Do Vendors Make Good Consultants?

Last month, I read an article in The New York Times about IBM’s latest RFID push. The article reported that IBM Global Services would begin selling advice to clients on how to address consumers’ privacy concerns about RFID. I couldn’t help but wonder how IBM could advise companies objectively on such a controversial topic. Frankly, it seemed to me that companies getting counseling on consumer privacy issues related to RFID from IBM (or any tech company for that matter) would be something like going to a temperance meeting with Pete Coors.

To get answers to my questions—and to find out what kind of advice IBM is peddling—I spoke with Michel Bobillier, IBM’s global security and privacy executive, who’s based in Switzerland.

I learned that IBM helps its clients develop privacy policies that explain how and why the client uses RFID technology, how it uses customer data in its business operations and how consumers can opt in and out of sharing their data. IBM instructs its clients in establishing the technical infrastructure, internal controls and business processes necessary to ensure that the company complies with its own stated privacy policy. IBM believes that all companies must have a privacy policy and must communicate their policies with their customers. IBM holds that customers have a right to know what companies do with their data and have a right to access and modify that data if they need to do so. All well and good.

IBM doesn’t prescribe, however, what specifics a privacy policy should cover. Neither does IBM expressly advise clients to place RFID readers in locations where consumers can see them (in part because most of its clients are using RFID at the pallet and case level and are not tagging individual products, according to Bobillier), nor does it advise against linking unique tag numbers with consumer data—as recommended by privacy and consumer advocacy groups. (For more such recommendations, see Consumers Against Supermarket Privacy Invasion and Numbering’s position statement on the use of RFID on consumer products.)

The exact advice IBM proposes, such as whether to disable tags on consumer goods once a purchase is complete or how much information to store on the tag, depends on the client. Bobillier says Global Services helps its customers determine which data they really need to aggregate for their business, as well as who should and shouldn’t have access to it, and cautions them against collecting more data than they realistically need to operate their business.

But Katherine Albrecht, founder and director of Consumers Against Supermarket Privacy Invasion and Numbering (Caspian), a grassroots consumer privacy group, doesn’t think IBM’s advice adequately addresses consumers’ concerns about RFID technology invading their privacy. “They’re giving standard, boilerplate advice,” she says.

Nor does Albrecht believe IBM is qualified to address consumer privacy issues around RFID, given its participation in German retailer Metro Group’s controversial store of the future, which showcases retail applications of RFID technology. She thinks IBM “feel[s] the way the industry wind is blowing but not the way the consumer wind is blowing,” says Albrecht. “I could see paying IBM a whole bunch of money to strategize on some sort of privacy mindset for my company only to find that that’s going to land me in very deep hot water with consumers [because it’s out of touch].”

Her advice to companies is to steer clear of consumer-facing applications of RFID for now, citing as warning the public relations fiascos that have ensnared several companies that piloted or planned to pilot RFID technology (including Benetton, Wal-Mart, Gillette and Metro Group).

When I asked Bobillier why anyone—whether a consumer advocacy group, ardent defender of the fourth amendment or CIO—should take IBM’s advice on this delicate issue, he spoke of IBM’s reputation in the marketplace, its business process and technical expertise and its long-time commitment to privacy and security. IBM has a chief privacy officer, has been offering privacy services to clients since 1998, and doesn’t use or share customer information without its customers’ consent, according to Bobillier. “Our role is not really to play the role of the privacy groups that defend the consumer,” he says. “We position ourselves as the link between privacy issues, IT and business processes.”

I don’t dispute all that, but I personally came away from my conversation with Bobillier unconvinced that IBM was offering a lot of concrete or uniquely insightful advice on the topic of consumer privacy concerns. After all, don’t most companies know they need privacy policies these days?

Of course, I’m picking on IBM as just an example of a trend here. What do you think? I don’t just mean would you look to IBM Global Services for advice on addressing consumers’ concerns about RFID invading their privacy. But would you—or do you—pay someone who has a vested interest in a product to advise you on its use? There may be good reasons to…or not. Let us know your thoughts.

Sound Off is an occasional column about current IT-related issues. Senior Writer Meridith Levinson invites you to respond in the space below.