ORLANDO, Fla., In an attempt to combat critics and government legislation aimed against RFID technology, the ASSA ABLOY Identification Technology Group (ITG) has released a set of best practices it says can be used to ensure privacy protection for radio frequency identification (RFID) users. The set of guidelines for those that install and use RFID products were announced at the ASIS Int’l Seminar and Exhibits in Orlando, Fla.
The guidelines come as 12 state legislatures are considering legislation regulating RFID products. Among those is a bill before the California legislature that would put a three-year moratorium on the use of RFID technology in health cards, driver’s licenses, and library and school cards. After passing the state’s senate, that bill has stalled in an Assembly committee and won’t be reconsidered until the legislature returns from recess in January 2006.
“We were taken aback that RFID was blanketed as something high risk to privacy,” Denis Hebert – president of smart-card maker HID and co-CEO of ITG – told Campus Safety Magazine. “Security and privacy are not mutually exclusive. There needs to be a balance.”
Hebert cited the incident in California that sparked the state’s RFID bill – where a school put RFID tags on student cards and detectors in student bathrooms without informing students or their parents – as a reason why campus security personnel and administrators need to know how to ensure privacy when instituting RFID security.
“That was not an RFID problem, that was an application problem,” Hebert says.
Among the seven best practices announced by ITG, which it encouraged its buyers to follow, were the following:· Support of industry best practices through self-regulation, certifications and other methods for protecting the security of personally identifiable information and other private data. These practices should be auditable and enforceable.· Implementation of security for personally identifiable user information with protection that is proportional to threats to that data.· Personal data be stored on products subject to review by the user upon request.· Products not be used for sharing of any personally identifiable information.· Products include only the collection of necessary personally identifiable information.· ITG products or services not be used to track any person without their knowledge and consent.· Inform people and have them consent to the use of an RFID tag on any product or personal effect.
ITG will provide upon request consumer education concerning its products.
Also at the Sept. 12 announcement at the ASIS expo, ITG announced it will be holding an RFID Privacy Summit the week of Nov. 27 in San Francisco. Representatives from public entities, legislatures and the American Civil Liberties Union (ACLU) have been invited to meet with industry leaders at the summit to find common ground concerning RFID and privacy.
“We need to lift up the curtain and create transparency,” said ITG company Indala President Marc Freundich to Campus Safety. “It’s time to put everything on the table and have a discussion about it.”
