SCDigest
Editorial Staff

The News: Scientific
Technology Options Assessment (STOA), an
arm of the European Parliament, says we
can expect more issues around RFID and privacy
in the near future, and that consumers will
have to be more proactive about making choices
and protecting their identities.

The Impact: While
RFID privacy concerns have been rather minimal
from the general public thus far, as consumer-based
applications have been limited, that could
change dramatically over the next few years
as RFID gains a foothold in retail. The
report recommends that consumers start
thinking about “Identity
Management” – an awareness and
control of who has access to their data,
and what that data is used for. But
it’s also clear that the ultimate
path will involve industry, government,
privacy advocates and others.

The Story: In
a recent Scientific Technology Options Assessment
(STOA) study of RFID’s impending impact
on society, the privacy issue was tackled
head on as researchers found that data collected
using RFID technology in the future will
need to be carefully managed if privacy
is going to be maintained.
In
the current environment, the study concluded
that the threat to privacy is being somewhat
overblown as most organizations currently
implementing RFID systems are unschooled
regarding its complete capability to track
movement, spending, productivity, preferences,
habits, etc., and are not utilizing it to
its full potential. (For the full
report, see RFID
and Identity Management in Everyday Life.)
In the past,
RFID has been used mainly for logistical
purposes to identify cargo and other non-consumer
applications (although the widespread use
to pay auto tolls generates significant
amounts of RFID-based consumer data). As
RFID technology increasingly enters the
public sector, however, privacy concerns
become increasingly important. The STOA
study attempts to take an in-depth look
at these concerns, dismiss those with little
merit (areas in which the consumer has the
leverage of choice), and outline challenges
which will need to be overcome in the battle
to maintain privacy.
While examining
futuristic scenarios in a number of
different business and social environments
(retail, public transport, office, etc.),
researchers suggest that a valuable framework
for considering the validity of RFID privacy
issues is to assess, for a given application,
who holds the power balance.
In the retail
environment, for example, the power balance
belongs to the consumer, who has a choice
of retail options. If a consumer doesn’t
like what the retailer is doing with the
data they're collecting, they can shop elsewhere.
The report argues that this choice limits
the danger of privacy abuses.
Conversely,
in an office environment or the public transport
arena, the power balance tips more towards
the maintainer, as users have fewer options
and, consequently, less choice. In
this setting, data abuse is a greater threat.
Is this a
valid framework? To some extent - yes. If
consumers are given enough information to
understand what data will be captured and
how it will be used, and if there is a mix
of retailers using RFID and those who are
not, the consumer can choose whether to
participate or not. But if large retailers,
who control an increasing share of total
retail sales, get together to implement RFID,
the consumer, for all practical purposes,
may not have much of a choice. An
option must be presented to allow the consumer
to “opt out” of some elements
of RFID data collection that are specifically
tied to them.
In the end,
the study’s researchers concluded
that the best way for consumers to maintain
their privacy in a fully-deployed RFID environment
is to possess a better understanding of
RFID technology and become adept in the
concept of “Identity Management”
– the concept of controlling what
is known and not known to maintainers of
the system and understanding how the data
is used by each system.
To initiate
the “Identity Management” thought
model, the researchers compiled a
list of challenges to be addressed:
- RFID users
need to know what maintainers are allowed
to do with RFID data.
- RFID users
should play a role in developing new RFID
environments.
- If personal
data from different RFID settings are
merged, it should remain clear who is
responsible for handling these data.
- The Privacy
Guidelines and the concepts of personal
data and informational self-determination
need to be reconsidered in the light of
an increasingly interactive environment.
- Governments
should take a clear stance on whether
RFID bulk data will be mined for investigation
purposes.
Identity
Management is also a construct that applies
to both business/government (as maintainers)
and consumers (as users). Of
course, one critical question will be
to what extent the rules about the
collection and use of RFID-based data will
be determined by the “maintainers”
versus the “users.” Can
the user selectively disable or inhibit
the collection of specific data elements?
For example, should the consumer have the
ability to prevent RFID scanning of their
movements in a retail store?
In
the final analysis, it
seems clear that while the privacy of users
isn’t currently in grave jeopardy
due to the maintainers’ unfamiliarity
with RFID’s full capability, true
privacy concerns are just around the corner
and will need to be addressed to ensure
that the technology is used appropriately.
Do you think
we will see major privacy concerns regarding
RFID arise? Do you believe consumers will
actually be able to think in terms of “Identity
Management?” How will this get settled
in the end? Let us know your thoughts at
the Feedback button below.