[LINK] Airport to tag passengers

Jan Whitaker jwhit at melbpc.org.au
Sun Oct 22 22:05:56 AEST 2006

Others please jump in here.

At 08:36 PM 22/10/2006, Geoffrey Ramadan wrote:
>Jan I am trying to understand how do you weigh 
>up differing and conflicting "rights".
>Does the greater need  for safety, outweigh privacy issues?

That is the choice of the individual, I reckon. I 
may choose to risk 'safety' to retain an ability 
to travel without being surveilled. The 
comparison here is a straw man because we have 
already agreed it is a dumb system and wouldn't 
achieve the goal anyway. The bargain is a no 
brainer. I won't trade my privacy for a smoke and 
mirrors promise of something that won't be 
delivered. The exchange is unbalanced.

In other circumstances the choice must be 
maintained. For example, tagging children may be 
acceptable to some paranoid parents. But others 
would never subject their children to being 
cattle (e-sheep, given the latest stories from the agriculture arena).

>>> From the RFID privacy perspective, there are 
>>> guidelines you can turn to. So far from what 
>>> I can tell, this application meets those guidelines.
>>Guidelines are not obligatory. What guidelines 
>>are you referring to? What about compliance 
>>with the Privacy Act, which IS law, and which IS obligatory.
>I indicated in a previous post the guidelines as mentioned in:

These aren't official, at least what is in the 
media release. These are from a resolution that binds no one.

>What elements of this, do you think this system does not meet?

I am not convinced that many of the applications 
follow the first principle listed:

a) any controller – before introducing RFID tags 
linked to personal information or leading to 
customer profiles – should first consider 
alternatives which achieve the same goal without 
collecting personal information or profiling customers;

Note this says customers, not staff, but even 
staff/employee applications should use this as a 
first decision point. If there are alternatives, 
use them instead. RFID vendors won't like this, I'm sure.

>Also what element of the privacy act do you think they would not comply with?

It depends on the implementation. Any of the 
privacy principles could be breached in the 
applications. The proposed code coming out of GS1 
says that the Act must be followed. But you know 
what? No penalties if they don't. Is that 
rigorous enough? I don't think so. It's a 
signatory instrument, not part of the law, so no 
new players come under the code that aren't 
already covered by the Act. So again, no 
penalties unless the Commissioner takes it on. 
Have you heard of any yet? Me neither.

I also did a bit of reading about the scanning 
code of practice. Only applies to supermarkets! 
And yet, if RFID is taking the place of barcode 
in the scanning, no change there to cover other retail implementations.

I'm still waiting for the answer about the back 
office use of the data. If there is this supposed 
benefit for warranty identification, there would 
need to be a matching record made at time of 
purchase, right? Is that going to be at the 
choice of the purchaser?  What happens when an 
item with a chip sells the item? Guess what. The 
database behind it is then wrong.

Can RFID chips be written to? Can the information 
be changed? At whose discretion?
How can a person who buys a product with an 
embedded chip know that it is disabled?  Or is this a 'trust us' situation?

from the resolution:
d) whenever RFID tags are in the possession of 
individuals, they should have the possibility to 
delete data and to disable or destroy the tags

Oh, delete data. It doesn't say from where. Will 
sellers delete my data from their backend 
systems? How will I know? Who do I tell? Can I do 
that at time of purchase or can I do it in the future?

I'm watching a movie...Bourne Supremacy. Lots of 
comms chips in this one, blue tooth, etc. He uses 
it to advantage. I'm trying to think of an 
example where the power is reversed for RFID. 
Maybe Professor Klerphel has some ideas on that, 
where the head of the company that implements 
RFID is the one whose personal activities are 
exposed - their kids? their wife's buying habits? 
their visits to the local 'gentleman's club' for 
the afternoon? hmmmmm..... I know, let's put RFID 
chips on all the hookers in St Kilda.....then for 
public health reasons, there can be a database of 
all of their customers. I like that idea!!  Or 
their GPS data could just be captured by the 
police automatically, just in case the tax office 
wants to check if they are paying their proper 
FBT. I know that's not an RFID application 
(yet?), but maybe it will get a point across as 
to why ignoring privacy for the plebs can be a risk to the top dogs, too.


Jan Whitaker
JLWhitaker Associates, Melbourne Victoria
jwhit at janwhitaker.com
business: http://www.janwhitaker.com
personal: http://www.janwhitaker.com/personal/
commentary: http://janwhitaker.com/jansblog/

'Seed planting is often the most important step. 
Without the seed, there is no plant.' - JW, April 2005
_ __________________ _

More information about the Link mailing list