
RFID versus the EU Charter of Fundamental Rights

Introduction

The European Commission has developed a "Draft Recommendation
on the implementation of privacy, data protection and information security
principles in applications supported by Radio Frequency Identification (RFID)"
and is consulting the public between 15.03 and 25.04.2008.
The link is at http://ec.europa.eu/yourvoice/ipm/forms/dispatch?form=RFIDRec .
There was a similar consultation in 2006.

This Draft Recommendation is eleven articles long. It is suggested that
a twelfth Article should be added to that Recommendation and that it would
be better if it had the force of hard law.

Executive Summary

Radio Frequency Identification (RFID) is an extremely problematic technology from the standpoint of fundamental human rights; the wearer of an RFID tag can be localised and identified by an RFID scanner without his/her knowledge because no physical contact is necessary.

That makes it potentially more troublesome than bar codes, chip-cards and biometrics.

The unregulated use of RFID systems on human beings is shown to be contrary
to six articles of the EU Charter of Fundamental Rights.

The solution proposed is to limit the range of RFID tags that can identify a human being to five centimetres.
The reader is invited to become part of this solution by opposing the unregulated use of RFID technology on human beings.

Binding EU-level legislation would be the most appropriate way to protect our rights. But any Recommendation beforehand should be clear about the limits to using RFID on human beings.

Throughout, RFID is considered before the background of the employment relationship and human resources management.

The Most Important Technical Facts About RFID

RFID chips (aka tags) send out unique, identifying radio messages. They have been shrunk down to the size of a grain of rice. The scanners that pick up the RFID signals are now the size of mobile phones and cost 500+ euros.

There are "active" and "passive" RFID tags.

The active kind contains a tiny battery that can last for up to ten years. The scanners can pick up an identifying signal from as far as 500 meters away.

The passive kind has no battery at all; instead, it draws its electrical power from the radio waves emitted by the scanner. Therefore the passive tags are usable for as many years as they remain undamaged. However, the scanners need to be at most 5 meters from a tag in order to still identify it.

Uses of RFID

The strategic goal of RFID is to replace the familiar bar codes one day.
This will allow for economies in the whole process of stocking and transporting products because an RFID tag can be read even if the item it is glued to happens to be buried under others at the bottom of a dark container.

In passing, it should be pointed out that there is no shortage of stock and transport workers in the EU, so the economies generated by RFID will be in the form of increased unemployment leading to lower wages and higher profits.

Another undesirable side effect is that many of the jobs lost are in the
semi-skilled category. This will push society further towards the split into Robert Reich's "symbolic analysts" versus his "routine producers" and "in-person servers".

A more constructive role for this technology is in identifying pets by implanting the tags under their fur so that they can be returned to their families when they get lost.

Most of us carry one RFID tag in our pocket. It is embedded in modern car keys and has made the lives of automobile thieves more difficult.

The Use of RFID for Human Identification

Certainly, the Department of Homeland Security (DHS) of the United States is above suspicion of being soft on anything. That is what makes the draft report of its Emerging Applications and Technology Subcommittee to the Full Data Privacy and Integrity Advisory Committee so interesting. It would seem that they take RFID as seriously as waterboarding.

Here is part of the Executive Summary: "Automatic identification technologies like RFID have valuable uses, especially in connection with tracking things for purposes such as inventory management. RFID is particularly useful where it can be embedded within an object, such as a shipping container. There appear to be specific, narrowly defined situations in which RFID is appropriate for human identification. Miners or fire fighters might be appropriately identified using RFID because speed of identification is at a premium in dangerous situations and the need to verify the connection between a card and bearer is low. But for other applications related to human beings, RFID appears to offer little benefit when compared to the consequences it brings for privacy and data integrity. Instead, it increases risks to personal privacy and security, with no commensurate benefit for performance or national security. Most difficult and troubling is the situation in which RFID is ostensibly used for tracking objects (medicine containers, for example), but can be in fact used for monitoring human behavior. These types of uses are still being explored and remain difficult to predict. For these reasons, we recommend that RFID be disfavored for identifying and tracking human beings." (Link to the pdf via www.dhs.gov/xlibrary/assets/privacy/privacy_advcom_rpt_rfid_draft.pdf .)

From the conclusion; "RFID technology may have a small benefit in terms of speeding identification processes, but it is no more resistant to forgery or tampering than any other digital technology. The use of RFID would predispose identification systems to surveillance uses. Use of RFID in identification would tend to deprive individuals of the ability to control when they are identified and what information identification processes transfer. Finally, RFID exposes identification processes to security weaknesses that non-radio-frequency-based processes do not share. The Department of Homeland Security should consider carefully whether to use RFID to identify and track individuals, given the variety of technologies that may serve the same goals with less risk to privacy and related interests." (Link to the pdf via www.dhs.gov/xlibrary/assets/privacy/privacy_advcom_rpt_rfid_draft.pdf .)

RFID and the Charter of Fundamental Rights of the EU

Most people react with spontaneous concern about the future of their privacy when they learn about RFID. There is a nagging feeling that this technology will make life worse, not better.

By considering the practical effect of RFID on the exercise of some of the rights enshrined in the EU Charter of Fundamental Rights, we can see that these persistent doubts have a basis in reality.
(Link at http://europa.eu.int/eur-lex/lex/Notice.do?val=393952:cs&lang=en&pos=1&phwords=charter%20of%20fundamental%20rights~&checktexte=checkbox .)

Article 1 Human Dignity

"Human dignity is inviolable. It must be respected and protected."

This excerpt from the STOA report entitled "RFID and Identity Management in Everyday Life" (IP/A/STOA/2006-22, PE 383.219), Page 23 of 80, gives a practical example of how RFID clashes with Article 1.

"As they bring security in the workplace up to a higher level, RFID systems are currently used in prisons too. Here we can analyze Identity Management on the work floor in what is perhaps its most extreme form. In this case identities are not just based on access or presence, but as a monitoring system on the way people move about – prisoners as well as guards. Penitentiary Lelystad in the Netherlands is one such "smart prison", where RFID not only scans for unauthorized behaviour, but also functions as a reward system.

This prison has been especially built for testing new technologies and detention concepts. A maximum of 150 prisoners who volunteered for the new detention concept have a (remaining) penalty not exceeding four months and share a room with five other prisoners. They all carry a non-removable bracelet containing an active RFID chip. Identity and location of the prisoner is tracked in real-time. The prisoners can design their individual day programme and the RFID systems tracks whether they stick to it, providing information for a crediting and penalty function.

… the warders carry an active RFID chip too, locked on their key-chain.
… After awhile however, some issues arose, for instance about what happens if someone visits the toilets. …

… A visitor of a discussion board commented on an article about the concept:
"I also had a major problem with the fact that failure to pay traffic fines or petty theft could land you in a prison like this.

That means I, and many others in the class, could have our right to privacy legally stripped from us in a very dehumanizing way if we lived in the Netherlands. I think this kind of surveillance, for petty crimes, is completely backwards of the Dutch, who are otherwise liberal". For now, this person may be incorrect, as both wardens and prisoners have a choice to work or serve time in a conventional prison. Yet once this pilot proves to be successful and all prisons start using the system, they will not." (Link to the pdf via www.europarl.europa.eu/stoa/publications/studies/stoa182_en.pdf .)


One comment is that "toilet data" can be more than just embarrassing under the wrong circumstances. It can be mined for indications about the unfortunate RFID bearer's possible addiction to tobacco, perhaps his sexual orientation, and whether she is or is not menstruating. Note that a doctor would be legally and professionally bound to treat such personal information as confidential.

Another comment that remains to be made is that unrestricted use of RFID on human beings will make Jeremy Bentham's infamous vision of the "panopticon" real. But it will not be only for criminals, as he foresaw, but also for workers.

A third comment is that those who claim that human dignity is not infringed by restroom surveillance are hereby challenged to draft a code of good conduct for this practice, if they can.

Article 5 Prohibition of Slavery and Forced Labour

"1. No one shall be held in slavery or servitude."

It is true that tagging an employee with RFID does not lead to instant, total enslavement. However, there is some truth in the equation "worker + long range RFID = wage slave", because a boss who knows down to the meter and the second where (and when) his employees are has gained another great advantage over them. Consider that after a quarter of a century of high unemployment in the EU, loss of their job would be a great hardship for many workers while it would present only a temporary inconvenience to their bosses. This has led European societies towards a state of affairs where workers are sometimes bought and sold along with their (only) jobs.

What is needed in order to restore a social equilibrium is to (re)empower workers, not to place them under surveillance.

One prominent critic of RFID abuse is Mr. Barroso, who had the following exchange at the Staff Forum of 17.12.2007.

Question from Michael Ashbrook (ESTAT, SID's Secretary General);
"One of the technologies promoted as part of the Lisbon Process is Radio Frequency Identification, RFID for short. RFID chips send out unique, identifying, radio messages. They have been shrunk down to the size of a grain of rice. The scanners that pick up the RFID signals now are the size of mobile phones and cost 500+ EUROs.

Are there any circumstances at all under which RFID chips should be imposed on sane, adult human beings without their prior, informed, freely given consent?
Are there plans to use RFID on Commission staff?"

Answer from Jose Manuel Barroso (President of the Commission)
"... About radio frequency identification, first of all I was looking to Vice President Kallas who is with me, and I am not aware of any plans to have this control of the civil servants of the Commission...

... You know on that point I and Siim Kallas, we are really believers in human freedom and the rights of individuals. You know I am very much for that, I am against control ... I think of the autonomy of every human being ... as a great value in itself ... it is at the core of European values ....

.... Regarding the issue of using these in human beings, indeed this is a question that has been discussed, we are discussing it ... for health purposes also in some kind for security purposes. There is a debate, I participated already in that debate in the Commission. There is the European Group on Ethics in Science and Technology, created by European Commission... " (Link at http://trade-union-sid.freehostia.com/tiki/tiki-index.php?page=Believers+in+Human+Freedom+and+the+Rights+Of+Individuals .)


Article 8 Protection of Personal Data

"1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority."

In too many practical cases, there will be tacit pressure on employees to accept RFID tags. Few will be in a position to refuse signature of a contract that requires their agreement to radio surveillance. This is why Art 8(1) will need some extra teeth in the future.

It can be noted that the promises held out by Art 8(2) will hardly be fulfilled in practice because a citizen would have to know down to the second and meter when (and where) s/he was in order to criticize the contents of a database fed by RFID scanners. We can expect pure hardware-caused failures of the systems to be rare. The problems will be more with interpreting the potentially huge content of such databases. Those who seek to harm an employee will often find something usable in the gigabytes of RFID data accumulated.

There is a pilot project on RFID going on at DG INFSO. This opinion, issued by the European Data Protection Supervisor on 2007.10.19, gives a good idea of why the "authority" mentioned in Art. 8(3) needs to be independent from management;

"The EDPS considers that DG INFSO should implement the following changes to the draft of the privacy statement:
Delete the term "registering" in the title of the Privacy statement;
Modify the reference which is made to the EDPS Opinion as regards the wording "who delivered a favourable opinion" and replace it by "who delivered an opinion." The EDPS would also appreciate that the privacy statement contains a link to the opinion;

Delete the sentence: "This is not related to any personal data";
The EDPS would like the category of persons who can be recipients (i.e. delegated controller) to be added in the privacy statement, together with the Data Controller and System Administrator;

Add a paragraph specifying clearly the people or categories of people of DG INFSO who are allowed to use the flexitime application (i.e. the staff members concerned);
Redraft the specific privacy statement on the information which can directly be changed by the data subjects and the information for which the data subjects must contact the system administrator to implement the changes;

Following the EDPS recommendation on a third copy, the Data Protection Coordinator of DG INFSO should also be mentioned in the privacy statement of the system;
Mention whether replies to the questions are obligatory or voluntary, as well as the practical consequences of failure to reply. For instance, the consequences of failure to clock in and out;

Mention the legal basis, besides the Guide to flexitime;
Mention the time-limits (retention period) of the audit trail of 2 months;
Add a specific paragraph on the blocking of data, pursuant to Article 15 of Regulation 45/2001, in line with point 3.8 of the opinion;
Add a paragraph on the right to have recourse at any time to the European Data Protection Supervisor." (Underlining added by SID.)
(Link to the pdf via http://www.edps.europa.eu/EDPSWEB/edps/lang/en/pid/217 .)


When one considers the changes that the EDPS is asking for (replace "delivered a favourable opinion" by "delivered an opinion", for example) it becomes clear that management was misinforming staff.


Article 12 Freedom of Assembly and of Association

"1. Everyone has the right to … freedom of association at all levels in particular in political, trade union and civic matters, which implies the right of everyone to form and to join trade unions for the protection of his or her interests."

RFID data will reveal which colleagues take breaks at the same time and in the same place. Those who socialize with staff representatives and known unionists will be easy to identify. In the abstract, this may not be a breach of Article 12, but in many places of work people will think twice about whom to avoid in order not to be electronically branded as a "potential troublemaker".

It is clear that RFID empowers management. The interesting question is what measures can be taken to block a crushing power-imbalance in its favour.



Article 28 Right to Collective Bargaining and Action

"Workers … have … the right … in cases of conflicts of interest, to take collective action to defend their interests, including strike action."

What was said for Article 12, above, is just as true for Article 28. Formalistically, the right to strike stays in effect. But it will prove very difficult to organize strikes when the would-be strikers feel that every step they take in the corridor may be registered automatically for later use.

Article 31 Fair and Just Working Conditions

"1. Every worker has the right to working conditions which respect his or her health, safety and dignity."

What was said regarding Articles 1, 5, 8, 12, 28 covers Article 31 as well.

The Protection of Personal Data at Work

An additional article should be inserted, perhaps after Article 7 of the Recommendation, which covers RFID-related issues in a retail trade situation.

"Article 6a

The protection of personal data

If an RFID system incorporates information that allows the codes of its tags to be linked to individual humans, and if the legal basis for that system includes an employment contract, then the distance at which the RFID tags can be read must be limited to five centimetres."



Recommendation or Legislation?

Contrary to the urban legend about the ever regulation-crazed European Commission, so far it only has plans for a Recommendation. It is the EDPS who disagrees and wants something more substantial, as can be seen in this opinion of 20 December 2007;

"69. However, RFID is not just another technological development as has been underlined in several parts of this opinion. The communication refers to RFID as the gateway to a new phase of development of the Information Society, often referred to as the "internet of things" and RFID tags will constitute key elements of the ‘ambient intelligent’ environments. These environments are also important steps in the development of what is often called the 'Surveillance Society'. Against this background, legislative action in the area of RFID can be justified. RFID may bring about a qualitative change.

75. The EDPS considers that this unfortunate outcome should be avoided. Because current legislation partially - at least for RFID applications that do not process personal data - fails to counter this privacy threat, and taking into account the shortcomings of soft law solutions, it seems necessary to use compulsory legislative measures to ensure a satisfactory result.

92. The EDPS recommends considering the adoption of (a proposal for) Community legislation regulating the main issues of RFID-usage in relevant sectors, in case the proper implementation of the existing legal framework would fail. After it enters into force, such a legislative measure must be considered as a 'lex specialis' vis-a-vis the general data protection framework. … "

(Link to the pdf via http://www.edps.europa.eu/EDPSWEB/edps/lang/en/pid/247 .)

Created by: admin last modification: Wednesday 17 of September, 2008 [09:57:47 UTC] by admin

