[LINK] Airport to tag passengers

Geoffrey Ramadan gramadan at umd.com.au
Tue Oct 24 22:59:52 AEST 2006 

Jan Whitaker wrote:
> Others please jump in here.
>
> At 08:36 PM 22/10/2006, Geoffrey Ramadan wrote:
>> Jan I am trying to understand how do you weigh up differing and 
>> conflicting "rights".
>>
>> Does the greater need for safety, outweigh privacy issues?
>
> That is the choice of the individual, I reckon. I may choose to risk 
> 'safety' to retain an ability to travel without being surveilled. The 
> comparison here is a straw man because we have already agreed it is a 
> dumb system and wouldn't achieve the goal anyway. The bargain is a no 
> brainer. I won't trade my privacy for a smoke and mirrors promise of 
> something that won't be delivered. The exchange is unbalanced.
> In other circumstances the choice must be maintained. For example, 
> tagging children may be acceptable to some paranoid parents. But 
> others would never subject their children to being cattle (e-sheep, 
> given the latest stories from the agriculture arena).
This is ok, if you have a choice and looking from an individual 
perspective. What criteria would an organisation use to determine that 
their needs outweigh the need for privacy. (eg. tracking of a person in 
a closed area - eg. Mining companies) given that you cannot give people 
a choice to adopt a system? Either it is in or not.

>
>
>>>> From the RFID privacy perspective, there are guidelines you can 
>>>> turn to. So far from what I can tell, this application meets those 
>>>> guidelines.
>>>
>>> Guidelines are not obligatory. What guidelines are you referring to? 
>>> What about compliance with the Privacy Act, which IS law, and which 
>>> IS obligatory.
>> I indicated in a previous post the guidelines as mentioned in:
>> http://www.privacy.gov.au/news/media/03_17.html
>
> These aren't official, at least what is in the media release. These 
> are from a resolution that binds no one.
>
>> What elements of this, do you think this system does not meet?
>
> I am not convinced that many of the applications follow the first 
> principle listed:
>
> a) any controller – before introducing RFID tags linked to personal 
> information or leading to customer profiles – should first consider 
> alternatives which achieve the same goal without collecting personal 
> information or profiling customers; 

What if the purpose is to collect personal data and profile customers? 
(with their knowledge and consent)


>
> Note this says customers, not staff, but even staff/employee 
> applications should use this as a first decision point. If there are 
> alternatives, use them instead. RFID vendors won't like this, I'm sure.
>
>> Also what element of the privacy act do you think they would not 
>> comply with?
>
> It depends on the implementation. Any of the privacy principles could 
> be breached in the applications. The proposed code coming out of GS1 
> says that the Act must be followed. But you know what? No penalties if 
> they don't. Is that rigorous enough? I don't think so. It's a 
> signatory instrument, not part of the law, so no new players come 
> under the code that aren't already covered by the Act. So again, no 
> penalties unless the Commissioner takes it on. Have you heard of any 
> yet? Me neither.
>
> I also did a bit of reading about the scanning code of practice. Only 
> applies to supermarkets! And yet, if RFID is taking the place of 
> barcode in the scanning, no change there to cover other retail 
> implementations.
>
> I'm still waiting for the answer about the back office use of the 
> data. If there is this supposed benefit for warranty identification, 
> there would need to be a matching record made at time of purchase, right? 
Unlike barcodes, EPC RFID tags proposed for products, is a serialised 
barcode. So a shop would be able to determine that it sold that specific 
product and on what date. No need to know who it was sold to.

> Is that going to be at the choice of the purchaser? What happens when 
> an item with a chip sells the item? Guess what. The database behind it 
> is then wrong.
>
> Can RFID chips be written to? Can the information be changed? At whose 
> discretion?
> How can a person who buys a product with an embedded chip know that it 
> is disabled? Or is this a 'trust us' situation?
It depends on the class of RFID chip used. Some chips are WORM. Write 
Once, Read Many and some a r/w and some a ROM and fixed at the factory. 
I would assume most consumer products would be WORM based.

If verifying that a tag was disable was an issue, then there are simple 
ways of verifying this.

Retails could show the EPC RFID number on a customer display and once 
disabled, the number would be deleted of the list.

>
> from the resolution:
> d) whenever RFID tags are in the possession of individuals, they 
> should have the possibility to delete data and to disable or destroy 
> the tags
>
> Oh, delete data. It doesn't say from where. Will sellers delete my 
> data from their backend systems? How will I know? Who do I tell? Can I 
> do that at time of purchase or can I do it in the future?
They are referring to deleting the data on the tag (disabling it). Thus 
ensuring that the tag is used for its purpose and cannot be used for 
other applications.

The purpose of the RFID is to collect data, so it seams a bit odd that 
anyone would delete it.

Reg
Geoffrey Ramadan

>
> I'm watching a movie...Bourne Supremacy. Lots of comms chips in this 
> one, blue tooth, etc. He uses it to advantage. I'm trying to think of 
> an example where the power is reversed for RFID. Maybe Professor 
> Klerphel has some ideas on that, where the head of the company that 
> implements RFID is the one whose personal activities are exposed - 
> their kids? their wife's buying habits? their visits to the local 
> 'gentleman's club' for the afternoon? hmmmmm..... I know, let's put 
> RFID chips on all the hookers in St Kilda.....then for public health 
> reasons, there can be a database of all of their customers. I like 
> that idea!! Or their GPS data could just be captured by the police 
> automatically, just in case the tax office wants to check if they are 
> paying their proper FBT. I know that's not an RFID application (yet?), 
> but maybe it will get a point across as to why ignoring privacy for 
> the plebs can be a risk to the top dogs, too.
>
> Jan
>
> Jan Whitaker
> JLWhitaker Associates, Melbourne Victoria
> jwhit at janwhitaker.com
> business: http://www.janwhitaker.com
> personal: http://www.janwhitaker.com/personal/
> commentary: http://janwhitaker.com/jansblog/
>
> 'Seed planting is often the most important step. Without the seed, 
> there is no plant.' - JW, April 2005
> _ __________________ _
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link

More information about the Link mailing list