A set of best practices designed to help address consumers' concerns about RFID (radio frequency identification) tags have been released by a group of technology vendors, RFID users and consumer groups.
The alliance, which operates under the banner of the Centre for Democracy and Technology's (CDT's) Working Group on RFID, recommends that companies using RFID tags on products notify customers that the tags are being used and tell customers whether they can deactivate the tags.
(The CDT is a privacy and civil liberties advocacy group in the US).
The group also recommends that companies collecting personally identifiable information through RFID tags tell customers how that data will be used. If customers can opt out of sharing that information, or destroy the tags, those options "must be readily available", says the working group's draft best practices report.
"There should be no secret RFID tags or readers," the report says. "Use of RFID technology should be as transparent as possible and consumers should know about the implementation and use of any RFID technology ... as they engage in any transaction that utilises an RFID system. At the same time, it is important to recognise that notice alone does not mitigate all concerns about privacy."
The CDT hopes that the guidelines, which took more than a year to develop, will serve as an example to companies rolling out the technology, says Paula Bruening, staff counsel at CDT.
"The document draws from widely accepted and traditional principles of fair information practices," she says. It offers concrete guidance for companies that want to deploy RFID in a way that respects privacy, but also recognises the need for technological flexibility, she says.
The expanding use of RFID has raised concerns with some privacy advocates. RFID uses small processors and antennas that are integrated into a paper or plastic label. Those chips can then be read by an electronic scanner. Unlike barcodes, RFID chips withstand dirt and scratches.
As the range of RFID scanning grows, RFID could allow comopanies and governments to track people's movements and purchases, privacy advocates say.
The report recommends that companies using RFID should provide customers with "reasonable" access to the personally identifiable information they collect using the tags. Also, companies should tell customers of their RFID use before the customer transaction is completed, the report says.
The CDT working group's guidelines will evolve, and the group doesn't expect every company deploying RFID to follow all the recommendations, Bruening says. "I think this document is going to be an important discussion piece," she says.
The standards will be a good starting point for companies that want to consider privacy issues before they launch RFID initiatives, say working group members. "These new guidelines show how RFID can provide great benefit to society, while treating customers' privacy with respect," says Steve Shafer, senior researcher at Microsoft's Vision Technology Group.
Other members of the CDT working group include Cisco Systems, IBM, Intel, the US National Consumers League, Procter & Gamble and VeriSign.