I’m attending the American Psychological Association’s (APA’s) annual meeting again this year. I tend to go every few years, as it’s a big convention (over 10,000 attendees) and can be a bit overwhelming. My symposium submission about online mental health interventions also got accepted, so I’m looking forward to chairing a great talk by researchers from around the world (today in Room 29B at 10:00 am).
I pre-registered, so got my registration badge in the mail (hey SXSW, this is a great idea you should implement!). Then all you have to do is go to the registration area and pick up your badge holder and convention bag.
There are two interesting things about the convention this year — the badges come with attached passive RFID chips. And the APA encourages people to use an insecure third-party social networking website to connect with others (which I discussed yesterday — and because of that article, has now had the security concerns I raised addressed by requiring users to enter a unique password they receive by email).
How is the APA using the RFID chip in your badge and where is its use disclosed to attendees?
RFID tags are generally passive devices that allow a scanner within range of the tag to read the information embedded in it. RFID tags are typically used for tracking inventory, products and shipping containers, but have been slowly making their way into other uses — like tracking convention goers and meeting attendees.
How it works is simple. Each tag has a unique identifying number that a special device can read when in the vicinity of the RFID tag. That number is tied into the attendee database for the convention. Unless there are dozens of readers used throughout the convention center, the RFID isn’t generally used to “track” attendees. But it can be used to tell who passed an RFID reader — such as when they enter or leave the exhibit hall or other areas of interest to the convention organizer.
The privacy concern related to the use of an RFID tag is that there’s no notice or notification when someone reads your tag. While that’s fine for a product you’re tracking from manufacturing to the retail store, it has privacy implications when used for individuals.
“With RFID, privacy is really the key issue,” meetings industry tech consultant Corbin Ball, of Bellingham, Wash.-based Corbin Ball Associates told Meetings Focus magazine in a 2006 article. “People today are very sensitive to any notion that they’re being tracked, for any reason whatsoever. If you’re going to use RFID at a meeting, you need to let people know about it, and you need to give people some added conveniences in return for being tracked.”
So I went looking for information about this RFID tag on the APA website and in the registration and convention materials sent to me. I came up empty. I could find absolutely no information about the RFID tag being used with the name badge.
So I sent an email inquiry into the APA Convention and Public Affairs Offices, and received the following response.
“What I can tell you is the RFID will be used for APA to count the number of people who enter the exhibit hall each day,” noted Kim I. Mills, M.A., Associate Executive Director of the Public and Member Communications office at the APA. “We will not be tracking personal information. There will be no RFID readers at exhibit booths.”
Kim Mills did not respond to the specific questions about the use of the RFID tags this year at the convention, nor why members were not informed about their use. “RFID tags will only be used by APA to get an accurate count of people entering the exhibit hall,” she explained. “These are passive tags and only good for up to 6 feet from the reader. The benefit of the tag is to APA but there is no demographic data in the tag, only a unique number.”
I’m no privacy nut (although I do think that choices about our personal information and privacy should be left to individuals, not companies or organizations), but I am a transparency nut. I really don’t care what you do — just let me know you’re doing it and give me a reasonable rationale for your decision. Then give me a choice about how I can respond to your decisions regarding my privacy. So if you want me to give up a little bit of my privacy at a convention — ask me first. Then give me a choice if I want to opt-out of it.
If you don’t want your attendance in certain areas of the convention to be tracked — in any way, shape, manner or form — at this year’s APA, here’s a simple civil disobedience solution. The RFID tag is separate from your actual name badge. If one were so inclined, one could simply remove it before putting the name badge in its sleeve, and toss the RFID tag portion. There are no repercussions for doing so. The APA hopes you won’t do so (as it will affect their counts), but really… They should explain new technologies as they are implemented to the people most affected by the technologies — their own members.
This is an unfortunate oversight, but like the InPsych debacle I detailed in yesterday’s blog entry, an example of where APA member privacy is sometimes seemingly overlooked or forgotten.
I personally don’t think the APA’s use of the RFID tag is that big a deal — it appears more and more larger conventions are using them to track attendee numbers. But I do think it’s a big deal that the APA failed to inform its members about the use of this technology at the convention this year.