As anxiety grows about the potential threat to data privacy posed by the increasing use of Radio Frequency Identification (‘RFiD’) tags, a group of major brand owners including IBM, Procter & Gamble, Microsoft and Visa has published Guidelines for the Prevention of RFiD misuse.
Topic: Privacy
Who: The Centre for Democracy and Technology
Where: Las Vegas, Nevada
When: May 2006
What happened:
Whilst the European Commission umms and aahs its way through a flurry of workshops on the potential privacy issues raised by the use of Radio Frequency Identification Devices (RFID), a working group led by the Centre of Democracy and Technology has bitten the bullet and produced a set of RFID best practice guidelines. The working group consisted of a variety of players, including major brand owners such as IBM, Visa USA, Intel and Procter and Gamble, and the American Library Association and National Consumers League.
RFID is a generic term for technologies that use radio waves to automatically identify and track physical items. As far as the science goes, an RFID system consists of a tag, which is made up of a microchip with an antenna, and an interrogator or reader with an antenna. The reader sends out electromagnetic waves, which the reader tag antenna is tuned to receive.
RFID tags can be used on shipping crates, warehouses and even livestock and they can later be scanned and identified at a distance by RFID readers. RFID technology offers a number of potential benefits. For example, by using an Electronic Product Code (EPC), EPC tags can identify each item manufactured; bar codes today can only identify the manufacturer and the class of products. This would make it easier to remove perishables that are past their expiry date or defective products that need to be recalled. It has also been suggested that RFID can dramatically reduce human error; instead of typing information into a database or scanning the wrong bar code, goods will communicate directly with inventory systems.
All sound good so far…?
When these highly effective tags are attached to personally identifiable information (PII), consumer privacy issues arise. In particular:
- Will the purchaser of an item containing a tag be aware of the presence of the tag, or be able to remove or deactivate it?
- Can the tag be read at a distance without the knowledge of the individual?
- If a tagged item is paid for by credit card, will it be possible to tie the unique product ID to the identity details of the purchaser?
The versatility, rapid development and increasing use of RFID have necessitated guidelines that address the consumer's concern regarding privacy. These guidelines are designed to identify situations where the tags are linked to PII and lays out the best practice approach for consumers, policy makers and developers alike, based on established data privacy principles of notice, consent, access, transfer and security. The working group discovered that, while many of these established principles could be applied to any system of information collection and storage, the novel RFID technology posed its own challenges.
In summary:
Notice
- Consumers should be provided with clear, conspicuous and concise notice when information, including location information, is collected through an RFID system and linked, or is intended to be linked, to the individual's PII in any way.
- The notice should contain details relating to the how the data will be used and other information, such as, whether the RFID tag can be removed or deactivated.
- In general, the commercial entity, which has the direct relationship with the consumer, is responsible for providing the notice and must give good faith consideration to the likelihood of linkage between PII and/or location information, and the RFID identification number, in determining whether notice is necessary
- Consumers should be notified when entering a commercial or public environment where RFID technology is in use.
Choice and consent
- The consumer should be informed in a clear, conspicuous and concise manner when there is an option to remove, deactivate, or destroy a tag and, when such an option is available, how the option can be exercised.
- By exercising choice to remove, de-activate or destroy a tag, the consumer's ability to return an item, benefit from a warranty, or benefit from the protections of local law should not be compromised.
- Where the consumer's information is used to enable the performance of the device purchased by the consumer or to facilitate the completion of the commercial entity's business transaction with the consumer, the consumer's consent regarding the use of its PII need not be solicited. In all other cases the consumer should be notified and given the opportunity to consent to such use.
Onward transfer
- Wherever practicable, a company collecting PII should contractually oblige all companies with which it shares PII to treat the transferred PII to a level of protection, which is either consistent to or greater than that afforded by the collecting company.
Access
- As a general principle, where it is practical, consumers should be provided with reasonable access to PII, including location information collected using RFID technology.
- In particular, if an individual receives an adverse decision based on her or his linked information, she/he should be given access to the information.
Security
- Companies should exercise reasonable and appropriate efforts to secure RFID tags, readers, and, any corollary linked information from unauthorised reading, logging and tracking, and loss or tampering.
- Companies should establish and maintain an information security program in keeping with industry standards, appropriate to the amount and sensitivity of the information stored on their system.
- In order to enhance the security of information that may be transmitted between tags and the reader, the information stored on RFID tags should be minimised.
Why it matters:
The tracking technology that RFID offers could be an invaluable tool for marketers. According to an analyst at the Butler Group: "I can see RFID eventually appearing in the consumer arena – for example, to tag cereal packages, to speed up responses to promotions, linked to mobiles, to get instant feedback".
However, the combination of both PII and location data raises serious issues regarding security. To put this into context, there are suggestions that RFID tags may be linked to National ID cards. Consumers and legislators are understandably concerned about the more sinister purposes for which this 'big brother' technology can be used.
Viviane Reding, the Information and Media Commissioner, said "we need to build a society-wide consensus on the future of RFID, and the need for credible safeguards. We must harness the technology and create the right opportunities for its use for the wider public good." The results of the European Commission's workshops will be published in September and could lead to revisions to the ePrivacy Directive.
We will keep you posted as to how the Commission proposes to strike the balance!