Ask the Experts: Cédric Laurant, Policy Counsel, EPIC
Cédric Laurant is Policy Counsel with the Electronic Privacy Information Center. He concentrates on international privacy issues, comparative policy, as well as the legal aspects of European and US privacy regimes.
What factors have contributed to the news media’s negative portrayal of RFID technology?
Various recent stories in the media have revealed that RFID users have generally not been transparent about how they intend to make use of RFID tags in consumer products and for consumer marketing and tracking purposes, despite consumers’ strong fears about the intrusive surveillance schemes that RFID tags could enable. Some stories even reported that a few consumer product manufacturers and retailers had secretly installed RFID tags on individual consumer products coupled with video surveillance devices, despite repeated assurances by those companies that they had not conducted such tests on consumers.
The RFID industry itself is also aware of the threats to privacy that the development and installation of tags in commonplace items raises. Documents on an RFID technology consortium’s website have shown that the industry was planning a public relations campaign in order to offset public opposition to the pervasive use of RFID technology, while acknowledging that “consumers are very concerned about invasions of their privacy,” are “cynical about the government and private sector’s commitment to protecting privacy,” and are “inclined to believe that businesses have little incentive to protect consumers’ personal information.” The documents detailed how such a campaign may unfold, citing the need for the development of a proactive plan that would “neutralize opposition” and “mitigate possible public backlash.”
Should there be federal legislation limiting the use of RFID technology and the information it is able to gather?
We think it is too early to legislate on RFID tags until an adequate technology assessment has been carried out (see question 3 below) that clearly reveals all potential uses of RFID tags and related risks to consumers’ privacy. This means that RFID technology should not be further implemented in a way that presents risks to consumers’ privacy until that technology assessment has been made.
Legislation would be the best solution if RFID users could not ensure that the guidelines or principles they would choose to abide by make them legally responsible for complying with principles of fair information practice (such as the ones detailed below), and consumers obtain effective judicial redress and compensation mechanisms in case of abuse.
What steps should companies exploring item-level RFID programs take to protect their customers from perceived or actual violations of privacy?
Before companies can implement item-level RFID programs, three steps have to be reached:
- RFID technology must undergo a formal technology assessment to determine which risks the deployment of such technology could raise for consumers’ privacy. This assessment must be made by an independent entity and involve all stakeholders, including consumers.
- RFID implementation must be guided by Principles of Fair Information Practice. The 1980 OECD Privacy Guidelines provide a useful model as minimum guidelines:
  - Openness, or transparency: RFID users must make public their policies and practices involving the use and maintenance of RFID systems, and there should be no secret databases. Individuals have a right to know when products or items in the retail environment contain RFID tags or readers. They also have the right to know the technical specifications of those devices. Labeling must be clearly displayed and easily understood. Any tag reading that occurs in the retail environment must be transparent to all parties. There should be no tag-reading in secret.
  - Purpose specification: RFID users must specify the purposes for which tags and readers are to be used not later than at the time of data collection and the subsequent use must be limited to the fulfillment of those purposes.
  - Collection limitation: the collection of information should be limited to that which is necessary for the purpose at hand.
  - Accountability: RFID users are responsible for implementation of this technology and the associated data. RFID users should be legally responsible for complying with the principles. An accountability mechanism must be established. There must be entities in both industry and government to whom individuals can complain when these provisions have been violated.
  - Security safeguards: there must be security and integrity in transmission, databases, and system access. These should be verified by outside, third-party, publicly disclosed assessment.
- Certain uses of RFID must be flatly prohibited:
  - Merchants must be prohibited from forcing or coercing customers into accepting live or dormant RFID tags in the products they buy.
  - There should be no prohibition on individuals to detect RFID tags and readers and disable tags on items in their possession.
  - RFID must not be used to track individuals absent informed and written consent of the data subject. Human tracking is inappropriate, either directly or indirectly, through clothing, consumer goods, or other items.
  - RFID should never be employed in a fashion to eliminate or reduce anonymity.
We are therefore requesting manufacturers and retailers to agree to a voluntary moratorium on the item-level RFID tagging of consumer items until a formal technology assessment process has been carried out involving all stakeholders.
More information on EPIC’s position on RFID tags is available at http://www.epic.org/privacy/rfid/ and http://www.privacyrights.org/ar/RFIDposition.htm.