RFID Working Guidelines Issued
On May 1, 2006, a collaboration of consumer privacy advocates and industry organizations under the leadership of the Center for Democracy and Technology (CDT) issued an interim draft of Privacy Best Practices for Deployment of RFID Technology. These guidelines are a first step in balancing the concerns of consumer privacy and industry’s use of radio frequency identification (RFID) technology. While privacy is the focus of the guidelines, another major consideration in the use of RFID technology is also touched upon – security.
RFID technology contains three elements: (1) a tag; (2) a reader; and (3) a database. A tag is a microchip that can be placed on goods, labels, or packaging. Tags are active or passive, and each tag has a unique identification number. A passive tag does not have its own power supply; it is powered by the electromagnetic waves of the reader. Active tags have their own power supply and can transmit over much greater distances than passive tags. Readers receive information from tags, and that information can then be transmitted to a database where it is processed and analyzed.
The four main purposes of RFID are: (1) keeping track of objects (such as inventory); (2) keeping track of people; (3) providing services; and (4) serving as an internal component of a product. Because there are different purposes, there are varying degrees of concern regarding privacy and security. Regardless of these differences, one overarching best practice in the guidelines is that “[t]here should be no secret RFID tags or readers.” This concept is referred to as Consumer Transparency in the guidelines.
Two other umbrella concepts in the guidelines are Technology Neutrality and Privacy and Security as Primary Design Requirements. Technology Neutrality is simply a statement that RFID is neither inherently good nor bad. Just as a hammer can be used to build a house or hit a head, RFID can be used for beneficial or harmful uses, depending on how the user implements it. Privacy and Security as Primary Design Requirements encourages users of RFID to incorporate privacy and security considerations as part of their initial design, rather than wait to respond to government regulation or consumer feedback.
The guidelines offer five main best practices to RFID users: (1) notice; (2) choice and consent; (3) onward transfers; (4) access; and (5) security. As noted above, how these best practices should be implemented depends on the level and type of information being collected. Privacy concerns are greatest when personally identifiable information (PII), including location, is being collected. The guidelines use the term “linked information” to refer to an individual’s PII collected on the RFID tag itself or stored in a database.
Notice
Notice should be “clear, conspicuous, and concise.” When PII is collected, the notice should specify several items, including the presence and purpose of RFID, how the information will be used, and whether subsequent and additional uses may occur. Importantly, the notice should also state if the RFID tag can be deactivated or removed. Finally, notice of RFID use is the responsibility of the company with a direct consumer relationship and should be provided prior to completion of the transaction when practicable.
The guidelines expressly state that the notice requirement becomes increasingly discretionary “[a]s the attenuation between PII and RFID identification number becomes greater” because the privacy concerns decrease. Thus, while setting out stringent notice requirements for RFID collecting PII, the guidelines give RFID users the discretion to develop notice policies in accordance with the use.
Choice and Consent
In conjunction with the notice requirement, “consumers should be clearly notified when there is an opportunity to exercise choice” as to either the use of RFID altogether or the use of linked information. Sometimes RFID is used solely to allow a product to function, such as EZ-Pass. In these circumstances, the consumer would not have a choice as to the use of RFID because it is an integral part of the product. On the other hand, when RFID is used for purposes other than the functioning of the device, consumers should be given the opportunity to choose to consent to such uses, preferably prior to completion of the transaction.
Onward Transfers
When RFID users share collected information with third parties or affiliates, contracts between these parties should include a provision requiring the third parties to maintain “a level of protection consistent with or greater than that afforded by the company collecting the information.”
Access
Consumers should have reasonable access to information collected when PII is stored on the tag itself. One rationale provided in the guidelines is that individuals should be afforded the ability to access linked information when an adverse decision, such as the ability to obtain credit, is based on the linked information.
“Government access to linked information should be allowed only upon service of process under applicable law.”
Security
As with the notice requirements, the security requirements vary with the amount of PII collected. The less PII collected, the less security protection is required. Security requirements “should include processes to identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of linked information, and address those risks.”
While the CDT brought together a diverse collaboration in drafting the guidelines – for example, American Library Association, Eli Lilly and Company, Microsoft, National Consumers League, Visa U.S.A. – many agree that these guidelines are the first step in this quickly developing and expanding field. Paula Bruening, staff counsel for CDT, is quoted as stating that these guidelines are called “an interim draft for a reason” and that “[t]here’s a clear sense the guidelines will have to be reconsidered in the future.” Lee Tien, from the Electronic Frontier Foundation, called the guidelines a good “first step,” but said that they provided too much “wiggle room” for industry. Sandy Hughes of Procter and Gamble – a member of the CDT working committee – stated that P&G is “committed to building and retaining consumer trust and that’s why we’ve been at the forefront of establishing clear guidelines for the use of product code technology.”
These guidelines are available at: http://www.cdt.org/privacy/20060501rfid-best-practices.php