[LINK] Microsoft tracks people with RFID tags

Geoffrey Ramadan gramadan at umd.com.au
Thu Aug 21 23:30:24 AEST 2008


Roger Clarke wrote:
> At 15:43 +1000 21/8/08, Geoffrey Ramadan wrote:
>> If you read the rest of the article you will note:
>> "A person's entry will trigger an animated avatar on the big in-room screen
>> using cutting-edge motion detection..
>> No personally identifiable information, such as names, will be displayed
>> alongside the avatar...
> 
> An avatar isn't personally identifiable?
> 
> How then can the rest of the aims of the scheme be achieved?
> 
> 
>> Delegates will also be educated on how to opt-out or remove the RFID tag, ...
> 
> Good.
> 
> 
>>  ... but Microsoft is hoping most will choose to participate...
>> The network is intended to help delegates see when rooms are filling up,
>> identify personal networking opportunities"
> 
> I wonder what measures are being used to ensure that no-one 
> interprets that hope as a condition of employment, coercion, or even 
> pressure.
> 
> 
>> i.e. appropriate consideration for people's privacy has been considered.
> 
> It's just a tad more complicated than that, Geoffrey.
> 
> Comprehensive risk assessment incl. consultation?  Comprehensive risk 
> management plan?  Genuine consent?  Post-implementation audit of the 
> key design features?  Enforceable undertakings?  Enforcement process? 
> Sanctions?
> 
> And that's off the top of the head, without actually looking at the 
> 'Code' that Jan worked on, and that has been comprehensively ignored 
> by the industry that used its preparation as evidence that it was 
> privacy-sensitive.
> 

Roger

If I provided a voluntary service to attendees where:
1) I recorded their personal information (name and mobile phone number) 
on a clip board which was then entered into a central database.
2) issued barcoded name badges to attendees
3) had operators scan these barcodes upon entry to a function
4) SMS attendees details of numbers and also allowed access say via a 
WAP interface (no name just numbers) to their PDA.
and
5) as part of the completed attendee form I had a privacy statement 
stating that information was not going to be used for purposes other 
than this application. Data will be deleted at the end of the function etc.

Would I also be required to go through
- risk assessment
- consultation
- risk management plan
- post implementation audit
- ensure enforceable undertakings
- ensure enforcement process and appropriate sanctions?

Geoff


