Be Careful What Data You Collect

By Mark Roberti

AOL's recent problems related to the release of information on searches done through its Web site is a cautionary tale for those thinking about collecting RFID data on consumers.


By Mark Roberti

Aug. 14, 2006-Data is valuable, so many businesspeople conclude that the more data their company collects, the better off it is. This is not necessarily true, as America Online (AOL) demonstrated last week when it was revealed that AOL employees published on the Web the search histories of 658,000 of the company’s Web site users.

The news created a swell of bad press, and blogs lit up with angry diatribes against the company. Bloggers picked through the search data and revealed that one individual conducted a number of searches for “how to kill your wife” and was also keen to find images of “dead people,” “car crashes” and “decapitation.” The New York Times showed how someone could analyze the search information and link it back to specific AOL users based on information in their profile.

AOL was caught off guard. It said that the decision to release the search information was an effort to provide data for academics, and that the decision had not been properly vetted. The search information was removed from the Web, but it’s not clear whether AOL will no longer collect and store information on searches.

Imagine if the same thing happened with RFID data: A company accidentally releases information on individual purchases and the serial numbers of the RFID tags associated with those purchases. The firestorm would be enormous. Privacy advocates would, no doubt, hype scenarios in which the data could be used to track individuals. Bad press is bad enough, but there could also be scenarios that create real liabilities for retailers.

There are some legitimate reasons to collect and store the unique serial numbers of individual items purchased and associate them with specific customers. There are also some very good reasons not to do this, and companies need to think through these benefits and risks carefully.

It makes sense for companies to link unique serial numbers stored in RFID tags embedded in a product to the purchaser for returns or customer service. For example, say I purchase a DVD player and its serial number is linked to me personally. If I have a problem with it six months later, the store can quickly determine if it is under warrantee. Serial numbers are, of course, used for this purpose, but it is often difficult and time-consuming to enter product serial numbers into point-of-sale systems to track warrantee data.

Here’s another example of how RFID data might be used to eliminate a problem faced by some retailers. If XYZ Retailer Inc. keeps track of the fact that Mr. Smith purchased a pair of black trousers with the serial number 123456789, it would prevent him from purchasing a second pair on sale two months later and returning the second pair with the receipt from the first pair and pocketing the difference.

But for the most part, I see little benefit to embedding RFID transponders in items, and little benefit in linking those items to the purchaser. Retailers and their suppliers already know my buying habits and preferences if I pay with my credit card because they can link information about the items I buy to me personally. If you know I like Levi’s 501 jeans (medium stonewash color, straight leg), how much more do you benefit from knowing I purchased a pair with a particular serial number?

Now, consider some of the downsides to embedding transponders in items and linking their serial numbers to individual customers. I’ve already mentioned the unintentional release of data. Even if your security is top-notch (and few companies can claim that), an employee with access to the data could misuse it. Let’s say an employee uses the information in a tag in a woman’s clothes to identify her as a suitable person to rob. That could create a potential liability.

There’s also the potential for companies to be pulled into lawsuits if specific items are linked to specific customers. A woman suing her husband for divorce might compel an intimate apparel retailer to testify in a divorce case to prove that a specific item of lingerie was purchased by her husband and is evidence of infidelity.

Sure, these are examples of scenarios that are unlikely to be very common. But the point is, companies need to think through the potential liabilities, as well as the potential benefits, that can result from the data they collect on their customers.

Mark Roberti is the founder and editor of RFID Journal. If you would like to comment on this article, click on the link below.