Presentations to ALA Intellectual Freedom Committee
American Library Association
ALA Mid-Winter
San Diego, CA
Beth Givens, Privacy Rights Clearinghouse Director
bethg(at)privacyrights.org
and
Lee Tien, Electronic Frontier Foundation Staff Attorney
tien(at)eff.org
General Issues:
- The selection of a system to automate library functions such as a circulation or an integrated library system (ILS) launches the library into a long-term commitment to that system. If a library selects an RFID-based system, it is likely to retain that system for a long time, primarily because of its high cost as well as the time-consuming structural changes that the library must engage in to successfully use the new system.
- Has the library community examined where the RFID technology is going and how it is expected to evolve? Even though privacy and civil liberties impacts might not be of concern now because RFID systems in libraries are essentially "closed" systems, that may not be the situation forever. For example, the publishing industry is exploring the use of RFID to tag books.
- The library community must monitor and shape the direction vendors and jobbers are taking with RFID. It is important for the library community to resist efforts that move RFID from its present proprietary ("closed") status to that of the RFID standards in the marketplace (the EPC standard developed by MIT's AutoID Center) - or that incorporate the use of marketplace tags with library-specific tags, a situation that could occur if the publishing industry adopts RFID. Also, it is especially critical for the library community to require effective, auditable security of RFID systems.
- We recommend that the library community conduct a comprehensive technology assessment of RFID as soon as possible to enable librarians to make the best possible decisions involving the implementation of this technology. Such a risk-benefit analysis would include an investigation of the potential privacy and civil liberties implications and the best methods to mitigate these harms.
- The library community is a leader in protecting intellectual freedom and user privacy. Libraries have an opportunity to be societal leaders and a "model industry" in the way in which they adopt RFID-based circulation and ILS systems.
Best Practices, based primarily on Principles of Fair Information Practices (resources at end):
- Privacy policy. If the library has not adopted a privacy policy, it should develop one that encompasses its implementation of RFID.
- Notice / Openness. The library must make public its policies and practices involving the use and maintenance of RFID systems, encompassing tags, readers, and the associated database(s).
- Library users have a right to know that items contain RFID tags and generally where readers are located.
They have the right to know the technical specifications of those devices.
Labeling must be clearly displayed and easily understood. - Any tag reading that occurs in the library environment must be transparent to all parties. There should be no tag-reading in secret.
- Library users have a right to know that items contain RFID tags and generally where readers are located.
- Purpose specification. Library users must be given notice of the purposes for which tags and readers are used.
- Collection limitation. The collection of information should be limited to that which is necessary for the stated purpose. There should be no personal data encoded in RFID tags.
- Security safeguards. There must be auditable security and integrity in transmission, databases, and system access, including the use of encryption.
- Accountability. The library must inform its users who they can contact for questions and complaints.
Resources
AutoID Center, "Guiding Principles [for RFID]" posted on the Alien Technology web site, www.alientechnology.com/product/rfid_privacy.html (2003). California Senate, Energy and Utilities Subcommittee hearing, Agenda and Testimony, "RFID Technology -Where Is It Headed?," Nov. 20, 2003. www.senate.ca.gov/ftp/SEN/COMMITTEE/STANDING/ENERGY/_home/11-20-03agenda.htm Vinod Chachra and Daniel McPherson, "Personal Privacy and Use of RFID Technology in Libraries," www.vtls.com/documents/privacy.pdf. (Oct. 2003).
David Dorman, "Technically Speaking: RFID Poses No Problem for Patron Privacy," American Libraries (Dec. 2003).
James Lichtenberg, "Industry Exploring Viability of RFID," Publishers Weekly (Nov. 17, 2003).
Simson Garfinkel, RFID privacy web log, www.rfidprivacy.org (Established 2003)Simson Garfinkel, "An RFID Bill of Rights," MIT Technology Review, www.technologyreview.com/articles/print_version/garfinkel1002.asp (Oct. 2002).Beth Givens, "A Review of the Fair Information Principles," Privacy Rights Clearinghouse, www.privacyrights.org/ar/fairinfo.htm (1997).Beth Givens, "RFID and the Public Policy Void," testimony presented at Joint Committee on Preparing California for the 21st Century, California Legislature, Aug. 18, 2003, www.privacyrights.org/ar/RFIDHearing.htm. "Position Statement on the Use of RFID in Consumer Products," endorsed by 40 consumer, privacy, and civil liberties organizations, www.privacyrights.org/ar/RFIDposition.htm (Nov. 20, 2003). "The RFID Right to Know Act of 2003," proposed by CASPIAN's Katherine Albrecht and developed by Zoe Davidson of Boston University Legislative Clinic. www.nocards.org/rfid/rfidbill.shtml (2003). Karen Schneider, "RFID and Libraries: Both Sides of the Chip," testimony presented at Committee on Energy and Utilities, California Senate, Nov. 20, 2003, www.senate.ca.gov/ftp/SEN/COMMITTEE/STANDING/ENERGY/_home/11-20-03karen.pdf ."Should Libraries Play Tag with RFIDs? Librarians Jackie Griffin and Karen Schneider discuss the benefits and problems of using this hot new technology," American Libraries (Dec. 2003).
Lee Tien, "Privacy Risks of Radio Frequency Identification 'Tagging' of Library Books," testimony first presented to San Francisco Public Library Oct. 1, 2003, and contributed to Committee on Energy and Utilities, California Senate, Nov. 20, 2003, www.senate.ca.gov/ftp/SEN/COMMITTEE/STANDING/ENERGY/_home/11-20-03library.htm.
RFID and Libraries:
EFF Talking Pointsfor ALA IFC
By Lee Tien, Senior Staff Attorney
Electronic Frontier Foundation
- While "closed" or "proprietary" library RFID systems may provide some privacy protection for library patrons today, this is not a viable long-term answer to the civil liberties risks. Closed systems rely fundamentally on "security through obscurity."
Several forces seem poised to erode closed systems.
- Book publishers will eventually use their own RFIDs. It likely won't happen for a few years, but the Book Industry Study Group is looking at RFIDs. See AAP Memo ("RFID may eventually become widely used for identification of products in the book industry"); Japanese Book Tracking Trial: <http://news.zdnet.co.uk/itmanagement/0,1000000308,2134438,00.htm> ("...allows booksellers to gain information such as the range of books a shopper has browsed, how many times a particular title was picked up and even the length of time spent flipping through each book"). To the extent that major retailers like Wal-Mart sell books and want suppliers to use RFIDs, the trend will gain momentum. An individual library would have a strong cost incentive to use whatever RFID system used by book publishers.
Many libraries already are parts of larger library systems or library consortia, and it should be expected that RFIDs will be interoperable within their own systems or consortia.
Today's library RFIDs mainly operate in the high-frequency (HF) 13.56 MHz band, the most widely used of the RFID HF bands (UHF/868-915 MHz and microwave/2.45 GHz or 5.8 Ghz) because it's the global standard frequency for contactless smart cards or proximity cards. HF-band RFIDs have longer read ranges than low-frequency RFIDs, but don't need a power source. As a result, we should expect RFID readers/sensors for this frequency band to be very common, which will increase the likelihood that non-library RFID readers will be able to capture RFID data from library RFID tags.
- Exploiting mass-production scale economies is a key major business goal of the RFID industry. It's unclear how long libraries will have market pull with RFID system vendors, because the industry needs to standardize and consolidate on a discrete set of options in order to sell as many RFID tags as possible for as many applications as possible globally. It's likely that the RFID industry and manufacturers, resellers, system integrators and government agencies will cooperate even more as the industry matures.
- Book publishers will eventually use their own RFIDs. It likely won't happen for a few years, but the Book Industry Study Group is looking at RFIDs. See AAP Memo ("RFID may eventually become widely used for identification of products in the book industry"); Japanese Book Tracking Trial: <http://news.zdnet.co.uk/itmanagement/0,1000000308,2134438,00.htm> ("...allows booksellers to gain information such as the range of books a shopper has browsed, how many times a particular title was picked up and even the length of time spent flipping through each book"). To the extent that major retailers like Wal-Mart sell books and want suppliers to use RFIDs, the trend will gain momentum. An individual library would have a strong cost incentive to use whatever RFID system used by book publishers.
- If libraries wish to influence RFID use and development toward privacy and security, the time is now. EFF urges libraries to act collectively as soon as possible to protect their own and their patrons' interests, as well as to set an example for society.