Thursday, July 06, 2006

RFID Privacy Guidelines - Like Catching JELL-O.

Jell-O Trivia: March 17, 1993, technicians at St. Jerome hospital in Batavia test a bowl of lime Jell-O with an EEG machine and confirm the earlier testing by Dr. Adrian Upton that a bowl of wiggly Jell-O has brain waves identical to those of adult men and women. Image and Information Credit: LeRoy Historical Society/JELL-O Museum

The Canadian province of Ontario recently issued guidelines on how companies using RFID in consumer-based applications should always consider the privacy of the individual consumer information they gather and how it can or should be used.

The guidelines were issued by the Information and Privacy Commissioner/Ontario - Ann Cavoukian, Ph.D., Commissioner, in June - and were intended to serve as privacy "best practices" guidance for organizations when designing and operating Radio-Frequency Identification (RFID) information technologies and systems.

The problem comes when a company is already using information gathered via barcode: how does one square these privacy guidelines with the company's current loyalty program and advertising methods?

There's more.

Excerpts from an opinion issued by eWEEK -

Canadian Province's New RFID Privacy Guidelines Could Have the Wrong Effect
By Evan Schuman, Ziff Davis Internet - June 22, 2006

The commissioner for Information and Privacy in Ontario unveiled June 19 a series of tips and guidelines for using RFID within her part of Canada.
The guidelines themselves certainly need to be examined seriously, because North American products can ill afford to accommodate two different standards, and besides, neither Mexico nor the United States has any material privacy RFID rules at the moment.

Current U.S. views on RFID privacy pretty much come down to a modified monetary laissez-faire policy ("leave campaign contributors alone and the market will take care of itself"), while Mexico's position is closer to "You can capture anything about our citizens that you want as long as you pay a living wage. OK, one-fourth a living wage, but we want a break after 18 hours of work."

The Ontario approach is a bit different. One example: "Organizations should only collect, use or disclose RFID-linked personal information for purposes that a 'reasonable person' would consider appropriate in the circumstances."

It then lists two things that Ontario believes would be unreasonable: "price discrimination" and "tracking and profiling individuals without their informed, written consent."

The "price discrimination" is aimed at applications that will charge lower prices to customers they want to attract and higher prices for those they want to repel, such as aggressive bargain hunters.

There have been unsubstantiated allegations about this on some Web sites, but those allegations involved cookies, not RFID.

Still, the potential exists for RFID to enable the same kind of capability. But isn't this simply a continuation of the time-honored discounts for those with a frequent shopper loyalty card?

Aren't those card programs offering discriminatory pricing, in the sense that some customers are being charged different prices than others?

That gets into that second reference: "tracking and profiling individuals without their informed, written consent."

Is this to be interpreted to mean that such tracking/profiling is permitted in Ontario, as long as it doesn't involve RFID?

It would seem silly to permit it for CRM programs as long as they used barcodes, but to somehow find the privacy invasion reprehensible if it involves RFID.

Tracking and profiling are fighting words. Is it profiling to offer discounts on one brand of peanut butter only for people who regularly purchase a particular competing brand?

Is it tracking to note that one consumer spends more than $900 per month typically and then to send them e-mail invitations to some event?

The wording in the Canadian material doesn't exclude aggregate data, but isn't that based on tracking individuals? Is that prohibited as well?

Here's a well-intentioned one: "Organizations should not use or disclose RFID-linked consumer information for any purpose to which the individual has not consented."

The only problem is that retailers will likely throw such language into the fine print on the back of every loyalty card, check-cashing card or anything else, including credit card slips.

As long as fine print exists on unrelated documents, such consumer consent will have little value.

It's certainly a good thing that some government officials are thinking through where RFID could go in terms of consumer protections.

But government edicts without industry support won't help much.

Back in December 2004, U.S. Senator Chuck Schumer called a news conference to promise legislation to regulate how retailers handle return policies. That legislation was never introduced.

Although Schumer's office has never officially explained what happened, some who were working on the legislation said that it became quite difficult to legislate wording and policy on something so customizable and also so proprietary.

In other words, the exact methodology to determine excessive returns could be thwarted if fraudsters knew the particulars.

There is a common thread between the two. On a surface level, forcing return policies and RFID tracking policies to be public sounds like a good thing, but digging down deeper, it's very complicated to do it in a meaningful way that will actually advance the public cause.

Will government leaders score points by announcing rules and then abandon their efforts without enforcement?

Updated: Opinion: Warning consumers about anything presupposes that there is something bad about that item, something that should be avoided. This might be a self-fulfilling prophecy.

Consumer-based RFID applications will always require critical review of their intended results and eventual consent by consumer privacy advocacy groups as to the benefits derived.
