The following text is copyright 2004 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.
Privacy as an afterthought
By Scott Bradner
Yet another group has seized on RFIDs as the solution to one of their problems while carefully avoiding even thinking about the privacy aspects of their RFID-based solution. This time it's the U.S. Food and Drug Administration (FDA) who should know better.
The FDA has been concerned with the potential problem of counterfeit drugs for quite a while. They do not think that there is currently too much of a problem in the U.S. (other than when people buy their performance enhancing and other pills from Internet-based drug distributors) but are worried about what the future might bring. You may have noticed that the FDA has been using the potential of counterfeit drugs as one of the their main arguments against letting people (and cities and states) import drugs from Canada. This is a big issue for them.
The FDA created an internal (i.e. not public) Counterfeit Drugs Task Force last July to look into some aspects of the issue. After holding some public meetings and visiting various relevant sites the Task Force published an interim report last October. A final report was published in mid February that takes into account the comments the Task Force received during the process. (http://www.fda.gov/oc/initiatives/counterfeit/report02_04.html)
The final report explores and mostly dismisses a number of alternative ways to reduce the possibility that counterfeit drugs will reach consumers but then goes all weak-kneed about the potential for radio-frequency identification (RFID) tags to mostly solve the problem. The report does admit that "there is no single 'magic bullet' technology" that will do the trick but seems to forget that fact when it talks about how RFIDs can be used to track "all drugs" from producer to consumer.
The FDA proposes to subject the drug industry to "mass serialization." (I'll forgo referring to the images that come to mind when I read that term.) They want to assign a unique number to every "pallet, case and package" of drugs then use that number "to record information about all transactions involving the product." They say that this "would allow each drug purchaser to immediately determine a drug's authenticity, where it was intended for sale, and whether it was previously dispensed." In other words, they want to create a vast database of the life history of each bottle of pills.
Sadly, but not unexpectedly, the word privacy appears only once in the 16,000 word report. That one reference reads "lastly, stakeholders will need to ensure that they comply with the patient privacy provisions of the Health Insurance Portability and Accountability Act." That admonition does not exactly show that any real thought was given to the privacy ramifications of the existence of such a database.
I expect few people would be happy to know that a full history of all of the drugs they and their family have ever used will be sitting waiting for the hacker, dishonest employee or insurance company to peruse and publicize. I'm not all that sure that the pharmaceutical industry, which has voiced strong support to date, really wants investigators to be able to find out how to shut down the vast black market in drugs or to be able to clamp down on unapproved uses for their products, since it would cut down significantly on their profits.
Just a terse listing of the privacy issues with this proposal would be longer than the FDA report. I hope that somehow the FDA gets the message. The press has not, google news finds no articles about this report that mention privacy.
disclaimer: Harvard folk tend to be better at sending than getting messages but the above message is mine, not the university's.