Received: 5/12/2008 6:23:41 PM
Organization: David Data, Inc.
Agency: Federal Trade Commission
Rule: Pay on the Go: Consumers and Contactless Payment (Town Hall Meeting)
Comments: Contactless payment technology is a poor idea, and is open to invasion of privacy and fraud. Despite what the industry claims, the RFID chips can be read from quite a distance and are rarely encrypted - those that are suffer from flaws which are well known. The supposed benefit of being able to wave one's card at a reader vs. the 1-2 seconds spent swiping the card through an actual magnetic stripe reader escapes me. Some may claim that mag stripes are often unreadable and that RFID chips don't suffer from "wearing out". That may be true, but I'd rather have my privacy, be protected from fraud and spend an extra minute manually keying in the credit card # than to have to worry about some criminal capturing my code and using it nefariously.

What happens when fraud occurs? Is the consumer to be in the unholy position of proving that THEY had no knowledge of the transaction? What's the ultimate liability of the consumer? As a consumer, I want it to be ZERO, and the only way I guarantee that is by not having RFID chips in my payment cards.

Additionally, RFID chips are a terrorist's wet dream - simply capture an RFID tag code from the target (perhaps by standing next to the person in an elevator w/a reader) and then program a device to detonate when that RFID code enters the area... Such a device could be utilized against specific individuals, a group, or simply anyone with an RFID code...

As RFID readers become more prevalent, it becomes relatively simple to track one's movements through time and space. This information could be used nefariously, subpoenaed by lawyers for a variety of purposes, or mined for purposes as yet unknown by entities both public and private; as a private individual, I don't have to worry about any of this if I simply don't have the chip.

Accuracy of the data collected is also of particular concern: How is one to correct errors when one discovers that they exist? What if the data is being used in a criminal case; what's the presumption in such an instance? Is one entitled to know ALL of the information collected about oneself? Is all the data stored in one location or multiple locations? One location is just asking for attack... Multiple locations can be difficult to secure as well. What happens when that data is stolen?

I fail to see WHY the merchants or anyone need this technology for payment purposes. They already have everything they need, and giving up my privacy and security for a little convenience just isn't worth it.

If the FTC were to lean toward endorsing this technology, I'd implore them to:

* Require consumers to OPT-IN to it.
* Not allow companies or governmental agencies to force consumers to opt-in by increasing costs or fees because they didn't opt-in.
* Require consumers to be able to OPT-OUT at any time after opting in, and require companies or governmental agencies to delete all data within 10 days of opting-out.
* Allow consumers to be provided with a copy of all data, in human-readable form, maintained by any company or governmental agency upon demand, without limitation or cost.
* Require companies or governmental agencies to correct errors in said data within 10 days of being notified by consumers.
* Require companies or governmental agencies to notify consumers of the risks, both actual and potential, in clear, concise, readable, and large font on the OPT-IN form.
* Prohibit sharing of the data without specific written consent by the consumer, and require consumers to OPT-IN to such consent...