Dan Swartwood is a Data Privacy Officer for Hewlett-Packard’s World Wide Customer Privacy Office.
Should there be federal legislation limiting the use of RFID technology and the information it is able to gather?
HP has been and continues to be an advocate for omnibus privacy legislation. In the U.S., we continue to legislate privacy in a sectoral process that complicates the privacy landscape. The full benefits of RFID to consumers would likely never happen if a law was enacted on the use of RFID technology, and was enacted prematurely. It would likely either be ineffective or too restrictive to provide any benefit to business or the consumer.
We are too early in the development cycle to restrict this promising technology. Imagine where we would be today if we had passed privacy legislation on the use of credit cards, mobile phones or even the telephone, when those technologies were in their infancy.
What factors have contributed to the news media’s negative portrayal of RFID technology?
To date, the RFID privacy issue has been framed by those with legitimate, but also some extreme views of the capabilities of the technology. These extreme views also include conspiratorial aspirations for both industry and government to use this technology to further limit the privacy of individuals. There has also been a less than consistent effort on the part of industry to inform the public and government officials about the capabilities, limitations and benefits of RFID, but this is now changing.
RFID has been around for sometime. Its implementation has been somewhat transparent to the general population as there was no announcement that the EZ pass tags used on toll roads to expedite traffic flow and the Speed Pass used by at least one gas/oil company to expedite gasoline purchases were RFID-based solutions. Later this year, almost all tires made in the US will have embedded RFID tags. This as a decision made jointly by the tire and automobile industry without government intervention. Soon every herd of cattle in the US will carry RFID tags to allow a timely and targeted solution to react to the possibility of a mad cow situation. These developments have and will continue to improve the average person’s quality of life.
In the corporate supply chain area, RFID is a relatively new technology. It was initially adopted by the logistics, IT, and manufacturing organizations within corporations. These organizations are not customer facing and do not have processes in place normally to anticipate consumer reaction to technology implementations thought to be transparent to consumers.
Last year, as HP began pilot efforts around RFID in our own supply chain, we recognized the potential impact of privacy on our internal implementation and asked for direct support from HP’s Privacy Office. Dan Swartwood, HP Privacy Officer, has been a full member of the HP RFID Program and has been providing guidance to the rest of the core HP RFID team to deal with any privacy concerns around HP’s RFID deployment.
EPCglobal, the relatively new international standards body created to ensure globally consistent implementations of RFID, has begun to address privacy concerns. EPCglobal anticipates starting a broad consumer education program in the near future. To date, this organization has provided guidance on providing notice and choice to consumers when item level tags are used in retail. To further HP’s leadership in RFID, HP has joined the board of EPCglobal and is represented by Dick Lampman, HP senior vice president of research, and director, HP Labs. HP’s support of EPCglobal is part of our company’s effort to promote broad adoption standards that will be necessary to secure the position of RFID as a cost effective and readily available technology.
What steps should companies exploring item-level RFID programs take to protect their customers from perceived or actual violations of privacy?
Specifically, consumers should be given notice about the presence of RFID tags on store shelves and on individual items; consumers should have the choice about removing or deactivating RFID tags on individual items; and as the technology allows, there should be a practical way to offer choices for linking PII with other RFID data. Organizations that collect and store PII with RFID data should take appropriate security protection measures to prevent ID theft.
Businesses need to do more to educate the general public on the uses, benefits and issues about the use of RFID, fostering constructive solutions to their concerns. HP is a global thought leader in privacy, working with other industry leaders and the EPC-Global, we will do our part in educating, industry, consumers and governments on ways to successfully implement the technology and safeguard privacy.