Last July, amid tapas and cocktails at a Euroscience Open Forum (ESOF) conference mixer in Barcelona, I was served something far less appetizing: the news that for five days, unbeknownst to me, a radio frequency identification device (RFID) hidden in my name tag had been reporting my conference attendance habits to organizers. Ditto for the rest of the conference's nearly 5,000 participants, many of whom were science journalists.
Last July, amid tapas and cocktails at a Euroscience Open Forum (ESOF) conference mixer in Barcelona, I was served something far less appetizing: the news that for five days, unbeknownst to me, a radio frequency identification device (RFID) hidden in my name tag had been reporting my conference attendance habits to organizers. Ditto for the rest of the conference's nearly 5,000 participants, many of whom were science journalists.
It was a radio reporter from southern Germany who showed me the RFID tag stuck between the front and back sides of my name tag; he had also just discovered the device in his own badge. Suddenly, I had an explanation for the twin pillars at the doorway of every session room and at the main building's entrance: they were the RFID readers.
Although I'm reluctantly getting used to having my buying habits monitored through frequent flyer and supermarket savings cards, at least I am knowingly giving up my private information in exchange for cheap orange juice. But unlike the voice that announces when my conversation with technical support will be recorded "for quality assurance," nobody told me my conference activity would be monitored. I wasn't the only one taken unaware. Many other people at the mixer were likewise surprised and putout by the surveillance. And so they should be: Several law experts have since said the secret surveillance was an infringement of EU privacy regulations.
The morning after discovering the RFID device in my name tag, I went to the conference headquarters and asked to see what information they had acquired about me. Within a minute or two, José Antonio Montes, the technical director of Grupo Desarrollanet, the company managing the RFID monitoring at ESOF, opened up a spreadsheet that contained a potpourri of my personal information: my name, the fact that I was a member of the press, my affiliation (Chemical & Engineering News), my hometown (Berlin, Germany), as well as the precise time — down to the second — that I entered and left every single session I attended. Even a short break to use the WC in the middle of a talk on regulating functional food had been time-stamped.
Flabbergasted, I headed to the press room where I asked Michael Kessler, the ESOF conference's media contact, why delegates were being monitored. He looked incredulous until I showed him the RFID tag in his own name badge. He had also been caught unaware. Kessler promised to find out what was going on.
Back at home in Berlin, a Google search brought me to Tony Melis, the vice president of business development at Laser Registration, a Montreal-based company that specializes in providing RFID services to conferences across North America.
Apparently RFID monitoring is most popular at trade shows and medical conferences, but the technology is slowly starting to catch on at science conferences. As a delegate wanders in to the range of an RFID reader, often placed at the entrance of session rooms or exhibitor halls, the delegate's RFID tag picks up the antenna's signal and sends an encrypted message about their identity, Melis explained.
Conference organizers can employ RFID tags to monitor attendance at competing conference sessions or in exhibition halls, or the tags can be used by employers to track employee participation at professional development seminars.
But all this monitoring comes with a hefty price tag. The cost for an RFID tag is only about $1, but the fees to rent long-range antennas are about $750 per day, Melis said. The ESOF conference in Barcelona lasted five days, had about 5,000 delegates and 14 antennas, Montes said. So the market cost of monitoring the ESOF conference was about $52,500.
It turns out that the ESOF organizers didn't actually pay for the RFID services, but got the surveillance for free as an "in-kind contribution" from one its sponsors, ESOF's Kessler later wrote me in an e-mail. He added that ESOF just wanted to know the total number of people attending concurrent sections.
Interest in the relative popularity of different sessions sounded reasonable — the overkill of using an expensive network of RFID antennas to determine head counts notwithstanding — but the personal data I had seen in the spreadsheet still felt invasive. In fact it was.
Calls to six privacy law experts in Spain, Germany, and the U.K. resulted in a unanimous response: collecting my conference behavior data in Barcelona and storing it with my personal information without my permission contravened a European Union privacy directive.
In the EU, all countries must follow a privacy directive that dates back to 1995. In 1999, the Spanish government applied the EU directive, and based on that law, "consent of the person is necessary before collecting personal information, using that information and especially transferring the information to third parties," said Celia Fernández Aller, a law professor at the Universidad Politécnica de Madrid. "People from the congress should have asked you for consent."
Furthermore, "not only your consent should had been acquired but they should had informed you about any future use of the information they were going to obtain and the name and address of the controller of the data," said Julián Valero Torrijos, an administrative law lecturer at the Universidad de Murcia. He pointed out that the highest penalty for breaking this law was a fine of several hundred thousand euros.
The conference organizers could have used RFID technology to obtain a basic headcount legally, Torrijos continued. If I had been assigned a random number, say Delegate 51, so that my conference behavior data was acquired in an anonymous way, it would have been legal to follow the action of Delegate 51 without consent. But the glitch was that personal information (name and address) was collected along with my conference attendance behavior without first getting my permission.
It was time to contact ESOF and Grupo Desarrollanet again.
In an e-mail exchange, Montes, the technical director at Grupo Desarrollanet the RFID monitoring company, referred me back to ESOF, regarding "the data and its treatment, because the organization [ESOF] is the owners of such data."
He also added, "Grupo Desarrollanet is not the owner of the database, nor responsible for their [sic] treatment. As the event ended Grupo Desarrollanet never keep [sic] such information and therefore does not have access to it."
Laura Marin, ESOF's Director of Operations gave me a fuller account of what had happened. She wrote me to say that she found out a few weeks before the conference began that the technical sponsor planned to do head counts using RFID. "In the rush of the conference organization we did not think about consulting a lawyer on this issue as we were not aware that it had any legal implications," Marin noted. "Most participants were already registered when it was decided to use RFID so we could not have included this information on the registration form."
"We are extremely sorry and we would like to apologize for not have included this information [on the registration form]," Marin continued. She says that ESOF has only received lists with the number of daily attendees at the conference and a breakdown of session attendance. She also noted that ESOF follows the Spanish data protection law with its own databases.
At the time ScienceWriters went to press, Marin had not said whether ESOF would follow up with Grupo Desarrollanet about their collection of private data along with the behavioral data.
The Barcelona experience aside, if secret RFID tagging also makes you feel a bit nervous, the lack of American privacy law governing conference surveillance could make you downright neurotic at your next U.S. symposium. Although EU and Canada regulations require attendee consent for RFID surveillance at conferences, the U.S. is comparatively a free-for-all. This is because American privacy law is "sectoral," explained Chris Hoofnagle, a privacy law professor at the University of California, Berkeley. "Thus, in most situations in the U.S., in order for one to have rights in collection, use, or disclosure of personal information, there must be a specific law regulating the sector at issue — here, conferences, or perhaps the use of RFID." But, there aren't actually any laws regulating conference organizers or RFID use in the U.S.
So in the absence of a specific privacy law, it is "generally legal for a company to collect data on its customers (including their travels), enhance it with information from other sources, and even sell it to third parties," notes Hoofnagle. "In most cases, no privacy notice must be given, nor must the company offer a right to opt out or the like."
Regardless of where I attend my next conference, one thing is certain: When I get my bag of conference goodies at the registration desk, I won't immediately dig into the abstracts. The first thing I'll do is check whether Big Brother is stuck to the underside of my conference badge. And if he is, I hereby give conference organizers permission to track my nametag on its path to the nearest garbage can.
Based in Berlin, Associate Editor Sarah Everts is C&EN's European science, technology, and science policy correspondent.
Newscripts "Conference Surveillance," Chemical & Engineering News, Aug. 4, 2008.
(NASW members can read the rest of the Fall 2008 ScienceWriters by logging into the members area.)