[LINK] US-AMA far too complacent about human RFID tags

Roger Clarke Roger.Clarke at xamax.com.au
Mon Jul 2 10:51:42 AEST 2007


http://arstechnica.com/news.ars/post/20070628-ama-says-human-rfid-tags-could-pose-serious-privacy-risk.html

AMA says human RFID tags could pose serious privacy risk
By John Timmer | Published: June 28, 2007 - 12:02PM CT

RFID tags operate over short distances to provide a scanner with 
basic information about whatever item they're attached to. This is 
being used commercially to both identify pricing details at retail 
and to allow users to simply wave credit cards in front of 
appropriately-configured readers in order to pay for them. But RFID 
has also moved into the realm of providing personal information; the 
US is making RFID-enabled passports, and the FDA approved human RFID 
implants back in 2004. Given the medical and privacy issues 
associated with human RFID tagging, the American Medical Association 
called for an evaluation (.doc) of their implications; the resulting 
report is now available (.doc).

The report makes a distinction between two types of RFID tags. 
Passive tags have no power source and store information in read-only 
form; the scanner provides them with enough power to transmit basic 
information. Active RFID tags contain an internal battery, allowing 
them to store more sophisticated information, process data, and 
transmit over longer distances. Currently, only passive tags are 
approved for human use, but there's no reason to think that current 
limitations will stand indefinitely.

The passive tags are currently used for patients with chronic 
diseases that may require rapid medical intervention. The report 
cites examples such as coronary artery disease, chronic obstructive 
pulmonary disease, diabetes mellitus, stroke, or seizure disorder. It 
also notes that tags are being used to identify patients with 
internal medical devices, such as pacemakers or replacement joints. 
Because of privacy concerns, these RFID devices only transmit a 
unique identification code; that code can be matched with records to 
provide information such as current medication lists and past 
diagnostic test results. Of course, all of this only works when the 
patient is being treated by someone with access to appropriately 
stored medical records, something which is hardly guaranteed.

The report suggests that there are very few concerns regarding 
medical implications with RFID tags. The implantation procedure takes 
less than a minute and involves nothing more than a needle. Although 
there have been problems with the tags migrating away from their 
implantation site, it should be possible to design them so that they 
become encapsulated by the target tissue. There are some concerns 
regarding possible interference with medical imaging and other 
medical electronics, but the report does not cite instances of these 
actually occurring.

With nothing of medical significance to worry about, the report's 
biggest concern is patient privacy. It emphasizes the need for 
informed consent in patients receiving these devices, noting that 
doctors "cannot assure patients that the personal information 
contained on RFID tags will be appropriately protected." It calls for 
continual monitoring of the health benefits and privacy problems with 
current and future devices, noting that "if objective evidence 
demonstrates negative consequences that outweigh the benefits in 
relation to health care, the medical profession will bear an 
important responsibility to oppose the use of RFID labeling in 
humans."

Future tags with more sophisticated capabilities may have greater 
potential for abuse, and the report suggests these are not a matter 
of if, but when. It also notes disturbing uses for current-generation 
tags, such as enforcing a sort of permanent house arrest analogous to 
the RFID-based ankle bracelet systems currently in use. Requiring a 
medical professional to insert RFID tags for this purpose would place 
practitioners in a bad ethical position.

The report's call for further studies may seem like dodging the 
issue, but it is appropriate given the state of the art. In their 
current form, RFID tags do nothing more than provide a patient 
identifier that can be linked to their computerized records; in 
effect, this shifts the security burden onto whoever maintains those 
records. But the field looks poised to change rapidly, meaning that 
if it wants to stay on top of the situation, the AMA will have to act 
more quickly than the three-year gap between FDA approval of RFID 
tags and this report.

Related Stories
	*	The RFID Guardian: a firewall for your tags
	*	RFID being tapped to stifle exam cheaters
	*	RFID security act passed by California senate again

-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW



More information about the Link mailing list