www.ipc.on.ca Homing in on Privacy: The Challenge for Item Level RFID Deployment Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario MAKING TRACKS: RFID Montreal, Quebec February 16, 2005


Homing in on Privacy: The Challenge for Item Level RFID Deployment

Ann Cavoukian, Ph.D.

Information & Privacy Commissioner/Ontario

MAKING TRACKS: RFID

Montreal, Quebec

February 16, 2005


Benefits of RFIDs

The benefits of RFID technology:

• More efficient management and tracking of goods and inventory through the supply chain process

• Reduced labour costs (e.g., no manual scanning of individual items is required)

• Better post-sale service for consumers, warranty servicing, etc.


Future of RFID Applications in the Consumer Space

0 – 5 years

• Pallets, cases, cartons...

• Products not people

5 – 10 years

• Improved technology, cheaper to produce... Item level tracking and tracing potential


RFID future deployment


Broader Future Deployment Trends

0-5 years

• Supply Chain Management

• Retail, back-end

• Warehouse management & automation

• Asset Management

5-10 years

• Track and Trace to item level

– Airline Luggage

– Pharmaceuticals

– Library Inventory

– Animals

• Retail, smart shelves

• Customer ‘insight’ (CRM)


Consumer Deployments 0 - 5 Years

Limited deployment in the next 5 years

• Retail, Smart Shelves & Electronic Article Surveillance (Extra Stores, Germany, Benetton 15 million tags) very limited deployment

• Pharmaceuticals (Purdue Pharma tagging OxyContin)

• Convenience services (Easy Pay, Mobil, Ski Passes, Vehicle access, Verichip implants as in-house debit cards)

• Consumer Safety (Michelin plans for tires in the wake of Firestone recalls).


Consumer Deployments 5 - 10 Years

Broader utilization 2010-2015

• Retail, smart shelves & electronic article surveillance

• Pharmaceuticals

• Convenience services (e.g., road tolls, Easy Pay gas tokens)

• Consumer safety (e.g., car security, smart goods with post purchase consumer safety issues such as food and vehicle parts)


Privacy and RFIDs

RFID tags contain information about a product, not an individual (e.g., EPC, price, size, colour, manufacture date)

Despite that, many consumers perceive a threat to privacy – why is that?


Consumer Perceptions

Consumers perceive that RFIDs may facilitate tracking:

• The ability to track consumers who have purchased a product

• The establishment of a widespread surveillance infrastructure

• The linking of product information and personal information without consent


Survey Results

Auto-ID Centre/Procter & Gamble internal study found:

• 78% of respondents had a negative reaction to RFID use, with the majority claiming to be extremely or very concerned

• Also found that consumers did not want "smart tags" in their homes, and the reassurance that the "tags" could be turned off and privacy guaranteed was not compelling

source: http://cryptome.org/rfid/pk-fh.pdf


Implementing RFIDs

A failure to build privacy into the design and implementation of RFIDs can produce a consumer backlash

This will have an adverse impact on a company’s reputation and ultimately its bottom line


Consumer Backlash

How real are consumer concerns?

Could privacy issues potentially deter the roll-out of RFIDs?


Benetton

Italian clothier Benetton sparked a furor after it announced plans to implant RFID tags in its apparel (April 2003)

Public opposition was seen as forcing the company to cancel its plans


Gillette: Keeping “Tags” on Customers

Privacy groups threatened a consumer boycott after the media reported that Gillette was testing a “smart shelf” at a Tesco store in the U.K., possibly for theft detection purposes (July 2003)

RFID tags embedded in Gillette razor packages triggered CCTV cameras that took a picture of a customer both when he or she removed a package from the shelf and at the check-out


Metro AG

Metro AG, a German company, announced plans to start using RFID chips in supermarket loyalty cards in one store

The purpose of this initiative was supposedly to allow the store to verify the age of shoppers wanting to view DVD movie trailers

Metro AG abandoned its plans after protests from privacy groups (March 2004)


Checkpoint: Tracking Individual Items

Checkpoint Systems Inc. announced that it had developed new RFID solutions for tracking individual consumer items

Checkpoint senior executive: “These RFID applications are prototype designs to demonstrate how the technology will fulfill a customer’s need for greater information and stock availability …”


Get Ready for a Good Fight

CASPIAN, a U.S.-based consumer rights group, claimed that:

• Checkpoint was developing RFID “spychips” for three well-known clothing labels

• Consumers wearing the tagged clothing could potentially be identified and tracked by readers

• “[We] will be working with consumers on an aggressive response to this privacy threat. Roll up your sleeves and get ready for a good fight.”

UK consumer group: ThoughtCrime News: “RFID is not only the harbinger of heavy personal surveillance. It may bring an end to civilization as we know it.”


Information Privacy Defined

Information Privacy/Data Protection

• Freedom of choice; control; informational self-determination

• Personal control over the collection, use and disclosure of any recorded information about an identifiable individual


Fair Information Practices: A Brief History

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

EU Directive on Data Protection

CSA Model Code for the Protection of Personal Information

Personal Information Protection and Electronic Documents Act (Canada)


Summary of Fair Information Practices

• Accountability

• Identifying Purposes

• Consent

• Limiting Collection

• Limiting Use, Disclosure, Retention

• Accuracy

• Safeguards

• Openness

• Individual Access

• Challenging Compliance


Federal Private-Sector Privacy Legislation

Personal Information Protection and Electronic Documents Act (PIPEDA)

Applies to personal information collected, used or disclosed in the course of commercial activities by all:

• federally regulated organizations and

• provincially regulated organizations, unless a substantially similar provincial privacy law is in force


Build It In

Embed privacy protective measures into the actual design and infrastructure of any new technology, including RFIDs


Building Privacy Safeguards into RFIDs

RFIDs will continue to produce a consumer backlash unless both RFID manufacturers and business users adopt privacy safeguards

Privacy is not a concern at most stages of the supply chain (e.g., tracking items in a warehouse)

However, privacy concerns are triggered at the point when a consumer comes into contact with a product with an RFID tag


Possible Privacy Solutions

RFID tags should be deactivated at the point of sale, or when the consumer comes into contact with the tag (e.g., through blocking technology carried by the consumer or pervasive in the vicinity)

Deactivation at point of sale should be the default, but not without its problems

Deactivation limits post-sale benefits of RFIDs


Addressing the Challenges of Designing in Privacy

Options for Future Designs that address consumer controls (design stage only):

• Zombie Chips designed by RSA

– Chips never die, but can be deactivated and then reactivated at a later time

– Could be switched from non-private to private mode

• Smart Blocker Tags designed by RSA

– Selective blocking made easy but not likely to be adopted by tag manufacturers


Mechanical Destruction of Tag

Provide RFID tag structures that permit a consumer to disable a tag by mechanically altering the tag in such a way as to inhibit the ability of a reader to interrogate the tag or transponder by wireless means:

• provides visual confirmation that tag has been deactivated

• may be read later on by mechanical contact if desired by consumer


Example: Consumer Disabled Tag


Fair Information Practices as Applied to RFIDs


Openness and Transparency

Businesses should be open and transparent with consumers about the use of RFID tags and readers

If RFIDs are embedded in a product that makes its way to the retail shelf, proper notice should be provided to consumers


Notice

Notice must be conspicuous to the consumer and explain what an RFID is in plain language (not technical jargon)

Notice must explain where RFIDs are being used and for what purposes

Proper notice could be in the form of signs, labels, brochures, etc.


Choice

Potential reasons for RFID tag deactivation followed by reactivation:

• Facilitating product returns and warranty servicing

• Facilitating recovery of lost or stolen products to consumer

• Enabling interaction with “smart” appliances

Consumers should have the choice to have an RFID tag reactivated without cost


Use Limitation

Personal information must not be used for purposes other than those for which it was collected, except with the consent of the individual or as required by law


Consent

A business must not merge or link a consumer’s personal information with RFID information about a specific purchased product, without that individual’s knowledge and consent

Consent must be voluntary and informed, which means that the individual understands the nature and consequences of providing or withholding consent


Challenging Compliance

A business should have a clear process in place for resolving privacy complaints from its customers about RFIDs

A business’s chief privacy officer (CPO) and other privacy staff should be key players in the design and launch of any RFID initiative


Staff Education and Training

Both managers and frontline employees must be provided with privacy training that includes information about RFIDs

Employees must be trained to provide clear, honest and informed answers to customers who have privacy concerns about the tracking potential of RFID tags


Conclusions

Many RFID deployments do not presently involve consumers

This is the time to address the privacy issues of the mid-term deployments that will involve consumer-specific RFIDs

You do not have the luxury of time

Act now


To Find out More …

The Information and Privacy Commissioner of Ontario has published two RFID papers:

• Tag, You’re It: Privacy Implications of Radio Frequency Identification (RFID) Technology (February 2004)

www.ipc.on.ca/docs/rfid.pdf

• Guidelines for Using RFID Tags in Ontario Public Libraries (June 2004)

www.ipc.on.ca/docs/rfid-lib.pdf


Final Thought

“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”

Forrester Research, March 5, 2001


How to Contact Us

Commissioner Ann Cavoukian

Information & Privacy Commissioner/Ontario

2 Bloor Street East, Suite 1400

Toronto, Ontario M4W 1A8

Phone: (416) 326-3333

Web: www.ipc.on.ca

E-mail: [email protected]