By Kathleen Carroll, Director of Government Relations, HID Global
Legislation is pending, public workshops are scheduled, and privacy advocates are vocal in opposing RFID technology. A technology that has been used around the world to the benefit of millions is now creating headlines across the globe – for privacy concerns.
At the consumer level, RFID speeds and enhances transactions at retailers, airports and highway toll booths. In the commercial and industrial sectors, RFID simplifies and improves the gathering of data in warehouses, retail stores and even on oil rigs where RFID-tagged equipment is inventoried using hand-held readers.
Most current RFID applications raise no serious privacy issues, though. HID, for example, has shipped more than 250 million RFID credentials to customers worldwide and is not aware of any privacy-related issues arising from the use of those credentials.
However, some privacy concerns are emerging in new and proposed uses of the technology.
The main privacy concerns associated with RFID use include the potential for:
• Tracking of individuals
• Profiling consumers’ tastes and/or habits
• Using collected information for purposes other than originally intended
• Identity theft
To address these legitimate concerns, the RFID industry, including manufacturers, retailers and government entities, is examining the issues and intends to develop solutions and policies that protect individual privacy while allowing broad use of the technology.
European Commission Seeks Public Discourse
At the CeBIT Summit held recently in Germany, Viviane Reding, who is responsible for Information Society and Media for the European Commission, acknowledged the need to “find the right balance between privacy and the public interest.”
At the Summit, Reding announced a series of public workshops designed to discuss privacy issues relevant to RFID.
The workshops are scheduled through June 2006.
In addition to the European Commission’s efforts, the Organization for Economic Cooperation and Development (OECD) has issued guidelines on the protection of privacy and trans-border flows of personal data. While these guidelines are not specific to RFID, they do serve as an excellent template for RFID-related privacy guidelines.
In particular, the OECD’s language regarding the collection of personal information is worth noting and could apply to personal information collected by RFID systems as well:
• “Personal data should not be disclosed, made available or otherwise used for purposes other than those specified … except with the consent of the data subject, or by the authority of the law.”
• “Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.”
According to the OECD, the guidelines could help harmonize national privacy legislation and at the same time avert interruptions in international flows of data.
International flows of data are most visible in passport usage. Global electronic passport usage is on the rise. New Zealand and Australia have issued e-Passports to citizens and Singapore has issued e-Passports to airline crews. The United States is currently testing e-Passports with these three countries.
The passports promise to increase security and speed entry procedures. In the United States, e-Passports incorporate a security feature known as Basic Access Control (BAC) that helps prevent unauthorized reading, or skimming, of personal information, thus protecting an individual’s privacy. In addition, in the current testing phase the RFID tag cannot be read until the passport is opened by the holder.
Design Elements Protect Personal Privacy
Technological solutions to privacy concerns, such as BAC, are available today. Organizations issuing contactless devices, cards or documents also must design information privacy and security into an application at the system level. Issuing organizations should also implement appropriate policies to support the privacy and security requirements.
Privacy and security features available with contactless technology include mutual authentication and encryption. Some manufacturers of contactless cards, including HID, do not put any personal data that might compromise an individual’s identity or privacy on their cards, badges, key fobs, or other RFID devices.
HID’s iCLASS cards use cryptographic mechanisms along with mutual authentication techniques to secure the information they contain.
RFID and Privacy in the United States
Privacy advocates have been active in the United States as retailers have indicated their desire to use RFID to improve supply chain management and inventory control. At the retail level, there is some concern that RFID tags attached to consumer products will be used to track a customer’s habits and preferences for future marketing opportunities.
As a result, legislation has been introduced at the state level that would require retailers and/or product manufacturers to affix a notification label on each and every product that contains RFID. Some of the state legislation requires that the RFID tag be deactivated or removed once a product is purchased.
Some of the state level legislation is also directed at identification documents issued by state governments or government entities such as public libraries and universities. The text of this legislation requires “identification documents, except as specified, that are created, mandated, purchased, or issued by various public entities that use radio waves to broadcast personal information, or to enable personal information to be read remotely, to meet specified requirements.”
Identification documents are defined to include drivers’ licenses, ID documents for Kindergarten through grade 12, health insurance or benefit cards if state-supported, and public library cards.
To date, no state has passed legislation relating to the use of RFID. Members of the RFID industry, including HID, are participating actively in the debate.
HID held a privacy forum in California, one of the states where RFID legislation is pending, that included industry representatives, policymakers, members of academia, and RFID end users. The goal is to create a positive framework that balances public privacy concerns with the rapidly expanding uses for RFID technology in society.
According to Denis Hébert, HID’s Chief Executive Officer, a number of fundamental truths emerged from the forum:
• RFID technology is here to stay
• RFID’s uses and benefits to society will only expand as applications grow
• Public privacy concerns will likewise remain a priority.
HID is naturally committed to protecting privacy and, like all ASSA ABLOY Identification Technology Group (ITG) companies, has adopted corporate principles and practices regarding the use of radio frequency technology and privacy.
These privacy guidelines establish a corporate philosophy that recognizes the rights of all users of HID’s and ITG’s RFID cards.
Moving Forward
RFID has proven itself to be a useful and beneficial technology for safety and security as well as for consumer convenience. Reaching a consensus that allows for continued innovation in RFID technology and at the same time protects individual privacy will ultimately benefit all. In all of the debates and discussions taking place around the globe, the goal should be to discover a shared sense of what the problems are and come to agreement about what the facts and issues are – even if differences exist in what to do to resolve them.
To learn more, visit http://www.hidcorp.com.
The OECD’s complete privacy guidelines are available at http://www.oecd.org.