[LINK] RFID Tagging of Children

[Karl Auer]

On Tue, 2006-10-24 at 23:53 +1000, Geoffrey Ramadan wrote:
> > - the holder of data relating to a person should be responsible in law
> > for its accuracy, including consequential damages arising from
> > inaccuracy.
> >   
> How does this work in this case, where the actual data is entered by the 
> participants (via web)

It depends very much on how sure you can be that they (and not someone
else) entered the data. If you do something that harms someone, basing
your actions on particular data, and you cannot show that your made all
reasonable effort to ensure that the data was correct, you should be
prosecutable.

Nothing else will make data collectors careful enough about how and
where they get their data, or careful enough about ensuring it is
accurate.

Data collected via the web, unless there is a decent pre-established
authentication and authorisation system in place, is about as insecure
as you can get.

> > - failing to destroy data when its purpose is served and transferring
> > data to third parties not involved in the purpose for which the data was
> > collected should be a criminal (NOT merely a civil) offence.
> >   
> As they are collecting personal information, I would assume that they 
> would also be subject to the normal privacy laws and would need to 
> include an appropriate statement which would cover these aspects.

My ideas were "shoulds" not references to laws. The current laws are
essentially useless.

The reason I want it to be a criminal offence is so that it will be
followed up by law enforcement on the public purse, not rely on ordinary
people having deep enough pockets to take on misbehaving corporates.

> > 5: For emergencies, you have huge problems of data integrity - how
> > exactly will these RFID chips be physically associated with particular
> > people? 
> Was thinking of a waterproof wristband they would wear all the time.

These are kids. The wristbands will be cut off, pocketed, put on chains
and ribbons, draped around necks, lost, swapped etc with gay abandon. I
guarantee it. Especially with the girls, unless the thing is the height
of fashion and manages to remain so for the entire duration of the
event.

> > How do you know that the tag matches the kid - hasn't been
> > swapped or whatever? 
> You don't. You minimise the risk by having it been worn all the time.

Won't happen.
 
> Also if this was real issue, you could include a photograph in the 
> database.
> 
> He also has a name, which others around him hopefully also know.

These are KIDS. They will say whatever they want, and vouch for
anything.

> > And what about the right of these kids to disable
> > or destroy the RFID chip (as given in the fourth Conference principle)?
> >   
> The principle applies to the "end of use" of the tag... not during. At 
> the end of the conference,  which concludes the purpose for which the 
> RFID tag and data was collected, the wristband would be returned.

No they WON'T be returned. They will be kept a souvenirs etc.  Maybe
some kind of deposit would help, but you'll lose a lot of them. Not that
it matters - it's the data that matters.

> > I see no real benefit
> > here for RFID over a simple printed plastic card.
> >   
> No really, as you can easily loose, misplace or forget the plastic card.

You can easily lose misplace or forget your chip (because believe me,
the will not stay around wrists very long - not on kids and probably not
even on adults).

> > If I could not see that the data would be protected and later destroyed,
> > I would have problems with it, yes.
> >   
> Would it be fair to say that in this case that your concerns revolve 
> more around the data collected and its policy, more so than the RFID tag 
> itself.

Absolutely. And this has always been the problem - it's the same problem
as with the new ID card. 

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)