Title: SUMMARY AND CONCLUSIONS

Summary and Conclusions

Mireille Hildebrandt (VUB), Martin Meints (ICPP) 

RFID is one of the enabling technologies for Ambient Intelligence and the ‘Internet of Things’. It may provide us with a new experience of things and space, as the offline world goes online, connecting everything everywhere, turning Weiler’s ubiquitous computing* into Greenfields ‘everyware’. In itself a tagged environment only produces an unlimited amount of machine-readable data. To make sense of this profusion of information we will need techniques and technologies to filter and select what is relevant at a specific moment in a specific context. RFID can only turn a tagged environment into an adaptive or even intelligent environment with the use of profiling technologies. To achieve seamless real time adaptation on the basis of real time inferred profiles, we will need what has been called autonomic computing, which will restrict human intervention to a bare minimum. This evidently poses big questions around the feasibility of privacy and the capacity of data protection legislation and PET’s* to provide such protection. If the ‘Internet of Things’ builds on pro-active computing, one of the challenges of the age of ‘everyware’ may be how to design a legal and technological framework for renewed interactive computing.

In this deliverable, the objective has been to provide a multidisciplinary description of the state of the art of RFID as an AmI enabling technology and to anticipate some of the scenarios that could develop if the technology takes on.  

In Chapter 2, after outlining the relationship between RFID, profiling and the ‘Internet of Things’, the report starts with a technological description to explain how - from a technical perspective - RFID systems* can be understood as forerunners of AmI systems. They share to a large extent the infrastructure that is also needed for profiling purposes – and in fact early prototypes combining RFID, AmI and profiling have already been tested. This integration is clearly economically motivated: Why not use an already installed infrastructure for RFID systems* to add additional functionality such as early AmI (adaptive displays), why not use already collected data for profiling purposes?  

In the three case studies of Chapter 3 different business targets for the introduction of RFID, characteristics and existing problems of the technical implementation, relevant legal grounds that were taken into consideration and privacy aspects have been described. Among these case studies in particular the Metro Future Store is remarkable, as it shows characteristics of AmI environments and uses profiling techniques. In all case studies a centralised management of security and privacy is possible, though along supply chains privacy and security have to be enforced based on appropriate contracts. 

In the three scenarios of Chapter 3 aspects are highlighted that need to be taken into consideration when RFID systems* become an integral part of AmI environments. In this case an infrastructure controlled by one enterprise and thus suitable for a centralised management of security and privacy is transferred to an open accessible infrastructure with the need of a decentralised, multilateral management of security and privacy. This situation can be compared to the internet we know today. In the scenarios different threats typical for such infrastructures, like e.g. as technical failure of RFID systems*, intended attacks leading to loss of confidentiality of data processed and multiple use of collected data are described with their potential consequences for users.  

Based on the use cases and the scenarios three legal aspects are analysed in Chapter 4:  

1. The applicability of the European data protection framework,  

2. Liability issues caused by RFID and,  

3. Implications of RFID for criminal law.  

As long as data are not anonymised, data collected from RFID in AmI environments can be used directly or indirectly to identify a person – in which case the European data protection framework applies. However, in complex RFID systems* it can be difficult to determine from the user’s (or data subject’s) perspective who is the data controller and thus responsible for the implementation of data protection and security. In most of today’s examples (see use cases) this is the ‘tag deployer’. The possibility to deploy and read RFID tags* without the data subject’s awareness is an inherent problem of RFID technology; the respective use of RFID in the Metro Future Store use case is clearly unlawful. Among others, the application of proper user information and clearly visible signs to indicate that RFID tags* and readers* are in place or used, may help to solve this problem. In general we have to expect three trends with respect to data protection and RFID in AmI environments:  

• All tagged objects become a collector of personal data, 

• The ‘presence’ of these smart objects as well as individuals who carry them is characterised by its ‘always on’ nature, and 

• The resulting cascade of data continuously feeds an enormous amount of stored data. 

Besides that, data protection seems to restrict itself to the protection of personal data, while in an environment that depends on autonomous profiling we need to focus on protection against the automated application of profiles that we are not aware of. Though one has a legal right to contest automated decisions based on automated profiles, this right seems ineffective as long as the technological infrastructure does not provide access to the profiles that may impact our lives. 

Liability issues of RFID systems* in AmI environments have already been analysed with respect to violation of data protection legislation in the SWAMI project. But in addition to this aspect liability caused in a different way and by other reasons such as technical failure or deliberate attack has to be taken into account. In addition to potential difficulties to address liability issues properly (who is liable for what damage caused how?) there is no generally unified European legislation on contractual and non-contractual liability, apart from partial common grounds set up by Directives such as the Directive on Defective Products (99/34/EC). Service providers and users depend on national law. Approaches to harmonise legislation so far have not been successful.

In the context of liability the ‘always on’ nature of RFID tags* raises a number of questions with respect to liability. Questions of interest for future legislation in the context of liability are for example: 

• Should there be a right to withdraw from the RFID system* and to switch off RFID tags*? 

• Should the mere ‘participation’ in AmI environments using RFID already be interpreted as ‘consent’ by the users or customers of the services for processing of any kinds of personal data? 

The implications of RFID for criminal law are largely unexplored. In this context, areas of interest are: 

• The manipulation of RFID tags* and systems in different ways, where in most cases existing legislation - for example based on the Cybercrime Convention - can be applied 

• The use of RFID as a tool to facilitate (already defined) crime such as stalking, fraud, theft etc.  

• The use of RFID to prevent crime such as forgery or theft 

• The use of RFID in criminal procedure such as 

  • Use of RFID and AmI-systems as a source of general intelligence 

  • Use of RFID for specific criminal investigations 

  • Use of RFID as evidence  

  • Use of RFID in the enforcement stage after conviction 

With respect to liability issues European harmonisation of legislation is needed. As many questions in the legal context of RFID are still open, further research is needed with respect to: 

• Implementation and enforcement of data protection legislation 

• Giving and withdrawing consent in the context of liability and 

• The use of RFID in criminal procedure 

Chapter 5 starts with an overview of the social aspects. The most relevant issues are introduced and discussed as follows: 

• Discrimination, exclusion and victimisation as consequences of inadequate profiling  

• Loss of control by the user 

• Erosion of individual liberties 

• Erosion of privacy 

• Shift in knowledge as a consequence of the use of profiling technologies 

• Function creep of already introduced RFID systems* can increase these issues 

To develop an acceptable way to using RFID in AmI environments it is argued that a public debate is needed. Relevant aspects of this debate could be: 

1. 1. Transparency for users / citizens on the usage of RFID,  

   2. Privacy options for different levels of participation of users in RFID and AmI systems,  

   3. Accessibility of an inclusive and well informed participation, and  

   4. Appropriate trust models from both the perspective of users and operators of the systems. 

Several concrete measures have been suggested at the social as well as the technical level to achieve a balanced result in this debate.  

The next section of Chapter 5 provides a more detailed account of social acceptance, by the use of a technology acceptance model that is applied, tested and revised in relation to RFID and profiling in the context of retail. Technology acceptance models target at the optimisation of products and services and to detect and lower barriers for their acceptance from the perspective of the users. Since the 1980s technology acceptance models have been applied for IT in general, mobile technologies and services and lately also RFID in the context of AmI environments. In addition to established key factors for the acceptance of new technologies in general such as (1) perceived usefulness, (2) perceived ease of use and (3) trust in the product or service provider, perceived control seems to play an important role for RFID in AmI environments. Important elements from the perspective of the users that can be influenced by service providers are:

• To be informed and to have knowledge about the system (information control) 

• The knowledge that his behaviour changes the (re-)action of the system (behavioural control) and 

• To have different options (choices) to interact with the system (decision control) 

Taking these aspects into account when designing AmI systems, the resulting solutions will likely have an increased user acceptance and thus promote diffusion of RFID into the market.  

In the following section of Chapter 5 a set of social theories is discussed to provide a better understanding of the study of interactions of society with new technologies. In general one can discriminate two ways of looking at the relationship between technology and society: 

• Technological and economic deterministic theories assuming that new technologies or economic rationality determine social behaviours and 

• Constructivist theories assuming that the design and use of technologies is always a construction.  

While some – social - constructivist theories seem to reduce technological development to social developments, others take note of the complex interactions between the human and the nonhuman players in the field, attributing actions to nonhuman actants without falling prey to the determinist perspective. Special attention is given to Actor Network Theory (ANT), which allows a pertinent insight in the way specific technologies meditate the way we act, by inducing certain kinds of behaviour and inhibiting others. ANT research can trace the way in which technologies are in fact constructed as a result of the continuous interaction of human and nonhuman actants. In the case of an emerging ‘Internet of Things’ it is thought to be particularly important to trace the development of such construction, in order to allow adequate assessment at an early stage. Such assessment and subsequent action should take place, before a technological infrastructure settles down that renders empowerment of citizens virtually impossible, because they do not have the technological and legal means to access and contest the knowledge that interconnected THINGS have of them.

In the next section the so called TFI model is presented, which discriminates three layers of systems: the technical, formal and informal layer. These layers can be used to categorise relevant aspects of RFID in AmI environments and to identify potential areas of action. Relevant aspects as a result of this analysis are: 

• On the technical layer: 

  • Security, compatibility and the gap between laboratory and practical implementations of RFID 

• On the formal layer: 

  • Aspects of addressing and implementation of legislation especially in the context of data protection  

• On the informal layer: 

  • Analysis of groups of potential users shows at least at two of them a significant awareness and information deficit with respect to chances and risks of RFID.  

Finally, in Chapter 6, the implications for democracy and rule of law have been explored in reference to deliverable 7.4. First of all it is established that a viable constitutional democracy both presumes and produces empowered citizens that have an adequate sense of being in control of their own lives. As has been explained in D7.4, in the context of democracy and rule of law privacy is a public good that needs to be protected to safeguard the central tenets of democracy. If widespread, ubiquitous and autonomous profiling proliferates - as it must in the case of AmI - we need to reinvent the legal and technological tools for transparency (of those in power) and opacity (for individual citizens). Data protection legislation focuses on information (data) instead of knowledge (profiles, electronic footprints), PET’s* focus on anonymisation / pseudonymity instead of counter-profiling which would allow some anticipation of the profiles that may be applied. To cope with RFID as an enabling technology for the age of ‘everyware’ the focus of both legal and technological tools needs to extend their protection of personal data to an effective access to knowledge. We need to complement PET’s* with TET’s* (transparency enhancing technologies).