
D7.7: RFID, Profiling, and AmI


 

Social implications and policy options for RFID and Profiling as AmI enabling technologies

Sabine Delaitre (IPTS) 

 

Introduction

As we said in deliverable D7.3, profiling activities are essential to achieve the objectives of delivery of services in an AmI environment. Profiling activities require, use, and process data, which are related to a user’s identity, his/her activities, characteristics, and preferences in specific contexts.  

 

In general, profiling in AmI facilitates applications of interest to society enhancing social inclusion (cp. scenario 1, section ), or enabling services making the everyday life easier (see Smart Home concept in D7.3). In addition, when it is applied on objects, profiling can help to fight against counterfeiting and fraudulent use, thus providing more security for the consumer. Moreover, a wide range of beneficial applications using RFID technology (Mullen, Moore, 2005), especially in the healthcare domain are announced by the private sector.

 

However, a series of social issues stem from profiling in AmI. The main issues are: 

  • Loss of control: The proliferation of automatically generated profiles could have a profound impact on a variety of decisions that influence the life of European citizens. At the same time, it seems unclear, whether and how a person could trace back (identify or determine) the sources of decision-making (answer to the question of when and what decisions are taken on the basis of such profiles).

  • Erosion of individual liberties: Indeed, profiles can limit freedom of choice of users by confining them within the limited set of options on offer by the providers. Profiles tend to govern opaque decisions about individuals concerning their access to services, such as obtaining credit or a position.

  • Erosion of privacy - right balance between security and privacy: In the context of AmI, profiling may, for example, require some monitoring or surveillance of the users for the detection of physical activity. Monitoring and surveillance as well as other AmI-related technical solutions, procedures and business processes may erode privacy. Perhaps most people view privacy as a right that can be sacrificed, at least to some extent, if it leads to greater personal security.

  • Individual (personalised*) profiling vs. distributive* and non-distributive group* profiling (cp. D7.2, section 3): Individual and group profiling capacities have grown exponentially as a result of both the huge advances in technology and the increasing availability of readable data and traces, which can be processed and correlated.

  • Function creep: The fact that technology and processes introduced for one purpose will be extended to other purposes, which were not discussed or agreed at the time of their implementation, is yet another important concern.

 

Thus, social issues related to privacy and security concerns arise when profiling activity is carried out in an AmI environment. In this chapter, we develop three parts, focused respectively on privacy issues, ethical issues and societal issues arising from RFID usage for AmI profiling. As explained in Chapter 2, RFID can be regarded as one instance of the technologies enabling profiling in an AmI environment. So, all of the above-mentioned issues also apply to RFID in a general manner. However, we will study to what extent these issues are applicable and what social implications may be expected of RFID usage, i.e., whether RFID technology may strengthen some issues and attenuate others. In addition, we will explore the specific RFID-related social implications so as to make a contribution to the debate on the likely benefits of RFID technologies to the European society.

 

Focus on RFID

Identified social implications will be described and organised around three topics: privacy, ethical and societal issues. Specific implications related to the respect for the individual, his/her identity, and personal data will be introduced, and societal issues related to more general implications on the information society will also be revealed. 

 

Privacy issues

RFID tags* are potentially ubiquitous, almost invisible, may be embedded into or attached to objects without the knowledge of the individual that uses these objects; moreover, they can be read from a distance. However, regarding RFID related privacy threats, we have to distinguish two classes of RFID usage due to the diverse threats implied by their distinct uses, which are described below. The scenarios introduced in Chapter 3 are mentioned to show how they cover the different usages.

 

Fixed or handheld reader* with mobile tag 

When the RFID tag* is embedded into clothes, items etc. and can be bought and carried by a user, the tag is mobile and the individual is named a tag-carrying user. In this class of RFID usage the reader* can be at a fixed location, such as at the entrance of the shop (see scenario 3) or mobile when it is embedded in a laptop (see scenario 2). Most of the privacy threats are considered in this context of usage. 

 

Fixed tag with handheld reader* 

The Korean Information Security Agency (KISA) presents new applications using a mobile phone as an RFID reader*, in order to access new services (Lee et al., 2006). For example, each movie poster is equipped with an RFID tag*, which when read by the user may enable a ticket purchasing service. In this type of application, RFID tags* are at fixed locations and the reader* is mobile and potentially identifies a reader*-carrying user. This kind of mobile service is defined as a Mobile RFID service (cp. especially scenario 1 for a description of this type of application). Additional privacy concerns may arise in this context, particularly due to the mobile aspect of the reader*. Such privacy issues are those stemming from mobile end-to-end data communications and wireless communications; for example, privacy invasion due to the possibilities of sniffing, active intrusions (e.g. carried out by a non-authorised reader* attacking the database or matching application) etc.

 

Personal privacy threats

In the article “RFID privacy: an overview of problems and proposed solutions” (Garfinkel et al., 2005), a list of personal privacy threats is described that mainly corresponds to the usage of RFID outside the supply chain. This list of threats relates to the possible misuse of personal data as a result of the RFID tag* having a unique ID which can be associated with personal identity information. The list is composed of the following threats:

  • Action threat, related to the individual’s behaviour,  

  • Association threat, related to the customer’s identity, 

  • Location threat, related to the tag location,  

  • Preference threat, related to the customer’s preferences,  

  • Constellation threat: the RFID network makes it possible to track people,

  • Transaction threat, which makes it possible to determine transactional information between users, and

  • Breadcrumb threat, a consequence of the association threat, related to the aggregation of personal information; this threat may lead to crime or other malicious acts.

 

This list shows that almost all aspects of an individual’s activity and participation in everyday life (what you do, who you are, where you are and what you prefer) are threatened with disclosure. In addition, other threats arise from combinations of the first ones, due to the presence of network and information aggregation capacity in RFID systems*.

Societal privacy threats

Erosion of individual liberties 

The main concern over the use of RFID technology in terms of data protection is that a lot of stored data needs to be transferred across different networks, organisations and stakeholders. The concern increases as information related to a variety of objects becomes linkable to the identity of their users, thus adding data of a personal nature to the data that is being stored and exchanged. In addition, if such data is used to create profiles, their use may limit the freedom of choice of users and lead to opaque decision making about individuals. It seems that RFID may worsen the loss of liberties because of its silent character. So, the likelihood becomes high that any action, such as participation in manifestations or rallies or a strong preference for a specific brand, is collected and aggregated into a person’s profile, usually without agreement. As a result, and again without one’s awareness or consent, some services may be denied with unpredictable consequences; for example, one is denied a service because it is sponsored by a rival brand.

 

Function creep 

As the RFID tag* becomes more commonplace through the deployment of diverse applications in many areas, the possibility of ‘function creep’ increases. For example, RFID tags* embedded in casino chips, designed to improve security against counterfeiting, could together with personal identifiers be used to covertly track how people play each time they visit, recording stakes placed along with winnings and losses. Such RFID applications, combined with profiling activities over which the user has no or limited control, are considered by many to simply be an intrusion of privacy.

Another important aggravating factor stems more specifically from the passive tag; indeed, this tag may exacerbate function creep in the temporal dimension because of its long operational life (about 10 years).

 

Surveillance 

The wide use/adoption of RFID may lead to a new means of surveillance. In this case, RFID is an additional instance of surveillance technologies, such as video cameras, access badges, the Internet, etc. However, RFID technology seems to arouse more reaction, compared with other technologies, because it seems that RFID use may strengthen surveillance misuse due to its power of information aggregation. Indeed, Locquenghein (2006) discusses the possible emergence of a surveillance state through the use of RFID and the role of surveillance in a democratic society. After September 11, new policies have moved nations towards an increasing need to secure and control, in order to combat terrorism. Consequently, some new processes could appear, following the example of social sorting. So another question is whether the integration of RFID in the current surveillance context will cause a new quality of surveillance, in view of the possibility to combine different surveillance technologies, and new consequences.

 

Ethical issues

This part will focus on specific ethical issues stemming from the misuse of data generated using profiling techniques, such as discrimination and victimisation, but also caused by possible but unacceptable uses of RFID implants to profile people.

Discrimination

The misuse of profiling data by companies or other organisations may lead to discrimination of people according to their race/ethnicity or socio-economic status. RFID systems* have the potential to aggravate this threat, because of their capacity to allow the aggregation of a wide range of personal data. The omnipresence of such data may also make the common origins of stigmatisation (cultural, ethnic, socio-economic) more obvious and even generate new forms of discrimination. In that case, we can imagine a process similar to social sorting (Lyon, 2004), now based on RFID.

Victimisation

Citizens have a democratic right not to be treated as criminals when they are not; otherwise, they will be unfairly victimised. Victimisation can be regarded as an AmI impact, describing a disproportionate reaction based on unfounded suspicions. Indeed, AmI technologies could jeopardise the presumption of innocence to the extent that decision-making is delegated to a computer, which interprets rules in a mechanical way, as black and white. Moreover, the wish to maintain anonymity may be considered a suspicious reaction and may be perceived as deviating from normal procedures. The victimisation threat may appear in the RFID profiling context not only because RFID is an instance of AmI technology, but also because RFID tags* are subject to malicious actions, so subsequent inadequate profiling is a real threat. Indeed, RFID tags* are vulnerable to viruses and worms, and can be cloned. So, RFID worsens the victimisation threat because it gives attackers more options for modifying data and corrupting profiles. In addition, RFID cloning allows identity usurpation if RFID is used as a proof of identity; so an attacker may act under another identity or even sell cloned identities to criminals.

Special focus on RFID implants

Information and communication technology implants (ICT implants) in the human body have important ethical consequences particularly when these devices are accessible via digital networks. Subcutaneous RFID implants make people-tracking possible without the need for any correlation of profiling data or misuse of data. Consequently, this threat may cause a direct conflict with individual liberties. In addition, this threat may lead to non-authorised profiling because in this case the RFID implant can be used as an identifier of people. 

 

The misuse of information then becomes easier and some ethically unacceptable instances (European Group on Ethics of Science and New Technologies, 2005) might be the following:  

  • ICT implants used as a basis for cyber-racism.  

  • ICT implants used for changing the identity, memory, self perception and perception of others.

  • ICT implants used to enhance capabilities in order to dominate others.  

  • ICT implants used for coercion towards others who do not use such devices.  

RFID implants are able to clearly encompass some of those adverse instances. 

 

Societal issues

This part will introduce some societal issues generated by the implementation of new technologies, such as awareness and perception, adoption by the private sector, voluntary exclusion, or others stemming from profiling activities in AmI, such as loss of control. We will analyse how RFID influences those societal issues. 

Awareness and perception

The public at large is not well informed about RFID technology usage and consequences. The Capgemini report (2005) presented results on the awareness of consumers: only 18% of European consumers were aware of the existence of RFID tags* and applications. Public debates, workshops and consultations are being launched in order to diffuse correct information, dispel false ideas (myths) about RFID technology and collect the opinion of the citizens. It is expected that awareness will be achieved only if even more efforts are made in view of the prospective challenges and opportunities for the European society arising from wide RFID deployment. However, the public debate is planned only through electronic means. There is a need to find a way to reach all potential users. An interesting way to involve citizens in the debate is participatory Technology Assessment (pTA), which integrates a learning process with a process of evaluation. In section 5.2 a more detailed analysis of factors for social acceptance of RFID in retail will be presented.

Adoption by the private sector

RFID adoption by companies is a key factor in the current and future uses of RFID and directly impacts consumers. Indeed, it is also the responsibility of the industry to address customers’ privacy issues. Consumers need to know how enterprises and companies want to implement RFID technology and put it into practice, and what their strategies and rationale are. A wide adoption by the private sector may prove favourable to help establish industry-specific privacy guidelines (Department of Commerce Washington D.C, 2005).

Voluntary exclusion: no longer an option

A radical measure by which individuals can protect themselves is voluntary exclusion, i.e. not participating in order to preserve their private sphere. This refusal to adopt new technologies, or resistance to important changes, is often caused by lack of trust or insufficient awareness among users of new technologies and their implications. However, in case of a wide RFID adoption, it would become difficult or even impossible not to participate, and consequently not to be subject to any collection of personal data via RFID. In addition, as was repeated above, failure to participate may imply some form of non-legal behaviour.

Loss of control

Decision support systems (DSS), in which the decision is taken by the human, can be considered a convenience, but when the user is excluded, a feeling of loss of control logically appears. In profiling as an enabling technique for AmI, the user is not directly involved in the decision making (only his/her preferences and information on his/her activities are taken into account), and this may lead to a feeling of loss of control, above all when the decision does not fit the user’s expectations. RFID technology may intensify the feeling of loss of control because of its “silent” character (when the tags are read and which information is used) combined with its “invisible” character (which tags among a possibly large number of tags have been taken into consideration). These characteristics create problems for the user’s awareness and understanding of the decision, and consequently may cause the user to feel excluded from the decision making. For instance, in a Smart Home, a common example is purchases based on the fridge contents, the preferences of the users, their activities and so on. RFID technology may be used not only for checking the contents but also to monitor the users’ activities. So, numerous RFID tags* may influence the decision. What type of purchases can I expect if I organise a party and each of the participants brings special food (which I obviously need to put in my fridge), or what can I expect after having agreed to keep the children and the cat of my sister during the holidays?

 

Contribution to the debate

Privacy and security concerns arise when profiling activity is carried out. The main fears are related to the theft of personal data, related abuse, misuse, and ‘silent’ and ‘invisible’ surveillance; it is expected that suitable solutions will be implemented in order to protect the users against those threats. Considering the monitoring of private spaces (such as a bathroom) as a form of intrusive surveillance one could propose to forbid this. However, this type of monitoring might be beneficial for some users who, for medical purposes, require specific medical care. Therefore, it has to be up to the user to dictate preferences and requirements which any profiling application will have to respect. 

 

It is preferable that solutions for appropriate usage of RFID should promote an ‘opt-in’ policy. Thus users will have to decide whether they want to participate and at which level they want to participate. Moreover, for any human decision making process, the users have to possess access to the information that enables decision making. This essential background information encompasses important requirements, such as: 

  • Transparency for the users’ comprehension of the RFID usage context, 

  • Privacy options for the users’ choice of their level of participation, 

  • Accessibility for the inclusive participation, awareness and learning of users, and 

  • Trust for the willingness of users’ participation. 

 

Achieving the above requirements is only one pillar of an “opt-in” policy. Indeed, in order to establish policies, technical aspects as well as legal and economic ones have to be studied. Therefore, some technical aspects are also described, such as technical solutions or security options. So the following part will provide different key elements related to the above requirements, i.e. protection of the private sphere, accessibility and trust, in order to open a discussion on how to achieve an “opt-in” policy.

 

Protection of the Private sphere

In section 4.1.2 the legal framework of data protection has been analysed. This concerns the protection of personal data. As indicated some of the most challenging threats – dealt with in 5.1.2 – regard societal issues that result from the application of group profiles that allow for practically invisible but sophisticated social sorting. In this section the practical requirements that follow from the privacy threats discussed in section 5.1.2 are discussed. Many of these requirements were elaborated by experts, for example the so called “RFID bill of rights” published by S. Garfinkel in 2003. Other requirements were developed by expert groups, including industry partners, for example the “Guide RFID and data protection” published in 2006 by the European Expert Group for IT-Security (EICAR) or current EPC* standards (see Annex, chapter ).

 

Transparency

A consumer has to be able to evaluate the RFID usage context, and this implies transparency. For example, the users have to be aware of how the RFID devices operate, understand the objective of any RFID system* and be represented by consumer protection organisations when RFID design decisions have to be made.

Right to Know

This policy concerns the fact that each individual has the right to be informed whether a product contains an RFID tag*, what information is stored in the RFID tag*, when the tag is being read, with which type of reader*, where the readers* are positioned and so on. There have been calls for a mandatory label on any product equipped with an RFID tag*.

Clarity of purpose

This refers to the need to clarify the purpose of any implementation of RFID-based systems. Therefore, the information contents, the storage and the use have to be defined in a clear way and the user has to be informed. This recommendation directly focuses on the prevention of function creep (cp. section 5.1.2.1.2). 

Include the consumer’s point of view in the RFID design decision

Important priorities for consumers are to have the possibility and the conditions to freely choose services in accordance with their needs and the protection of their interests. Designers have to take into account the position and point of view of the consumers represented by the consumer protection organisations.

Moreover, more trust in the system may be anticipated by involving consumers in the design decision loop.

 

Privacy options

Interesting solutions should provide users with the means to select, among several privacy options, one option in accordance with their needs.

Spectrum of privacy options

So the first point is to determine a range of privacy options in accordance with the user needs, but also with what the existing legal framework allows, and to define each of the desired and allowed options.

 

Below is a first spectrum of privacy options provided by EPCglobal (Electronic Product Code* industry-led standardisation):

 

Figure : Spectrum of Privacy Options for RFID

 

 
