News and Views

- August 6, 2007 -


RFID News: Are We Entering a Period of Consumer “Identity Management?”


Who Has the Power Balance Dictates the Threat in Each RFID Application, New Report Says; Consumer Knowledge is the Key to Limit the Danger



SCDigest Editorial Staff

The News: Scientific Technology Options Assessment (STOA), an arm of the European Parliament, says we can expect more issues around RFID and privacy in the near future, and that consumers will have to be more proactive about making choices and protecting their identities.

SC Digest Says:
 An option must be presented to allow the consumer to “opt out” of some elements of RFID data collection that are specifically tied to them.

What do you say? Send us your comments here

The Impact: While RFID privacy concerns have been rather minimal from the general public thus far, as consumer-based applications have been limited, that could change dramatically over the next few years as RFID gains a foothold in retail. The report recommends that consumers will have to start thinking about “Identity Management” – an awareness and control of who has access to their data, and what that data is used for.  But it’s also clear that the ultimate path will involve industry, government, privacy advocates and others.

The Story: In a recent Scientific Technology Options Assessment (STOA) study of RFID’s impending impact on society, the privacy issue was tackled head on as researchers found that data collected using RFID technology in the future will need to be carefully managed if privacy is going to be maintained.  

In the current environment, the study concluded that the threat to privacy is being somewhat overblown as most organizations currently implementing RFID systems are unschooled regarding its complete capability to track movement, spending, productivity, preferences, habits, etc., and are not utilizing it to its full potential.  (For the full report, see RFID and Identity Management in Everyday Life.

In the past, RFID has been used mainly for logistical purposes to identify cargo and other non-consumer applications (although the widespread use to pay auto tolls generates significant amounts of RFID-based consumer data).  As RFID technology increasingly enters the public sector, however, privacy concerns become increasingly important. The STOA study attempts to take an in-depth look at these concerns, dismiss those with little merit (areas in which the consumer has the leverage of choice), and outline challenges which will need to be overcome in the battle to maintain privacy. 

While examining a number of futuristic scenarios in a number of different business and social environments (retail, public transport, office, etc.), researchers suggest that a valuable framework for considering the validity of RFID privacy issues is to assess for a given application who owns the power balance.

In the retail environment, for example, the power balance belongs to the consumer, who has a choice of retail options.  If a consumer doesn’t like what the retailer is doing with the data their collecting, they can shop elsewhere.  The report argues that this choice limits the danger of privacy abuses.

Conversely, in an office environment or the public transport arena, the power balance tips more towards the maintainer, as users have fewer options and, consequently, less choice.  In this setting, data abuse is a greater threat.

Is this a valid framework? To some extent - yes.  If consumers are given enough information to understand what data will be captured and how it will be used, and if there is a mix of retailers using RFID and those who are not, the consumer can choose whether to participate or not.  But if large retailers, who control an increasing share of total retail sales get together to implement RFID, the consumer, for all practical purposes, may not have much of a choice.  An option must be presented to allow the consumer to “opt out” of some elements of RFID data collection that are specifically tied to them.

In the end, the study’s researchers concluded that the best way for consumers to maintain their privacy in a fully-deployed RFID environment is to possess a better understanding of RFID technology and become adept in the concept of "Identity Management” – the concept of controlling what is known and not known to maintainers of the system and understanding how the data is used by each system.

To initiate the “Identity Management” thought model, the researcher’s compiled a list of challenges to be addressed: 

  • RFID users need to know what maintainers are allowed to do with RFID data.
  • RFID users should play a role in developing new RFID environments.
  • If personal data from different RFID settings are merged, it should remain clear who is responsible for handling these data.
  • The Privacy Guidelines and the concepts of personal data and informational self determination need to be reconsidered in the light of an increasingly interactive environment.
  • Governments should take a clear stance on whether RFID bulk data will be mined for investigation purposes.

Identity Management is also a construct that applies to both business/government (as maintainers) as well as consumers (as users).  Of course, one critical question will be to outline to what extent the rules about the collection and use of RFID-based data will be determined by the “maintainers” versus the “users.”  Can the user selectively disable or inhibit the collection of specific data elements?  For example, should the consumer have the ability to prevent RFID scanning of their movements in a retail store?

In the final analysis, it seems clear that while the privacy of users isn’t currently in grave jeopardy due to the maintainers’ unfamiliarity with RFID’s full capability, true privacy concerns are just around the corner and will need to be addressed to ensure that the technology is used appropriately.

Do you think we will see major privacy concerns regarding RFID arise? Do you believe consumers will actually be able to think in terms of “Identity Management?” How will this get settled in the end? Let us know your thoughts at the Feedback button below.

Send an Email