Saturday's Globe & Mail had an interesting article on RFID, which is now online in the Globe's technology section: globeandmail.com : Who's watching the watchers? I find these articles to be interesting, but often overstate the threat that RFID poses in Canada. Most of the concern is that item-level tagging of purchased items will lead to the ability to track individuals once they have left the store. While this might theoretically be possible, the advent of a new technology does not mean that Canadian laws go out the window.

Every retail operation in Canada is governed by privacy laws, either PIPEDA or a substantially similar equivalent. Among other things, these laws require that the collection of personal information be reasonable and that personal information only be collected with the knowledge and the consent of the individual. I have no doubt that the unique identifier in a purchased item's RFID tag, when attached to any other information about an individual, is personal information for the purposes of these statutes. Therefore, in Canada:

1. Any retail operation using RFID in Canada has to inform customers;
2. Any retail operation that matches an RFID serial number to any personal information has to get the consent of the consumer; and
3. You cannot require a consumer to consent to a collection, use or disclosure of personal information that is unreasonable or is for a purpose not identified to the individual.

Essentially, this means that retailers cannot covertly use RFID to track consumers in this country. The situation is entirely different in the US where no general privacy law covers the retail sector.

If you want any more information on RFID and Canadian privacy law, check out this great report by Teresa Scassa, Michael Deturbide, Theodore Chiasson and Anne Uteck of Dahousie's Law and Technology Institute: An Analysis of Legal and Technological Privacy Implications of Radio Frequency Identification Technologies. This report was funded by the Privacy Commissioner's contributions programme.

Update:

In a letter to the editor in today's Globe & Mail (July 25, 2006), Anne Cavoukian responds to the article from Saturday's paper:

globeandmail.com : RFIDs track products:

"RFIDs track products

ANN CAVOUKIAN Information and Privacy Commissioner of Ontario

Toronto -- The article Who's Watching The Watchers? (July 22) suggests that Katherine Albrecht was invited 'back' to brief my office on Radio Frequency Identifiers (RFIDs). I would like to make this perfectly clear -- she was never there, nor was she ever invited. Meanwhile, the article's characterization of RFIDs as spy chips is misleading.

Let's have a reality check. Currently in Canada, RFID tags are used in the supply-chain process for inventory control (tracking products, not people), which involves no privacy issues. But in future, if and when RFIDs are embedded into consumer products and linked to personal identifiers, we must remain vigilant to ensure that they are deployed in a manner that does not threaten privacy.

I have been studying RFIDs since 2003 and recently issued RFID privacy guidelines to address the future prospect of item-level, potentially privacy-invasive, RFIDs. I am a fierce protector of privacy but also believe in describing issues fairly and evenly. What we need is public education about this technology rather than fear mongering.

Misrepresenting RFIDs only serves to keep the public in the dark."

Labels: privacy, rfid