EU and US on RFID Privacy

I recently came across two articles that could serve as a beginning of an exploration of the differences in how the US and the EU approach the issues of RFID privacy: FTC Asks RFID Users to Self-Regulate, and Privacy Laws: Europe Protects Against RFID Abuses.

The US approach right now is one of “self-regulation,” which appears to mean that the people who deploy RFID in a consumer setting will make their own decisions about consumers’ privacy. This could simply mean that the FTC is happy with what it sees happening right now, given the low deployment rates, rather than that it never intends to regulate to protect consumers’ privacy.

The US approach also seems to ignore the promiscuity feature of RFID tags — that many will be able to be scanned by anyone and will respond to any scan, not just those of the manufacturer:

The agency has also concluded that many of the potential privacy issues associated with RFID are inextricably linked to database security. Companies using RFID to collect and augment personal consumer data must therefore adhere to existing FTC guidelines on implementing reasonable and appropriate measures to protect that data.

I must admit I don’t know much about what those FTC guidelines on implementing reasonable and appropriate measures to protect that data mean right now. But we can take from this that the FTC does not appear to be too concerned with people other than the deployer of the RFID tags reading them: third parties reading the tags and building their own data collection, or drawing other conclusions, based upon the presence of the tags on a consumer or on products.

The EU article didn’t address this specific point, but it does have regulators providing minimum requirements before widespread adoption by industry:

Under European law, any company that uses RFID must notify the consumer the tag is on the product and provide details on how to discard the tag and access the information held on it. The company must also disclose how any information will be collected and used.

This doesn’t address third-party reading of tags (other than by giving notice to consumers of the tags and their information), but it does go towards providing some minimum standards that companies have to follow in alerting consumers. My guess is this will provide a good incentive for consumers to demand better regulation, whether government-imposed or self-imposed. Consumers on notice will be able to exert both public and market power to control the information that they create, and that is gathered on them, via RFID on consumer products.

UPDATE. Here’s another article I just ran into about the US approach: Rep. Senators Vow to Protect RFID.

A group of Republican U.S. Senators said they will work to ensure that RFID deployments stay free of regulation, according to a new policy platform that has already won the support of RFID, technology and retail organizations while drawing concern from privacy groups.

So it’s not just the FTC that believes in “self-regulation.” It’s also the GOP technology folks, which probably means that there is no chance for any RFID regulation in this Congress.

UPDATE II. Just in time for this piece, here is a recent EPIC report: Privacy Self Regulation: A Decade of Disappointment. Citing the success of the Do-Not-Call Registry:

FTC’s success in the telemarketing field demonstrates that it can protect Americans’ privacy effectively and fairly. However, telemarketing was a 20th century problem. This report argues that it is time for the agency to move into the 21st century. It is time for the agency to apply the principles of telemarketing privacy regulation into the online world.

Posted: 3/11/2005
