(1) CDT-Led Working Group Releases RFID "Best Practices"

A working group led by CDT and made up of some of the nation's largest companies, public interest and consumer advocates earlier this month unveiled a set of "best practices" designed to promote respect for consumer privacy in the growing use of Radio Frequency Identification (RFID) technology in commercial applications.

Released at the RFID Journal Live! conference in Las Vegas, May 1, the document offers guidance for companies that use RFID technology to collect data that can be linked to consumers' personally identifiable information. Drawn from widely accepted principles of "fair information practices," the best practices outline how consumers should be notified about RFID data collection, what choice they should have with regard to the uses and sharing of their own personal information, and how that information should be treated by the companies that collect it.

The document is a milestone in the evolution of RFID technology, offering companies and organizations clear guidance on what steps they should take before putting in place RFID technology that can be linked to personally identifiable information.

In addition to CDT, the American Library Association, aQuantive, Cisco Systems, Eli Lilly and Company, IBM, Intel, Microsoft, the National Consumers League, Procter & Gamble, VeriSign and Visa USA all worked for more than a year to develop the document. Elliot Maxwell, an RFID consultant and fellow with the communications program at Johns Hopkins University also worked on the document.

RFID refers to a broad range of technologies that allow users to track and identify physical items using radio waves. RFID "tags" of various types can be placed on shipping crates, livestock, even clothing, where they can be later identified by RFID readers designed to scan the items at a distance. Many of those applications raise no real privacy concerns, but when the data collected from RFID tags is linked to personally identifiable information, privacy issues can arise. The best practices are geared specifically toward those instances.

The best practices described in the document are based on the fair information principles of notice, consent, access, transfer and security.

RFID Privacy Best Practices: http://www.cdt.org/privacy/20060501rfid-best-practices.php

(2) Best Practices Ideal for Evolving Technology

CDT shares the concern of the privacy community that RFID technology deployed without proper transparency and privacy safeguards could undermine consumer privacy. However, CDT does not believe that passing legislation limiting RFID deployment or imposing privacy rules specific to RFID technology are appropriate responses to those concerns. The best practices document offers a means to address legitimate privacy concerns pertaining to RFID, without hobbling the technology.

Government-imposed mandates on specific technologies can be problematic. Technological advancement typically outpaces the legislative cycle, meaning that technology-specific laws can quickly become obsolete, or worse, become impediments to the natural evolution of technology. Those problems are compounded in the case of newer services or devices, like RFID, that evolve at a much faster pace than more mature technologies.

Although technology-specific legislation is probably not the best way to address the privacy concerns associated with RFID, failing to address those concerns systematically would be equally troubling. As RFID becomes increasingly ubiquitous, the potential for the technology to impinge on personal privacy grows exponentially. As RFID sensors proliferate, the abundance of collection points, and the detail of location data that can be gathered, also increases.

If industry adequately addresses those concerns now, before RFID is widespread in consumer applications, companies may be spared challenge of trying to retrofit RFID systems with appropriate privacy protections after the fact. The best-practices document offers companies a blueprint for those considerations. Drawing on fair information principles, the best practices represent a practical response to the privacy issues that arise when personal information is linked to information collected using RFID.

Of course, the real test of any self-regulatory regime is industry uptake and compliance. But the diversity and size of the organizations that participated in drafting the best practices document gives it a solid basis for widespread discussion and adoption. CDT will encourage all organizations planning to deploy RFID in a consumer context to use the best practices as a starting point.

Because the technology continues to evolve, members of the working group dubbed the first public the release of the best practices an "interim draft." As new technological considerations arise, the RFID working group will review the document to determine whether advances in the technology and its applications require changes to the best practices.

(3) Technology-Neutral Consumer Privacy Legislation Still Needed

While CDT believes that it would not be appropriate to enact legislation specially regulating RFID, technology-neutral consumer privacy legislation should require that uses of the technology in conjunction with personal information be bound by fair information practices.

Many of the privacy concerns that arise from deploying commercial applications of RFID would be eliminated or greatly lessened by the existence of a strong, national consumer privacy law. For many years, the multiple laws to protect personal information held by companies have lagged far behind the technological advances that have allowed those companies to collect, store and share ever greater quantities of their customers' personal data.

State and federal lawmakers have traditionally responded to privacy concerns with laws to address symptomatic problems like data breaches and spyware. But the privacy issues that arise when companies collect personal data, create detailed profiles and use those profiles to track their customers' physical or virtual activities are the same regardless of the technology used. The more appropriate and sustainable solution is legislation that focuses on the information collected rather than the technology used to collect it.

In every case, citizens should be properly notified when their data is collected, given more control over how their data is shared, be allowed to know what information a company has on file about them, be allowed to correct inaccuracies, and be assured that the company collecting their personal information is taking serious steps to protect it from being stolen or compromised. Such a law could provide companies deploying emerging technologies with baseline guidance about appropriate data practices, and consumers with a degree of confidence that their information is being collected and handled responsibly.

Congress was nearing passage of a broad, technology neutral consumer privacy measure before the dot-com bust and the September 11 terrorist attacks. Major technology companies including Microsoft, HP and eBay have signaled their support in principle for consumer privacy legislation, and Congress now appears prepared to restart that debate.

If Congress prevails in passing a strong consumer privacy measure, it will address the fundamental concerns privacy advocates have with RFID technology. In the meantime, the best practices provide clear guidance for companies to deploy RFID in a way that protects consumers.

Source: http://www.cdt.org/publications/policyposts/2006/9


Send your comments and discuss.

Labels: cdt, privacy, rfid, security, tag, technology, tracking

 

RFID Videos