Tuesday, July 29, 2003

The Times: Op-ed - Beware, your pullover may be watching you

Comment: The privacy risks of RFID chips. By David Rowan

When British Airways hit a spot of turbulence last week over an unremarkable plan to record staff attendance with swipe cards, it was perhaps inevitable that union activists would denounce the airline for introducing a "Big Brother technology". I have news for them. If BA were really serious about breaching workers' privacy, there are some far more powerful products on the market that it would be using to track staff electronically. For while the rest of us have been busy in recent years learning to text-message and filter out junk e-mails, the IT industry has quietly been developing a fearsome array of technologies designed to learn more about you than you could ever guess.

BA could, for instance, invest in Computer Associates' 20/20 workplace monitoring system, launched last week as a way to give employers, you've guessed it, "20/20 vision" of their workers' behaviour. From their physical movements to their computer use and phone calls, the software maps out "a three-dimensional view" of an individual's entire working day - flagging up "suspicious" activity such as extended toilet breaks, and logging their every keystroke on a database.

Or if that all sounds too complicated for a reluctantly modernising airline to grasp, it could instead track staff simply by scanning their iris patterns or logging the radio signals emanating from smart-cards in their pockets. The beauty of progress is that, as all that data is automatically scooped up, the worker need remain none the wiser.

Information, more than ever before, represents power to those who have access to it. In the 21st century, as ever-larger chunks of our lives are being mapped out on databases about which we may know nothing, the notion of personal privacy is rapidly being diluted by our acquiescence in the pervasiveness of automated data collection. It may suit employers, retailers, governments and marketers to record unlimited amounts of information about us, but there is no way of knowing where that data will finally end up. No matter how ambitious the data protection laws - and Britain's are vastly superior to those in the US - they never quite manage to keep up with the speed of innovation.

Even at the simplest level of employee monitoring, your personal trail may be being analysed in unexpected quarters. The syndicated American newspaper columnist Dear Abby two weeks ago printed an enlightening letter from a member of an unnamed firm's IT department who confessed to accessing workers' online bank details, tracking their eBay auction bids, and studying their personal e-mails. "I will never look at certain employees the same way again," he wrote.

But it is with the larger commercial and governmental databases that the power games really begin: as one database gets "mined" alongside others, detailed patterns emerge about you that analytical software can crunch to predict your behaviour and profile your lifestyle. Your health insurer may wish to know about your sexual proclivities; the security services may want to know about any suspicious book purchases you may have made with your credit card. And when terrorism alerts cause public officials to justify mining your private data, who knows what they will do with it all.

Once information is collected for one purpose, however legitimate, there is no way for you to prevent it from being used for another, even if that secondary usage prejudices you. The practice is known as "data creep". Fine, you may think; you have nothing to fear beyond a bit of junk mail or cold-calling. Britain's extensive CCTV network, after all, is a technology that may breach personal privacy - but if it helps to protect you from crime, that may be a trade-off worth making.

But how would you feel about a rather more pervasive technology that used radio signals to track your movements whether at home or on the streets, and through tiny microchips embedded in everyday products could identify almost everything you were wearing or carrying? Imagine, furthermore, that a huge global network of computers linked to scanners was monitoring these radio signals and recording your progress on databases for corporations or governments to study in real time. Would you see that as a breach too far of your privacy?

The question is not theoretical. Such a technology is already here - and is starting to be used on the British high street by retailers such as Asda, Marks & Spencer and Woolworths. The technology relies on "smart tags" being fitted to individual items, from cereals to CDs, as a cost-effective way of monitoring product lines and automating the reordering process. The tags, based on microchips smaller than a grain of sand, can be read by scanners up to 10 metres (33ft) away, and their presence recorded over an internet-linked computer network. And unlike barcodes, which merely identify a product line, smart tags are specific to an individual item such as a can of Coke, and can convey detailed information about its manufacturing history and sell-by date.

If you buy a DVD from Tesco this week, you may not realise that it may come with one of these smart tags, known as a Radio Frequency Identification, or RFID tag.

The technology is backed by some of the world's most powerful organisations - Gillette has just ordered half a billion of them, and the European Central Bank wants to put them in euros - and it is a safe bet that they will, within a decade, be fitted to almost every branded product. At MIT in Boston, where the Auto-ID Centre is working with global corporations to develop the common standard, executives are so confident that RFID is about to enter widespread use that they talk of "trillions of tagged items" soon being trackable via a computer network they are calling "the internet of things".

Unless they are deliberately "killed", RFID tags are designed to remain active through a product's life. Anyone with a suitable scanner could "read" the tag to identify that item and, if they had access to the underlying computer network, could track its history. There are, as you may imagine, some "Big Brother" privacy concerns about this technology much greater than those voiced by the BA unions.

After news emerged last March that Benetton planned to embed RFID chips in millions of its Sisley pullovers, an international boycott of the chain was organised under the slogan "I'd rather go naked" to highlight the technology's potential use to track individuals. Benetton subsequently emphasised that it had no immediate plans to put tagged sweaters into its stores.

Katherine Albrecht, the organiser of the Boycott Benetton campaign, claims that it has "the potential to track people from the time they get up in the morning to the time they go to bed". If the information collected via signals from your personal items were matched to CCTV images, you would, she says, "be surveilled at every turn". The police, criminals and marketers would all be motivated to scan your property to learn more about you - since everything from your earrings to your glasses would be identifiable.

At MIT, they are advising companies to warn consumers that they are using RFID tags and to give them the option of having them "killed" at the checkout. That is not being done in practice: Tesco, for example, is not warning customers that its DVDs contain the tags, which remain active long after they have left the store.

Certainly the technology has the potential to bring greater efficiencies in stock tracking, and perhaps even to herald the day when your shopping trolley can be automatically scanned, saving you from queueing at the checkout. But before we allow a tiny wireless computer to be fitted into almost every manufactured product, as the MIT visionaries would like, should we not at least debate how all this data will be regulated?

The Office of the Information Commissioner says it would have "serious data protection concerns" if information gathered using RFID tags was used to track individual consumers without their knowledge. It is a reassuring view, tempered only by the reality that in fact there are no adequate regulatory resources to prevent a tidal wave of data falling into the wrong hands.

That is the trouble with new technologies. They will not simply wait until you are ready to deal with them. By the time you realise that, yes, you did once value your privacy, it may be too late to retrieve it.

(The Times, July 29 2003)