FoeBuD e.V. // Marktstrasse 18 // D-33602 Bielefeld
Tel: 0521-175254 // Fax: +49-521-61172 // Mail: mail-aet-foebud.org
Web: www.foebud.org and www.bigbrotherawards.de and www.stoprfid.de
Our work is only possible thanks to your donation!
Account: 2129799 // Bank code (BLZ): 48050161 // Sparkasse Bielefeld

Response, criticism and suggestions by FoeBuD e.V. to CDT-Paper "Privacy Best Practices for Deployment of RFID Technology"


Text: Jan E. Hennig

To make this contribution, we used a German translation of the paper, made by Harald Manninga.

The paper, published in English by the “Center for Democracy and Technology” in the US, was cited several times as a “good start” and a possible basis for similar regulations for Europe (not only, but also) during the EU Commission's consultation on RFID initiated by Viviane Reding. In our view the paper is deficient in many respects, and the US situation that it reflects cannot be imported into Europe in this way. Criticism has also come from the paper's country of origin.

The points of criticism and suggested improvements that FoeBuD would like to raise about the paper are given below. After a section of points relevant to the paper as a whole, there will be individual remarks following the order of items in the paper. For reasons of brevity and clarity, we will refer to these items by their headlines only.

General remarks

  • The paper mostly talks of consumers. But it is an important aspect that the protection of privacy applies to all citizens, independent of their role.

  • The text's stated topic is exclusively “personally identifiable information” (abbreviated “PII”). Information that can be linked or potentially linked to persons is not considered. (See the comments of FoeBuD to WP 105 as an example.) For privacy, this is one of the major areas to take into account with RFID implementation projects. The EU Commission's Article 29 group must find a clearly understandable definition for these types of data.

  • From the middle of the text onwards the phrase “whenever practicable” is often used. But for almost every occurrence, the measures given after this phrase are mandatory; they must be taken regardless of how practical or financially attractive they might be.

    Privacy is a human right. Human rights are absolute; they cannot be made to depend on other issues, especially not on commercial interests.

Specifics (ordered after sections in the CDT paper)

Re: Introduction

  • Even the ordering of groups in the introduction, where RFID is said to “hold promise”, does not reflect the situation correctly. For government and businesses, many more advantages can be found than for consumers. But it is only advantages that are supposed to be communicated. This is not consistent with a sustainable use of the technology.
  • Advantages named in the introduction are not substantiated by reference to relevant studies (let alone independent studies). The statements are thus weak (e.g. safety in medical drug application, prevention of error in hospitals, etc.) and it is easy to find opposing statements and counter-scenarios.
  • RFID cannot directly aid in care but can be used for monitoring, which in turn will serve to cut staff numbers. This is not what one would understand as “aiding”. Human dignity and human rights go above all commercial interests. (We repeat:) Human rights are an absolute; they cannot depend on other issues.

Re: RFID Tags

Re: Readers and Read Range

  • The read range is the only distance mentioned. Also important for privacy is the “snooping range” for a third party to eavesdrop on the communication between reader and tag.

Re: Data and RFID Systems Networks

  • Data linking might also occur with data from other sources, as in the case of credit card payments.
  • The paper is missing a point “2a) keep track of people with objects”.

Re: RFID and privacy

  • This section deals with data that other parties would otherwise not be able or allowed to access. Not considered, but of great importance for privacy, are data that could otherwise not be accessed as easily. RFID makes data much easier to access.
  • The first paragraph concludes with a remark on security concerns. Not included are the important concerns of authorised access to the data that is then followed by unauthorised linking with other data or unauthorised storage of accessed and/or combined data.
  • The text calls for a detailed analysis of privacy and security issues. It is important that such an analysis is conducted independently.
  • About technological neutrality: RFID facilitates abuse - and hiding abuse - on a scale orders of magnitude beyond earlier technologies. This point must be considered clearly in any technology assessment.
  • The paragraph on “Consumer Transparency” fails to mention the necessary control by users as they “engage in any transaction” or choose not to do so.
  • Warnings, information practices and such must follow a neutral procedure and use understandable language. This should be subject to independent audits. It must be possible and be made possible for citizens to obtain equivalent, RFID-free products.

Re: The Purpose of these Guidelines

  • The paper uses the concept of “fair information practices” with regard to certain interests. But it does not spell out how “fair” can be defined or how the authoring group has reached that assessment, and which precautions apply.
  • In these “guidelines”, the hope is expressed that they will be adhered to, but they do not describe even the beginnings of a mechanism for enforcement, such as contract penalties. Enforcement of any (appropriately extended) guidelines should be provided by law.
  • The paper states that it does not deal with government applications of RFID. This field as well as others not covered by the paper must therefore be the subject of further regulatory work.

Re: Best Practices - Notice

  • Notices to consumers must not only be clear, conspicuous and concise, but also neutral and easily understandable. Notices must in our opinion not only be provided for RFID systems where “information is collected [...] and linked, or is intended [...] to become linked, to an individual's personal information either on the RFID tag itself or through a database”. They need to be present with any RFID implementation, because even data originally not designed as personal can be converted to become, or become linked to, personal information.
  • The notices must include advice on how the collection of information can be avoided or disabled.
  • Any collection of information must follow an opt-in procedure; opt-outs or the absence of any option are not acceptable.
  • Data for “additional or subsequent uses” may only be collected after express consent without extra incentives or coercion, such as discounts or items intended to stimulate desires in children.
  • Considering the likelihood of linkage with personally identifiable information, as mentioned in the paper, must not be left (solely) to commercial entities. What is required is an assessment by an independent body prior to any RFID implementation as well as (ir-)regular, independent and unannounced data protection audits in the operation phase.
  • It should not be a matter of choice whether notices are required or not. If RFID technology is used, appropriate notices must be included (“hazard symbols”).
  • The “consumer education efforts” mentioned must not restrict themselves to raising awareness of benefits; drawbacks must also be communicated in a comprehensive way. Such education programs must be designed by independent institutions.

Re: consumer choice on the use of RFID technology

  • Citizens must be provided with information on how they can obtain products that do not incorporate RFID technology. Information on this topic as well as “when there is an option to remove, de-activate, or destroy a tag” must be available at no extra (transaction) cost.
  • Companies must help and support citizens in acting on the above information, and this too must not lead to (transaction) costs.

Re: Choice and Consent

  • A citizen's consent regarding the use of his or her personal data must never be presupposed but explicitly obtained at each instance.
  • Even in the last case there must be neutral information, and consent must be obtained through an opt-in procedure.

Re: Onward Transfer

  • Any sharing of data with subsidiary companies etc. must always, not just “wherever practicable”, occur with the same or a higher level of protection. Citizens must be informed about each case of data sharing. They must be given a veto. The company that is visible to the citizen must be directly liable.

Re: Access

  • The paper does not explain what it regards as “reasonable access”. To clarify: Citizens must be given access to their data including any linkages created with it, at minimal transaction cost. There must not be any restraints or coercion to use special forms or devices.

Re: Security

  • To require “reasonable and appropriate efforts” is not enough. To minimise the risks for data protection and data security, the extended ALARP principle [1] must be followed. The application must be secured by the best available technological means; final liability must lie with the commercial entity found not to have used the best technology; from the citizens' perspective, liability must lie with the entity they are in direct contact with.
  • In cases of doubt, companies must demonstrate their security measures and show that they have used the best possible technological means.

Re: Notes

  • Note 1: A reader must also authenticate itself to citizens or their tags.
  • Note 4: The EPC logo is not conspicuous enough and does not communicate the dangers behind RFID technology. A pictogram based on hazard symbols (black on a yellow triangle) is appropriate.
  • Note 6: Enabling or disabling such functions must not restrict free choice by citizens. For example, such a function must not lead to monopolisation or oligopolisation as e.g. with ink cartridges (where only the original manufacturer's cartridges might be enabled).
  • Note 7: Citizens' freedom of choice must be a legally enforceable standard. Regarding the EPC logo see our comment to note 4.



Translation: Sebastian Lisken


2006-09-15 00:46