Sunday, July 23, 2006

RFID privacy in Canada

Saturday's Globe & Mail had an interesting article on RFID, which is now online in the Globe's technology section: globeandmail.com : Who's watching the watchers? I find these articles to be interesting, but often overstate the threat that RFID poses in Canada. Most of the concern is that item-level tagging of purchased items will lead to the ability to track individuals once they have left the store. While this might theoretically be possible, the advent of a new technology does not mean that Canadian laws go out the window.

Every retail operation in Canada is governed by privacy laws, either PIPEDA or a substantially similar equivalent. Among other things, these laws require that the collection of personal information be reasonable and that personal information only be collected with the knowledge and the consent of the individual. I have no doubt that the unique identifier in a purchased item's RFID tag, when attached to any other information about an individual, is personal information for the purposes of these statutes. Therefore, in Canada:

  1. Any retail operation using RFID in Canada has to inform customers;
  2. Any retail operation that matches an RFID serial number to any personal information has to get the consent of the consumer; and
  3. You cannot require a consumer to consent to a collection, use or disclosure of personal information that is unreasonable or is for a purpose not identified to the individual.

Essentially, this means that retailers cannot covertly use RFID to track consumers in this country. The situation is entirely different in the US where no general privacy law covers the retail sector.

If you want any more information on RFID and Canadian privacy law, check out this great report by Teresa Scassa, Michael Deturbide, Theodore Chiasson and Anne Uteck of Dahousie's Law and Technology Institute: An Analysis of Legal and Technological Privacy Implications of Radio Frequency Identification Technologies. This report was funded by the Privacy Commissioner's contributions programme.

Update:

In a letter to the editor in today's Globe & Mail (July 25, 2006), Anne Cavoukian responds to the article from Saturday's paper:

globeandmail.com : RFIDs track products:

"RFIDs track products

ANN CAVOUKIAN Information and Privacy Commissioner of Ontario

Toronto -- The article Who's Watching The Watchers? (July 22) suggests that Katherine Albrecht was invited 'back' to brief my office on Radio Frequency Identifiers (RFIDs). I would like to make this perfectly clear -- she was never there, nor was she ever invited. Meanwhile, the article's characterization of RFIDs as spy chips is misleading.

Let's have a reality check. Currently in Canada, RFID tags are used in the supply-chain process for inventory control (tracking products, not people), which involves no privacy issues. But in future, if and when RFIDs are embedded into consumer products and linked to personal identifiers, we must remain vigilant to ensure that they are deployed in a manner that does not threaten privacy.

I have been studying RFIDs since 2003 and recently issued RFID privacy guidelines to address the future prospect of item-level, potentially privacy-invasive, RFIDs. I am a fierce protector of privacy but also believe in describing issues fairly and evenly. What we need is public education about this technology rather than fear mongering.

Misrepresenting RFIDs only serves to keep the public in the dark."

3 comments:

Captain Guyliner said...

I also read the Globe piece this afternoon and remain somewhat skeptical of the technology. The three points listed above do not convince me that consumers should not worry about RFID tags infringing their privacy. The technology is improving and the costs are declining as with any other product in the technology sector.

Consent and notice would seem to be ineffectives restraint on bad RFID practice because those two requirements are so easily satisfied through standard forms + generic labelling. Furthermore, while ideally RFID tags are not to be used for a purpose not presented to the consumer, how long until this technology is compromised by crackers? Or worse yet, individuals with malicious intent?

Canadian law may not go out the window but that should not suggest that RFID tags are not a significant encroachment upon personal privacy. This appears to me as a classic "boiled frog" scenario.

privacylawyer said...

Thanks for the comment, Mike. You raise some interesting points.

Go ahead and worry. But I just suggest keeping it all in perspective and avoiding hysteria.

RFID certainly has a potential to be a grave threat to personal privacy, particularly as the technology improves and if government-issued identity documents have insecure RFID built-in.

And given that the retail sector is generally in poor compliance with existing privacy laws, I'm not convinced that because retailers shouldn't do it they will not do it.

Perhaps the best response will be consumers holding retailers accountable for their practices. Companies will not be able to ignore requests for access to consumers' files. A little bit of sunshine can go a long way.

And I don't expect it will be too long before RFID zappers will be in the hands of those consumers who care about it.

Jorge Olenewa said...

Although it appears that I am very late in responding to this, I feel that I need to repeat what I have been saying to my students for quite a long time. Worried about privacy? Then you live in the wrong planet! Even if you get rid of your telephone, debit cards, credit cards, news paper and magazine subscriptions, Internet provider, e-mail accounts, investments, bank accounts, in essence, everything that connects you to the world we live in today, the government and many other organizations can still track you. My advice to you is: get with the times and try to enjoy yourself while you can.

Don't like it? Then try to catch the earliest available mission to Mars and move there soon. The only other possible alternative is for you to move to the middle of a desert and travel there on a donkey, after you attempt to disconnect yourself from everything else in planet Earth.

Don't believe me? Then go ahead, be my guest and give it a try!

Jorge Olenewa
Toronto, Canada