Canadian Province's New RFID Privacy Guidelines Could Have The Wrong EffectBy Evan Schuman | Posted 2006-06-22 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Updated: Warning consumers about anything presupposes that there is something bad with that item, something that should be avoided. This might be a self-fulfilling prophesy.The commissioner for Information and Privacy in Ontario unveiled on June 19 a series of tips and guidelines for using RFID within her part of Canada.
First of all, the fact that a major Canadian province even has an information and privacy commissioner makes me look longingly to the North. But I believe bacon should be served in long narrow strips and that a rectangle is a terrible shape for any food, so we're probably even.
But the guidelines themselves certainly need to be examined seriously because North American products can ill-afford to accommodate two different standards and, besides, neither Mexico nor the U.S. have any material privacy RFID rules at the moment.
Current U.S. views on RFID privacy pretty much comes down to a modified monetary laisez faire policy ("leave campaign contributors alone and the market will take care of itself"), while Mexico's position is closer to "You can capture anything about our citizens that you want as long as you pay a living wage. OK, one-fourth a living wage, but we want a break after 18 hours of work."
The Ontario approach is a bit different. One example: "Organizations should only collect, use or disclose RFID-linked personal information for purposes that a 'reasonable person' would consider appropriate in the circumstances."
It then lists two things that Ontario believes would be unreasonable: "price discrimination" and "tracking and proﬁling individuals without their informed, written consent."
Both sound frightening for retailers and consumer goods manufacturers—and with good reason. The "price discrimination" is aimed at applications that will charge lower prices to customers they want to attract and higher prices for those they want to repel, such as aggressive bargain hunters. There have been unsubstantiated allegations about this on some Web sites, but those allegations involved cookies, not RFID.
Still, the potential exists for RFID to enable the same kind of capability. But isn't this simply a continuation of the time-honored discounts for those with a frequent shopper loyalty card? Aren't those card programs offering discriminatory pricing, in the sense that some customers are being charged different prices than others?
That gets into that second reference: "tracking and proﬁling individuals without their informed, written consent." Is this to be interpreted to mean that such tracking/profiling is permitted in Ontario, as long as it doesn't involve RFID? It would seem silly to permit it for CRM programs as long as they used barcodes, but to somehow find the privacy invasion reprehensible if it involves RFID.
Editor's Note: This story was updated to clarify where in Canada the guidelines apply.
Read the full story on eWEEK.com: Canadian Province's New RFID Privacy Guidelines Could Have The Wrong Effect