www.ipc.on.ca
How Privacy Could Affect the Future Roll-Out of RFIDs: Take Note
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
Symposium on Supply Chain Management
September 30, 2004
Slide 2
Just What is an RFID?
Radio Frequency Identification (RFID)
Generic term for technologies that use radio waves to automatically identify individual items
Slide 3
RFIDs and Supply Chain Management
Products are embedded with an RFID tag, which includes a microchip and tiny radio antenna
The microchip may contain data about the product, including a unique identifier called an Electronic Product Code (EPC)
Cases and pallets of products may also include their own RFID tags
Slide 4
RFID Readers
RFID readers at various points in the supply chain (e.g., factory loading docks) “wake up” the tags, which transmit the EPC and other data to the readers at a short distance (passive RFIDs)
Slide 5
Benefits of RFIDs
RFID technology offers benefits for supply chain management:
• More efficient management and tracking of goods and inventory
• Reduced labour costs (e.g., no manual scanning of individual items is required)
Slide 6
EPCglobal
Non-profit organization that is leading the development of industry standards for the Electronic Product Code (EPC), including the use of RFID technology
Public Policy Steering Committee is responsible for setting privacy standards
Slide 7
Privacy and RFIDs
RFID tags contain information about a product, not an individual (e.g., EPC, price, size, colour, manufacture date, etc.)
But many consumers perceive a threat to privacy
Slide 8
Consumer Perceptions
Consumers perceive that RFIDs may facilitate:
• The merger and linking of product information and personal information without consent
• The ability to track consumers who have purchased a product
• The establishment of a widespread surveillance infrastructure
Slide 9
Implementing RFIDs
A failure to build privacy into the design and implementation of RFIDs can produce a consumer backlash
This can have an adverse impact on a company’s reputation and affect the bottom line
Slide 10
Consumer Backlash
How real is this?
Could privacy truly affect the roll-out of RFIDs?
Slide 11
Benetton
Italian clothier Benetton sparked a furor after it announced plans to implant RFID tags in its apparel (April 2003)
Public opposition forced the company to cancel its plans
Slide 12
Gillette: Keeping “Tags” on Customers
Privacy groups threatened a consumer boycott after the media reported that Gillette was testing a “smart shelf” at a Tesco store in the U.K., possibly for theft detection purposes (July 2003)
RFID tags embedded in Gillette razor packages triggered CCTV cameras that took a picture of a customer both when he or she removed a package from the shelf and at the check-out
Slide 13
Metro AG
Metro AG, a German company, announced plans to start using RFID chips in supermarket loyalty cards in one store
The purpose of this initiative was supposedly to allow the store to verify the age of shoppers wanting to view DVD movie trailers
Metro AG abandoned its plans after protests from privacy groups (March 2004)
Slide 14
Checkpoint: Tracking Individual Items
Checkpoint Systems Inc. announced earlier this month that it has developed new RFID solutions for tracking individual consumer items
CASPIAN, a U.S.-based consumer rights group, claimed that:
• Checkpoint was developing RFID “spychips” for three well-known clothing labels
• Consumers wearing the tagged clothing could potentially be identified and tracked by readers
Slide 15
Get Ready for a Good Fight
Checkpoint senior executive: “These RFID applications are prototype designs to demonstrate how the technology will fulfill a customer’s need for greater information and stock availability …”
CASPIAN: “[We] will be working with consumers on an aggressive response to this privacy threat. Roll up your sleeves and get ready for a good fight.”
Slide 16
Information Privacy Defined
Information Privacy/Data Protection
• Freedom of choice; control; informational self-determination
• Personal control over the collection, use and disclosure of any recorded information about an identifiable individual
Slide 17
Fair Information Practices: A Brief History
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
EU Directive on Data Protection
CSA Model Code for the Protection of Personal Information
Personal Information Protection and Electronic Documents Act (Canada)
Slide 18
Summary of Fair Information Practices
• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance
Slide 19
Federal Private-Sector Privacy Legislation
Personal Information Protection and Electronic Documents Act (PIPEDA)
Applies to personal information collected, used or disclosed in the course of commercial activities by all:
• federally regulated organizations and
• provincially regulated organizations, unless a substantially similar provincial privacy law is in force
Slide 20
Provincial Private-Sector Privacy Laws
Québec: Act respecting the protection of personal information in the private sector
B.C.: Personal Information Protection Act
Alberta: Personal Information Protection Act
Ontario: draft Privacy of Personal Information Act, 2002 – not introduced…so PIPEDA applies
Slide 21
How The Public Divides on Privacy
[Bar chart, Feb 2003 (%), scale 0 to 80. Categories: Privacy Unconcerned, Privacy Pragmatists, Privacy Fundamentalists. Bar values: 26, 64, 10.]
The “Privacy Dynamic” - Battle for the minds of the pragmatists
Dr. Alan Westin
Slide 22
Importance of Consumer Trust
In the post-9/11 world:
• Consumers either as concerned or more concerned about online privacy
• Concerns focused on the business use of personal information, not new government surveillance powers
If consumers have confidence in a company’s privacy practices, they are more likely to:
• Increase volume of business with company: 91%
• Increase frequency of business: 90%
• Stop doing business with company if PI misused: 83%
Harris/Westin Poll, Nov. 2001 & Feb. 2002
Slide 23
Damage Caused by Privacy Breaches
The Information Security Forum reported that a company’s privacy breaches can cause major damage to brand and reputation:
• 25% of companies surveyed experienced some adverse publicity due to privacy
• 1 in 10 had experienced civil litigation, lost business or broken contracts
• Robust privacy policies and staff training were viewed as keys to avoiding privacy problems
The Information Security Forum, July 7, 2004
Slide 24
Building Privacy Safeguards into RFIDs
RFIDs will continue to produce a consumer backlash unless both RFID manufacturers and business users adopt privacy safeguards
Privacy is not a concern at most stages of the supply chain (e.g., tracking items in a warehouse)
However, privacy concerns are triggered at the point when a consumer comes into contact with a product with an RFID tag
Slide 25
The Privacy Solution
RFID tags should be de-activated at the point of sale
De-activation should be the default
Customers should be able to choose to have an RFID tag re-activated
Slide 26
Openness and Transparency
Businesses should be open and transparent with consumers about the use of RFID tags and readers
If RFIDs are embedded in a product that makes its way to the retail shelf, proper notice should be provided to consumers
Slide 27
Notice
Notice must be conspicuous to the consumer and explain what an RFID is in plain language (not technical language)
It must explain where RFIDs are being used and for what purposes
Proper notice could be in the form of signs, labels, brochures, etc.
Slide 28
Choice
Potential reasons for RFID tag re-activation:
• Facilitating product returns and warranty servicing
• Facilitating recovery of lost or stolen products to consumer
• Enabling interaction with “smart” appliances
Consumers should have the choice to have an RFID tag re-activated without cost
Slide 29
Use Limitation
Personal information must not be used for purposes other than those for which it was collected, except with the consent of the individual or as required by law
Slide 30
Consent
A business must not merge or link a consumer’s personal information with RFID information about a specific purchased product, without that individual’s knowledge and consent
Consent must be voluntary and informed, which means that the individual understands the nature and consequences of providing or withholding consent
Slide 31
Challenging Compliance
A business should have a clear process in place for resolving privacy complaints from its customers about RFIDs
A business’s chief privacy officer (CPO) and other privacy compliance staff must be key players in the design and launch of any RFID initiative
Slide 32
Staff Education and Training
Both managers and frontline employees must be provided with privacy training that includes information about RFIDs
They must be trained to provide clear, honest and informed answers to customers who have privacy concerns about the tracking potential of RFID tags
Slide 33
To Find out More …
The Information and Privacy Commissioner of Ontario has published two RFID papers:
• Tag, You’re It: Privacy Implications of Radio Frequency Identification (RFID) Technology (February 2004): www.ipc.on.ca/docs/rfid.pdf
• Guidelines for Using RFID Tags in Ontario Public Libraries (June 2004): www.ipc.on.ca/docs/rfid-lib.pdf
Slide 34
Final Thought
“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”
Forrester Research, March 5, 2001
How to Contact Us
Commissioner Ann Cavoukian
Information & Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: [email protected]