New information technologies have created unprecedented opportunities to collect, store, analyze, and transfer information. Technologies that can be applied to make our lives both easier and safer can also diminish our privacy and civil liberties.
One such technology is Radio Frequency Identification (RFID), a technology on a path to pervasiveness, thanks to high-profile commitments in both the public and private sectors. The commitments are based on perceived benefits including improved logistics and supply chain management, enhanced retail sales and product management and increased security.
These expected benefits need to be balanced against privacy concerns that have spurred legislative proposals governing RFID use in at least 15 U.S. states, as well as substantial debates in Europe and Asia. The concerns often center around retail uses of RFID tags where an individual does not know that he or she has been associated with the tag or who may be reading the data gathered and for what purpose.
Such “non-cooperative” uses of RFID technology are only just entering wide deployment, and their scope has yet to be defined, let alone understood. By contrast, cooperative uses of RFID are already widespread in workplace access cards, credit cards, and toll tags. In these cases, individuals agree to uses of RFID technology as a condition of employment, or as a clear personal convenience, and are generally active participants when an RFID tag is scanned. Despite these differences, what can we learn from that experience that is applicable to the current debate?
RAND Corporation researchers sought to answer this question by undertaking a replicated case study of six private-sector companies with 1,500 employees or more to understand their policies for collecting, retaining, and using records obtained by sensing RFID-based identification cards used to control access to each organization's facilities.
We selected the six companies to represent a cross-section of industries: two are non-profit organizations, two are advanced technology manufacturers, and two are media services (content creation) firms. We chose to study access cards since, as with other uses of RFID, they offer benefits to individuals and institutions (convenience and cost-effectiveness when compared to keys), at the price of changes to individual privacy within the workplace environment. However, RFID-based access cards have been used in workplace environments for some time, and there are well-established practices related to their use. Thus, they provide a good opportunity to study how policy is formulated, and to explore how access data, linked to individuals, are handled.
Figure 2 shows the typical elements of an RFID access control system. Each system comprises a number of antennas used to interrogate RFID tags embedded in access cards; electronics for data acquisition and control; a lock or some other physical security feature under the control of the system; network integration of the distributed electronics; and a centralized database that records the details of the use of access cards. After scanning an access card, the system determines whether the individual is authorized to enter (or exit) and unlocks the barrier (if authorized to do so). A record of the transaction is (optionally) captured in the database. A collection of transaction records can provide a history of an individual's card use. In some systems, transaction records can be linked to other records about an individual.
In all six cases, we found that RFID access cards were used both to control peripheral access to facilities and to limit access to specific internal areas, and that the RFID systems collected data including card user, time, and location. However, we also noted that five of the six companies did not rely exclusively upon RFID; they allowed access through certain manned access points at specific times of the day (e.g., through a main entrance during typical working hours), without requiring the electronic recognition of an ID card. In all cases but one, the surveyed access control systems were integrated with other sensors, such as closed-circuit TV systems, and were used with additional required verification, such as a Personal Identification Number (PIN), to gain entry to sensitive areas.
While RFID access cards are primarily used to open doors, five of the six companies interviewed said the records collected were used in both a personally identifiable form (e.g., to understand the movements of an individual) and in aggregate form (e.g., to describe the behavior of many individuals without identifying any of them). Personally identifiable uses included investigating allegations of work rule violations (e.g., misreporting time spent working, or workplace theft) and, in one case, monitoring all former employees of an acquired company to ensure they adopted enterprise norms for work hours. Aggregates of records were used in logistics and cost analyses (e.g., refining building evacuation plans) and to generate required government reports (e.g., an air quality report characterizing the number of employees at the workplace). These investigations and analyses were performed not only by security departments, which were the owners and operators of all of the surveyed access control systems, but in some cases also by line management, human resources, or legal departments.
Lack of Explicit Policies Raises Concerns
As shown in the table, only one of the companies interviewed has explicit, written policies governing the use of RFID in the workplace, and that one (D) provided them only to the security function in the organization, not the whole company. Further, in all cases, policy-making about the operation of the access control system and the use of personal information resides with a security or facilities department. Consequently, actual decision-making is ad hoc and driven by circumstances, not by established guidelines. None of the companies regarded the policy for access control system data retention and use to be a company-wide one that should be managed and overseen by a corporate officer. Thus, these studied organizations have no true enterprise-wide process to maintain or change rules for using data.
This lack of broad oversight is perhaps reflected in the de facto policies followed by each organization. None of the companies has a limited data retention policy; they keep the records indefinitely. And although most companies do audit their system records, only one undergoes an external audit. Finally, in all cases, records were linked to other company databases (mostly to personnel records in human resources), which is inevitable since individual employees are generally assigned uniquely identified cards. In one case (F), the company linked the database to medical records to allow first responders to scan an employee's badge to call up relevant medical records in the event of an emergency. In two cases (C and F), the linkage is fully automated.
Policies Are Not Communicated to Employees
While the policies being followed raise some concerns, none of the companies communicates to its employees that data collected with access cards are used for more than simply controlling locks.
To the extent that we understand applicable workplace laws, monitoring and recording employees' use of access cards to enter and/or leave facilities seems to be well within the rights of private sector companies. But nothing prevents them from making their policies known, and fair information practices codes would encourage them to do so. The RAND study suggests that policies about access control records are invisible to most employees but are otherwise similar to email or phone monitoring policies. Surveys suggest that most corporate systems, such as e-mail and Internet usage, have explicit policies and that those policies are communicated to employees.
Access cards clearly have benefits for both individuals and for security and public safety. They are certainly easier to use than a conventional key, particularly if designated areas or rooms within a facility remain locked and require separate keys.
However, the use of RFIDs in access control systems is an example of how technology has led to the loss of “practical obscurity.” That is, conventional (anonymous) keys and/or guarded entrances to facilities provide a degree of privacy that can only be circumvented by physical surveillance of an individual.
Without something like an RFID access control system, this is an expensive manual process supporting the expectation that individuals enjoy a degree of privacy about their everyday movements in the workplace. RFID tags and fine-grained access controls within a building make it possible to observe the movements of any employee all the time, at little cost.
Moreover, the use of such systems has modified the traditional balance of personal convenience, workplace safety and security, and individual privacy. These case studies suggest that security and public safety trump personal privacy: securing the workplace, investigating instances of theft or misconduct, accounting for employees after emergencies, and providing effective responses to medical problems are the priorities favored in designing and operating the systems. Employer policies also trump personal privacy: we found that the organizations studied used such collected data to enforce rules governing employee conduct (A, B, C, D, and F) and to monitor collective behavior (C).
These concerns suggest the importance of developing an explicit policy for the use of data associated with any access control system. Such a course offers several advantages: it eliminates the need for “on the fly” policymaking; it provides an opportunity to establish limits on the use of data; and it helps to ensure that multiple individuals will both operate the system and respond to data requests in a reliable and consistent manner. We think that such a policy should be the responsibility of an individual with the same scope as the access control system. If the system is used across the entire enterprise, then an officer of the company should be accountable. Likewise, if only a single department uses an access control system, then the individual responsible for that unit's operations should be accountable.
We suggest that such a policy should be cognizant of a number of factors including:
- The scope of the system
- The data that will be collected by the system
- What links can and cannot be established with other records, and the broader implications of those links
- The retention schedule for system records
- Organizational units and role incumbents allowed access to data, and the form of that access
- Procedures for allowing new and unanticipated uses of system records
- Procedures for managing external requests for records
- Procedures for managing unauthorized use of records
- An audit plan
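As an added illustration (not from the RAND study or any of the surveyed companies), the following constructed Python model shows how the record-handling layer behind an access control system could enforce several of the factors above: a retention schedule, aggregate-only access for most roles, security-only identifiable lookups, and an audit trail of every identifiable lookup. The role names, the 90-day retention period and the sample records are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed model of the record store behind an RFID access control system: the fields
# the surveyed systems collect (card user, time, location) plus assumed policy settings.
@dataclass(frozen=True)
class AccessEvent:
    card_id: str      # uniquely assigned to one employee, so every record is identifiable
    time: datetime
    reader: str       # door or barrier that scanned the card
    granted: bool
@dataclass
class AccessRecordStore:
    retention: timedelta                                                # assumed schedule
    aggregate_roles: frozenset = frozenset({"facilities", "hr", "security"})  # assumed
    identified_roles: frozenset = frozenset({"security"})                     # assumed
    events: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def purge_expired(self, now):
        """Enforce the retention schedule; returns how many records were dropped."""
        before = len(self.events)
        self.events = [e for e in self.events if e.time >= now - self.retention]
        return before - len(self.events)

    def occupancy_by_hour(self, role, day):
        """Aggregate form: distinct cards admitted per hour, no identities returned."""
        if role not in self.aggregate_roles:
            raise PermissionError(f"{role} may not query access records")
        seen = {}
        for e in self.events:
            if e.granted and e.time.date() == day:
                seen.setdefault(e.time.hour, set()).add(e.card_id)
        return {h: len(cards) for h, cards in sorted(seen.items())}

    def card_history(self, role, requester, card_id, reason):
        """Identifiable form: security only, and every lookup is written to the audit log."""
        if role not in self.identified_roles:
            raise PermissionError(f"{role} may not view identifiable records")
        self.audit_log.append((requester, card_id, reason))
        return [e for e in self.events if e.card_id == card_id]

def build_sample_store():
    store = AccessRecordStore(retention=timedelta(days=90))   # constructed sample data
    t = datetime(2007, 6, 1, 8, 0)
    sample = [("card-1001", 0, "lobby", True), ("card-1002", 15, "lobby", True),
              ("card-1001", 60, "server-room", False), ("card-1003", 120, "lobby", True),
              ("card-1001", -365 * 1440, "lobby", True)]   # one year-old record to purge
    for card, mins, reader, ok in sample:
        store.events.append(AccessEvent(card, t + timedelta(minutes=mins), reader, ok))
    return store
```

Running `purge_expired` on a schedule, rather than keeping records indefinitely, is what distinguishes this model from the de facto practice the study found.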
Finally, fair information practices argue that employees should be informed about uses of access control system records and should have the right to inspect and correct records about their activities, but implementing such practices in the context of RFID-generated data in workplaces would be impractical in some situations, such as an employee's ability to correct an erroneous record. After the passage of time, could an employee reconstruct the details of daily movements to challenge an automated system? Based on these issues with RFID, and given other emerging sensor technologies that enable the collection and analysis of fine-grained details about an individual's behavior, we see the need to rethink elements of fair information practices and policies.
Gordon Bitko, Tora K. Bikson and Edward Balkovich are researchers at the RAND Corporation, a non-profit research organization.
This commentary originally appeared in Security World International on June 1, 2007. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.