Privacy protection paramount with RFID

David Canton - For the London Free Press - June 10, 2006 Read this on Canoe

Radio frequency identification is used in various technologies that use radio waves to identify people or objects. RFID has practical applications that can be of benefit to consumers, businesses and government, but also raises privacy concerns when its use enables parties to obtain personally identifiable information.

Many of us have already used RFID technology for things such as opening parking garage gates, office building locks or to buy gas.

A group of businesses and consumer advocates have recently developed a guideline designed to promote consumer privacy in the implementation of RFID.

An RFID tag is a small object that can be attached or incorporated into a product, animal or person. RFID tags contain microchips and antennas to receive and respond to radio-frequency queries from an RFID transceiver. The reader can be mere inches or several feet away, depending on the technology used.

RFID can be used to keep track of objects, or people, providing services or as an internal component of a product or device. RFID systems can be used just about anywhere, from clothing tags to missiles to pet tags to food — anywhere a unique identification system is needed.

For example, RFID systems are being used in some hospitals to track a patient’s location and to keep track of the location of doctors, nurses and expensive equipment. RFID tags can also be injected in animals – or even people — through a syringe. In the future, it is expected that RFID will be attached to consumer products in order to track the products from manufacturer to a store and right to the consumer’s home.

RFID raises privacy concerns, particularly when its use enables parties to obtain personally identifiable information, such as a person’s location, what products a person has, what services a person uses, or many other possibilities.

Representatives from various consumer groups and businesses, including Microsoft and IBM, under the leadership of the Center for Democracy and Technology (CDT), recently undertook an extensive analysis of RFID and developed guidelines on use of the technology in an effort to address privacy concerns and reduce concerns about using it.

The CDT guidelines are based upon three general principles that can be applied to allay privacy concerns on RFID technology.

The first principle is that of technology neutrality. This principle states that RFID technology in and of itself does not pose threats to privacy, but rather that privacy breaches occur when RFID technology is deployed in an irresponsible way that does not promote privacy protection.

The second principle urges the concept of privacy and security as primary design requirements. It states that privacy and security must be addressed as part of the initial design of the technology, rather than retrofitting RFID systems to respond to privacy and security concerns.

The third principle relates to consumer transparency. It says there should be no secret RFID tags or readers and that use of the technology should be as transparent as possible. Notice to consumers is an essential element of this, but the guidelines go further to say that notice must be supplemented by thoughtful, robust implementation of responsible information practices. Consumers should be given clear, conspicuous and concise notice when information is collected through an RFID system.

While RFID technology may benefit the consumer, the businessperson and the government alike, privacy and security are essential issues that must be addressed. Even the perception that privacy problems exist with the technology will make it hard to implement the technology in consumer applications.