RFIDs: Reasons For Infinite Despair?
By: Teresa Scassa

May 17, 2005 

With my colleagues Theo Chiasson, Michael Deturbide and Anne Uteck I have just completed a project on Radio Frequency Identification tags (RFIDs) under the federal Privacy Commissioner’s Contributions Program. As you might imagine, on concluding such a project I am feeling a little bleak about the future of privacy – to be honest, I’m a little bleak about the “present” of privacy.

As you are all probably well aware, RFIDs are tiny chips equipped with antennae. The chips contain data which is transmitted when the tag is activated by an electronic impulse sent to it by a “reader”. The reader in turn is connected to a database. Currently there are plans to place RFID tags in most individual product items within a few years time as a means of improving inventory control. The tags will amount to unique product identifiers, as opposed to the generic UPC codes currently on products. Thus, rather than identifying a product as “Brand X soap”, the RFID can identify the product as that package of Brand X soap manufactured in Mississauga, Ontario on June 12 2004. Tag data can be matched with customer personal information on credit cards or loyalty cards when purchases are made. RFIDs also raise a number of other privacy concerns; if they are not deactivated or removed at point of purchase, they remain active and able to communicate their information long after the initial transaction has taken place.

There are many reasons to be bleak about the future of privacy. The private sector data industry is booming, and it is hard to get through a day without leaving some data droppings to be avidly collected by data-hungry scavengers. Although we have private sector data protection legislation in Canada (and here I’ll just refer to the federal statute PIPEDA for convenience), the law is frankly not up to the task before it. Enforcement and monitoring of the legislation depend on both consumer awareness and the government’s willingness to provide adequate resources to the Office of the Privacy Commissioner. While admittedly much better than nothing at all, the law as drafted is not adequate to respond properly to emerging technologies of surveillance and data gathering. RFIDs are a perfect example of this. There is nothing in PIPEDA that can address the use or deployment of RFID tags in inventory; they only fall within the scope of the legislation when the RFID data is being matched to personal information. Yet the very presence of the tags in consumer items raises privacy issues (industry reassurances notwithstanding). PIPEDA does not apply to either the development or deployment of this technology; it comes into play only at the point where RFID data is matched to consumer data.

In some jurisdictions there have been attempts to specifically address RFID technology and place terms or limits on its use. There is a good case to be made for technology-specific legislation or regulations. In the EU, the privacy issues raised by new technologies such as cookies have been recently addressed in a separate Directive. The Directive does not alter the fundamental fair information practices that apply; rather, it speaks directly to unique issues raised by particular technologies. Canada needs to be more proactive in developing technology-specific privacy norms to go along with the technology neutral ones.

PIPEDA also leaves far too many loopholes for governments and their agents to harvest data from private sector companies, or to receive gifts of data surrendered voluntarily by civic minded companies. Fair information principles only take you so far if your data, collected with your consent for a specific purpose, is passed along to government agents for another purpose without your knowledge or consent. And frankly, innocuous fragments of data change their character when combined with other innocuous fragments of data – consent to collection of the individual fragments is hardly fully informed. The privatization of security and law enforcement through the government use of the huge data resources of private sector companies is a major threat to privacy. One need only look south of the border for lessons in this regard. Adding even more refined data, gathered through product-specific RFID tags, simply sharpens the data picture that can be drawn by private corporations or government agencies. It is possible to shrug off RFID privacy concerns (as many proponents of the technology do) on the basis that the tags only alter the quality and not the kind or volume of data already collected. Yet this attitude relies on a level of complacence about the current data harvesting practices of the private sector that is simply not warranted.

It is true that consumers do seem largely indifferent – both to RFIDs and to the more general data collection practices. This complacence is attributable to a number of factors. It is difficult for most people to comprehend the impact that private sector data collection can and will have on personal privacy. Much of the collection and processing is invisible and undetectable. Further, too much onus is placed on individuals to learn how to protect their privacy. In many cases, the technology moves too quickly, or self-help measures require a degree of technological ability that is beyond most consumers. It is one thing, for example, to talk about using a secure browser and paying attention to one’s security settings, but for many Internet users this is just one more daunting technological project that is not necessary for them to perform in order to get where they want to go on the Internet, and which is not perceptibly rewarding. Placing the onus on consumers to remove, deactivate or block tags will result in a blank apathy towards them.

Consumer complacence has other sources as well. We are all prodded to accept “rewards” in exchange for personal information. For many people such rewards make a difference in terms of what they can afford to acquire. The data provided in exchange for the rewards seems trivial – a fair bargain or even an advantageous one for the consumer. There is also the “nothing to hide” attitude: what is the harm in letting others collect trivial data about oneself if one has nothing to hide? There is even an upside if the collection of trivial data about persons reveals criminal activity by others.

It is also the case that the privacy message does not seem to be getting out to consumers in a very effective manner. Privacy is an amorphous concept, and it is difficult to persuade people of privacy threats in the abstract. Identity theft scares people – when it occurs, it makes for compelling news stories. Ironically, though, identity theft can be used as a rationale for increasing private sector data collection. The more a company knows about you and your habits, the easier it is to detect when some credit card or other activity is not conforming to those habits. The more comprehensively your identity is established, the harder it is for anyone else to assume it.

There is also, of course, the fact that we have a cultural tolerance of privacy invasion that is reinforced at an early age. To some extent this is essential to living in a society with others – we need to accept and even embrace a certain level of benevolent surveillance. However, this cultural tolerance has perhaps not kept up with the times: we teach our children to accept surveillance in a wide variety of contexts, and we have been relatively slow to teach them about privacy beyond privacy of the body and home.

So what do RFIDs add to the mix that was not already there before? Promoters of the technology take the view that RFIDs will lower costs and improve inventory control while having little impact on consumer privacy. Consumers will, in fact, benefit, as better inventory control leads to lower prices. After all, RFID proponents argue, information about shopping habits is already being collected, compiled, used, shared and disclosed. Yet RFIDs allow for the collection of finer detail from transactions – and the finer the detail, the greater the level of surveillance. This is the case, quite apart from any post-transaction collection or use of RFID tag data on items in the possession of consumers. In the context in which we already live, it would be naïve to assume that sophisticated ways to collect, use, and misuse this information will not arise.

What’s to be done? I’m not sure there is much we can do – hence my rather bleak outlook these days. It seems that raising consumer awareness, raising the profile of privacy issues, and developing a political voice that is, if not louder than, at least not entirely drowned out by corporate voices, is a crucial first step. We need to think seriously about placing limits on the sharing of private sector data with government. It may also be time to move away from strict technology neutrality and develop ways in which we can quickly formulate more technology-specific forms of privacy regulation when the need arises.