Doing Privacy in Public

With most state legislatures back in session, another season of policy-making is under way. The usual suspects -- namely, the runaway cost of educating, medicating and incarcerating -- dominate deliberations as the executive and legislative branches again try to reach a balanced budget compromise.

Conventional wisdom is that technology issues are likely to get short shrift in such an environment -- except radio frequency identification (RFID) chips, which are touted to be the successor to the bar code. On the upside, proponents argue that RFID -- designed as an Internet for things -- could be helpful in securing and tracking everything from shipping containers to toxic materials. On the downside, opponents are concerned that RFID could compromise the privacy and civil rights of people who buy and use the things being tracked -- from shoes to cans of Coke.

At the consumer product level, critics argue that RFID is too much technology for too little effect in many cases. They contend that there are less intrusive means of doing the same things, and that the process for disabling RFID after a sale to protect privacy puts too heavy a burden on consumers while holding those driving the implementation of RFID harmless -- including its largest commercial advocate, Wal-Mart.

That has been enough to get the attention of a number of legislators who have held hearings (or plan to) to examine the privacy implications of these technologies. In testimony in statehouses and before Congress, the Privacy Rights Clearinghouse and other privacy-rights advocates -- including the American Civil Liberties Union, the Electronic Privacy Information Center, the Electronic Frontier Foundation and Junkbusters -- are calling for a comprehensive assessment of RFID that would document the good and the bad, including its "impacts on labor and the economy, environmental and health implications, and of course, threats to privacy and civil liberties."

A comprehensive assessment of that scale is unlikely, given that Congress dismantled the federal agency for doing just such analysis a decade ago.

The results of a recent BearingPoint survey of public-sector IT executives underscore the need for policy guidance from somewhere in some form. Fifty-five percent of respondents said they were deferring RFID implementations until they received policy direction on security and privacy. At the same time, 48 percent said their organizations had investigated RFID and believed it was strategically important to the future of government. Still,16 percent of the public agencies covered by the survey had deployed RFID technology -- including the FDA and several pharmaceutical companies, which are using RFID to combat drug counterfeiting and to protect consumers.

Taking a page from Wal-Mart, the U.S. Department of Defense (DoD) made RFID mandatory in all contracts for the delivery of materiel on or after Jan. 1, 2005. And like Wal-Mart, the DoD had to make allowances for aerospace and other key providers who could not retool in time.

All this puts policy-makers in an unenviable position. Too much intervention, and they can be blamed for thwarting innovation and causing a market failure. Too little intervention, and they can be blamed for a policy failure that undermines personal security.

And you can bet their decisions will be tracked.