1. RFID and Public Policy Elliot Maxwell Fellow, Communications Program, Johns Hopkins University and Distinguished Research Fellow, Pennsylvania State University

2. Why Care About Public Policy? RFID is being developed in an environment where privacy & health issues are critical Widespread Adoption Public Acceptance

3. benefits issues + = wake up call widespread adoption

4. Why Care About Public Policy? regulation/legislation public unease inconsistent regulation/legislation: deployment costs $$$ -California -Utah -Massachusetts -Portugal

5. Why Care About Public Policy? Policy issues unavoidable privacy community already engaged forums for debate multiplying New uses—contactless cards, mobile phones Poor implementations- Cal.school, passports Reputational costs of policy failures are huge Doing nothing is not a viable option

6. Existing Laws and Regulations Will Affect Implementation Health rules re: exposure to radio waves Existing Laws and Regulations EU Privacy Directive U.S. Federal Trade Commission Act Japanese Law for the Protection of Personal Information U.S. state consumer protection laws Labor laws and employee contracts Regulations re: radio frequency spectrum Implementation

7. What We’ve Learned So Far Little privacy concern until RFID reaches the consumer “Welcome, Elliot.”

8. What We’ve Learned So Far Consumers perceive threat Information gathered about themselves without their consent and linked to personally identifiable data Post-sale targeting and tracking using RFID Growth of surveillance infrastructure Government access to data Companies want to protect competitive information Employees fear job loss Health impacts unknown

9. What We’ve Learned So Far Many issues aren’t new - there are good policy precedents Customer loyalty cards Fair Information Practices Deactivation options critical But could jeopardize post-sale benefits Clear notices and straight forward consumer education are needed Customer Loyalty Card

10. What We’ve Learned So Far Post-sale issues are new technological fixes are being studied Post-sale consumer and societal benefits are not well understood returns, warranties, recycling, support for disabled, identifying counterfeit pharmaceuticals, ensuring food safety, minimizing medical errors, monitoring the elderly Will take time/effort to build infrastructure for these uses

11. Technical Privacy and Security Measures Can Play an Important Role Issues Tradeoffs in functionality/size/cost Who bears the burden? Impact on post-sale benefits Solutions Kill command Partial kill/on-off switch Randomization and deserialization Encryption Authentication Blocker chips/scanners Database access controls Aggregate data/anonymous data mining

12. Recommendations Be proactive, not reactive Privacy and security by design Use Fair Information Practice as a road map Clear and understandable notices Choice for consumers re. information collected and retained Provide choices for consumers regarding disabling/turning on-off Support the development of technical solutions for post-sale issues

13. Recommendations Consumer education and involvement Industry codes including mechanisms for responding to concerns and enforcement Continue policy outreach/development (health, spectrum, etc.) Help stimulate infrastructure for societal benefits Maintain open standards to allow continued innovation

14. For further information contact: Elliot Maxwell emaxwell@emaxwell.net