Group tells FTC more RFID security guidance is needed

Since the RFID issue has been front and center lately here in California (at least in the eyes of the privacy protection community) - with two landmark bills on the Governors desk - I thought I should post something about the Electronic Privacy Information Center's (EPIC) suggested RFID security measures to the FTC. The idea of course is to address the risks to consumer safety by the unregulated use of RFID tags that reveal personal data .

First, let me get to the short article in SC Magazine on EPIC's reiterated recommendations (pdf) from 2004 to the FTC at their “Transatlantic RFID Workshop on Consumer Privacy and Data Security".

Angela Moscaritolo reports:

Among the guidelines EPIC proposed, RFID operators should make RFID tags and readers visible to customers and should alert customers through a tone, light or other signal when information is being drawn. Tags should be easy to remove and should be anonymous and not collect personal information of customers, if possible.

“We think the FTC has a role to play in safeguarding consumer privacy,” Marc Rotenberg, executive director of EPIC, told SCMagazineUS.com.

EPIC also proposed that RFID operators be prohibited from tracking the movement of RFID subjects without written consent, or using them to snoop on an individual or coercing individuals to keep tags turned on after purchase.

I goes without saying I'm in complete agreement with EPIC on this issue. On that note, here's the general introduction by EPIC explaining their specific list of recommendations taken from their website:

The guidelines are proposed to guide the use of RFID technology in order to protect both private enterprise interests and consumer privacy interests. This means that these guidelines do not address protection of consumer privacy from any governmental action. Rather, they seek to protect consumer privacy from private enterprises. Further, these guidelines focus on use in the retail and manufacturing industry where retailers and manufacturers are beginning to implement item-level RFID tagging to facilitate supply chain efficiency, inventory control, and similar applications.

These guidelines primarily address commercial, private applications which may use RFID tags to draw conclusions about consumers without their knowledge or consent, or that might generate data which could be used for entirely different purposes at a later date.

These guidelines are divided into three parts. Part A addresses the duties of private enterprises that use RFID technology. It imposes minimum requirements on RFID users, recognizing the advantages that RFID technology can provide while at the same time addressing privacy concerns. Part B addresses practices in which the RFID Users should never engage, including tracking, snooping, and coercing consumers to accept live RFID tags or associate their personal data with an RFID application. Finally, Part C states the rights of consumers who are exposed to RFID technology and incorporates some of the Users' duties stated in Part A.

Click here to read the rest of their specific recommendations.