Picking Apart RFID Privacy

June 24, 2005

Yesterday I was at an RFID conference in Wisconsin and the lunch speaker gave a very convoluted privacy talk which basically told the audience (mostly consumer goods companies and suppliers to them) that a) RFID is going to be misused by some company or the other, b) people will freak about privacy, and c) ignorant lawmakers would then regulate the whole thing out of existence. Oh, and by the way, it was going to be the fault of everyone in the room for not heading this off. (I’m purposefully leaving off a link to the speaker for a variety of reasons.)

While this was probably the wrong audience (I don’t picture Sargento Cheese and Master Lock being in any position to alter the proposed scenario), I’d like to tease out some points from this argument about the privacy issues of RFID.

Consumer RFID is already here. Consumers have shown a consistent ability to tolerate new, potentially invasive technologies if there is perceived value. I’m amazed at the lack of outcry about the privacy issues, but its just not there. An even more startling example is cell phones. Here’s RFID by any definition: a device invisibly sending it’s ID (the magic number in your CIM card) over radio waves. Cell carriers are now required by law (E911) to track users’ locations to assistant emergency services.

The “public” is more discriminating than people give it credit for. On the other side, we (the public) have shown recently that we aren’t willing to accept just any random thing that’s thrown at us. The outcry over the RFID-enabled passports was well-founded and stopped the proposal (at least for now).

The real issue is general data privacy and security. The main issue underlying this is really a) can I control who gets data about me, and b) are the people who collect it going to keep it securely. RFID does pose some new challenges for (a), but as far as I can tell it doesn’t bring new issues to (b) which feel like a huge issue for this country right now. I have doubts that we have the right legal structure in place (some European countries may be closer to the right direction here), but I haven’t gone deep enough to understand that yet.

Over the new few weeks I’ll write some more about RFID and the ability to control who gets to see what data – this feels like the crux of the problem that is specific to RFID.