RFIDs: Getting Personal
IT.Can 2006 Annual Conference
Teresa Scassa (Professor, Dalhousie Law School)
John D. Gregory (Policy Division, Ministry of the Attorney General – Ontario)
What are RFIDs?
Radio-Frequency Identification devices send signals from the
device to a “reader” or “scanner”. They have been around in one form or
another since the mid-20th century. Recent reductions in their size and cost
have multiplied their potential uses.
RFIDs may be active or passive. Active RFIDs have their own power source and
can carry more information; passive devices have no power source of their own
and respond to a reader’s signal with a smaller amount of information. Passive
tags are smaller and cheaper than active ones.
The tags or devices can carry any information that the
designers of the system choose, within the (expanding) technical limits of the
devices. Thus they can include product descriptions, biometric information for
personal use, provenance data, and more.
Where are RFIDs?
The most frequent use of RFIDs today is in inventory
control, as a replacement for bar codes (UPC, universal product codes). RFIDs
embedded in packages of goods or pallets of boxes of goods can be read by a
scanner without actual physical contact. This allows inventory control, for
example, by a simple radio signal from the aisles of a warehouse. It is
anticipated that in the next few years, RFIDs may be incorporated into each
individual product, giving a much finer control over inventory.
Another common use of RFIDs is as a payment device, either
to signal a transaction that reduces an account, or to create a debt that is
collected by other means (such as a later invoice). Some examples are the
transponders used to levy tolls automatically on highways like Highway 407 north
of Toronto, the cards used to pay tolls on the Macdonald Bridge between Halifax
and Dartmouth, and the SpeedPass that Imperial Oil customers can use to pay for
gas at the station.
Related to this last use are RFIDs used for building
security, often in the form of an employee identity badge or card that is used
to get access to buildings or areas in buildings. There are many such uses
within the government of Ontario and among private employers.
Other security uses include a child-, pet- or
object-finder. Many personal pets are today outfitted with a microchip under
their skin, readable by police or veterinarians, to help recover lost or stolen
animals. A more frivolous use has recently been tried in Spain, where members
of a social club have had tags implanted under the skin of their arms, in order
to facilitate entry to the club premises at crowded hours.
At the individual level, a recently advertised system includes a reader; a pair
of active RFIDs with a ‘panic button’ that can be worn by a child or other
vulnerable person, who can signal the ‘home’ station (usually a responsible
adult) in case of doubt or emergency; and some passive tags that let the holder
of the scanner find the objects (car keys, glasses) to which they are attached.
Combining security with inventory control, it is
contemplated that RFID tags could be inserted into all cattle, so that any
individual that is found to carry mad-cow disease can be properly traced to its
origin, including its history from origin to diagnosis.
The public health aspect of this use shows that RFIDs can
straddle the public/private sector border. So does the procurement of inventory
from private sellers by public buyers, such as in the US Department of Defense.
While public sector uses are strictly speaking beyond the scope of this paper,
which focuses on commercial applications, one may mention in passing the use of
RFIDs in US and other countries’ passports and in European currency as an
anti-counterfeiting measure, not to mention the more prosaic library-book
security systems.
In short, the uses are limited by imagination as much as by
the technology, and are bound to expand over time.
Privacy issues
Clearly some of the uses of RFIDs raise few if any privacy
concerns, while others either fall within current privacy legislation or appear
to require a policy or legislative framework to protect privacy interests.
There are two categories of concern:
· Tag-centred concerns: These are based on the presence of tags and
their being read, either knowingly or not, and either with authority of the
person whose information is collected or not. The concerns arise when RFIDs are
used to track products in the hands of consumers, to monitor their use, to
follow the consumer, to associate the purchase of one product with others. This
can happen in digital shopping registers, but also through the use of loyalty
cards or some credit cards, which allow “neutral” product information to be
associated with information attached or attachable to a particular person. At
that point all the information becomes “personal information” within the meaning
of much privacy legislation.
· Data collection concerns: These focus on the matching of data
from RFID tags with other data. This concern is related to the concern above
about retail data collection, but considers the resulting databases and their
use and potential disclosure, as well as the process of collection. Once the
information is in a database, concerns arise as well about the risk of illicit
access to those data or public-sector compulsory access, as well as about their
intended application. The more the RFID devices in different products are
interoperable, the easier it will be to compile the information from all of them
into comprehensive databases.
Privacy law
The basic law in Canada on commercial uses of personal
information is the Personal Information Protection and Electronic Documents
Act (Canada) – PIPEDA. Quebec, Alberta and British Columbia have their own
legislation that operates instead of PIPEDA for provincial purposes within those
provinces. Ontario and others have personal health information protection laws
instead or as well. The current brief overview does not purport to raise, much
less dispose of, all the possible applications of these statutes.
PIPEDA limits the collection, use and disclosure of
personal information by organizations in the course of “commercial activity”.
Any such actions must be reasonable, and must also comply with the statutory
rules themselves. On the other hand, PIPEDA implicitly authorizes a balance
between the privacy interests of individuals about their information and the
commercial usefulness of that information. Just where certain uses of RFIDs
will be held to fall is open to discussion.
The clearest case of applicability of PIPEDA would be the
collection of information from RFIDs on consumer products and the linking of
this information to data about the purchaser, taken from vendor records or
loyalty card records. Assuming that the collection and the desired uses of the
information were reasonable, the Act requires that the collection and use be
done only with the informed consent of the individual.
It is possible that the process of applying for the loyalty
card could give an opportunity to secure the consent of the applicant. It is
arguable that more detail would be needed, especially at the time of the
collection. People may need to know what products have RFIDs in them, and when
the information is being read, as well as when it is collected (and ultimately
used). They arguably need to know that the information can be collected
remotely and without their being aware of it at the time. The relation between
the loyalty card and the RFID needs to be spelled out.
These basic principles are relatively easy to apply but may
not go far enough to relieve legitimate concerns of legal policy or real
reservations of potential customers that merchants will not want to alienate.
What else might be done?
It is not just the merchant or loyalty-card issuer who may
collect the information. Product manufacturers may have their own scanners in
the store to collect information about the movement of their products. Again,
if the information is not linked to people, this is not problematic, but if it
is – say a picture is taken when the product is moved – then privacy law is
invoked.
Interesting questions arise about implied consent: if
customers know that goods contain RFIDs, does their purchase of the goods imply
consent to the collection of the information in the products, and association
with the purchasers? It would be bold to assert this without a good deal of
express notice, and arguably even with such notice.
Privacy policy
The law is sometimes said to protect reasonable
expectations of privacy. Here as elsewhere, this protection should not be
subject to whittling away because technology is known to reduce privacy, and
thus people’s reasonable expectation of it. Otherwise technology will
ultimately rule, regardless of how people feel about it or what uses of personal
information the technology enables.
Thus it may be that legislation is needed to ensure that
the legal principles in our law now will cover the uses that the technology will
provide in the foreseeable future. One could legislate that private deployment
of RFIDs would require a privacy impact assessment as a pre-condition, though
the content of such an assessment and the enforcement of such an obligation may
raise problems.
For example, the ability to control the uses of one’s
information may require, or urge, the ability to deactivate the RFIDs on
purchase. However, sometimes the vendors or merchants find it useful to have an
active tag in order to authorize warranty service or return of goods (one can
verify that the product came from that vendor). At present tags cannot be turned
off and on at will. It is possible that such technology will be developed.
Can or should legislation focus on the technology itself,
banning certain results or techniques or promoting others? It is a commonplace
that systems should be designed to support privacy (and privacy concerns arise
because of the systems in which RFIDs are used, not just because the devices
themselves have particular capacities). It is difficult to retrofit privacy
into a system that was not built to protect it.
At what point is it useful to legislate the capacity of a
device, or the capacity of a system for using devices, and at what point does
such legislation simply impede the development of the technology itself? How
legitimate are objections to legislated standards based on the presumed or
anticipated costs of building the system one way rather than another?
For example, California Governor Schwarzenegger recently
vetoed a bill that would have addressed a number of privacy and security
concerns associated with the use of RFIDs. His rationale for vetoing the bill
was reportedly that it was premature. He did not want California legislation to
conflict with national standards, which he anticipated would be enacted in
relation to identification documents. Further, he expressed concerns about the
effect that the bill would have had on state agencies in the process of using
RFID technology to streamline operations.
And how widespread does a legislated standard have to be in
order to create a functioning market for privacy-respecting technology? A
patchwork of inconsistent rules will not promote development of the industry.
Are there risks that such standards might create a backwater that does not enjoy
innovation while other less restricted jurisdictions see a flowering of
technology that manages to respect privacy as well, but in unexpected ways that
legislators could not predict?
This is to some extent an argument for technology
neutrality in policy development and in legislation, to some extent for humility
in drafting, and to some extent nevertheless an appeal to the courage of one’s
principles.
Best practices
Sometimes legislation will not be appropriate, either
because the technology is not sufficiently developed, or because the threats to
privacy are not direct. But in such cases, or even where legislation may be
pending, the users of RFIDs may nevertheless wish to show that they respect
privacy for reasons of customer relations or even sound principle.
In cases where RFID tags are used strictly in inventory
control, and the product information is not associated with personal
information, it may be appropriate to calm customers’ nervousness by making the
RFID system explicit: give notice that the tags are present, identify the
readers, tell people how they work, give options for deactivating tags in
purchased goods or for removing the tags (ensuring that they are affixed in ways
that permit this without damage to the goods, obviously). Merchants could
deactivate the tags at checkout as a practice, unless the customers choose the
contrary. Some of these are arguably beyond the scope of information needed to
support a valid consent under privacy law.
It seems likely that a common identification label will be
developed to indicate the presence of RFID tags, just as there are common labels
for certain hazardous products, or for washing instructions, or for composition
of some products. Whether the use of such labels would be required by
legislation or just adopted by merchants as a marketing advantage like other
sound privacy policies, time will tell.
Merchants could limit their own uses, and say so: no
collecting data before or after a transaction, no tracking of customers in the
store by the RFIDs on products they are buying or have bought, no collection of
data from tags on the customer’s person, limited storage of the personal
information, no sharing of information. They could have someone on the premises
to explain the technology or answer questions, including about the nature of the
information collected, its proposed use, and the rights of the individuals with
respect to it. They should keep the information in the tags and readers and the
communications between the two devices secure and confidential. Some of these
practices are arguably required by law, in the absence of consent, but merchants
who limit themselves rather than seeking broad consent may benefit from
goodwill.
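The two earlier points, that “neutral” product reads become personal information only once they are linked to a loyalty card (see the tag-centred concerns above), and the merchant self-limits just listed (no collection before or after a transaction, no tracking through the store, no reads from tags on the customer’s person, deactivation at checkout), can be made concrete in a store-side policy routine. The following is an added example written for this page, not code from the paper or from any RFID vendor; the tag identifiers, loyalty number, reader names and timestamps are all constructed, and the deactivation step is modelled as a decision rather than a real “kill” command.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class TagRead:
    tag_id: str         # tag identifier (constructed values below)
    reader: str         # reader that saw the tag, e.g. "aisle-3" or "checkout-1"
    seen_at: datetime


@dataclass
class Transaction:
    basket: set                       # tag ids of the goods actually being purchased
    started_at: datetime
    ended_at: datetime
    loyalty_id: Optional[str] = None  # None when no loyalty card is presented
    consent_to_link: bool = False     # explicit consent to link purchases to the card
    keep_tags_active: bool = False    # customer opted out of deactivation (e.g. for warranty)


@dataclass
class RetainedRecord:
    tag_id: str
    loyalty_id: Optional[str]         # None => product-level record only


def is_personal_information(rec: RetainedRecord) -> bool:
    """A product read becomes personal information once it is tied to a person."""
    return rec.loyalty_id is not None


def process_checkout(reads, tx):
    """Apply the merchant's self-limits to the reads seen during a visit.

    Returns (retained, deactivated, dropped): records the store keeps, tag ids
    deactivated at checkout, and (read, reason) pairs for everything discarded.
    """
    retained, dropped = [], []
    for r in reads:
        if not (tx.started_at <= r.seen_at <= tx.ended_at):
            dropped.append((r, "outside transaction window"))   # no collection before/after
            continue
        if not r.reader.startswith("checkout"):
            dropped.append((r, "non-checkout reader"))          # no tracking through the store
            continue
        if r.tag_id not in tx.basket:
            dropped.append((r, "tag not in basket"))            # tag on the customer's person
            continue
        # link to the loyalty card only when a card was presented AND consent was recorded
        link = tx.loyalty_id if (tx.loyalty_id and tx.consent_to_link) else None
        retained.append(RetainedRecord(r.tag_id, link))
    # deactivate purchased tags by default, unless the customer chose otherwise
    deactivated = set() if tx.keep_tags_active else set(tx.basket)
    return retained, deactivated, dropped


def sample_run(consent_to_link=False):
    """Constructed visit: two purchased items, one aisle read before checkout,
    one tag the customer carried in (a coat bought earlier), one read after."""
    t = datetime(2006, 10, 1, 12, 0)
    tx = Transaction(
        basket={"TAG-0001", "TAG-0002"},
        started_at=t + timedelta(minutes=10),
        ended_at=t + timedelta(minutes=12),
        loyalty_id="LOYALTY-42",
        consent_to_link=consent_to_link,
    )
    reads = [
        TagRead("TAG-0001", "aisle-3", t + timedelta(minutes=2)),      # browsing, before checkout
        TagRead("TAG-0001", "checkout-1", t + timedelta(minutes=11)),
        TagRead("TAG-0002", "checkout-1", t + timedelta(minutes=11)),
        TagRead("TAG-9999", "checkout-1", t + timedelta(minutes=11)),  # coat bought last month
        TagRead("TAG-0002", "exit-door", t + timedelta(minutes=15)),   # after the transaction
    ]
    return process_checkout(reads, tx)


if __name__ == "__main__":
    retained, deactivated, dropped = sample_run()
    for rec in retained:
        print(rec, "personal information:", is_personal_information(rec))
    print("deactivated at checkout:", sorted(deactivated))
    for r, why in dropped:
        print("dropped", r.tag_id, "from", r.reader, "->", why)
```

Run with `consent_to_link=False` the store keeps only two product-level records with no person attached; run with `consent_to_link=True` the same two records carry the loyalty number and `is_personal_information` becomes true for both, which is the point at which PIPEDA’s consent requirement is engaged. The aisle and exit-door reads and the read of the coat’s tag are discarded regardless of consent, because the merchant has chosen not to collect them at all rather than to rely on a broad consent.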
The legal consent to the collection and use of personal
information may satisfy the law, but the desirability of deactivation or removal
may remain. This too could constitute a “best practice”, one adopted by
open-minded merchants though beyond their legal obligation.
The role of public and not-for-profit sector privacy
advocates in educating the public is important, too. Many of the guidelines and
best practices in this field come from such sources today, and this is likely to
continue. Reliable independent sources of information about the technology as
it evolves are crucial to public confidence and ultimately acceptance of RFIDs.
Conclusions
The deployment of RFIDs and their increasing capacities
make their growing impact on privacy inevitable. As with any new technology,
the application of current law to the novel situations will take some time and
analysis, and the real deficiencies of the law to deal with novelty will become
apparent.
Here as elsewhere in legislating with respect to evolving
technology, legislators must take care not to foreclose promising or profitable
developments by overly narrow concepts of how to solve privacy problems.
For this reason many privacy advocates in Canada and
elsewhere have focused on non-legislative recommendations. Just as privacy
principles – “fair information practices” – are very widely accepted, so too it
appears that best practices with respect to RFIDs are becoming harmonized. One
sees the same ideas across many borders.
There will no doubt be inconveniences, worries and even
battles, but it is not at all clear that privacy will have to be a victim of
RFID technology.
Sources
Much of the discussion of the privacy implications of RFIDs
turns on how one applies the known principles of the law, the codes, and the
fair information practices to the technology, or how the technology may invoke
the principles or threaten them. The following discussions explain the
interaction between technology and principle as well as recommend how to protect
the principles in the face of the technology.
Scassa, Chiasson, Deturbide, Uteck, An Analysis of Legal and Technological Privacy Implications of Radio Frequency Identification Technologies, prepared for the Privacy Commissioner of Canada, April 2006.
Privacy Commissioner of Canada, Fact Sheet: RFID Technology, February 23, 2006.
Information and Privacy Commissioner (ON), Tag, You’re It: Privacy Implications of Radio Frequency Identification (RFID) Technology, February 2004.
- Privacy Guidelines for RFID Information Systems (RFID Privacy Guidelines), June 2006.
- Practical Tips for Implementing RFID Privacy Guidelines, June 2006.
Information Commissioner’s Office (United Kingdom), Data Protection Technical Guidance, Radio Frequency Identification, August 2006.
OECD, Radio-Frequency Identification (RFID): Drivers, Challenges and Public Policy Considerations, February 2006.
EU Working Party 29, Working Document on data protection issues related to RFID technology (10107/05/EN/WP 105), January 2005.
- Results of the Public Consultation on Article 29 Working Document on Data Protection Issues Related to RFID Technology (1670/05/EN/WP 111), September 2005.
Electronic Frontier Foundation, Radio Frequency Identification (RFID).
Electronic Privacy Information Center (EPIC), Radio Frequency Identification (RFID) Systems.
EPC Global, RFID Implementation Cookbook, September 2006.