New Report on RFID and Privacy
Radio frequency identification remains a hot topic at the crossroads of privacy and technology. In May, the Center for Democracy and Technology, together with several private sector companies and other organizations, offered a set of privacy best practices for deployment of RFID technology.
Anyone who is considering using RFID in products needs to think about the privacy and consumer issues. The CDT Working Group document is definitely worthy of attention. You can find it at <http://www.cdt.org/privacy/20060501rfid-best-practices.php>.
Signatories include Microsoft, IBM, Eli Lilly and several other generally large companies. The American Library Association and the National Consumers League also signed the document. It's an impressive group, but a little light on the consumer side. More about that in a minute.
The three core principles for privacy best practices are technology neutrality, privacy and security as primary design requirements, and consumer transparency. These are good starting points for a policy.
The detailed best practices are organized under the themes of notice, choice and consent, onward transfer, access and security. The document calls for consumers to receive clear, conspicuous, and concise notice when information, including location information, is collected through an RFID system. Importantly, this includes when information is linked to an individual's personal data either on the RFID tag itself or through a database.
The Working Group does not take a fixed position on the issue of removing or disabling an RFID tag. This isn't a surprise because it is likely that no agreement is possible on this point. Even privacy advocates can't agree among themselves whether killing tags is enough. The best practice is for clear notice to the consumer when there is a removal or deactivation option, and the option must be readily exercisable.
The document explicitly states its limitations. First, the principles target commercial and private sector consumer applications. Use of RFID by government and in business-to-business contexts is among the applications excluded.
Second, because RFID technology and its uses are still developing, the document identifies itself as an interim draft. Location tracking via RFID tag is something that will require more consideration, for example.
Third, the document says that it is not a blueprint for legislation. That is a fair assessment, but there is always a danger that someone will take a draft and turn it into legislation in a way that wasn't intended. It's an unavoidable risk of developing policy.
One thing apparent from the best practices document is the essential complexity of RFID applications. Simple, clear, unambiguous policy statements won't work. There are too many different ways that RFID can be used. A retailer faces one set of issues, and a healthcare provider faces different issues. RFID tags are tiny, but one size does not fit all when it comes to RFID policy.
One recent application of RFID that benefited from consultations is the State Department's impending use of the technology in passports. Extensive discussions among the department, technologists and privacy groups resulted in a more secure design. I think it is fair to say that all sides, including the State Department, see the result as an improvement, even if it isn't perfect. The CDT best practices paper is clearly premised on the notion that talking helps achieve better outcomes.
CDT is a leading privacy and civil liberties organization focusing on digital issues. However, CDT tends to stand apart from most other privacy groups. CDT works with, and is funded partly by, companies in Internet and technology spaces. CDT also seeks to work with consumer and privacy groups, but many other privacy groups do not want to play in the CDT sandbox. I believe that there is a place for everyone. Different perspectives and methods of operations are appropriate within the privacy community.
I have worked with CDT often, and I find the group to be useful. The RFID best practices document is a good example of a product that seeks to advance the ball without resolving every last question and controversy. The document necessarily contains compromises and uncertainties. It's impossible to find common ground otherwise.
The scope and limits of the RFID document are well-defined. However, CDT does not always do a good job in defining its role for any given project, and that fuels disquiet in the privacy community. It also contributes to the frequent identification of CDT with its funding sources, something that is pervasive and somewhat unfair.
One objection I have is to CDT's misstating of the fair information practices (FIPs). It did so in the RFID document by citing choice and consent as a FIPs principle. The proper principles are use limitation and purpose specification. CDT's failure to represent FIPs accurately is an inappropriate revision of basic privacy doctrine for any privacy group. The RFID report isn't the only time that CDT has done this. Choice and consent can provide the basis for compromise, but calling them core principles is a distortion.
For those interested in using RFID, the best practices document offers a reasonable analysis and a good starting point for how to think about privacy when implementing a developing technology. Those who fail to address privacy in advance will be forced to do so later in a manner that is more expensive, more controversial and more damaging to reputation.