Information & Ethics Committee on May 8th, 2007

No, I don't think there's any law that addresses that, but you can ask that your number be confidential. You can ask that your number be taken out of the directory.

Before I became the Privacy Commissioner, there was the Englander decision that went up to the Federal Court about how people could choose and how the telcos had to respect their right to be out of a public telephone directory at a minimal cost. That was about the issue of consent and so on.

You're getting to the issue of privacy versus the fact that we do live in communities and we need a certain amount of public information to live in the community. If we're all anonymous in this society, I think that poses other problems. You could also question my colleague Robert Marleau, the Information Commissioner, on that.

Thank you. I was kind of hoping you'd come back to that question, because we didn't get to it the first time.

Radio frequency identification systems typically consist of these components: the tag itself, which may or may not have processing capability; the antenna, which is part of the tag; a reader that emanates radio frequency energy, which is used to power passive tags; and then the software that interprets the information that comes back from the tag to the reader, because usually all that the tag contains is what's known as the electronic product code. You then have to look up in a database what that code is associated to in terms of the product, when it was manufactured, what its pedigree is, etc.

The privacy concerns around RFID stem partly from the fact that it's very small. It can be embedded in virtually anything, and it can give up its code or any other information that's stored on the tag without the individuals being aware that it's actually being read.

The major concern is that even if you can't necessarily associate a particular tag to an identity—in other words, tag number 123456789 is associated to me—you can associate the tag with a person of interest. For instance, it has been rumoured—and I don't know how true the rumours are—that law enforcement agencies have been using surreptitious readers to identify tags that are on objects possessed by individuals. So we get to the point where items of clothing, for example, are tagged. What you end up with is a series of numbers that are associated with a particular individual, and if that particular individual is at anti-war rally or some other form of protest, that marks them as a person of interest. If at some point that individual goes to go through a border control point, for example, and those tags are read again, they've now made the association to a specific identity and can take the individual aside for secondary screening or whatever.

So the notion of the RFID tags as a proxy for an identity is an issue of concern for us.

The tipping point seems to come at the point where the tags come in contact with individuals. For example, supply chain optimization is great technology, and we're all for that simply because it makes things more efficient, more cost-effective, and so on. At the moment, that's where the bulk of RFID use is. We're tagging large items. We're tagging cases and pallets; we're not tagging individual objects.

The concern is that at some point the technology will become cheap enough and small enough that it will be embedded in everything. The way the electronic product code is constructed, every single object on the planet could have a unique identifier. So unlike the bar code, where every can of Coke has the same identifier, every can of Coke could have a unique identifier. If that becomes associated with an individual and then is used for invasive marketing or tracking, or something like that, that's where we have the concern. Up to that point, it doesn't seem to be much of an issue, either at our level or with other commissioners around the world.

For your guidance, we've included the summary of the U.S. study. The Americans are trying to solve this problem, but they don't have laws with standards similar to those of Canada. Credit access conditions in the United States are much more relaxed than in Canada. The problem may be more serious there.

Internationally, we are virtually all dealing—I don't know whether there is one country—

That's correct.

Mr. Watson, I don't know whether you are familiar with white collar crimes, which are a kind of fraud. Is there one country that can serve as a model?

Not really. The Americans, by the size of their population and under the legislation, are on the lookout for the latest investigation technologies and techniques. However, this is an international problem. We can control certain things here at home, but we can't do it elsewhere. We'll eventually have to find an international solution to solve the problem of identity theft. No country will be able to solve it. It's too big a problem.