RFID standards released IT by vendors, privacy groups

A set of best practices designed to help assuage consumers' concerns about RFID (radio frequency identification) tags was released on Monday by a group of technology vendors, RFID users and consumer groups.

Companies using RFID tags on products should notify customers in all cases, should tell customers whether they can deactivate the tags and should build security into the technology as a primary design requirement, the group said.

The Center for Democracy and Technology's (CDT's) Working Group on RFID also recommends that companies collecting personally identifiable information through RFID tags tell customers how that data will be used. If customers can opt out of sharing that information, or destroy the tags, those options "must be readily available," says the working group's draft best practices report.

"There should be no secret RFID tags or readers," the report says. "Use of RFID technology should be as transparent as possible, and consumers should know about the implementation and use of any RFID technology ... as they engage in any transaction that utilizes an RFID system. At the same time, it is important to recognize that notice alone does not mitigate all concerns about privacy."

The CDT hopes that the guidelines, which took over a year to develop, will serve as an example to companies rolling out the technology, said Paula Bruening, staff counsel at CDT, a privacy and civil liberties advocacy group.

"The document draws from widely accepted and traditional principles of fair information practices," Bruening said. It offers concrete guidance for companies that want to deploy RFID in a way that respects privacy, but also recognizes the need for technological flexibility, she added.

The expanding use of RFID, embraced by large retailers Wal-Mart Stores Inc. and Target Corp., has raised concerns with some privacy advocates. RFID uses small processors and antennae that are integrated into a paper or plastic label. Those chips can then be read by an electronic scanner, and unlike bar codes, RFID chips withstand dirt and scratches.

As the range of RFID scanning grows, RFID could allow corporations and governments to track people's movements and purchases, privacy advocates have said.

The report recommends that companies using RFID should provide customers "reasonable" access to the personally identifiable information they collect using the tags. Also, companies should tell customers of their RFID use before the customer transaction is completed. The report is at: http://www.cdt.org/privacy/20060501rfid-best-practices.php.

The CDT working group's guidelines will evolve, and the group doesn't expect every company deploying RFID to follow all the recommendations, Bruening said. "I think this document is going to be an important discussion piece," she added.

The standards will be a good starting point for companies that want to consider privacy issues before they launch RFID initiatives, said working group members. "These new guidelines show how RFID can provide great benefit to society, while treating customers' privacy with respect," said Steve Shafer, a principal research for Microsoft Corp.

Other members of the CDT working group included Cisco Systems Inc., IBM Corp., Intel Corp., the National Consumers League, Procter & Gamble Co. and VeriSign Inc.