ or (in US terminology) ‘oral interception’, i.e., to intercept communications with technical means. Whether intercepting RFID communications falls within the scope of such provisions depends on the definition of communications; if a country restricts this to communications between persons, RFID interception will likely not be allowed on this basis. However, if the definition of communications is more liberal, e.g., exchange of data between entities, direct eavesdropping of RFID would be allowed. Alternatively, if an RFID system* qualifies as telecommunications – which might be the case in some jurisdictions – RFID interception can be based on the power to intercept telecommunications (art. 21 Cybercrime Convention).  

 

The RFID data may also be acquired through accessing the tag itself. The RFID tag* could be searched or seized and subsequently analysed. The legal basis for reading an RFID tag* can thus be sought in the power of a search in general, or a computer search, if the RFID system* qualifies as a computer (art. 19 Cybercrime Convention). An interesting question is, if the RFID tag* does not qualify as a computer or information system, whether and under what conditions a search is allowed on the basis of the generic power to search. This will depend on the circumstances of the tag, for instance, whether it is located in a public space or in a private space, and whether it is tagged to an object or to a person. If the tag is implanted in a person, stronger conditions may apply because in that case, the interior of a body is being searched. 

 

In case the investigation needs to be done covertly, search and seizure is not an attractive option. It is possible that the police need to read RFID tags* on a suspect covertly. In that case, the investigation power of observation is likely to apply, again, under potentially different conditions depending on the circumstances and the specifics of the national legislation.

 

A third issue is the use of RFID as evidence. This seems fairly straightforward, as RFID can likely be easily fitted in the current mechanisms for allowing computer-related evidence. Most if not all countries allow computer data as evidence in court, and there is no reason to assume that RFID would be excluded on formal grounds as not fitting the allowed categories of evidence. A distinct issue is the evidential value that will be accorded to RFID. This depends very much on the kind of RFID tag* (how easy or difficult it is to manipulate it) and the procedures followed to secure the evidence.  

 

A fourth issue relates to the use of RFID after the conviction, i.e., in the enforcement stage. Since RFID is a tracking tool, it might be used to keep track of prisoners or other convicts. Some countries might consider implanting chips in prisoners, or at least tagging prisoners’ clothes or shoes. More immediately relevant might be the use of RFID chips to monitor convicts on leave, to enforce court injunctions forbidding a person to appear in a certain area, or to enforce house arrest (‘electronic detention’).

 

fidis-wp7-del7.7.RFID_Profiling_AMI_02.sxw  Denis Royer