As the use of RFID technology increases, so do the concerns from consumer privacy advocates. A trade group recently unveiled a set of best practices that they say promotes respect for consumer privacy, but at least one group calls the guidance a ruse.
“This is like asking foxes to make up rules for the hen-house,” says Liz McIntyre, co-author of “Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID.”
The Center for Democracy & Technology said its document offers guidance for companies that use RFID technology to collect data that can be linked to consumers’ personally identifiable information. It said the best practices outline how consumers should be notified about RFID data collection, what choice they should have with regard to their own personal information, and how that information should be treated by the companies that collect it.
“This is one of the most important steps yet taken to ensure that developing RFID technology is not deployed in a manner that threatens the privacy of individuals,” said Paula Bruening, staff counsel for the CDT, which led the working group.
“This document establishes a carefully crafted balance: recognizing the core privacy needs of citizens while acknowledging that early-stage technology needs the flexibility to change as it evolves,” Bruening said.
CDT’s roster includes the American Library Association, aQuantive, Cisco Systems Inc., Eli Lilly and Co., IBM Corp., Intel Corp., Microsoft Corp., the National Consumers League, Procter & Gamble, VeriSign Inc. and Visa USA, all of whom worked for more than a year to develop the document.
“This is a who’s who of spychippers,” remarked McIntyre. “Many of these companies have very bad plans for RFID on the books, on their patent applications, which are a matter of public record. Yet, they want consumers to believe that they will respect their privacy. This is nothing more than a PR stunt. There are not any serious privacy organizations on board, and frankly, this document just doesn’t hold water. So what if a bunch of companies agree to a few guidances-it doesn’t mean they will actually behave responsibly. All it means is that they want you to think that they will.”
McIntyre said that in order to protect people’s privacy, legislative measures are needed to control the use of RFID technology.
The CDT explained that RFID tags of various types can be placed on shipping crates, livestock, even clothing, where they can be later identified by RFID readers designed to scan the items at a distance. The CDT said many of those applications raise no real privacy concerns unless the data collected from RFID tags is linked to personally identifiable information. The group says its new document lays out clear responses based on the fair information principles of notice, consent, access, transfer and security.
“RFID is a fast-evolving technology that may soon become ubiquitous in our lives,” Bruening said. “While it offers great promise, it also raises serious privacy concerns. This document is a vital first step toward addressing those concerns in a manner that respects the pace and uncertainty of technological advancement.”
McIntyre disagrees, pointing out that item-level tagging is on the rise even though more than 40 of the world’s leading privacy and civil liberties organizations have called for a moratorium on the practice. The quandary is that the only way to know whether an RFID tag is active or passive is to scan the tag with an RFID reader, but the only people who have the readers are the people who put the RFID tag into the merchandise in the first place. Consumers, unless they have RFID readers for all the various brands and types of RFID tags, have no way of knowing whether their privacy is being invaded through RFID tracking or not.
In late April, McIntyre uncovered information about Levi Strauss & Co.’s plan to place external RFID hang-tags on Dockers pants and Levi’s jeans as part of a test in a specific market in the United States, but the company declined to identify the test market.
“RFID is tracking technology, and it shouldn’t be attached to our clothing,” McIntyre said.
Much of the clothing at Gap Inc. stores contains RFID tags sewn into the seams. When asked about its use of RFID tags, a Gap spokesperson said: “The tag only has capabilities as an anti-theft device and is deactivated once a purchase has been made. Our store associates advise customers to remove the tags before wearing, and the tags are very visible with specific instructions telling customers to remove the tags.”
Perhaps consumers should wonder why The Gap doesn’t just train its store associates to cut off the tags once a purchase is made.
