A set of best practices designed to help assuage concerns about RFID tags has been released by a group of technology vendors, users and consumer groups.
Companies using RFID tags on products should notify customers in all cases, should tell customers whether they can deactivate the tags and should build security into the technology as a primary design requirement, the group said.
The Center for Democracy and Technology's (CDT's) Working Group on RFID also recommends that companies collecting personally identifiable information through RFID tags tell customers how that data will be used.
If customers can opt out of sharing that information, or destroy the tags, those options "must be readily available," says the working group's draft best practices report.
"There should be no secret RFID tags or readers," the report says. "Use of RFID technology should be as transparent as possible, and consumers should know about the implementation and use of any RFID technology ... as they engage in any transaction that utilises an RFID system. At the same time, it is important to recognise that notice alone does not mitigate all concerns about privacy."
The CDT hopes that the guidelines, which took over a year to develop, will serve as an example to companies rolling out the technology, said Paula Bruening, staff counsel at CDT, a privacy and civil liberties advocacy group.
"The document draws from widely accepted and traditional principles of fair information practices," Bruening said. It offers concrete guidance for companies that want to deploy RFID in a way that respects privacy, but also recognizes the need for technological flexibility, she added.
The expanding use of RFID, embraced by large retailers Wal-Mart and Target, has raised concerns with some privacy advocates. RFID uses small processors and antennae that are integrated into a paper or plastic label. Those chips can then be read by an electronic scanner, and unlike bar codes, RFID chips withstand dirt and scratches.
As the range of RFID scanning grows, RFID could allow corporations and governments to track people's movements and purchases, privacy advocates have said.
The report recommends that companies using RFID should provide customers "reasonable" access to the personally identifiable information they collect using the tags. Also, companies should tell customers of their RFID use before the customer transaction is completed.
The CDT working group's guidelines will evolve, and the group doesn't expect every company deploying RFID to follow all the recommendations, Bruening said. "I think this document is going to be an important discussion piece," she added.
The standards will be a good starting point for companies that want to consider privacy issues before they launch RFID initiatives, said working group members. "These new guidelines show how RFID can provide great benefit to society, while treating customers' privacy with respect," said Steve Shafer, a principal research for Microsoft.
Other members of the CDT working group included Cisco Systems, IBM, Intel, the National Consumers League, Procter & Gamble, and VeriSign.