[LINK] Microsoft tracks people with RFID tags
Geoffrey Ramadan
gramadan at umd.com.au
Thu Aug 21 23:30:24 AEST 2008
Roger Clarke wrote:
> At 15:43 +1000 21/8/08, Geoffrey Ramadan wrote:
>> If you read the rest of the article you will note:
>> "A person's entry will trigger an animated avatar on the big in-room screen
>> using cutting-edge motion detection..
>> No personally identifiable information, such as names, will be displayed
>> alongside the avatar...
>
> An avatar isn't personally identifiable?
>
> How then can the rest of the aims of the scheme be achieved?
>
>
>> Delegates will also be educated on how to opt-out or remove the RFID tag, ...
>
> Good.
>
>
>> ... but Microsoft is hoping most will choose to participate...
>> The network is intended to help delegates see when rooms are filling up,
>> identify personal networking opportunities"
>
> I wonder what measures are being used to ensure that no-one
> interprets that hope as a condition of employment, coercion, or even
> pressure.
>
>
>> i.e. appropriate consideration for peoples privacy has been considered.
>
> It's just a tad more complicated than that, Geoffrey.
>
> Comprehensive risk assessment incl. consultation? Comprehensive risk
> management plan? Genuine consent? Post-implementation audit of the
> key design features? Enforceable undertakings? Enforcement process?
> Sanctions?
>
> And that's off the top of the head, without actually looking at the
> 'Code' that Jan worked on, and that has been comprehensively ignored
> by the industry that used its preparation as evidence that it was
> privacy-sensitive.
>
Roger
If I provided a voluntary service to attendee where:
1) I recorded their personal information (name and mobile phone number)
on a clip board which was then entered into a central database.
2) issues barcoded name badges to attendees
3) have operators scan these bacodes upon entry to a function
4) SMS attendees details of numbers and also allowed access say via a
wap interface (no name just numbers) to their PDA.
and
5) as part of the completed attendee form I had a privacy statement
stating that information was not going to be used for purposes other
than this application. Data will be deleted at the end of the function etc.
Would I also be required to go through
- risk assessment
- consultation
- risk management plan
- post implementation audit
- ensure enforceable undertakings
- ensure enforcement process and appropriate sanctions?
Geoff
More information about the Link
mailing list