RFID Tags for School-Children
Playing Tag? Or Taking Stock?
Michael and Dawn Cantrall live in a small rural farming community called Sutter, in Northern California. In January 2005, they learnt that the Principal of the only local public school, Brittan Elementary School, had decided to require all students from Kindergarten to Grade 8 (5-13 years of age) to wear an ID badge with a passive RFID tag, in a plastic pouch on a lanyard around the neck.
The technology provider was a small, local start-up called Incom, and the product was called “the InClass™ attendance taking, reporting and security system … the first complete RFID based system for taking, recording and reporting attendance in schools”.
The program was implemented without consultation with parents, and without parental consent. The Principal and the School Board told them that parents had no voice in the matter, and and that children who didn’t comply would be expelled from the school. The school’s legal counsel stated at a public meeting that children’s privacy cannot be violated because they do not have rights. One lawyer that the Cantralls talked to didn’t believe anything that the school was doing was illegal.
Unsure where to turn to for assistance, Michael did an Internet search. An article in an industry magazine in the U.K. mentioned a privacy advocate in Australia (an APF Board member), who had spoken out against privacy-abusive uses of the technology.
On 28 January 2005, Michael emailed him. Within a few hours, Michael had received a small set of hot-links to legal resources, and to organisations that were likely to help. They ranged from San Francisco, to San Diego, to Washington DC.
Michael continued investigating the technology and possible sources of legal assistance. On 30 January, he and his wife also filed a formal complaint against the actions of the Principal and School Board. “Our children are not inventory”, they said. The response was a threat of disciplinary action if the children continued to refuse to wear the ID card.
Meanwhile, the Australian privacy advocate had also alerted his list of 50 or so privacy glitterati around the world. Within four days, six had responded with legal references and suggestions. One was the Providence-based publisher of Privacy Journal. Another was the Washington-based publisher of Privacy Times, who asked Michael to contact him. Michael did so, and the publisher went to press.
On 7 February, several civil liberties groups, including the ACLU of Northern California (ACLU-NC), Electronic Frontier Foundation (EFF), and the Electronic Privacy Information Center (EPIC), jointly sent a letter to the school, expressing alarm at its use of mandatory ID badges that include an RFID device to track students’ movements. The media releases issued by each organisation were quickly and widely distributed, and gave rise to nationwide press coverage.
On 12 February, the response of the attorney for the school district, Paul Nicholas Boylan, was to welcome the publicity, laud the virtues of RFID tags, and declare that “The concerns about privacy are beyond my understanding”. (It appears that Boylan also acts for InCom).
The matter was scheduled for discussion at the School Board Meeting on 15 February. It appears that the company was not under contract, but was offering the scheme gratis, as a pilot of its product. (Indeed, the LA Times later reported that the company had paid the school to install the scheme). By the time the meeting was held, the supplier had pulled the plug on the program, thankful for the notoriety and hoping to avoid the furore destroying any future their product may have had.
By seeing the proposal for what it was, preparing a clear description of it, and setting out on a search for likely allies, one family unleashed a movement via London and Canberra, to Washington and San Francisco, and back into Sutter CA.
It took a total of 17 days for the supplier, fearing a nasty precedent, to withdraw from the scene. That’s the power that individuals have, when they detect privacy-abusive behaviour, and act early and quickly.
ACLU-NC found a sponsor in the Californian legislature to bring a bill before the Senate that would prohibit the State and local governments from issuing identification documents containing a Radio Frequency Identification (RFID) tag. The Identity Information Protection Act of 2005, SB 682, passed the State Senate in May, with broad bipartisan support.
On 28 June 2005, the Bill got through the Assembly’s Judiciary Committee 6-3. But it had already been signficantly amended, with the permanent ban reduced to a 3-year “time-out” and immediate use of the technology allowed in certain cases. In any case, it was anticipated that the Assembly would be hostile, having last year “derailed a proposal for restrictions on the commercial use of … RFID chips” (CNET News, 28 June 2005).
Industry interests did indeed weigh in heavily, and “the Assembly Appropriations Committee, without discussion, shelved the measure for the year, though Sen. Joe Simitian, who has been pushing the proposal, vowed to try to revive it before the Legislature adjourns for the year on Sept. 9” (SiliconValley.com, 26 August 2005).
CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering)