Surpriv: RFID Surveillance and Privacy

Wired News covers the RFID and privacy issues; some attention to Accenture’s activities in promoting “silent commerce:”

Accenture has dubbed its vision for RFID-enabled marketing “silent commerce.” The company’s Silent Commerce Center, which [Accenture Technology Labs associate partner Joseph] Tobolski heads, is one of several research groups worldwide developing kiosks, store shelves, medicine cabinets and even bedroom armoires that read the RFID tags on purchased goods and offer consumers new products to go along with them.

Keeping the RFID tags in working order is in the consumer’s best interest, said Tobolski and others who attended an RFID industry conference in Chicago last week. Furnishings and appliances throughout future “smart” homes and stores will read the RFID tags on purchased goods to ensure consumers never run out of milk or medicine, or even walk out the door wearing the wrong tie, the industry representatives said.

But clearly “silent commerce” facilitates “silent surveillance,” if we wander about festooned with tags.

Wired News reports on RFID and Homeland Security, including the news of former DHS Secretary Tom Ridge’s joining the board of Savi Technology.

At a conference in Chicago that brought together RFID tag manufacturers, software developers and freight-shipping managers, Ridge declared that “biometrics and RFID will make us safer.”

Ridge called a recent test of RFID to identify passengers and cargo “an enormous success.”

Ridge also said the government can be trusted to safeguard the personal data it gathers from RFID tags.

“We struggle with privacy a lot,” said Ridge. “But with political and private-sector oversight (and digital firewall technologies), we can limit access to the data.”

I have certainly asserted that it’s better to have a government that is efficient and effective at intelligence collection, and which is checked by the law, oversight, and appropriate policy, rather than trusting on ignorance (e.g., an inability to perform as well as Wal-Mart in awareness of RFID); on the other hand, we’ve seen a great unwillingness of late by government to institute such checks, and to resort to greater secrecy.

The use of “firewall” also worries me, as it suggests that Ridge (and others) too readily divide things into inside/outside camps, e.g., data are collected within a government agency, and not permitted to outsiders, while in fact there are many outsiders who might have a legitimate need to know, and many insiders who won’t.

From AIM Global’s press release:

AIM’s RFID Experts Group (REG) developed a draft policy statement on privacy issues for presentation to a U.S. Congressional Caucus looking into privacy concerns. This draft policy recognized individuals’ rights and outlined ways in which RFID technology can be used while helping ensure individuals’ privacy. This document was presented to the U.S. Congressional Internet Caucus on March 9, 2005. The full draft statement covering a number of topics is available at: https://www.aimglobal.org/estore/ProductDetails.aspx?productID=306

The American Library Association’s resolution on RFID:

From: owner-member-forum@ala.org [mailto:owner-member-forum@ala.org] On
Behalf Of Don Wood
Sent: Tuesday, January 25, 2005 7:43 AM
To: member-forum@ala.org
Subject: [MEMBER-FORUM:378] RESOLUTION ON RADIO FREQUENCY IDENTIFICATION (RFID) TECHNOLOGYAND PRIVACY PRINCIPLES

RESOLUTION ON RADIO FREQUENCY IDENTIFICATION (RFID) TECHNOLOGY AND PRIVACY PRINCIPLES

WHEREAS, Radio Frequency Identification (RFID) is a technology that uses various electronic devices, such as microchip tags, tag readers, computer servers, and software, to automate library transactions; and

WHEREAS, the use of RFID technology promises to improve library operations by increasing the efficiency of library transactions, reducing workplace injuries, and improving services to library users; and

WHEREAS, many libraries are adopting or in the process of adopting RFID technology to automate library circulation, inventory management, and security control; and

WHEREAS, consumers, consumer groups, librarians, and library users have raised concerns about the misuse of RFID technology to collect information on library users’ reading habits and other activities without their consent or knowledge; and

WHEREAS, protecting user privacy and confidentiality has long been an integral part of the mission of libraries; and

WHEREAS, the ALA Code of Ethics states, “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted”; and

WHEREAS, Privacy: An Interpretation of the Library Bill of Rights states that “The American Library Association affirms that rights of privacy are necessary for intellectual freedom and are fundamental to the ethics and practice of librarianship,” and calls upon librarians “to maintain an environment respectful and protective of the privacy of all users”; and

WHEREAS, the ALA Intellectual Freedom Committee recognizes the importance of developing policies and guidelines for appropriate implementation of RFID technology in light of the profession’s commitment to preserving user privacy and its concern for preserving the trust of library users; and

WHEREAS, the ALA Intellectual Freedom Committee and the ALA Office for Information Technology Policy, recognizing the immediate need to draft privacy principles to protect and promote ALA’s values, joined with the Book Industry Study Group (BISG) to form a working group dedicated to developing a set of privacy principles to govern the use of RFID technology by all organizations and industries related to the creation, publication, distribution, and retail sale of books and their use in libraries; now, therefore, let it be

RESOLVED, that the American Library Association endorse the “BISG Policy Statement Policy #002: RFID – Radio Frequency Identification Privacy Principle” (Exhibit I) developed by the IFC and the OITP with the BISG and other working groups; and be it further

RESOLVED, that ALA affirm established privacy norms within and across the business, government, educational, and nonprofit spectrum, specifically acknowledging two essential privacy norms:

� Data transferred among trading partners related to customer and/or patron transactions shall be used solely for related business practices and no unauthorized transaction shall be permitted.

� Data related to customer and/or patron transactions shall not compromise standard confidentiality agreements among trading partners or information users; and be it further

RESOLVED, that the ALA adopt the following “RFID Privacy Principles” developed by the IFC and OITP with the BISG RFID working group:

All businesses, organizations, libraries, educational institutions and non-profits that buy, sell, loan, or otherwise make available books and other content to the public utilizing RFID technologies shall:

1) Implement and enforce an up-to-date organizational privacy policy that gives notice and full disclosure as to the use, terms of use, and any change in the terms of use for data collected via new technologies and processes, including RFID.

2) Ensure that no personal information is recorded on RFID tags which, however, may contain a variety of transactional data.

3) Protect data by reasonable security safeguards against interpretation by any unauthorized third party.

4) Comply with relevant federal, state , and local laws as well as industry best practices and policies.

5) Ensure that the four principles outlined above must be verifiable by an independent audit; and be it further

RESOLVED, that the ALA continue to monitor and to address concerns about the potential misuse of RFID technology to collect information on library users’ reading habits and other activities without their consent or knowledge; and be it further

RESOLVED, that the ALA develop implementation guidelines for the use of RFID technologies in libraries.

*****************

Adopted by the ALA Council
January 19, 2005
Boston, Massachusetts

How much is Wal-Mart driving the adoption of RFID? When it makes its way into “Dilbert,” it must have achieved a certain weight in the zeitgeist, at least…

According to Government Computer News, the Department of Homeland Security’s chief privacy officer Nuala O’Connor Kelly, and a staff of some 450, is evaluating technologies impact on privacy, to include RFID:

In evaluating new technologies, she said, “we are looking very hard at biometric initiatives in DHS” as well as at other U.S. agencies and foreign governments, especially use of radio frequency identification tags. “Baggage tags out in the world contain personal information,” she said.