Library RFID and Patron Privacy

by Dorothy Hemmo

RFID, or Radio Frequency Identification has been implemented, or is being considered for implementation in libraries across the United States. This technology has come under fire from privacy advocates due to a perceived potential for abuse. This paper looks at RFID technology and its impact on patron privacy.

A Radio Frequency Identification system uses radio waves to identify individual items. Each item is affixed with an RFID Tag, a paper-thin microchip that has an antenna attached to it (Lichtenberg, 2003). The tag stores data, which can be read when the tag comes within range of a “reader”. The reader emits radio waves which activates the tag and sends information to or receives information from a computer. The RFID software interfaces with the library automation system. In a library setting, the tag would store information such as an identification number (similar to a barcode), a security bit (similar to magnetic security strips), and maybe shelf location information. The read range on a tag is very small, a maximum of 18 inches.(Chachra, 2003).

Libraries use RFID systems for quicker, easier checkout and return of materials, quicker inventory procedures, and to stop theft. ( Oder, 2003). Privacy advocates have concerns about some aspects of RFID. Because the tags are read via radio waves, could the tags be read by an unauthorized third party? Also, what data are stored on the tags? The library community has always had a commitment to patron privacy and confidentiality; and it is important for us to seriously consider the impact of new technology on these areas before the technology is implemented.

The primary controversy has been whether or not these privacy concerns are valid. Dorman (2003) points out that most tags contain innocuous data: the equivalent of a barcode, and an indication of checkout status. Also, an RF reader would need to be very close to the item to read the tag. But Molnar and Wagner (2004) explain that tracking a book (and the person carrying it) is within the realm of possibility, as is “hotlisting”, or keeping tabs on who is checking out particular titles by tracking ID numbers associated with those titles. Each tag has a collision-avoidance protocol to ensure multiple tags do not confuse the RF reader; this protocol could allow tags to be individually identified. Clearly, it is possible to breach the security of today’s RFID tags. New standards are being adopted by manufacturers, although the new products are not yet available (Ayre, 2004).

Is it ethical for libraries to adopt this new technology? Does the need for patron privacy and confidentiality override a library’s need for efficiency, cost-savings and loss prevention?

The right to privacy is a fundamental human right in that it is necessary to the exercise of other individual rights. Freedom of speech and thought require privacy. If a person is being watched, either by other individuals or by authorities, that person may not truly feel free to make his own decisions or to speak his mind (or to access desired information). This freedom from surveillance, this right to be left alone, does have limits, however. If a person infringes on the rights of others, he may in turn lose some of his rights. For example, if a person is planning to commit a crime, his right to privacy may be infringed upon in an effort to stop the crime, assuming probable cause has been established. The bar should be set fairly high in determining probable cause; a person’s right to privacy should not be violated casually.

In the United States, people have a legal right to privacy, through Constitutional amendments, Supreme Court decisions and Federal laws. The Fourth Amendment protects people against “unreasonable searches and seizures,” the Fourteenth Amendment states that a person cannot be deprived “of life, liberty, or property, without due process of law.…” The Ninth Amendment says that people have additional rights not specified in the Constitution. The Fourteenth and Ninth Amendments are often sited as important points in court decisions on privacy. Words such as “unreasonable” and “due process” underscore the conditional nature of the right to privacy: this right can be violated for compelling reasons, such as preventing harm.

Patron confidentiality is an aspect of the right to privacy. As such, patron confidentiality should be kept in nearly all circumstances. In exceptional cases, for instance when a subpoena is issued by the courts after probable cause has been determined, infringing on patron confidentiality may be acceptable; the rights of society can override individual rights in some cases.

Now that we have defined the normal course of action (respecting patron confidentiality), and exceptions (intervention by the court is one example), what about RFID? It seems that this technology, as it stands today, has a terrific potential to nullify patron confidentiality, and should not be implemented in public libraries. In their paper Privacy and Security in Library RFID (2004), Molnar and Wagner point out a myriad of ways that tags can be detected and read, and library items tracked. This provides opportunities for authorities and just about anybody else with the technical know-how to casually abuse this fundamental right to privacy. It seems strange to me that the library community would embrace a technology without fully investigating it and thinking it through. The fact that an institution generally well-thought of has embraced this technology may give RFID automatic legitimacy in the mind of the public. RFID technology has other applications and uses, and it needs to be questioned thoroughly, not given a free pass into everyday life. The library community needs to recognize the potential for abuse in RFID, and not put its desire for “faster and cheaper” ahead of its patrons’ right to privacy.

RFID is bound to become more common in everyday life, and libraries will continue to implement it. The good news is that the technology continues to improve and the library community is beginning to get involved in its development. Lori Ayre (2004) suggests “best practices guidelines” for library RFID use. These guidelines include: notify the public of RFID use; use updated, more secure systems; do not store personal information on tags; all information transmitted between tag and reader should be encrypted. She also suggests that the library community get involved in developing standards and public policy regarding RFID. This is surely good advice. Libraries should avoid this technology until safeguards are in place to protect the patron’s right of privacy.

Bibliography

• Ayre, L. B. (2004) RFID and Libraries. Draft chapter for Wireless Privacy; RFID, Bluetooth and 802.11. Retrieved July 21, 2005.
• Chachra, V. & McPherson, D. (2003, October 31). Personal privacy and use of RFID technology in libraries. Retrieved from http://www.vtls.com/documents/privacy.pdf
• Dorman, D. (2003). RFID Poses No Problem for Patron Privacy. American Libraries, 34,(11), 86.
• Lichtenberg, J. (2003). Industry Exploring Viability of RFID. Publishers Weekly250 (46), 14-17.
• Molnar, D. & Wagner, D. A. (2004, June 8). Privacy and security in library RFID: Issues, practices architectures. Retrieved July 23, 2005 from http://www.eff.org/Privacy/Surveillance/RFID/molnar_paper.pdf
• Oder, N. (2003). RFID Use Raises Privacy Concerns. Library Journal128 (19), 19-20.

(photo: Den Norske Dataforening [The Norwegian Data Organization], Oslo, Norway. http://dataforeningen.no/)

How to cite this document:
Hemmo, D. (2005). Library RFID and personal privacy.. BiblioTech, 3(2). Retrieved [insert date here], from: http://www.sir.arizona.edu/lso/bibliotech/2005nov_vol3_no2