Transparency 'crucial' for RFID systems

Privacy concerns must be addressed if RFID is to avoid the kind of consumer backlash that greeted GM foods, the European Commission has heard

Several consumer organisations on Wednesday called on the European Commission to ensure that there is increased transparency in RFID systems, to ensure that consumers' privacy is protected.

The comments were made during a workshop held by the European Commission that discussed privacy issues around RFID. The workshop, part of the EC's current consulation into the use of RFID tags in Europe, will — along with other workshops — be used to draft a communication for the European Council and Parliament.

Christopher McDermott, the director of UK consumer organisation NoTags, said that transparency is key in the implementation of RFID tags, to ensure that consumers are aware of what information is being gathered and how it will be used.

"Transparency is very important both for governments — what they want to use RFID for — and for retailers and corporations. They need to be honest about what they want to use the data for," McDermott said.

Humberto Moran, the chief executive of UK technology charity Open Source Innovation, agreed that transparency is key, and called for the use of open source software within RFID deployments, to ensure that people can find out what the RFID systems are doing.

"Most privacy threats from RFID result from automatic links between personal and RFID data. The privacy violation occurs at the software level, so we need to do something at this level," Moran said.

"Any advancement in transparency should be reciprocated to guarantee accountability," he continued. "If you apply the principle of reciprocal transparency to RFID, then it is clear to see that this software should be transparent, and software transparency means open source software."

Paula Bruening, who works for US consumer rights organisation the Center for Democracy and Technology, spoke at the workshop about guidelines for RFID deployments recently released by her organisation. The need for transparency is one of the three main principles that the centre claims can be applied to help address concerns about privacy, according to the guidelines.

"There should be no secret RFID tags or readers. Use of RFID technology should be as transparent as possible, and consumers should know about the implementation and use of any RFID technology (including tags, readers and storage of PII) as they engage in any transaction that utilises an RFID system," says the document.

Other steps that can be taken to product consumer privacy include mandatory privacy threat analysis, John Borking, the former data protection commissioner for the Netherlands, said at the workshop.

"Privacy threat analysis is mandatory in Canada and the US, and it should also become legally mandatory in Europe. Not just for a few applications, but for any big RFID applications," he said.

Borking also called for stricter legislation against RFID technologies that infringe consumers' privacy. "Until now, the risks — if companies are caught — are so small, that companies will not be deterred from using privacy-intrusive devices," he said.

McDermott of NoTags warned that if steps are not taken to protect consumer privacy, it could result in a backlash similar to the reaction that many consumers in Europe had to genetically modified (GM) foods.

"[RFID] is a very scary technology — it does bring into peoples' minds an Orwellian society," he said. "If governments looking into RFID screw this technology up, it could become the GM crop of the 21st century."

Viviane Reding, Europe's information society and media commissioner, announced in March that the EC's RFID consultation would focus on standards, interoperability and privacy. Reding said it was important to "answer the reasonable, and in some cases unreasonable, concerns of consumers".