The Social Implications of Radio-Frequency IDentification

Moderator, Mr William Herbert, USA

Dr Katherine Albrecht, CASPIAN, USA

Professor Roger Clarke, Xamax Consultancy, Australia

Professor Rafael Capurro, IRIE, Germany

Dr Mark Gasson, University of Reading, England

Mr Amal Graafstra, RFIDToys, USA

Expert panel hosted at IEEE ISTAS13 on the 8 June 2010 at the University of Wollongong



William Herbert: Good afternoon everyone. My name is William Herbert, and for identification purposes only I am the Deputy Chair of the New York State Public Employment Relations Board. You may be wondering why am I here.  In fact, my scholarship has been involved with issues involving RFID, GPS and other forms of technology, as a legal perspective.  I was asked to moderate, I think partially, this panel because of my background in labour relations, in which we have conflicting views frequently in labour, and my agency’s role is frequently brought in to try to bring some kind of bridges between varying positions on issues, at least in the workplace.  We have over the past two days been very fortunate to hear very diverse viewpoints on the issue of RFID.  And I thought it was appropriate that we try to bring those diverging voices together in seeking to bring some degree of bridging of these different ideas to try to aim towards bringing some degree of harmony about a perspective, or at least the first steps towards that perspective.  As Roger Clarke mentioned earlier in his talk, there is a need for this kind of dialogue and I think this panel will be a very good first step or second step in that process.

So the question I'm going to be asking for the panellists today is: can societies develop a balanced response to radio-frequency identification (RFID)?  And when I use the word RFID, I'm discussing both the technology, not limited to implants, but just the technology itself.  So with that question, I'm going to first ask Roger to discuss whether societies can develop a balanced response to RFID technology.

Roger Clarke:  Yes. What I normally do when I start a presentation is to say, “I'm actually an e-business consultant.  Oh, and I also do some research and I'm also an advocate.”  And, so it’s easy for me to say I've been in the IT industry 40 years.  While there are technologies that are designed for evil purposes, to blow people up for example, the vast majority of technologies in the information technology arena are not inherently evil, or indeed inherently good. It’s what we do with technology that matters- it’s the framework, the context, the value systems.  So, the word “balance” is a good one.  There are good applications of RFID tags.  The one that I'm not sure whether everyone will completely agree with me, but the example I frequently use is of RFID in the supply chain, up to the retail shelf… I have a lot of trouble thinking of evil or bad if they can make that work. But from there onwards, I get very, very concerned about it.

William Herbert:  Well, let me follow up with you on the question of the accumulation of data and ways in which you can have a balanced approach on the issues of who controls the accumulation of data and the means by which that data can be then utilised for potentially evil purposes.

Roger Clarke:  Well, I've actually gone beyond that now, because I spent the 80s and 90s on working on data surveillance, and now I believe we’ve reached a point where we have to start saying “no”.  We actually have to build in forgetting into our systems and I think that’s a new departure that I’d never argued in the 1980s and 1990s.  We are now collecting a huge amount of data just in case and we have got to get out of that mentality.  We have got to talk about data destruction, data destruction at the earliest available point, and non-collection.  That is to say, in sensing of data, extraction of that which we might happen to need is part of the processing but the rest we should let go of in the buffer. And so there out it’s gone, been flushed by the next transaction that flowed in and we’ve retained that, which we have demonstrated we have a justification for collecting, and we’re only holding that as long as we’ve got the clear justifications.  We’ve got to get rid of this “just in case” mentality.  We’ve got to teach our technologies to forget.

William Herbert:  Raphael, you discussed yesterday the Article 8 of the European Convention of Human Rights and developments in Europe on the issue of data collection.  I was just wondering what your response is to Roger’s point about the idea of having data that would then essentially disappear and as a means of developing architecture aimed at avoidance of collection of data from RFID sources.

Raphael Capurro:  May I say first that I agree completely with Roger- that good or bad are not properties of things; they are second order categories that we apply to things with properties; not properties of things.  So they are a product of relations between humans and the world and so on.  So they depend on the context.  This is my first answer to your question. The second thing is the number or the amount or the quantity, of these products we are now putting into the market.  I remember the case of cars 100 years ago.  If you have one car, okay, then you don’t need car regulation, but if you have thousands or millions of cars… it happened very soon in Europe that we had to regulate cars, and streets, and so on.  So I agree, again, with Roger that we need probably very soon legal regulations with respect to RFID.  Every technology changes the relationship between humans and between humans and the world.  So no technology is neutral…so something is changing when we create a new technology, the way we are.  So no technology is neutral.  It is not just a question of bad or good use; it is a question that it changes something of our self-understanding, for good or for bad.  So the question of dual use is a secondary question. 

And my last remark is about the opinion of the EGE concerning the use of these kind of devices with regard to acceptance by a court.  This is a speculative case because it is only related to implants as far as they theoretically could be part of an honour system used for surveillance in non-medical settings.  So you know there are a lot of “ifs”, and one important if is that, as far as I know, it is not possible, but please correct me if I am wrong, physically possible, to have implanted devices that can be part of an honour system, say, of hundreds of thousands of kilometres, because the signals going out and into your body will destroy your body.  So this is what I heard some years ago when we discussed this in Brussels, and so this is why this is science fiction, if you want.  But we wanted when we wrote this, we wanted to include this possibility, just because you never know if an engineer finds some way of, you know, in which this kind of system would be possible.  So in this case, only in this case, when you have implants, part of an honour system, for surveillance purposes in non-medical settings, in this and only in this case we said, we didn’t say “no” at all, we said in this case then with the approval of a court.  Okay so this is just an extreme possibility, okay?  In all other cases, we were a little bit, how could I say?... reluctant with regard to surveillance purposes.  But I think that in the case of medical situations, this can be useful and even in the case of non-medical uses.  But the main point we made from an ethical point of view was the question of how invasive the systems are, and if there are less invasive methodologies, for instance, a cell phone, then you’d use that, and so on.  So you see, this is, I still think this is good thinking.  I still think we are not necessarily obliged to use, you know, the whole society, these kinds of invasive technologies.

William Herbert:  Mark, I know you presented the work that you're doing at the University of Reading. I'm just curious: in terms of the work that’s being done there, is your work being done in conjunction with ethicists or people who are studying the issue of RFID and that type of technology, as well as implants, and sort of joint work that is being done, for example, in bioethics? 

Mark Gasson:  Yeah.  I mean, we’ve been involved with several large-scale European projects which are interdisciplinary, because we’ve appreciated for quite some time the benefits of talking to other people outside our own discipline.  Thinking in a very blinkered way is extremely limiting.  So yeah, I mean, certainly we work very closely with legal, ethical, social scientists, but I think the problem with RFID is that it tends to get enormously bad press because the fundamental limitations of the technology are exaggerated.  The idea that you can globally track someone through an implanted RFID tag is fiction.  You could put a reader by a doorway, and if I had an RFID tag and I walked through that doorway, you could read a number.  Well, okay.  You could potentially collate information about when that tag walked through that door, passed through that door, at certain periods during the day.  You could collate that information over months, but actually what use is that data?  It certainly doesn’t necessarily link explicitly to me.  You may be able to data-mine to some degree in order to work out it’s me, but actual, what actual value is there to that?

William Herbert:  In terms of the work you're doing with these, with other disciplines, how is that, the approach from the legal perspective or the ethical perspective, affected your testing and your modelling in terms of the programs that you're doing at the University?

Mark Gasson:  Well, we’re particularly interested in the limitations of the technology.  So what we tend to do is explore the potential applications that they have and then feed this information into the other groups.  So it’s through this mechanism that that goes on to then potentially feed into legislators and other stakeholders.  So through those mechanisms, we’re exploring what is possible.  We’re not necessarily saying, “Well, this is possible and therefore we should commercialise it and there should be a technology that's used in this application.”

William Herbert:  What about Roger’s point about there being always the potential for misuse?  And have you structured any kind of way of examining that?

Mark Gasson:  The problem is, with a lot of technologies, that there's the possibility of function creep.  So if something like RFID that, if you're using it in a warehouse tracking scenario, as Roger was saying, then it has a perfectly valid and safe application.  It’s when the RFID tag isn’t disabled and then it goes out and is used by the people, it may be in their clothing or in their shoes, because it’s then a legacy.  It’s left in there from its previous use.  So that sort of function creep phenomenon isn’t unique to RFID, but certainly there are valid privacy concerns which do need to be addressed, but they need to be addressed in the context of what the reality really is.

William Herbert:  Well, a question I have is then how you expressed concern about the press that the technology is getting.  Do you agree with Raphael that technology is not neutral?  Roger expressed that technology is inherently neutral; it’s just a matter of, the manner in which it’s utilised.  I think Raphael takes a different perspective on that.  What’s your perspective?

Mark Gasson:  I take the perspective really, certainly from our research perspective, that the technology is neither inherently evil, and it’s not inherently good.  It’s how you then go on to apply that technology.

William Herbert:  Now, in terms of your point about the concerns about the way RFID technology is perceived through the media, what steps would you conceive would provide a more balanced presentation of information?  What would be the means to get that information out to the general public to have a more balanced perspective?

Mark Gasson:  The problem is, in part, is that it’s the sensational stories that really capture the imagination, and to say, “Well, basically there are these implants, these RFID chips that you may end up having implanted or you may end up carrying around.  And there's all these problems and it’s going to cause you an enormous amount of privacy, invasive security issues.” Those are the stories that actually the media is more likely to pick up and perpetuate.  So actually I think it’s a very difficult issue.  But certainly if you look in the UK, we’ve got an enormous problem with CCTV cameras.  We’ve probably got more CCTV cameras in the UK than just about any other country on the planet.  Now, this has been discussed quite readily in the press and it really is a problem.  If it’s surveillance on a 24/7 basis and you’ve got automated technologies which can capture your image, there's facial recognition or gait recognition.  It can work out it’s you, where you’ve been, what you’ve done.  There’s an enormous amount of data-mining that you can do there.  In comparison with the problems that we currently have with RFID, that far outweighs the privacy invasiveness of the RFID technologies that we have at the moment.

William Herbert:  Katherine, I know you’ve expressed concerns not just simply about implants but also about the use of RFID technology in general.  So the question I have for you is what means can you see society applying a balanced approach to that technology?

Katherine Albrecht:  I think it’s interesting, because I've been working on this issue since 2002, when I first discovered the Auto-ID Centre at MIT, and it was in 2003 that a group of civil liberties organisations, over 40 of the world’s leading privacy advocates and civil liberties groups, got together and we drafted a document, the Position Paper on the Use of RFID in Consumer Products.  And one of the things we did, and this was the ACLU, this was EPIC, EFF, Privacy International in the UK etc …What we looked at were the applications that we considered to be acceptable uses of RFID, and those that we considered to not be acceptable.  And it’s very interesting that since that time, we have seen RFID where we said, “Go ahead, use it in the back room.  Use it in the warehouse.  Use it in a supply chain.  But when it gets to the point of human beings, that’s where the line needs to be drawn.”

William Herbert:  So the question …

Katherine Albrecht:  There was a pretty universal agreement among those 40 different organisations and individuals that the use of RFID on human beings, to track people, was inappropriate.

William Herbert:  So you're saying then that this group of civil liberties groups took the position that all forms of using RFID with humans should be prohibited?

Katherine Albrecht:  That was the position that was taken in 2004.  And that-

William Herbert:  And is that your position today?

Katherine Albrecht:  Well, that was the position not only of CASPIAN, but that was the position of-

William Herbert:  Is that your position today?

Katherine Albrecht:  It is, but if I could finish my point, that was not only our position; that was also the position of the RFID industry itself.  So EPC Global’s, Kevin Ashton, one of the primary developers of this technology, pretty much everybody across the board who was promoting RFID as a technology at that point, said that they were in absolute agreement.  And in fact, they publicly stated, and you can see this on television and news articles, that they said, “Absolutely, this is only for product tagging.  We’ll never use it for tracking people.”

William Herbert:  So let me just ask you, in terms of this group that you're describing, so for six years, they’ve been advocating prohibiting the use of RFID for entry and exit monitoring in workplaces?

Katherine Albrecht:  I guess I'm trying to make a slightly different point.  And the point that I want to make is maybe the function-creep point that’s been made several times, which is that you can have a point at which even the proponents of the technology say, “Here’s where we draw the line,” and then a year or two goes by, three or four years go by, that line moves.  So I think it’s a moving target.  I don’t know that we can reasonably say at this point whatever restrictions this group or any other group agrees to put on RFID.  I don’t believe that it’s going to stop there because I've watched it not stop there before.

William Herbert:  Okay.  So I just, what would be, right today, what would be your position about a balanced approach to the use of RFID in dealing with humans?

Katherine Albrecht:  I’d probably stand by my earlier position, that RFID is dangerous for use on human beings.

William Herbert:  Period?

Katherine Albrecht:  Should not be used on human beings, correct.

William Herbert:  So that would be inclusive of RFID on tags in entering and exiting …

Katherine Albrecht:  Correct.

William Herbert:  … premises?

Katherine Albrecht:  That’s my position.

William Herbert:  Okay.  Amal, you take, I think, a different perspective on that, and I'm just curious… you're someone who’s taking sort of individualism to a new stage in terms of your approach to RFID.  What would you see as being an appropriate means of balancing your personal desire with a societal approach to developing public policy in the area of the use of RFID with respect to humans?

Amal Graafstra:  Well, actually, I’ve been talking with Mark Gasson a little bit about the body integrity laws in the EU, and I think they’re interesting, that a human has a right to do whatever they want with their own body… that premise.  That concept is really interesting.  I'm kind of sad to say that we don’t have that, not that I know of anyway, in any capacity in the US.  I think that beyond that, when you start talking about, you know, technology, a balanced approach to the technology, I think there is a lot of great uses that it can be used for, even with humans.

William Herbert:  I’m just curious, do you see any rule in regulating limits about the use of RFID by individuals like yourself, or anyone else?

Amal Graafstra:  I would say in a do-it-yourself context, in a non-commercial context, I don’t think there should be any limitations.  I think people should be free to experiment with their bodies in much the same way there are piercing artists or tattoo artists are, you know, applying their craft, so …

William Herbert:  But in most states in the United States, body tattooing is regulated. 

Amal Graafstra:  Yeah.

William Herbert:  So I'm just curious whether or not you would think that, just like body tattooing is regulated, that piercing your body to take an implant should be subject to regulation as well?

Amal Graafstra:  Yes, I think the medical, the procedure of receiving an implant should be regulated, just like any medical procedure.  But the technology itself, I think for the individual and individual’s use, I don't think that should be prohibited.

William Herbert:  So would you be supportive of licensing of people, doctors, to, in terms of people who are going to be doing the implants?  Just like tattoo artists can be licensed in some states?

Amal Graafstra:  I think the concept of licensing to perform the procedure is interesting.  I think that probably doctors are already licensed to do that.  They, you know, perform different various, you know, birth control implants, things like that.  I think their licensing question could be extended to piercing parlours and things, because there has been a lot of confusion in that arena as to whether or not they’re legally able to do this procedure.

William Herbert:  So you support that form of regulation? With respect to who is the one providing the implant?

Amal Graafstra:  Right.  I mean, in today’s world, it’s a confusing time for people that do want to experiment with this technology in themselves.  So yeah, regulating it I think is a good idea.

William Herbert:  Katherine, I think you would agree with that, that at least the minimum, that would be something that you would support, which-

Katherine Albrecht:  I would actually take the opposite position.  As a libertarian, I believe you should have the right to do whatever you want and no-one has the right to regulate or get involved or legislate about that.

William Herbert:  See I thought this was one area where you would agree, but okay.  So from a libertarian perspective: you support the notion of free-

Katherine Albrecht:  Amal, can do whatever he wants.

William Herbert: … he wants to do.

Katherine Albrecht:  He can take a tattoo, he can cut off an arm, he can do whatever he chooses with his own body.

William Herbert:  Okay.  Now, the next question I want to move towards is the question about developing a knowledge base to examine the means of regulation and how this society can approach this problem of conflicting information in the society to develop a framework for having a discussion about regulation on some form with respect to RFID, and I’d like to start with Roger, because I think Roger started talking about that towards the end of his presentation.

Roger Clarke:  Yeah.  It’s certainly essential that professionals take the responsibility to inform the public, so we’ve each got to be writing the papers that are for this kind of a conference, but also for the next level, so the intelligent, interested, educated public, and we’ve got to be prepared to go that bit further and reach out to the great unwashed public who aren’t going to understand the long words and get some simple 15-second grabs out there on television.  But we’ve got to go further than that.  We have got to not just look at each technology in isolation.  Now, that’s my difficulty with Mark and Amal’s position in relation to this proposition that global tracking with RFID is nonsense.  Well, by itself, the technology doesn’t achieve global tracking.  That’s quite clear.  For starters, you’ve got to have readers.  But there's a very simple structure whereby RFID tags do provide a global, a widespread tracking mechanism.  You have got to look at the technology within a context of other technologies, within a context of other social institutions, within a context of other existing databases. 

William Herbert:  So you're now moving more into a question of data collection, going back to your position about the need for the data to disappear through the architecture of design?

Roger Clarke:  That’s going to be one measure that can be taken that will be a big contributor to overcoming some of these problems, but the point I'm making here is that in informing the public, it’s not just the technology, on what range, with how many megahertz and what size is that thing and does it actually hook itself into a location within the body or does it wander?  We need all of those things about the technology, but we need to also put the technology in a context and say that, “You do realise that this intersects with all of the registries and all of the databases, and all of the multiple systems that are capable of picking up signals from this highly promiscuous device?”

William Herbert:  When you referred to professionals getting together, just curious; what professions do you view as being appropriate to be at the table, to have this discussion?

Roger Clarke:  I’ll answer it from an Australian perspective, because it’s easiest that way.  In Australia, there's a couple of engineering organisations, IEEE and IEAUST, and the Australian Computer Society (ACS). And they’re the front three that come to mind in our particular context.  Now, each of the countries has a rather different structure of professional bodies, so in the United States, the ACM isn’t quite the same as the ACS and the BCS.  But it’s those sorts of organisations, plus the engineers.

William Herbert:  Okay.  So, in addition to those professionals, what about advocacy groups like Katherine’s organisation or something similar in Australia to get together and work with the engineers to hear from advocacy groups, concerns about the technology, as well as lawyers, ethicists, people who may not know the technology per se but can add value to the discussion?

Roger Clarke:  Absolutely.  I'm currently chair of the Australian Privacy Foundation. It is absolutely crucial because there are people in the Australian Privacy Foundation who bring a very different perspective to the one I bring, which is an e-business, IT, 40-year professional perspective.  And there are other people who come to it quite differently, and their voices must be heard.  And they sometimes disagree with mine and I have to crawl away and let somebody else do that bit, it’s important.

William Herbert:  Katherine, your organisation, you explained the proposed legislation that you're advocating for, but I'm just wondering, what other professionals do you bring into the discussion as a part of your advocacy to educate the public in terms of discussing with people with legal backgrounds, with philosophical backgrounds?  Is that a part of your organisational structure, to have those different voices spoken before the organisation comes out with a position?

Katherine Albrecht:  Well, as I mentioned yesterday, we’re putting together an organisation to deal with a very specific issue, which is microchip implants in pets.  For that, we’re looking to bring together pathologists, veterinarians, policymakers, people concerned with animal health, hopefully some folks from IEEE.  So obviously when you're creating a new venture, you're looking at all of these kinds of voices.  I would say something like what you're discussing.  I’d like to see historians, philosophers, politicians, lawyers, advocates, I mean, a whole group across the board of people involved.

William Herbert:  And Raphael, I know that in Europe there's the, under the privacy directive, there's the the Article 29 Working Party.  Are you familiar with that?

Raphael Capurro:  A little bit.

William Herbert:  Okay.  Well, in terms of the work that you’ve done with the European Commission, what’s the interaction between, you described yourself working with someone from Italy who has a legal background.  What other voices were heard as you were developing your program, your Opinion?

Raphael Capurro:  Well, we are a multi-disciplinary group, a European group on ethics, so biologists and philosophers and lawyers, theologians and so on.  So there were many voices, but we invited also many experts and so on.  And so we had workshops and open forums..  But it was five years ago, so things change very quickly in this field.  And I think there is no absolute liberty; there's always a question of where to draw the line in specific settings and cultures.  I don’t think this is a, just a universal technology that can be applied, should be applied equally in all cultures, just because people are different and the settings are different and the risks are different, of misuse and so on.  So I think it’s a complex issue.  And also because the question of regulation is not just a question of legal, it’s also a question of moral, it’s a question that I decide for me to use it or not, if law allows this.  And so it’s a question of how much freedom we can allow in our societies, because there is no absolute freedom from nothing.  So it’s just a question of how free individuals in society want to be.  In consideration of the risks, of the issues of control, of surveillance, of bad guys, or bad guys events, and whatever it is we are confronted with.  It’s a complex world, so-

William Herbert:  But in light of globalisation and the fact that we’re all here, many of us travelled very far, we know each other’s works through the Internet, isn’t there going to be, at some point, a need for more of a uniform approach to these questions?  Because for example, if there's a country which prohibits someone voluntarily putting in an implant, he may not be able to get into that country.  This is one example.

Raphael Capurro:  Yes, interesting because we’re discussing this now in Europe, for instance, this body scanning in airports.  And for instance, okay, you're going to some place and want to go to the airplane and they say, “Uh uh, sir, you have something inside.  Either you take it out or you're not allowed to go there.”  So I think there should be an international discussion about this, because if you say, “Okay, we in the States do this and do that, and you in Europe do this and do that.”  And these are not in some way connected, then we’ll have chaos.  So we need some kind of standards about this, basic standards.  And then we need a deep discussion on the application, free application, also free in the sense of legal regulations, dependent on different cultures and different, how could I say, feelings of people with regard to this… because I am half as European, and Latin American European…  So I think it’s a very, you know, the body is something extremely personal, right? I am probably more conservative.  But others are different. So it’s really a very complex thing and I don’t see a possibility of taking a general, you know, kind of standard for everybody and decide it. 

But on the other hand, we have to do something if in case this technology, whatever this technology is, because it’s so complex, it’s not just the implants, but everything we’re using.  And we are seeing this now with the Internet and with all these kinds of technologies we have, cell phones and all these kind of things, robots and bionics and so on.  And I have no simple solution for all these questions, and I think nobody has these.  And this is why I think the most important thing is to keep tracking this discussion internationally and inter-culturally, and this is a start, this conference, I think.  And not fixing positions dogmatically.  That’s the worst thing we can do.  And don’t be afraid.  I think the only thing to be afraid of is bad counselling.  But don’t be naive, of course, again.  So sorry, I have no more solution than that, but I think this can help us to open, to be open to different solutions.

William Herbert:  Mark, and you were describing before you're working with multi-disciplinary structure.  Just wondering whether or not you can envision, in light of your background lab work that Professor Warwick and you are doing, that, for bringing in other disciplines to work together… What perspective do you have on that?

Mark Gasson:  Yeah, I mean, I think there's great value in doing that, but I think when you start a discussion like that, you can’t start from the perspective of, “this technology is fundamentally wrong, implanting it in the body is fundamentally unacceptable, and therefore we can’t do that.”  That’s not a tenable position to start from.  So we have to be realistic.  I mean, certainly the implants that Amal has, and there are probably 200 or 300 other people around the planet that have this sort of implant …

William Herbert:  What, when you say, you use the word realistic, so I just wanted to follow up; what do you mean by realistic?

Mark Gasson:  Well, I think you have to start from a sensible position.  It’s like saying, “Okay, mobile phones.  You can track someone using the mobile phone, therefore, we should all get rid of our mobile phones.”  It’s completely unrealistic.

William Herbert:  I'm not asking the position where someone comes from asking sort of the professional groupings that would be appropriate at the table, to try to develop a consensus about an approach to moving forward.  How you would envision that kind of dialogue?

Mark Gasson:  I think that sort of discussion has to happen between the people developing the technologies, the people that are looking to commercialise the technologies, certainly a lot of the research is driven by commercialisation.  The legislators, we tend to find that there needs to be a flow of information to the policymakers because largely, they don’t understand the technologies and the implications of using and developing the technologies, and the ethicists who are active in the area of technology as well.  I mean, this is a good base for sensible discussion.

William Herbert:  Well, one, I mean, one of the balances that are inherent in this is a question between marketing and regulation, between commerce and regulation.  And you had mentioned that commercial ventures are sort of supporting some of this research.  In light of that, and that’s also turning to the bioethics field as well, but the difference is in bioethics, it seems that there has been far greater concerns and more proactive steps taken in that field.  And I’d like to know whether you see an ability to move from that model in which bioethicists are raising the issues simultaneously with the development of technology.  Do you see that as being something that could work in terms of the research that you're conducting right now?

Mark Gasson:  To some degree, but the type of research that you're talking about there is stemming from some very fundamental research paradigms which people are finding very difficult to cope with anyway.  So for example, stem cell research.  There’s a lot that feeds from that fundamental research, so to say, “Well okay, we need to question whether we should allow that,” when we’re looking at engineering, we’ve got a broad range of technologies that are being developed and a broad range of contexts using a broad range of different research agendas.  The problem is that it seems to be a continual chase to point the finger at the one that actually we should be concerned about now and RFID seems to be the one that currently people are finger-pointing and saying, “Right, well okay, this is the one that’s going to cause us privacy concerns and security concerns, and therefore the one that we need to legislate.”

William Herbert:  Well, you know, the other area where there's been ethical analysis given before the research was conducted is the area of genetics.  The question in the area of RFID is how comfortable you would be with that approach being done now that we know that there is an issue out there in terms of the public, whether it would improve or aid your research to have that kind of dialogue going on simultaneously with your research.  And the understanding that, of course, the ethicists may have a very different perspective from your research and your approach.

Mark Gasson:  Yeah.  I think there is a lot of value in that, but the commercialisation of these technologies is a long, long way down, a lot further down the line than the other technologies that you're talking about- the genetic engineering technologies.  So we’re looking at a technology which is already commercialised, which is already in this room in a variety of contexts.  So to say, “Well, okay, actually we may need to wind back a bit and we shouldn’t be using it in this context,” I think that’s a very difficult position to take.

William Herbert:  Well, we’re discussing RFID generally, but I guess the issue then comes with respect to implants and ethics.  And Katherine, what was the number of people who had implants in the United States?  You gave that number yesterday.

Katherine Albrecht:  Well, it depends.  If you trust the VeriChip Corporation’s numbers, they claim that about 2,000 people worldwide have been implanted.  I know that they tried to implant 200 people at an Alzheimer’s centre and they had about 50 people enrolled in a clinical trial.

William Herbert:  So maximum as far as the information you have is 2,000 people worldwide?

Katherine Albrecht:  Yes, that’s the maximum that I know.

William Herbert:  So it’s relatively fresh issue in terms of marketing.  So the question then comes with respect to RFID implants, whether or not there’s a way of developing this through the IEEE SSIT society or in other forms for there to be discussions with lawyers, ethicists, tied to questions about what happens when it gets rolled out in the commercial field.

Mark Gasson:  Yeah, but we also go back to the idea that, as Amal was saying, that the right to do what you want with your own body, if you want to implant an RFID tag, then I don’t see why there should be legislation that stops you from doing that.  I think that’s what you're talking about …

William Herbert:  I was asking you more about ways in which to have a dialogue over those issues to hear from various experts in the field, rather than allowing for regulation to be developed out of context. 

Mark Gasson:  Well sure, but I think these discussions are happening.  Certainly the European projects that we’ve been involved with, the topic of RFID in general is heavily discussed, and the specific applications to implantable RFID tags is largely discussed as well.  So I don’t think that there's a void of discussion from these disciplines.

William Herbert:  Well, could you just give us some examples in terms of organisations that are working in that field?

Mark Gasson:  Well, largely we’re looking at academic institutions involved in these European projects.  So there are a range of, there were 24 institutions across Europe involved in the last European project that we were involved with, and that includes some enterprises, some small and medium-size enterprises as well.

William Herbert:  Are you involved with the Internet of Things, the project tied with the questions of applying RFID generally?

Mark Gasson:  We’re involved with it in the context that our research falls under that category, but there are some very specific groups which are discussing that specifically.  But I think the Internet of Things is just another label that’s really applied to a technology which can become ubiquitous.  And RFID being cheap enough, it really is that technology.

William Herbert:  With respect to the EU and the EU has the data privacy directive, and also it has the Article 29 working party.  Have they issued reports on the question of privacy in RFID?  How much of their work has influenced your work?

Mark Gasson:  Well actually, I can turn that on its head.  I know that our work has directly influenced what they’ve been doing, so we’ve been directly feeding into those groups.  So on those levels, there's already interaction.

William Herbert:  Amal, in the United States, there isn’t very much dialogue on RFID, as hard as you try and Katherine tries.

Amal Graafstra:  Oh, probably not as much as you’d hope to have.

William Herbert:  Right.  Now, as an advocate for RFID implants, how would you see as being a means of developing a dialogue within the States on this issue, factoring in Katherine’s organisation which takes a very strong position against implants, in trying to develop some kind of a balanced viewpoint towards this technology?

Amal Graafstra:  Actually, I don’t know that I would call myself an advocate of RFID implants.  I would definitely call myself an advocate of personal use of RFID implants.  I do have concerns about commercial use and commercialisation of implantable technology-

William Herbert:  What are those concerns?

Amal Graafstra:  Much the same concerns that Katherine has.  How do you control the data?  How do you control consent?  What happens to the data after it’s been collected?  You know, that’s why I think that any balanced approached to the technology should include legislation or a legal means of recourse for controlling, you know, what happens to your data after it’s collected?  How is it used?  Is it sold or migrated?  And then, you know, Roger’s case, he was talking about building in forgetfulness into systems, and I think that has validity.

William Herbert:  Katherine, technology moves rather rapidly and the law moves much slower… can you think of a means by which societies could develop an approach to regulation with would allow for the regulatory process to move at a faster rate to match the speed by which people like Kevin and Mark do their research?

Katherine Albrecht:  Well, part of the problem with that approach is the only people who really know about RFID are the people who stand to profit from it, the people who are developing it, the people who are the proponents of RFID, outnumber probably 10,000 to one the number of people in the general public who might oppose the technology if they understood more about it.  So I think it’s difficult, whenever you get into a regulatory framework environment, particularly in the US and probably the same in Australia and elsewhere, that the people who come to the table to have the discussions tend to be the people with the very strong agenda in favour of whatever that is.

William Herbert:  Well, how could you change the regulatory paradigm then?

Katherine Albrecht:  Well, I think it would be very challenging to try to do that because, you know, as I've been trying to educate people about this issue for eight years now, people don’t know about it.  And again, you know, I go to testify before a state level body, for example, who might be considering legislation about this.  I walk into the room and there are 15 lobbyists who have been flown in from all over the country at great expense, and then there’s me. So, you know, I would be concerned about any kind of a framework like that being put together, developing policy right now, because the funding is all on the side of the people who want to see less restriction, more, even government funding.  We had this come up back in 2004 where, within the United States, there actually was the General Accounting Office (GAO) that actually sent out a letter to government agencies asking them to spend taxpayer money on ways to enhance, increase and further the RFID industry.  That was within my own government.  So how can I trust those folks to have an honest discussion?

William Herbert:  When you were testifying at various state legislatures, were you testifying in favour of regulation or against regulation?

Katherine Albrecht:  We, well at that point, we were testifying in favour of simply labelling on products containing RFID: shoes, shirts, etc. That-

William Herbert:  So that’s a form of regulation that you would support?

Katherine Albrecht:  That’s pretty much the only form of regulation that we’ve ever called for is labelling so that people have, well that and then for implants, the ability to say “no,” and not been penalised for saying “no”.

William Herbert:  Roger?

Roger Clarke:  In order to get a process to work and to get institutions to reflect information, we need just a couple of simple laws, and after that, things flow.  And the simple law is thou shalt assess, and in the process of doing assessment, thou shall provide information and thou shalt consult, and thou shalt consult all the more widely the more complicated and difficult the technology and its implications become.  Now, we have lots of precedence for this.  Environmental impact assessments have been around for a long time.  The US and Europe used to do technology assessment quite well in the 70s.  It died.  The Office of Technology Assessment was one of the great institutions of the United States, and it died.  Now-

William Herbert:  And let me guess which decade it died in.

Roger Clarke:  Yes.  Look, switch hats again.  I'm an e-business consultant, but about 20% to 30% of my work has been in privacy.  Privacy strategy is hard to get organisations to do.  I try to do that.  But what I can get organisations to do is privacy impact assessment built on all those principles.  Now, take a simple example.  Let’s get it away from implants, because that’s down at the bottom right-hand corner of my diagram.  Let’s get a simple one.  RFID tags applied to road-tolling.  What have we got here in Sydney?  What have got here in Melbourne?  What have we got here in a range of other places?  As a result of the way it’s been done, we’ve got the denial of anonymous travel because of the way they implemented RFID, active RFID tags, rather than simple passive ones, but they just implemented it.  They wanted to get rid of the cash booths and they didn’t want to do anything complicated or think hard about the way in which people would load up or settle up on the bill or pre-pay the chip.  They didn’t want to think about that.  They did no assessment, they did no consultation, and as a result, we’re, well, I pay by cash because I send cash through the mail and break the law and they’ve never called my bluff because they know who I am.  I'm waiting for that court case, because they deny anonymity.  Now, what, roll it back, what should we have done?  We should’ve had a requirement that they do an assessment, provide information to the public about what’s actually going to be going on here, invite and bring in consultation from multiple perspectives, and then it would’ve been apparent to all concerned.  And at the beginning, it would’ve been really cheap to have designed an anonymous option for road transport.

William Herbert:  Well, the question is, in the United States, we do not have privacy commissioners.  In Australia, you’ve got privacy commissioners, in the EU, and in Canada, there are privacy commissioners.  Isn’t a privacy commissioner’s office the appropriate place for those kind of privacy assessments?  Without getting personal?

Roger Clarke:  Without getting personal, we have ample empirical evidence now that privacy commissioners have not been an effective mechanism to achieve that consultation.  They have been used as shields by government agencies and in those jurisdictions where they relate to the private sector, they’ve been used as shields by the private sector.  They’re part of the bureaucracy.  They should exist and they should have more powers than they’ve got, particularly in Australia, but they are not a substitute for that process.  The privacy impact assessment process is needed and the privacy commissioner is merely one of the players.  They’re the bureaucrat that knows the Act and, to some extent, reflect the other bureaucrats’ interests and, to some extent, reflect the interests of the public, but not usually much.

William Herbert:  So have I heard you correct? Do you agree with Katherine’s perspective that trying to get regulation through a governmental process is filled with problems because of the influence of lobbyists from the commercial sector?

Roger Clarke:  That I agree with.  I'm not a libertarian.  So I have a stronger belief in regulation and the responsibility of governments to regulate.  I'm also a professional and I also like technology, so I don’t want stupid regulation and I don’t want too much regulation and I don’t want inefficient regulation, but I want more regulation than Katherine does.  So our positions aren’t quite the same on that, but there's quite a few theories in which we have agreement, yes.

William Herbert:  Raphael, we’re just discussing privacy assessments and I seem to me, I need to go back.  When you were talking about privacy assessments who does the assessments in terms of your vision of going back to the pre-80s?

Roger Clarke:  The organisation that is the sponsor of the project, and obviously it’s now situational, but there's going to be a tolling company or a public private partnership between, say, the New South Wales Government and Toll Roads Inc.  That sponsor has the responsibility, in my perfect legal situation, has the responsibility to undertake that assessment subject to some constraints, of course, on how they go about it.

William Herbert:  So they would view, there would be like an environmental impact statement, they would have to prepare a statement before they implement anything and presumably someone can sue if that privacy and impact statement has not been prepared?

Roger Clarke:  It’s actually beyond a statement, and that’s one of the things that we moved on from.  Environmental impact statements, the history was organisations were required to do that, and of course it became internal and manipulated and supressed the important information, and it became non-credible, the public got upset, so they had to change it.  It was opened out much more to an assessment process.  Sure, there's a report at the end of it, but it’s not the statement that matters, it’s the process.  The product is secondary.  And there's quite well-established documented techniques for doing that.

William Herbert:  Katherine, what’s your view of that process of requiring entities to create privacy assessments that would then be presumably available to the public?

Katherine Albrecht:  I think it’d be terrific.  I think it’d be terrific.

William Herbert:  And Raphael, what’s your perspective on not moving away from the bureaucratic approach to regulation but more towards a self-regulatory process involving, requiring privacy assessments?

Raphael Capurro:  Well, we have in Germany last month, our two or three hot topics.  One topic was about the government allowing to go into your computer, which is sometimes more dangerous than allowing the government to go into your body, because we externalise a lot of our data in our laptops.  So we called it a Trojan horse. The second hot point was about censorship and about, well, we have a big discussion on child pornography and all these things.  What I want to say, is that I think you agree with me, that with this technology, the questions are all connected, more or less.  And so the fear is particularly in Europe and particularly in Germany, if you allow the State to have too much transparency into your privacy, then we learn from our history, okay?  So this is where I say again, there is a context and is history dependent.  And the wounds of the past are still there in Europe.  So, and it is different if we think and talk about this, than about leadership, which has translated into German as “der Führer, which is a German word for “leader”.  So we can’t use this word just as you use the word “leadership”, okay?  I mean this because the language is very specific and it is loaded with wounds and with experiences of the past.  So we use the word “leadership” in English but in Germany when we talk about leaders, we use the word “leaders” and not “Führers”, for good reasons.

So what I mean is that if we want to have a discussion on this, we have to have broad decisions, not just about my body, because my body is just, you know, a point of connection.  I was talking about the body as data.  It is not just that I have decided on this body, but this body is a connection point of a complex system of relationships.  So it is not just that I decide in a Cartesian body, “It is my body, separated from everything else.”  It was a nice Cartesian metaphor, but it doesn’t exist.  The body is a connection of things.  And now, it is a connection with the information technology.  And this is what I count as your point, and I say, “This is my body.  I can do what I want.”  This is an abstraction, okay?  My body is my body and it’s your body and everything is more or less related, particularly through all kinds of devices.

So, and the problem is that on the one hand, we have the State and we have a more or less paternalist State philosophy in Europe, differently to the United States, which is good and bad, it depends, in which we trust the State to take care of some official things.  But we don’t want the State to go too much into our privacy.  And on the other hand, we cannot say we are libertarians, because of our tradition partly, we have libertarians too but our tradition is more that the society’s organised.  So there are some rules that everybody accepts and so on, and so the range of liberty changes, also within Europe, the UK and Germany and Italy and so on. 

And this is what makes this activism and so on so complex in Europe.  As I told you, there's just these two cases about child pornography and about the State.  And we don’t like the State to have too much transparency, so when you speak about open and transparent society, some of us say, “Please, not too much transparency.  Don’t allow the State to mix too many databases and so no, because this transparent society can be the reverse.”  So this is a way we now try in some way to have some intransparent society, opaque, we can say, opaque society, so that it’s not so easy to look through.  And I think this is a challenge- how to have a kind of parts of our society that remain opaque for each other too, so that you don’t have, I don’t want you to look to me too much, okay?  Better if I remain a little bit secret for other people, okay?  Also, for the State,  I think that this is the situation we have.  And it is changing so quickly because of this technology is about transparency.  And so we are putting walls and trying to make opaque some things, and sometimes walls are seen as something bad, but from the other perspective, something good.  So this is, I have no solution again, for that, but the discussion is about this and every month we have a new discussion about new technologies and new things.

William Herbert:  We have to end this here unfortunately because the time is running out, but I want to say that, Raphael, you did a perfect conclusion in terms of laying the framework for how we can step forward towards a balanced approach to RFID.  I want to thank each and every one of you for participating.