[LINK] Microsoft tracks people with RFID tags

Roger Clarke Roger.Clarke at xamax.com.au
Fri Aug 22 08:38:16 AEST 2008


G'day Geoffrey

At 23:30 +1000 21/8/08, Geoffrey Ramadan wrote:
>If I provided a voluntary service to attendees where:  ...
>Would I also be required to go through ...

Fair enough:  I opened my mouth, so I'd better deliver *something*!

Agreed: the scale of investment in the risk assessment activities, 
and in the risk management design, needs to reflect the nature of the 
problem.  (And the 3 or 4 decent sets of PIA Guidelines around the 
world say that).

Working through the list:

- risk assessment
   You need it.  (And you're doing it right now)
   Yours needs to be bigger than the back of an envelope, but not expensive
   You need to see it from the perspective of the diverse array of delegates
   that may turn up.
   And of course you need to think about the potential negative impact of
   unconsented use, data leakage, scepticism, and plain old misunderstanding

   Jan may be able to help with some references to codes or guidelines -
   although I'm not aware of any existing that would get the tick from any
   privacy advocacy organisation

- consultation
   You'd be ill-advised not to check out the ideas on a suitable spread of
   people.  (And you're doing some of it right now)

- risk management plan
   Depending on the outcomes of the assessment, you'll need something, and
   more than just a statement or two.  Training for the people involved so
   that they can provide convincing answers is an important aspect.  The
   design aspects (at a level a bit deeper than the sketch you provided)
   need to be looked at by a sceptical outsider

- post implementation audit
   You'll test that it works as it was intended, and that the database isn't
   open to abuse, and that the staff actually understood what they were told

- ensure enforceable undertakings
   The wording of your statements determines whether you're actually giving
   undertakings or just providing the vacuous waffle your lawyer would write

- ensure enforcement process and appropriate sanctions
   It would be really nice if there were a framework in place, but it's
   pitiful, and you have lots of loop-holes available to you

My quick reaction is that the scale of effort required depends very 
much on whether "voluntary" is meaningful.

Regards  ...  Roger


At 23:30 +1000 21/8/08, Geoffrey Ramadan wrote:
>Roger Clarke wrote:
>>  At 15:43 +1000 21/8/08, Geoffrey Ramadan wrote:
>>>  If you read the rest of the article you will note:
>>>  "A person's entry will trigger an animated avatar on the big in-room screen
>>>  using cutting-edge motion detection..
>>>  No personally identifiable information, such as names, will be displayed
>>>  alongside the avatar...
>>  An avatar isn't personally identifiable?
>>  How then can the rest of the aims of the scheme be achieved?
>>
>>>  Delegates will also be educated on how to opt-out or remove the
>>>  RFID tag, ...
>>  Good.
>>
>>>   ... but Microsoft is hoping most will choose to participate...
>>>  The network is intended to help delegates see when rooms are filling up,
>>>  identify personal networking opportunities"
>>  I wonder what measures are being used to ensure that no-one
>>  interprets that hope as a condition of employment, coercion, or
>>  even pressure.
>>
>>>  i.e. appropriate consideration for people's privacy has been considered.
>>  It's just a tad more complicated than that, Geoffrey.
>>  Comprehensive risk assessment incl. consultation?  Comprehensive
>>  risk management plan?  Genuine consent?  Post-implementation audit
>>  of the key design features?  Enforceable undertakings?  Enforcement
>>  process? Sanctions?
>>  And that's off the top of the head, without actually looking at
>>  the 'Code' that Jan worked on, and that has been comprehensively
>>  ignored by the industry that used its preparation as evidence that
>>  it was privacy-sensitive.
>>
>
>Roger
>
>If I provided a voluntary service to attendees where:
>1) I recorded their personal information (name and mobile phone 
>number) on a clip board which was then entered into a central 
>database.
>2) issued barcoded name badges to attendees
>3) have operators scan these barcodes upon entry to a function
>4) SMS attendees details of numbers and also allowed access say via 
>a wap interface (no name just numbers) to their PDA.
>and
>5) as part of the completed attendee form I had a privacy statement 
>stating that information was not going to be used for purposes other 
>than this application. Data will be deleted at the end of the 
>function etc.
>
>Would I also be required to go through
>- risk assessment
>- consultation
>- risk management plan
>- post implementation audit
>- ensure enforceable undertakings
>- ensure enforcement process and appropriate sanctions?
>
>Geoff

-- 
Roger Clarke                  http://www.anu.edu.au/people/Roger.Clarke/

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in Info Science & Eng  Australian National University
Visiting Professor in the eCommerce Program      University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW


