Vendors and implementers considering even the most benign RFID programs are painfully aware of the negative portrayal of the technology in the mainstream media. Frightening articles linking warehouse inventory systems to science fiction’s visions of ubiquitous and invasive personal advertising abound. Consumer groups picket the moment RFID moves to the point of sale, whether tags are in use or not. Despite this, while the vast majority of systems reside deep in the supply chain their development steadily moves toward the storefront. American commerce has become a powerful advocate of the technology, and companies looking to benefit from RFID’s steady progress are obligated to address its negative image. Because of its emergent status and wide misunderstanding of its basic mechanisms, the press has singled out RFID to highlight the inadequacy of contemporary privacy protections.
Hidden Transactions
The inherent nature of RFID makes it difficult to determine if and when a transaction between a chip and a reader is taking place. Tags are very small. Required read distances vary depending on any number of factors. Solid state hardware enables systems to work silently. Identification, the name (and purpose) of the technology makes people uneasy because it is unclear, begging the question, “What is being identified?” Technical complexities of RFID systems leave individuals to make connections to only loosely related concepts– driver licenses, authorization cards, student IDs. While it seems almost absurd to base a policy or strategy on systematic misrepresentations of a technology, this is the very crossroad at which RFID implementers now find themselves.
Consumer Trust
As the ability of companies to collect and store data races forward, American consumers are finding themselves in the unenviable position of having to make choices to protect their own privacy. According to research by Accenture in late 2003, most business respondents cite positive customer service as the most important factor inspiring trust in a company. Yet, 62% of consumers cite a company’s reputation as the major factor determining its trustworthiness. Consumers’ perceptions of a corporation’s reputation are similar to that of an individual. Most executives (60%) participating in the survey deemed privacy to be the least important factor influencing a consumer’s trust, but more than 51% of consumer respondents said they had not done business with a company because of its inadequate privacy protections. Organizations that ignore privacy concerns gamble not only the consumer’s trust, but their business.
Safe Harbor
Countries have widely disparate laws governing the use of personal information. As mentioned in the RFID News feature “What is Privacy,” the United States has a sectoral system of regulations and legislation. Simultaneously, the European Union has a broad privacy directive individually enforced by its members. U.S.-based multinational corporations can choose to participate in the U.S. Department of Commerce’s (DoC) “Safe Harbor” framework, which mandates that they abide by a set of privacy principles.
Privacy Guidelines
The Center for Democracy and Technology and a number of other advocate organizations promote generic principles to guide the use of personal information. These basic principles strongly coincide with the EU’s privacy directive and the DoC’s “Safe Harbor” principles. Though the breadth of these guidelines expands considerably beyond that which can be gathered with contemporary RFID systems, an adherence to the spirit of these guidelines in the form of carefully outlined corporate policies should help shield companies from a dangerous consumer backlash. In a general form, they are the principles of:
- Openness: The existence and purpose of databases containing personal information should be clear to consumers
- Access: An individual must be able to view and correct any collected information pertaining to him
- Consent: Information must be collected with the consent of the subject
- Quality: Stored information should be timely and accurate
- Finality: Data gathered should only be used for purposes specified at the time of collection
- Transfer: Data should only be transferred to parties with verifiably equivalent data protection policies
- Security: Data should be protected against unauthorized access, modification, or disclosure
JetBlue’s Data Protection Gaffe
In September of 2002, JetBlue Airline provided the Transportation Security Administration with 5 million customer records. The data included income level, Social Security Numbers and itineraries. The TSA subsequently transferred this data to Torch Concepts, a private defense contractor. Torch then purchased matching records from a large data-aggregation company—including individuals’ occupations, vehicle ownership information, and number of children. The airline had blatantly violated its own privacy policy, leaving its passenger’s information in the hands of an unaccountable third party. This misstep left the company open to prosecution for unfair business practices by the Federal Trade Commission. It also generated a number of class action lawsuits from angry customers. JetBlue’s decision to stray from its own policy and employ unacceptable data management practices alienated some of its best customers. Companies using automated data collection systems must define and protect personal data or face a similar consumer backlash.
Planning for the Future
Corporations can take solace in the fact that, according to Accenture’s study, 69% of consumers are willing to exchange personal data for discounts or rewards. A vague uncertainty surrounding a new technology will diminish as major retailers are able to reduce prices and enhance customer service with advances in supply chain technology. Abiding by broadly accepted privacy guidelines will help companies avoid embarrassing and costly missteps until then.