Gone in a blink: the overlooked privacy problems caused by contactless payment systems.

Author: Smith, Shane L.
Position: Winner of the Computer Law Association 2006 Information Technology Law Writing Competition

INTRODUCTION
I. BANKS, MERCHANTS, AND CONSUMERS: PRIMED FOR CONTACTLESS PAYMENT TECHNOLOGY
  A. RFID in a Contactless Payment System Nutshell
  B. Why Is Contactless Payment Technology Appealing?
II. THE PRIVACY LANDSCAPE
  A. Very Little Static Has Been Raised Regarding Contactless Payment Systems
  B. What Privacy Problems Are Caused by Contactless Payment Systems?
    1. Security Flaws Cause Privacy Problems
    2. "Big Bucks"--Privacy Rights Take a Back Seat to Profits
    3. "Big Brother"--Significant Moves Toward Involuntary Surveillance
  C. The Giant Sucking Sound Is the Public Policy Vacuum
    1. No State Has Enacted Privacy Legislation Directed at Any RFID Application
    2. Congress Only Mulls Privacy Legislation Aimed at EPC-Tagged Consumer Products
III. IN SEARCH OF AN APPROPRIATE PUBLIC POLICY RESPONSE
  A. Privacy Advocates Rely on Inapposite Fair Information Principles
  B. Contactless Payment Proponents Hide Behind the Gramm-Leach-Bliley Act and Self-Regulation Proposals
  C. A Bill to Protect Individual Privacy Without Stifling Technology
CONCLUSION

INTRODUCTION

"The free man is the private man...." (1)

More than a century ago, two scholars (2) sparked a debate that will probably never end: whether individuals possess a right to privacy and, if so, the nature and extent to which the law should protect privacy rights. (3) Since that first argument, the debate has ranged--and escalated--from whether such a "right 'to be let alone'" (4) truly exists, (5) to when and under what circumstances a person's privacy rights are violated. (6) The debate seems to crescendo with the introduction of new technologies. (7) The push for global adoption of electronic product code (EPC) tags as replacements for universal product code (UPC) bar codes sparked one of the more recent debates. (8) The chief concern of privacy advocates appears to be that EPC tags would permit individuals to be surreptitiously profiled and tracked. (9) Just like earlier debates involving technology and privacy, the war of words over the planned implementation of EPC tags has become quite robust. In addition, the possible use of radio frequency identification (RFID) technology in certain government-issued identification cards--for example, drivers' licenses, student identification cards, and government health and benefit cards--has received considerable attention. (10)

By contrast, an issue that has received little, if any, attention from privacy advocates is the use of RFID technology in contactless payment devices such as MasterCard's PayPass card, Chase Card Service's (Chase) blink card, or ExxonMobil's Speedpass key fob. (11) The "contactless smart chips" (12) powering these contactless payment devices can be embedded in countless form factors such as mobile phones, wristwatches, or money clips, (13) all for the purpose of replacing customers' traditional credit and debit card plastics with magnetic stripes. Such wearable or pocketable form factors may soon be supplanted by the next generation of contactless payment devices: contactless smart chips implanted subdermally in humans. (14) While the purported technological limitations and security features of the types of RFID-enabled smart chips used in contactless payment devices may appear to mitigate security concerns, (15) the privacy concerns caused by contactless payment devices in any form factor appear to have been overlooked. Such a discussion should not be delayed until, for example, contactless payment systems experience "function creep" to be used for other purposes. What if, for example, contactless payment devices become so widely distributed that the government realizes it can profile and track individuals through their contactless payment devices rather than battle public opposition to RFID-enabled identification cards under the Real ID Act? (16) What if the public so opposes EPC tags as UPC bar code replacements in consumer products that businesses have to scrap the idea, but businesses then realize they can profile and track individuals for marketing purposes just the same by interrogating contactless payment devices? 
Ultimately, it does not matter whether RFID-enabled smart chips are used in identification cards, whether EPC tags are ever adopted as UPC bar code replacements in consumer products, or whether banks and merchants ever issue subdermal contactless payment devices; contactless payment devices already provide a reliable infrastructure for profiling and tracking individuals.

EPC-tagged consumer products are likely years away from being ubiquitous and no RFID-enabled identification cards have been issued to civilians in the United States. In contrast, more than eight million Americans already carry and use contactless payment devices. (17) Although EPC-tagged consumer products and RFID-enabled, government-issued identification cards may be years away from providing the beginnings of a surveillance infrastructure, contactless payment devices are quietly and quickly creating a surveillance infrastructure today. Contactless payment systems provide a more reliable infrastructure for tracking and profiling individuals than would EPC-tagged consumer products because many product purchases are not for the purchaser's own consumption. Individuals often purchase consumer products as gifts for others, thus any attempt to profile or track the purchaser using EPC tags in those products would be an exercise in futility. Similarly, individuals frequently discard broken or worn-out products and dispose of unwanted products--a reality that would limit opportunities to profile or track the purchaser and, at a minimum, render the collected data questionable since no one would know if or when the purchaser discarded or disposed of any particular product. In contrast, a contactless payment device issued to a particular individual is highly likely to be carried by that individual nearly everywhere he or she goes, never given as a gift or otherwise permanently transferred to another person, and never intentionally discarded. While contactless payment systems may create the optimal surveillance infrastructure, privacy advocates and lawmakers appear not to have noticed. (18)

Part I briefly describes what RFID is and how it works and explains why contactless payment systems are likely to provide the best solution to accomplish the goals of banks and merchants to achieve "'convenience, speed and ease of use to consumers'" and increase profitability as a result of "'faster transaction times and increased spending per transaction.'" (19) Part II briefly describes privacy advocates' focus on the privacy problems caused by every RFID application except contactless payment systems, discusses the privacy problems caused by contactless payment systems, and reveals the resulting hole in the privacy debate. Part III argues that the proposals for self-regulation or legislation that have been developed by privacy advocates and RFID proponents fail to address the privacy concerns implicated by contactless payment systems. The Article concludes with a proposed legislative response sufficient to address privacy concerns without stifling technological development.

  I. BANKS, MERCHANTS, AND CONSUMERS: PRIMED FOR CONTACTLESS PAYMENT TECHNOLOGY

    A. RFID in a Contactless Payment System Nutshell

      In the context of a contactless payment system, RFID is the system for transmitting all of the details of a payment transaction between a merchant and the issuer of a contactless payment device. Stripped of technical details, a typical contactless payment transaction flows according to the following progressive steps. At the checkout register, the customer briefly holds his or her contactless payment device near the merchant's point-of-sale terminal (POS terminal), which houses an RFID reader that "connects to, provides power to and communicates with" the contactless payment device. (20) The reader interrogates the contactless payment device, receives the device's EPC and a cryptogram (21) for that transaction, and transmits the transaction details to the merchant's acquiring bank. (22) The acquiring bank, in turn, transmits the transaction data to the issuing bank. (23) The issuing bank uses the contactless payment device's EPC to identify the correct customer's account and uses the cryptogram to confirm the device's validity. (24) The issuing bank then returns an authorization, decline, or other appropriate response, and the customer goes on his or her way.
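The transaction flow just described, as an added illustration that is not part of the original article: a small Python model of device, acquiring bank and issuing bank. It shows that the issuer can reject a replayed read because the cryptogram is fresh per transaction, while the identifier sent alongside it stays the same at every reader. The HMAC-based cryptogram, the transmitted counter, and all names and values are assumptions made for the sketch, not the scheme any card network uses.

```python
import hashlib
import hmac

def _cryptogram(key: bytes, device_id: str, counter: int) -> str:
    # Assumption: HMAC-SHA256 over identifier and counter stands in for the real scheme.
    msg = f"{device_id}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Device:
    def __init__(self, device_id: str, key: bytes):
        self.device_id, self._key, self._counter = device_id, key, 0

    def respond(self) -> dict:
        self._counter += 1  # fresh value for every interrogation
        return {"device_id": self.device_id, "counter": self._counter,
                "cryptogram": _cryptogram(self._key, self.device_id, self._counter)}

class Issuer:
    def __init__(self):
        self._records = {}  # device_id -> [key, account, last counter accepted]

    def enroll(self, device_id: str, key: bytes, account: str) -> None:
        self._records[device_id] = [key, account, 0]

    def authorize(self, txn: dict) -> str:
        rec = self._records.get(txn["device_id"])  # identifier selects the account
        if rec is None:
            return "decline"
        key, _account, last = rec
        expected = _cryptogram(key, txn["device_id"], txn["counter"])
        fresh = txn["counter"] > last  # a replayed read carries an old counter
        if not (fresh and hmac.compare_digest(expected, txn["cryptogram"])):
            return "decline"
        rec[2] = txn["counter"]
        return "authorize"

def acquirer_forward(issuer: Issuer, merchant: str, read: dict) -> str:
    """Acquiring bank relays the reader's data to the issuing bank."""
    return issuer.authorize({**read, "merchant": merchant})

def run_demo() -> dict:
    issuer, key = Issuer(), b"constructed-demo-key"  # constructed sample values
    device = Device("DEV-0001", key)
    issuer.enroll("DEV-0001", key, "acct-42")
    first, second = device.respond(), device.respond()
    return {"first": acquirer_forward(issuer, "grocer", first),
            "second": acquirer_forward(issuer, "fuel", second),
            "replay": acquirer_forward(issuer, "grocer", first),
            "cryptograms_differ": first["cryptogram"] != second["cryptogram"],
            "same_identifier": first["device_id"] == second["device_id"]}
```

The `same_identifier` result is the property the article's tracking argument rests on: the cryptogram protects the payment, not the linkability of successive reads.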

      A contactless payment system's operation depends primarily on two RFID components: an RFID reader housed in a POS terminal, as described above; and a "contactless smart chip"--a "secure microcontroller or equivalent intelligence, internal memory, and a small antenna," which "communicates with a reader through a contactless radio frequency (RF) interface." (25) These microchips used in contactless payment devices feature either "passive" or "active" RFID. (26)

      Contactless payment devices that employ passive RFID smart chips have no onboard battery, a feature that makes their life span virtually unlimited and their design compact. (27) Because they have no internal power source, they do not continuously transmit data, but rather "wake up" to respond to a radio signal from any RFID reader. (28) Generally, passive smart chips are read-only, meaning the data they contain cannot be altered or written over. (29) Privacy advocates have focused their attention almost exclusively on the type of passive microchips used in EPC tags to replace UPC bar codes (30) rather than on the passive smart chips used in most contactless payment devices. (31)

      The privacy concerns over the passive microchips in EPC tags seem to stem from four factors. First, the tiny size of the passive microchips used in EPC tags could make them difficult, if not impossible, to locate once embedded in an object. (32) Currently, "the smallest ... [passive microchips] measure[] 0.15 mm x 0.15 mm, and are thinner than a...
