[LINK] US-AMA far too complacent about human RFID tags
Roger Clarke
Roger.Clarke at xamax.com.au
Mon Jul 2 10:51:42 AEST 2007
http://arstechnica.com/news.ars/post/20070628-ama-says-human-rfid-tags-could-pose-serious-privacy-risk.html
AMA says human RFID tags could pose serious privacy risk
By John Timmer | Published: June 28, 2007 - 12:02PM CT

RFID tags operate over short distances to provide a scanner with
basic information about whatever item they're attached to. This is
being used commercially to both identify pricing details at retail
and to allow users to simply wave credit cards in front of
appropriately-configured readers in order to pay for them. But RFID
has also moved into the realm of providing personal information; the
US is making RFID-enabled passports, and the FDA approved human RFID
implants back in 2004. Given the medical and privacy issues
associated with human RFID tagging, the American Medical Association
called for an evaluation (.doc) of their implications; the resulting
report is now available (.doc).

The report makes a distinction between two types of RFID tags.
Passive tags have no power source and store information in read-only
form; the scanner provides them with enough power to transmit basic
information. Active RFID tags contain an internal battery, allowing
them to store more sophisticated information, process data, and
transmit over longer distances. Currently, only passive tags are
approved for human use, but there's no reason to think that current
limitations will stand indefinitely.

The passive tags are currently used for patients with chronic
diseases that may require rapid medical intervention. The report
cites examples such as coronary artery disease, chronic obstructive
pulmonary disease, diabetes mellitus, stroke, or seizure disorder. It
also notes that tags are being used to identify patients with
internal medical devices, such as pacemakers or replacement joints.
Because of privacy concerns, these RFID devices only transmit a
unique identification code; that code can be matched with records to
provide information such as current medication lists and past
diagnostic test results. Of course, all of this only works when the
patient is being treated by someone with access to appropriately
stored medical records, something which is hardly guaranteed.

The report suggests that there are very few concerns regarding
medical implications with RFID tags. The implantation procedure takes
less than a minute and involves nothing more than a needle. Although
there have been problems with the tags migrating away from their
implantation site, it should be possible to design them so that they
become encapsulated by the target tissue. There are some concerns
regarding possible interference with medical imaging and other
medical electronics, but the report does not cite instances of these
actually occurring.

With nothing of medical significance to worry about, the report's
biggest concern is patient privacy. It emphasizes the need for
informed consent in patients receiving these devices, noting that
doctors "cannot assure patients that the personal information
contained on RFID tags will be appropriately protected." It calls for
continual monitoring of the health benefits and privacy problems with
current and future devices, noting that "if objective evidence
demonstrates negative consequences that outweigh the benefits in
relation to health care, the medical profession will bear an
important responsibility to oppose the use of RFID labeling in
humans."

Future tags with more sophisticated capabilities may have greater
potential for abuse, and the report suggests these are not a matter
of if, but when. It also notes disturbing uses for current-generation
tags, such as enforcing a sort of permanent house arrest analogous to
the RFID-based ankle bracelet systems currently in use. Requiring a
medical professional to insert RFID tags for this purpose would place
practitioners in a bad ethical position.

The report's call for further studies may seem like dodging the
issue, but it is appropriate given the state of the art. In their
current form, RFID tags do nothing more than provide a patient
identifier that can be linked to their computerized records; in
effect, this shifts the security burden onto whoever maintains those
records. But the field looks poised to change rapidly, meaning that
if it wants to stay on top of the situation, the AMA will have to act
more quickly than the three-year gap between FDA approval of RFID
tags and this report.
--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW