Winner of the Computer Law Association 2006 Information Technology Law Writing Competition: Gone in a Blink: The Overlooked Privacy Problems Caused by Contactless Payment Systems

Article excerpt

INTRODUCTION
I. BANKS, MERCHANTS, AND CONSUMERS: PRIMED FOR
  CONTACTLESS PAYMENT TECHNOLOGY
  A. RFID in a Contactless Payment System Nutshell
  B. Why Is Contactless Payment Technology Appealing?

II. THE PRIVACY LANDSCAPE
  A. Very Little Static Has Been Raised Regarding
    ContactlessPayment Systems
  B. What Privacy Problems Are Caused by Contactless
    Payment Systems?
    1. Security Flaws Cause Privacy Problems
    2. "Big Bucks"--Privacy Rights Take a Back Seat to
      Profits
    3. "Big Brother"--Significant Moves Toward
      Involuntary Surveillance
  C. The Giant Sucking Sound Is the Public Policy Vacuum
    1. No State Has Enacted Privacy Legislation
      Directed at Any RFID Application
    2. Congress Only Mulls Privacy Legislation
      Aimed at EPC-Tagged Consumer Products

III. IN SEARCH OF AN APPROPRIATE PUBLIC POLICY RESPONSE
  A. Privacy Advocates Rely on Inapposite Fair Information
    Principles
  B. Contactless Payment Proponents Hide Behind the Gramm-Leach-Bliley
    Act and Self-Regulation Proposals
  C. A Bill to Protect Individual Privacy Without Stifling
    Technology

CONCLUSION

INTRODUCTION

"The free man is the private man...." (1)

More than a century ago, two scholars (2) sparked a debate that will probably never end: whether individuals possess a right to privacy and, if so, the nature and extent to which the law should protect privacy rights. (3) Since that first argument, the debate has ranged--and escalated--from whether such a "right 'to be let alone'" (4) truly exists, (5) to when and under what circumstances a person's privacy rights are violated. (6) The debate seems to crescendo with the introduction of new technologies. (7) The push for global adoption of electronic product code (EPC) tags as replacements for universal product code (UPC) bar codes sparked one of the more recent debates. (8) The chief concern of privacy advocates appears to be that EPC tags would permit individuals to be surreptitiously profiled and tracked. (9) Just like earlier debates involving technology and privacy, the war of words over the planned implementation of EPC tags has become quite robust. In addition, the possible use of radio frequency identification (RFID) technology in certain government-issued identification cards--for example, drivers' licenses, student identification cards, and government health and benefit cards--has received considerable attention. (10)

By contrast, an issue that has received little, if any, attention from privacy advocates is the use of RFID technology in contactless payment devices such as MasterCard's PayPass card, Chase Card Service's (Chase) blink card, or ExxonMobil's Speedpass key fob. (11) The "contactless smart chips" (12) powering these contactless payment devices can be embedded in countless form factors such as mobile phones, wristwatches, or money clips, (13) all for the purpose of replacing customers' traditional credit and debit card plastics with magnetic stripes. Such wearable or pocketable form factors may soon be supplanted by the next generation of contactless payment devices: contactless smart chips implanted subdermally in humans. (14) While the purported technological limitations and security features of the types of RFID-enabled smart chips used in contactless payment devices may appear to mitigate security concerns, (15) the privacy concerns caused by contactless payment devices in any form factor appear to have been overlooked. Such a discussion should not be delayed until, for example, contactless payment systems experience "function creep" to be used for other purposes. What if, for example, contactless payment devices become so widely distributed that the government realizes it can profile and track individuals through their contactless payment devices rather than battle public opposition to RFID-enabled identification cards under the Real ID Act? (16) What if the public so opposes EPC tags as UPC bar code replacements in consumer products that businesses have to scrap the idea, but businesses then realize they can profile and track individuals for marketing purposes just the same by interrogating contactless payment devices? …

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.