New Report on RFID and Privacy

Radio frequency identification remains a hot topic at the crossroads of privacy and technology. In May, the Center for Democracy and Technology, together with several private sector companies and some others, offered a set of privacy best practices for deployment of RFID technology.

Anyone who is considering using RFID in products needs to think about the privacy and consumer issues. The CDT Working Group document is definitely worthy of attention. You can find it at <>.

Signatories include Microsoft, IBM, Eli Lilly and several other generally large companies. The American Library Association and the National Consumers League also signed the document. It's an impressive group, but a little light on the consumer side. More about that in a minute.

The three core principles for privacy best practices are technology neutrality, privacy and security as primary design requirements, and consumer transparency. These are good starting points for a policy.

The detailed best practices are organized under the themes of notice, choice and consent, onward transfer, access and security. The document calls for consumers to receive clear, conspicuous, and concise notice when information, including location information, is collected through an RFID system. Importantly, this includes when information is linked to an individual's personal data either on the RFID tag itself or through a database.

The Working Group does not take a fixed position on the issue of removing or disabling an RFID tag. This isn't a surprise because it is likely that no agreement is possible on this point. Even privacy advocates can't agree among themselves whether killing tags is enough. The best practice is for clear notice to the consumer when there is a removal or deactivation option, and the option must be readily exercisable.

The document explicitly states its limitations. First, the principles target commercial and private sector consumer applications. Uses of RFID by government and in business-to-business contexts are among the applications excluded.

Second, because RFID technology and its uses are still developing, the document identifies itself as an interim draft. Location tracking via RFID tag is something that will require more consideration, for example.

Third, the document says that it is not a blueprint for legislation. That is a fair assessment, but there is always a danger that someone will take a draft and turn it into legislation in a way that wasn't intended. It's an unavoidable risk of developing policy.

One thing apparent from the best practices document is the essential complexity of RFID applications. Simple, clear, unambiguous policy statements won't work. There are too many different ways that RFID can be used. A retailer faces one set of issues, and a healthcare provider faces different issues. RFID tags are tiny, but one size does not fit all when it comes to RFID policy.

One recent application of RFID that benefited from consultations is the State Department's impending use of the technology in passports. Extensive discussions among the department, technologists and privacy groups resulted in a more secure design. I think it is fair to say that all sides, including the State Department, see the result as an improvement, even if it isn't perfect. The CDT best practices paper is clearly premised on the notion that talking helps achieve better outcomes.

CDT is a leading privacy and civil liberties organization focusing on digital issues. However, CDT tends to stand apart from most other privacy groups. CDT works with, and is funded partly by, companies in Internet and technology spaces. CDT also seeks to work with consumer and privacy groups, but many other privacy groups do not want to play in the CDT sandbox. I believe that there is a place for everyone. Different perspectives and methods of operations are appropriate within the privacy community.

I have worked with CDT often, and I find the group to be useful. The RFID best practices document is a good example of a product that seeks to advance the ball without resolving every last question and controversy. The document necessarily contains compromises and uncertainties. It's impossible to find common ground otherwise.

The scope and limits of the RFID document are well-defined. However, CDT does not always do a good job in defining its role for any given project, and that fuels disquiet in the privacy community. It also contributes to the frequent identification of CDT with its funding sources, something that is pervasive and somewhat unfair.

One objection I have is to CDT's misstating of fair information practice (FIPs) principles. It did so in the RFID document by citing choice and consent as a FIP principle. The proper principles are use limitation and purpose specification. CDT's failure to represent FIPs accurately is an inappropriate revision of basic privacy doctrine for any privacy group. The RFID report isn't the only time that CDT has done this. Choice and consent can provide the basis for compromise, but calling them core principles is a distortion.

For those interested in using RFID, the best practices document offers a reasonable analysis and a good starting point for how to think about privacy when implementing a developing technology. Those who fail to address privacy in advance will be forced to do so later in a manner that is more expensive, more controversial and more damaging to reputation.

