[extropy-chat] RFID smartcard passports and driver's licenses

[BillK]

On Apr 8, 2005 12:31 AM, Mike Lorrey wrote:
> 
> The thing you are missing is that as RFID becomes ubiquitous, a hacker
> doesn't need access to a database anymore to rip off your identity, it
> is ALL sitting on your person in the form of chips ready to transmit
> your personal information like Kitty Kelly playing a crack whore.
> 
<snip>
> 
> Are you getting that cold sinking feeling, yet?
> 


It seems to me that what you are complaining about is the result of a
rampaging free market system. If companies can make a profit, then
they do it. The US government is tagging along years behind, trying to
play catch-up with legislation to stop the wilder excesses.


Here in the cozy, regulated Euro area, the government laws are a bit
more ahead of the game.

See Computer Weekly article this week:
<http://www.computerweekly.com/articles/article.asp?liArticleID=137741&liArticleTypeID=13&liCategoryID=1&liChannelID=2&liFlavourID=1&sSearch=&nPage=1>

Selected quotes from the article:
 From a privacy standpoint, the current simplicity of the tag's
response, which does not differentiate between requests based on
origin or identity, is a flaw. Thieves could use the tags to locate
the whereabouts of valuables and interested persons could obtain
access to another's medical records or passport details, or trace
another's spending habits or physical movements.

The implications are therefore extensive but, at present, many
concerns about RFID are largely theoretical. This is due to the fact
that most RFID applications are not yet widely deployed because they
are being trialled or because of cost.


Protection by law

In terms of protection of data and privacy, the current EU data
protection laws provide some comfort. If an application involves the
processing of personal data, which can be used directly or indirectly
to identify an individual, that application will be subject to certain
core data protection principles contained in the Data Protection
Directive (95/46).

These principles include requirements of fair and lawful processing,
retention of personal data for only as long as necessary and
collection of data which is relevant and not excessive for the
purposes it has been collected.

A further requirement is informed consent, which means in many
circumstances the details of how the information in a RFID tag will be
used will need to be made clear at the outset.

In addition, the requirement of fair and lawful processing is broad
and means that manufacturers and deployers of RFID tags would need to
label those products containing tags, provide information on how to
disable or remove the tags and inform consumers when RFID readers are
within range.

End quotes.


BillK