A group of multinational companies including IBM, Intel and Microsoft have issued draft guidelines for Privacy Best Practices for Deployment of RFID Technology.
RFID (radio frequency identification) raises privacy concerns when its use enables parties to obtain personally identifiable information, including location information, about particular individuals that those parties otherwise would be unable or unauthorized to obtain. This information may be a person’s location; it may be that the person has a certain product in his or her possession; it may be that the person has used a particular service. Security concerns arise if unauthorized parties are able to obtain such information either from interception of the radio communications between tags and readers, through unauthorized reading of the tags, or via unauthorized access to the network or the database.
Representatives from various consumer groups and commercial enterprises developed these guidelines in an effort to address current privacy concerns, as well as to limit future concerns regarding the deployment of RFID technology.
The guidelines cover:
- Giving of notice when information, including location information, is collected through an RFID system and linked, or is intended by a commercial entity to become linked, to an individual’s personal information either on the RFID tag itself or through a database.
- Consumers should be offered such choice before the conclusion of the transaction to obtain a good or service, wherever practicable, so that, when coupled with robust notice, consumers are given the tools to effectively exercise their choice with respect to the use of RFID technology.
- Companies should exercise reasonable and appropriate efforts to secure RFID tags, readers and, whenever applicable, any corollary linked information from unauthorized reading, logging and tracking, including any network or database transmitting or containing that information and radio transmissions between readers and tags. In addition, companies should exercise reasonable and appropriate efforts to secure the linked information from unauthorized access, loss or tampering.