Personalization – Data Protection
Transparency, Not Surveillance
Could radio frequency ID chips and medical chipcards be the first step toward a surveillance society? IT security experts don’t think so. In fact, the new technologies could go a long way toward providing data availability while ensuring that access is strictly limited to authorized users.
Shopping with RFID technology. Tagging goods with radio chips would simplify payment, storage and logistics. But data protection advocates are concerned about privacy
Yogurt containers that tell the refrigerator they’re about to exceed their shelf life, and a refrigerator that advises us to consume such products before they expire—from a technical point of view, there’s nothing problematic about such a scenario. All that’s needed is a Radio Frequency Identification (RFID) chip. For people with a refrigerator full of yogurt, milk and other perishables, such technology could be highly practical. Some, however, see a threat to privacy through the potential abuse of such data. After all, even harmless knowledge of this type could, when combined with other information, offer an unwelcome insight into our preferences, particularly if the data falls into the wrong hands.
Many organizations are therefore calling for a more critical approach to technologies that process personal data. Each year, under the umbrella of Privacy International, such organizations present the Big Brother Awards to authorities and companies around the world. And now, data protection advocates are taking aim at RFIDs.
Rena Tangens is spokesperson for Germany’s Association for the Promotion of Public Mobile and Immobile Data Traffic. Her concern is that RFID chips in a supermarket environment will enable retailers to record not only consumers’ preferences, but also their movements. Take, for example, a customer with a bonus card who enters a supermarket. The RFID chip on the card could then radio in the customer’s location and inform the system how long he or she spends at the deli counter. Although seemingly trivial, such a scenario is unacceptable for many who are concerned about data protection.
A related concern is expressed by Markus Gildner from Siemens Business Services (SBS), who suggests that considerable economic damage could be caused if signals from RFID chips in freight containers are intercepted or disabled through interference.
Gildner, who develops complex RFID logistics solutions, believes that sensitive applications require chips with some form of encryption, such as the ones found in Siemens employee passes. Although such chips are still relatively expensive, unit costs will fall as their use becomes more widespread. This in turn makes them an option for the everyday applications that are of such concern to data protection advocates. "Ultimately, however, the success of RFID technology will depend on whether people trust it and recognize its usefulness," says Gildner.
A medical chipcard from Siemens. Sensitive data is stored in a server, not on the card
Cultural issues also play a role in whether such applications are accepted. Whereas Europeans are traditionally skeptical about technologies that can collect personal data, North Americans are more ready to see the benefits. For instance, the Jacobi Medical Center in New York is already using RFIDs (see Wristband with RFID, Pictures of the Future, Fall 2004). Alegent Health Lakeside Hospital in Omaha, Nebraska (see High-Speed Health) is also studying RFID implementation scenarios.
According to data protection advocates, the emerging electronic medical record could pose a threat to privacy. But specialists disagree, arguing that such records will actually improve protection because access to them can be easily controlled. Furthermore, the files will automatically record who has accessed what and when—something impossible to guarantee with paper files.
Secure infrastructure. The proposed medical chipcard promises to bring similar benefits for patients. The card helps to network existing IT solutions within an integrated eHealth system (see Healthy Dividends). Scheduled to be introduced in Germany from 2006 onward, the chipcard is most valuable when used to provide access to information on a patient’s medical history, including medication and treatment. Given the large data volumes involved, such data is deposited in a server rather than in the card itself, which merely bears the code required to access the data.
But what happens when cards or access codes fall into the wrong hands? According to Dr. Uwe Bork, who develops chip card solutions at Siemens Communications, the answer is to integrate appropriate security mechanisms into the infrastructure itself: "To guarantee maximum data protection, the chipcard itself must have its own operating system. This protects the codes that the card uses to verify itself and to log on to the system," he says. Patient information itself is transmitted in strongly encrypted form. Although, in theory, any code can be cracked, the one on the medical chipcard will be at least 1,024 bits—long enough to keep any current computer busy for hundreds of years to come. Moreover, patients will be expected to identify themselves by means of a PIN whenever the card is used. After three erroneous entries, the card is automatically disabled, just as with any ATM card. But unlike cash cards that use a magnetic strip, it is impossible to extract the PIN from a medical chip. If the card is lost, there is therefore no danger of data being disclosed.
The so-called connector boxes in Germany’s 120,000 or so medical practices—which will provide a link to central medical servers—might also help prevent attacks on the system. Firewalls, for example, could be erected to create an enormous virtual private network. Doctors would then have to log on with similar cards, and the system would authorize data transfers only when both cards—the doctor’s and the patient’s—had been verified together. "Of course, this kind of security procedure will also have to be certified by an independent organization such as the Federal Office for IT Security," Bork explains.
Yet secure data transfer is no guarantee of complete protection. Patients themselves must retain control of their own data. This might mean a patient need only reveal certain information to a doctor—data that is relevant to treatment—whereas in an emergency the full record would be immediately accessible. But what about server data? Insurance companies and others would love to gain access to such information. "There won’t be a central password that provides unlimited access," says Bork. Moreover, clearly defined rules will regulate who can view which information.
A Matter of Choice. Although new technologies such as RFID chips and medical chipcards offer new opportunities for data abuse, the very same research labs that developed them are busy devising ways of preventing unauthorized access. Indeed, experts point out that certain developments in fact reinforce the individual’s control over personal data (see Pictures of the Future, Spring 2003, Interview Security). Ultimately, the introduction of new technologies depends on a spectrum of social and political factors. And, as Markus Gildner explains, each of us today already determines how much privacy he or she wants: "Anyone who pays with a credit card, buys goods online or takes part in a promotional competition already discloses more information than is generally realized. And you don’t need an RFID chip to do any of that."
Andreas Kleinschmidt