Privacy as an afterthought

Yet another group has seized on radio frequency identification as the solution to one of its problems while carefully avoiding even thinking about the privacy aspects. This time it's the U.S. Food and Drug Administration, which should know better.

Yet another group has seized on radio frequency identification as the solution to one of its problems while carefully avoiding even thinking about the privacy aspects. This time it's the U.S. Food and Drug Administration, which should know better.

The FDA has been concerned with the potential problem of counterfeit drugs for quite a while. It does not think there is currently too much of a problem in the U.S. (other than when people buy their performance-enhancing and other pills from Internet-based drug distributors), but is worried about what the future might bring. You might have noticed that the FDA has used the potential of counterfeit drugs as one of its main arguments against letting people (and cities and states) import drugs from Canada. This is a big issue for the organization.

The FDA created an internal (not public) Counterfeit Drugs Task Force last July to look into some aspects of the issue. After holding some public meetings and visiting various relevant sites, the task force published an interim report in October. A final report was published in mid-February that takes into account comments the task force received during the process (see the FDA counterfeit drugs site).

The final report explores and mostly dismisses a number of alternative ways to reduce the possibility that counterfeit drugs will reach consumers but then goes all weak-kneed about the potential for RFID tags to mostly solve the problem. The group does acknowledge "there is no single 'magic bullet' technology" that will do the trick, but seems to forget that when it talks about how RFID can be used to track "all drugs" from producer to consumer.

The FDA proposes to subject the drug industry to "mass serialization" (I'll forgo referring to the images that come to mind when I read that term). The organization wants to assign a unique number to every "pallet, case and package" of drugs, and use that number "to record information about all transactions involving the product." The FDA says this "would allow each drug purchaser to immediately determine a drug's authenticity, where it was intended for sale and whether it was previously dispensed." In other words, the agency wants to create a vast database of the life history of each bottle of pills.

Sadly, but not unexpectedly, the word "privacy" appears only once in the 16,000-word report. That one reference reads "lastly, stakeholders will need to ensure that they comply with the patient privacy provisions of the Health Insurance Portability and Accountability Act." That admonition does not exactly show any real thought was given to the privacy ramifications of such a database.

I expect few people would be happy to know that a full history of all the drugs they and their family have ever used will be sitting waiting for the hacker, dishonest employee or insurance company to peruse and publicize. I'm not all that sure that the pharmaceutical industry, which has voiced strong support, really wants investigators to be able to find out how to shut down the vast black market in drugs or to be able to clamp down on unapproved uses for their products. This would cut down significantly on their profits.

Just a terse listing of the privacy issues with this proposal would be longer than the FDA report. I hope somehow the FDA gets the message. The press has not; Google News finds no stories about this report that mention privacy.

Disclaimer: Harvard folk tend to be better at sending than getting messages, but the above message is mine, not the university's.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2004 IDG Communications, Inc.