NATIONAL WORKRIGHTS INSTITUTE

Bringing Human Rights to the Workplace

166 WALL STREET, PRINCETON N.J. 08540 *(609) 683-0313 *FAX (609) 683-1787

WWW.WORKRIGHTS.ORG

 

 

 

RFID and Workplace Privacy

Jeremy Gruber

Legal Director, National Workrights Institute

 

 

 

Ten years ago people were adjusting to new and rapidly evolving technologies that monitored workplace computer systems.  Today technologies are proliferating in the workplace that monitor employees directly.  Radio Frequency Identification Devices (RFID) that allow for human tracking and storage of personal information are becoming commonplace in many workplaces.  While RFID is not new, its growing use in the workplace raises significant privacy concerns.  Systematic electronic monitoring in the workplace has grown into the very fabric of American business practice. As technologies become more powerful and easy and inexpensive to install and maintain, the rates of electronic monitoring in this country have skyrocketed. Today, 92% of employers conduct some form of workplace monitoring.[1] This rapid growth in monitoring has destroyed virtually any sense of privacy as we know it in the American workplace. Employers now routinely conduct video surveillance, listen in on employee telephone calls, and review employee computer use such as e-mail and the Internet.   As technology has proliferated in the workplace it has become ever more penetrating and intrusive.  Without legal and policy constraints on their ability to monitor, employers are moving from monitoring communications devices and locations to monitoring employees themselves through such technologies as Global Positioning Systems (GPS) and RFID.  With little to no attempt to balance legitimate employer needs with employee privacy concerns, more and more of the personal habits and lives of employees are being monitored, with very real implications for the very freedoms we cherish as Americans. 

 

 

 

RFID:  The technology and its application

 

RFIDs are essentially computer chips that contain a unique number and which are connected to miniature antennas that can be attached to any object, from consumer goods to ID cards and even people for purposes of identifying that object (and possibly other information as well).  They use wireless communication via radio frequency bands to transmit data to a “reader” which captures this information.  Such data can, then, be uploaded to computers that store and can further analyze the data.  There are a wide variety of types of RFID, some are “passive” and receive their power from the reader. Such RFIDs have a range within a few yards. Other RFIDs are “active” and contain their own power supply and can broadcast for over one hundred feet.  The simplest RFID is incapable of data processing while more advanced RFIDs can store and process significant amounts of data, including real time location and large amounts of personally identifiable information.

 

RFID readers, as opposed to for example bar codes, can read multiple objects at the same time and can be read without contact between the reader and the RFID and without line of sight access.  RFIDs have virtually limitless applications from consumer good and inventory tracking to the delivery of health care and a number of governments including the U.S. and the European Union have promoted RFID use in personal ID documents such as drivers licenses and passports.[2]  Indeed, it has been noted that “there are two big drivers of RFIDs, one of them is Wal-Mart, the other is the Department of Defense.”[3]

 

Its unclear to what degree RFID is currently being used in the American workplace.  We do know that 53% of employers use Smart Card technology in the workplace.[4]  We also know that a large percentage of Smart Cards used in the workplace are contact-less, in which the chip communicates with the card reader through RFID induction technology.  Coupled with other forms of workplace RFID uses, it is clear that RFID use in the workplace is significant and growing.

 

RFIDs in the workplace are most likely to be attached to an employee identification card but can also be found embedded in employee badges and in devices attached to key chains or clothing.[5] In one instance, for example, RFID tags were placed in 80,000 employee uniforms at the Star City Casino in Sydney Australia.[6]  Employers have even begun implanting RFIDs in their employees’ bodies. One company in Cincinnati, Ohio,  Citywatcher.com, recently began implanting RFID chips in their employees’ arms.[7] RFIDs can also be imbedded in objects within the workplace.

 

Employers may want to use RFIDs in the workplace for a number of reasons.  They can compile aggregate data from RFIDs to study workplace patterns and improve efficiency. Because they are individually identifiable RFIDs are a more accurate and easy way of identifying employees.  Tracking employees could help in measuring time, labor and human error.  RFIDs can be used to track workflow and combat employee theft or misconduct.  They can be used to restrict access to sensitive areas.  They can be used in relation to safety and health  issues such as locating personnel in a hospital quickly in an emergency. They can be used for surveillance and even integrated with other surveillance technologies.  Attached to a “smart card,” they can be coupled with other personally identifiable information and used with HR databases and other sources of employee information for efficient identification and integration of employee information.

 

Privacy Implications for RFID Use in the Workplace

 

RFID use in the workplace raises serious privacy concerns.  RFIDs allow employers constant tracking of employees within the workplace and even potentially offsite (though GPS is more likely to be used for tracking employees at long distances because of the inherent range limitations of RFID) robbing employees of any anonymous movement. Indeed RFIDS that are integrated with other surveillance technologies, such as video cameras, can provide a very complete picture of an employee’s activities at work including personal time such as lunch or bathroom breaks and even after hours.  Many times people take for granted the inherent right to go throughout the world undetected. When an employee’s location is tracked in real time, he no longer has any real sense of privacy.  This sort of tracking seems reminiscent of someone who is in servitude, rather than someone who is being paid for his work product.  The introduction of RFID monitoring in the workplace assumes it is no longer sufficient for employees to operate independently as long as they complete their work properly and timely. Such monitoring reduces employees to robots; cogs in a highly managed system designed to maximize worker productivity for every second they are at work. It removes any decision making aspect of the job; any control over the rights that free and rational beings have to act autonomously and with dignity. Employees are left to surrender the very aspects of individuality that often make them good employees.[8] 

 

Employers who introduce RFID monitoring are likely to encourage their employees to favor quantity of work produced over the quality of work as even the most minimal discretion is removed. Even employers who do not intend on placing production increases above quality in order of importance may do so inadvertently, simply because quality is more difficult to monitor electronically. Pressure to increase productivity commonly has adverse effects on the quality of work produced. With the pressure to increase productivity leading to greater use of RFID monitoring, the very humanity of the American employee is becoming even more threatened as the workplace devolves even further into an electronic sweatshop.  Often times it is exerted as a means of control over employees; to intimidate and disempower workers and serves to diminish any sense of trust remaining between employer and employee.  Indeed for these and other reasons a draft report on RFID created for the Department of Homeland Security disfavored RFIDs for purposes of tracking individuals.[9]

 

Because an RFID does not require direct contact to be read, it can be read surreptitiously without the employees consent. This has enormous consequences not only within the employer-employee relationship but security related relationships to third parties and raises very real concerns for identity theft and misuse by law enforcement and other government agencies.  Certain types of RFID are not very secure and are subject to such actions as “skimming,” where an unauthorized reader is used to access information from the RFID or “eavesdropping” where a reader intercepts information passing between an RFID and an authorized reader.[10]  While encryption and other actions can limit and address some of these concerns, it is unlikely in a workplace context that they will be sufficiently utilized.  Particularly alarming is the integration of RFID with other personally identifiable information including biometrics that are of significant interest to third parties.

 

The trend with RFID currently in the United States is to incorporate it into access cards and load them with information that is specific to each employee, such as photo ID, fingerprints, social security number, drivers license number, and the like.[11]

 

Such information then becomes vulnerable to identity theft, where a thief using a personal reader could potentially retrieve personally identifiable information contained within the RFID from employees without their knowledge simply by moving within the broadcast range of the RFID.  In addition it is not altogether unlikely that law enforcement might be interested in such information.  A concern validated by a 2002 Boston Globe survey that found that 64 per cent of US businesses had turned information over to the government following the 9-11 attacks.[12]   Indeed, law enforcement conducted significant surveillance prior to and during the Republican National Convention in New York City in 2004[13]; it is not unlikely that had they thought of it, they might have roamed the crowds of protesters with an RFID reader to identify individuals.  They did in fact use facial recognition technology, a biometric identifier, during these investigations.

 

Employer RFID policies: Are they regulating themselves?

 

As with most technologies RFIDs are privacy neutral on their face.  Employer use of such devices often determines the degree of intrusion.  It is clear that the potential for harm is significant.  Equally significant would be the steps employers are taking to minimize that harm.  A recent study by the RAND Corporation[14], indicates that employers are currently operating RFID systems in the American workplace with little to no regard for employee privacy.  Indeed, the study left its authors to conclude that “any reader who uses an RFID-based access card ought to be uneasy after seeing these results.  We are.”[15]

 

The Rand study looked at six large private sector companies both for profit and not for profit with 1,500 or more employees.  They studied how the RFID technology was used as well as the company policies for retaining and generating records.  They found that all the companies surveyed used RFID to control access by employees to both the exterior workplace as well as areas within the workplace.  All but one of the survey participants integrated their RFID system with some other technology whether it be video cameras, closed circuit television, photo id systems triggered by the RFID or alarm systems.  The majority of organizations used RFID for far more than controlling access, including such uses as “investigations” of workplace incidents or to prove (or disprove) allegations of misconduct and “work culture monitoring” of such things as compliance with corporate policy. Companies also linked their RFID systems to departments other than just security, including Human Resources and Legal Departments.  The majority of the companies used aggregate data from RFIDs to study everything from arrival and departure patterns to providing government related information to an Air Quality Management District. 

 

Every company in the survey retained data collected from RFIDs indefinitely.  The majority of the organizations audit their systems but do so through a self-audit, performed by their corporate security departments or facilities departments, the same departments charged with the monitoring in the first place.  None of the companies surveyed had an officer of the company overseeing RFID use.  This raises significant additional privacy concerns as these departments appear to have no accountability outside their departments for how they manage RFID monitoring.

 

Every organization surveyed linked the records created from RFID monitoring to other databases, including but not limited to personnel and medical records databases. 

Only one of the companies surveyed even had a policy on RFID use and none of the companies surveyed shared any information regarding RFID use or even that RFIDs were being used with their employees.  This led the researchers to conclude that in general employer policies regarding RFID use in the workplace are simply “Don’t ask, Don’t tell.”[16]

 

 

Conclusion:

 

It is clear that employers are making little to no effort at balancing legitimate employer needs with employee privacy concerns.  They are not developing best practices policies to deal with emerging workplace technologies such as RFID.  Nor are they looking to less invasive alternatives to such technologies. The potential privacy implications for RFID location-tracking and its linkage with personally identifiable information are virtually limitless. It is essential that employees and the public understand how the technology works and how it can be used (or misused) in the employment context.  Unfortunately legislatures have completely abdicated their responsibility to legislate in this area and  private sector employers are operating under no legal constraints in employing RFID.  While a number of states have introduced bills governing RFID, none have been successful to date and none have even addressed workplace use of RFID.[17]  Guidelines for responsible use of RFID in the workplace are desperately needed.  Legislation is necessary to govern the practice of workplace RFID use as well other forms of electronic monitoring in the workplace, in order to protect employee privacy and return a sense of fundamental fairness and dignity to the American workplace.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


[1] 2003 Center for Business Ethics at Bentley College, “Survey ‘You’ve Got Mail…And the Boss Knows’”

 

[2] Jeffrey Silva, “ACLU says RFID in passport leaves Americans vulnerable”, November 29, 2004.  Online : http://rcrnews.com.

 

See also Department of State, the Federal Register February 18, 2005 (Volume 70, Number 33) Proposed rule on Electronic Passport [DOS Proposal] available at:

http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/05-3080.htm.

 

See also Baard, Mark, “RFID  Drivers Licenses Debated”, Wired News, October 6, 2005.

 

[3] “The Next Big Thing for Government”, Online: http://www.csa-dc.org/publications-press/ppc_update/10-1-04/4.htm

[4] 2005 American Management Association Survey, “Workplace Monitoring and Surveillance.”

[5] See EPIC RFID Privacy Page at http://www.epic.org/privacy/rfid/.   

[6] Granneman, Scott  “RFID Chips Are Here”, June 27, 2003, The Register.

[7] Sieberg, Daniel “Is RFID Tracking You?” October 23, 2006 CNN.  Additionally, in Mexico the Attorney-General has required 160 of his staff to have RFIDs inserted in their bodies so that their movements and work habits can be tracked. Weisert, Will “Microchips Implanted in Mexican Officials,” July 14, 2004 MSNBC

[8] For additional discussion of the privacy implications of human tracking see Gruber, Jeremy “On Your Tracks: GPS Tracking in the Workplace.” August 2005. http://www.workrights.org/issue_electronic/NWI_GPS_Report.pdf

[9]The Use of RFID for Human Identification” A DRAFT REPORT from DHS Emerging Applications and Technology Subcommittee to the Full Data Privacy and Integrity Advisory Committee, 2006. http://www.dhs.gov/xlibrary/assets/privacy/privacy_advcom_rpt_rfid_draft.pdf

 

[10] See Id. note 2 at p 9.

[11] Roth, Dr. Paul, “ Workplace Privacy Issues Raised by RFID Technology” Privacy Issues Forum, March 30, 2006 University of Otago

[12] See Bijon Roy, “A Case Against Biometric National Identification Systems (NIDS): ‘Trading-off’ Privacy Without Getting Security,” 19 Windsor Review of Leg. & Soc. Issues 45 (March 2005), at 66.

[13] Dwyer, Jim “City Police Spied Broadly Before G.O.P. Convention” New York Times March 25, 2007.

[14] Balkovich, Edward, Bikson, Tora, Bitko, Gordon, “9 to 5: Do You Know If Your Boss Knows Where You Are? Case studies of Radio Frequency Identification Usage in the Workplace” RAND Infrastructure, Safety and Environment 2005

[15] Id at 20.

[16] Id at 16.

[17] See State legislation and RFID, RFID Law Blog

http://rfidlawblog.mckennalong.com/archives/cat-state-legislation.html