Canadian Province’s New RFID Privacy Rules Could Have The Wrong Effect

Written by Evan Schuman
June 20th, 2006

Warning consumers about anything presupposes that there is something bad with that item, something that should be avoided. This might be a self-fulfilling prophesy.

The commissioner for Information and Privacy in Ontario unveiled on June 19 a series of tips and guidelines for using RFID within her part of Canada.

First of all, the fact that a major Canadian province even has an information and privacy commissioner makes me look longingly to the North. But I believe bacon should be served in long narrow strips and that a rectangle is a terrible shape for any food, so we’re probably even.

But the guidelines themselves certainly need to be examined seriously because North American products can ill-afford to accommodate two different standards and, besides, neither Mexico nor the U.S. have any material privacy RFID rules at the moment.

Current U.S. views on RFID privacy pretty much comes down to a modified monetary laisez faire policy (“leave campaign contributors alone and the market will take care of itself”), while Mexico’s position is closer to “You can capture anything about our citizens that you want as long as you pay a living wage. OK, one-fourth a living wage, but we want a break after 18 hours of work.”

The Ontario approach is a bit different. One example: “Organizations should only collect, use or disclose RFID-linked personal information for purposes that a ‘reasonable person’ would consider appropriate in the circumstances.”

It then lists two things that Ontario believes would be unreasonable: “price discrimination” and “tracking and profiling individuals without their informed, written consent.”

Both sound frightening for retailers and consumer goods manufacturers?and with good reason. The “price discrimination” is aimed at applications that will charge lower prices to customers they want to attract and higher prices for those they want to repel, such as aggressive bargain hunters. There have been unsubstantiated allegations about this on some Web sites, but those allegations involved cookies, not RFID.

Still, the potential exists for RFID to enable the same kind of capability. But isn’t this simply a continuation of the time-honored discounts for those with a frequent shopper loyalty card? Aren’t those card programs offering discriminatory pricing, in the sense that some customers are being charged different prices than others?

That gets into that second reference: ” tracking and profiling individuals without their informed, written consent.” Is this to be interpreted to mean that such tracking/profiling is permitted in Ontario, as long as it doesn’t involve RFID? It would seem silly to permit it for CRM programs as long as they used barcodes, but to somehow find the privacy invasion reprehensible if it involves RFID.

Tracking/profiling are fighting words. Is it profiling to offer discounts on one brand of peanut butter only for people who regularly purchase a particular competing brand? Is it tracking to note that one consumer spends more than $900/month typically and then to send them E-mail invitations to some event? The wording in the Canadian material doesn’t exclude aggregate data, but isn’t that based on tracking individuals? Is that prohibited as well?

For retailers, Canada has rolled out a series of “notice” guidelines: “organizations should notify consumers if products contain an RFID tag, through clear and conspicuous labeling on the product itself”; “Organizations should notify consumers of RFID readers on their premises, using clearly written signage, prominently displayed at the perimeters”; “signs at the perimeter should identify someone who can answer questions about the RFID system, and include their contact information”; and “consumers should always know when, where, and why an RFID tag is being read. Visual or audio indicators should be built into the operation of the RFID system for these purposes.”

Somehow, I think the immediately prior draft wanted skull and crossbones on those signs and perhaps some imagery representing Satan (I guess for P&G, their old logo would suffice.)

Those are quite subtle notification suggestions. My favorite is the part about identifying someone who can answers about the RFID system. I can see Wal-Mart directing people to an 800 number and instructing them to hit #Sand.

The serious problem with such notification requirements is that, without proper consumer education, the sign won’t mean anything to many consumers. I can see Costco trying to turn the displays into marketing promotions: “Now including the miracle ingredient RFID at no extra cost!”

There’s also that wonderful part about audio indicators on RFID readers. What did Ontario have in mind? Sirens? Maybe the Darth Vader theme music? Or possible just a clip of someone saying “I see you”?

Here’s a well-intentioned one: “Organizations should not use or disclose RFID-linked consumer information for any purpose to which the individual has not consented.” The only problem is that retailers will likely throw such language into the fineprint on the back of every loyalty card, check-cashing card or anything else, including credit card slips. As long as fineprint exists on unrelated documents, such consumer consent will have little value.

It’s certainly a good thing that some government officials are thinking through where RFID could go in terms of consumer protections. But government edicts without industry support won’t help much. Remember those strange commercials that touted the benefits of a particular prescription drug? For years, the government gave the pharmas two choices: either describe the drug and not mention its name or mention the drug’s name but do not say what it does.

I’m no advocate of giving pharmas cart blanche to advertise to consumers however they want, but those particular U.S. government rules did little protect consumers. It just resulted in some very bizarre commercials. I fear the same thing happening with RFID. Through the use of highly technical terms and fineprint, I doubt many consumers would internalize the information that Ontario wants them to have. Will they think it has something to do with pacemaker interference? Is it to get discounts? Does it have something to do with store’s WiFi or maybe Bluetooth?

Back in December 2004, U.S. Senator Chuck Schumer called a news conference to promise legislation to regulate how retailers handle return policies. That legislation was never introduced. Although Schumer’s office has never officially explained what happened, some who were working on the legislation said that it became quite difficult to legislate wording and policy on something so customizable and also so proprietary.

In other words, the exact methodology to determine excessive returns could be thwarted if fraudsters knew the particulars. While Schumer gets credit for ultimately never introducing the legislation, he gets debits for holding a news conference to announce that he would.

There is a common thread between the two. On a surface level, forcing return policies and RFID tracking policies to be public sounds like a good thing, but digging down deeper, it’s very complicated to do it in a meaningful way that will actually advance the public cause. Will government leaders score points by announcing rules and then abandon their efforts without enforcement? I’m not surprised when it happens in the U.S., but I had higher hopes for Canada.


Comments are closed.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.