Best privacy practices for RFID

A working group of corporate giants including Microsoft, IBM, Proctor & Gamble, as well as consumer bodies, have agreed and published a set of best practices designed to promote respect for consumer privacy in the growing use of RFID technology.

RFID (Radio Frequency Identification) refers to a broad range of technologies that allow users to track and identify physical items using radio waves. RFID "tags" of various types can be placed on shipping crates, livestock, even clothing, where they can be later identified by RFID readers designed to scan the items at a distance. Many of those applications raise no real privacy concerns, but when the data collected from RFID tags is linked to personally identifiable information, privacy issues can arise. The best practices are geared specifically toward those instances.

This week's publication offers guidance for companies that use RFID technology to collect data that can be linked to consumers' personally identifiable information. Drawn largely from widely accepted principles of "fair information practices," the best practices outline how consumers should be notified about RFID data collection, what choice they should have with regard to their own personal information, and how that information should be treated by the companies that collect it.

"This is one of the most important steps yet taken to ensure that developing RFID technology is not deployed in a manner that threatens the privacy of individuals," said Paula Bruening, staff counsel for the Center for Democracy &Technology (CDT) which led the working group. "This document establishes a carefully crafted balance: recognizing the core privacy needs of citizens while acknowledging that early-stage technology needs the flexibility to change as it evolves."

The compromise struck in the document is remarkable considering the diversity of the organisations participating in the working group. In addition to CDT, the American Library Association, aQuantive, Cisco Systems, Eli Lilly and Company, IBM, Intel, Microsoft, the National Consumers League, Procter & Gamble, VeriSign and Visa USA all worked for more than a year to develop the document, a first of its kind for RFID technology.

Identifying situations in which information linkage may raise concerns, the document lays out clear responses based on the fair information principles of notice, consent, access, transfer and security.

"RFID is a fast-evolving technology that may soon become ubiquitous in our lives," said Bruening. "While it offers great promise, it also raises serious privacy concerns."

She described the document as "a vital first step toward addressing those concerns in a manner that respects the pace and uncertainty of technological advancement."

The document will be treated as a draft that can be updated to respond to changes in the way RFID functions and is deployed, according to the working group.