Personal Privacy Threatened by FDA RFID Ruling
Get more Privacy News

Privacy advocates, including ACCESS, have been waiving a red flag over the use of RFID (radio frequency identification) in consumer goods ever since Wal-Mart announced that it would require its vendors to start using it. Companies that face supply chain management issues, inclusive of all major retailers, like the idea of being able to use RFID in products. This is because RFID has the potential to significantly reduce their supply chain costs. It eliminates the need to take manual inventories, and it can tell them where every item in their supply chain resides, at any given moment.

But just as with any other tool, RFID can be used for good or for bad. Privacy advocates are worried about the “bad”. Theoretically, RFID can be used to give every product produced a unique identifier. This means that if Coca Cola were to implement RFID on its cans of Diet Coke, and they produced a billion cans per year, the potential exists to track a single can of Diet Coke from the time it leaves the warehouse, to the time that you throw it away and it is recycled. If purchased with a debit or credit card, or if a store loyalty card is used, there is a very good chance that Coke would be able to tie your name to the purchase.

It doesn’t require a lot of imagination to see how this kind of information could be abused.

Unfortunately, on Wednesday the FDA made the RFID privacy battle much worse when it approved a RFID tag that can be inserted under the skin of hospital patients. The chip, which is made by Applied Digital Solutions of Delray Beach, Florida, is being sold as a revolutionary way for doctors and hospitals to decrease problems arising from medical treatment. The chip makes the patients medical records immediately available to doctors. This availability may play a key roll in saving the lives of patients who are incapacitated.

While new to humans, this type of RFID use has been around for years in veterinary circles. Many pet owners have had similar tags, made by the same company, inserted in their dogs, cats and horses. These tags allow animal shelters to identify the pet’s owner if the animal ever gets lost.

Use in the human population raises a variety of concerns. There are currently no laws that would prevent companies from requiring such implants be used for identification purposes. And while it only takes a syringe to insert the chip, it requires an operation to take it out. In other words, losing your privacy is easy, getting it back will be difficult, painful and costly.

Insurance companies would certainly be interested in using RFID because these chips would make it nearly impossible for anyone with a preexisting condition, no matter how old, to get insurance. The federal government would also likely have an interest, as would law enforcement. Once a chip is inserted, the movements of its host can be easily monitored.

While all of this may sound Orwellian, if you are over 40 years old your Social Security Card probably has a line on it that reads “For Social Security and Tax Purposes Only – Not for Identification”. Now, everybody seems to want to use your Social Security Number to identify you. The reason for this is that Social Security Numbers are a unique identifier. Both the government and business started using them as such prior to the time that anyone was paying attention. Our laws have been playing catch-up now for years.

It is very easy to see how this sort of technology could be used to replace Social Security Numbers. And in so doing, every move you make could be monitored by anyone with an interest. This includes retailers, the government and yes, your insurance provider.

The abuse of Social Security Numbers should have taught us by now that you can’t put the genie back in the bottle after it is opened up. Congress needs to begin to pay attention to human RFID implants now, while there is something that can be done to regulate its use. If they don’t, ten years from now it may be too late for them to do anything about it.

by Jim Malmberg

Children’s Privacy Threatened by BabyBlogs
Topic: Children and Privacy
BabyBlogs are web logs, commonly referred to as blogs, that parents put up about their children. Normally considered harmless in nature, parents often include pictures of their kids, along with a variety of stories. What they did on their summer vacation. A picture of baby bob with Aunt Eunice. These BabyBlogs have become the modern day version of the 1960’s slide show. The only difference now is that instead of inviting friends over to bore them to death in person for a couple of hours, we can now perpetually share our pictures with the world. Unfortunately, this has type of activity has a downside which may turn out to be most significant for some children.

When items get posted to the internet, as a rule of thumb you should assume that they will never go away. Even if you put them up on a website that you later remove, the images you post and the stories you tell have probably been indexed and copied by a variety of search engines. This means that they are probably still available to anyone who wants to see them, if they know where and how to look for them.

When parents post their own pictures, that's one thing. When they post pictures and information about their children, it is quite another. Parents need to stop and think before they do this.

Today’s children are having their lives documented like no other generation before them. Digital cameras have made photography much less expensive. And the internet has made digital photographs easy to share.

Before parents post content about their children, they should ask themselves it they would have wanted their parents to post similar content to the internet if that option had been available to them? Taking this thought process one step further, even if they would have liked to see themselves on the internet as a child, would they still want those old pictures to be available today? If the answer to any of these questions is “no”, then parents shouldn’t be posting this kind of information to the internet. Period.

But more importantly, parents should consider that posting information on their children could cause problems more significant than just a little embarrassment later in life. Posting this kind of information of for the world to see can present immediate dangers.

If a pedophile gets their hands on pictures of children, and they like what they see, they may be able to find out who posted the images, and where they live. If an identity thief can find the name and address of a child, there is a perfect opportunity to steal that child’s name and ruin their credit record for life (Note: This type of identity theft is on the rise and it is usually not detected for years). In both of these examples, the perpetrator would never have needed to meet the victim prior to committing the crime. And it would all have been made possible by the victim’s unsuspecting proud parents, just trying to share their pride with the world through their BabyBlog.

by Jim Malmberg

You can read more stories at Guard My Credit File

Canadian Data Protection Laws Significantly Stronger than U.S.
Topic: Financial Privacy
In the United States we have the Social Security Number. Unfortunately, access to Social Security Numbers is all too common, and the results can be devastating. Identity theft and ruined credit. The inability to get or keep a meaningfull job. In the worst cases, severe stress that leads to breakup of families.

Because the banking lobby has its hand so deep in Congressional pockets that it may never see the light of day again, federal lawmakers have been unwilling to implement laws to protect consumers. In fact, late in 2003 both Congress and the White House significantly weakened the ability of the states to protect the personal privacy of their citizens. That’s when a President Bush signed the Fair and Accurate Credit Transactions Act. This law specifically forbids the states from passing any privacy laws that prevent credit grantors from sharing consumer data with their affiliates.

But our neighbor to the north is setting a different example. Like the United States, Canada has its version of the Social Security Number. In Canada it is called a Social Insurance Number (SIN) and there are strict limitations on those who can demand to see it.

Banks, brokerage houses, trust companies and credit unions are required to ask customers for their SIN. The government uses is for tax reporting purposes. In fact, according to the Canadian Privacy Commission, an official branch of the Canadian Government, “No private-sector organization is legally authorized to request customers' SINs for purposes other than income reporting.”

Even credit reporting companies can’t demand a SIN to generate a credit report. Trans Union Canada and Equifax Canada both have the ability to generate such reports without a SIN. If you ask these same companies to generate a credit report in the United States, they both require a Social Security Number.

Companies without a need for access to a Canadian consumer’s SIN can still ask for it. They are however supposed to tell consumers that the information is optional. And they are not allowed to deny consumers services or to refuse sale simply because a SIN is not supplied.

All of this begs the question of whether or not these data protections actually help Canadians control cases of identity theft. The answer is largely dependent upon who you ask. Like Americans, Canadians will tell you that identity theft is out of control. And, just as in the United States, identity theft is the fastest growing form of financial crime. This however appears to be where the similarities end.

Canada is a country with roughly 10% of the population of the United States. Based on that figure, roughly 80,000 Canadians would have had to become identity theft victims last year for them to keep pace with the United States. As it turns out, Canada has not consolidated its statistics for identity theft. Even so, estimates are that Canada only experienced around 20,000 cases of identity theft last year. Moreover, the costs to the Canadian economy are still measured in millions of dollars, rather than the $54 Billion price tag associated with US cases.

The reason for the discrepancy is most likely due to the difficulty that would-be thieves have in getting their hands on Canadian SINs. The black market rate in Canada right now for a SIN along with a copy of a birth certificate is $50,000 CAN (approximately $30,000 US dollars). This means that to be an ID thief in Canada, you have to invest some money to get started. In the United States however, anyone can get their hands on a Social Security Number for less than $100. Experienced thieves can gain access to this information for nothing.

If the United States is serious about wanting to control cases of identity theft, perhaps our legislators should look north of the boarder for assistance. Canada may not have been able to stop all cases of ID theft, but they are far ahead of the United States in enacting policies that favor their citizens rather than caving to business interests.

by Jim Malmberg

Congress Poised to Take Control of Secure Flight
Topic: CAPPS II / Secure Flight
In the wake of public criticism of the TSA’s so called “new” flight screening program, Secure Flight, Congress appears to be poised to take on the responsibility of oversight control. Secure Flight is the successor program to CAPPS II, which was killed by the TSA earlier this year due to the public outcry over privacy concerns. The TSA has attempted to say that Secure Flight is actually a new program but the similarities between it and CAPPS II have made this position difficult to sell.

Organizations dedicated to helping maintain consumer privacy, including ACCESS, have continued to criticize the TSA and its screening programs. And Congress may be getting the message that consumers are not wild about sharing their personal data with the government or with government vendors without strong privacy protection.

Last week, both the House of Representatives and the Senate approved identical language to be included in Section 514 of the Depeartment of Homeland Security Appropriations Act, 2005. While the bill has not been enacted yet, the House and Senate versions are very similar and none of the differences in the two versions of the bill have anything to do with Secure Flight. A compromise bill is expected within the next few weeks.

The language to be included clearly states that Congress views Secure Flight as a part of the CAPPS II program. It reads, in part, “None of the funds provided by this or previous appropriations Acts may be obligated for deployment or implementation, on other than a test basis, of the Computer Assisted Passenger Prescreening System (CAPPS II) or Secure Flight or other follow on/successor programs, that the Transportation Security Administration (TSA) plans to utilize to screen aviation passengers, until the Government Accountability Office has reported to the Committees on Appropriations of the Senate and the House of Representatives that - - “. It then goes on, listing a variety of conditions that must be met prior to implementation of Secure Flight.

The items covered by the language include (a) implementation of a system of due process to appeal the denial of boarding by any passenger, (b) the TSA must “stress test” any version of the system that it plans to implement and show that the error rate is low and, (c) the TSA must implement strict procedures to protect the privacy of individuals whose data is included in the TSA’s database.

The bill clearly states that the TSA may not use Secure Flight to deny boarding of passengers during the testing period. It also requires the TSA to make exceptions to its boarding denial procedures in states that have unique travel requirements. This language was added specifically for Alaska, where a number of people who live in small frontier towns have found themselves on the existing no-fly list used by the TSA. They have filed suit against the government because they have not been able to have their names removed from the list and flying is the only way for these people to enter or leave the towns they live in. It is likely that this language will also impact Hawaii and a variety of island territories in the Pacific and Caribbean.

With the addition of this language to the DHS appropriations bill, there is a very good possibility that it will be some time before Secure Flight can actually be implemented. According to the Government Accountability Office (GAO), Congress’s investigative body, CAPPS II performed very poorly in the areas addressed by the appropriations bill. It is highly doubtful that Secure Flight will perform much better.

by Jim Malmberg