TERRA INCOGNITA
Privacy Horizons
29th International Conference of
Data Protection and Privacy Commissioners
Information Session
"Ubiquitous Computing" Dragon
Radio Frequency
Identification (RFID)
September 26
15h00 – 16h00
Terra Incognita, workbook series # 8
Table of contents
Biographies
- Mr. Stephen Lau — Chair
- Dr. Katherine Albrecht
- Mr. Laurent Bernat
- Dr. Ann Cavoukian
- Mr. Pankaj Sood
Background Paper: "RFID — Applications Based Approach to Policy" (P. Sood and T. Sadek)
- Introduction
- Technical background
- Technical approaches to Security / Privacy issues
- Non-technical approaches to Security / Privacy issues
- RFID Privacy / Security threats
- Discussion
- Recommendations and Suggestions
- Conclusion
- References
"Bodily Integrity Act" (K. Albrecht)
IPC Privacy Guidelines for RFID Information Systems (RFID Privacy Guidelines)
(A. Cavoukian)
- Introduction
- Scope
- RFID Privacy Guidelines
- Practical Tips for Implementing RFID Privacy Guidelines
Mr. Stephen Lau
Stephen K.M. Lau was the first Privacy Commissioner for Personal Data for Hong Kong (1996-2001). Mr. Lau has 30+ years' experience in the information technology and banking industries in both the government and private sectors. He has a long and distinguished career, having held a variety of senior positions with International Computer Limited, Citicorp, EDS and the Hong Kong Government where he was head of the Government Data Processing Agency. In 1984, Mr. Lau was awarded Member of the British Empire (MBE) for his outstanding service to the Hong Kong Government and the community in the area of information technology. In 1986, he was made a Fellow of the Hong Kong Computer Society. In June 2001, he was made a Justice of the Peace. Active in community affairs, he holds chairmanships/memberships of a number of advisory committees of the Government and Universities. He is also the Vice President (External Affairs) of the Hong Kong Computer Society and a director of the Hong Kong Internet Registration Corporation.
Dr. Katherine Albrecht
Dr. Katherine Albrecht is the director of CASPIAN (Consumers Against Supermarket Privacy Invasion and Numbering), an organization she founded in 1999 to advocate free-market, consumer-based solutions to the problem of retail privacy invasion. Katherine is widely recognized as one of the world's leading experts on consumer privacy. She regularly speaks on the consumer privacy and civil liberties impacts of new technologies, with an emphasis on RFID and retail issues. She has testified on RFID technology before the Federal Trade Commission, state legislatures, the European Commission, and the Federal Reserve Bank, and she has given over a thousand television, radio and print interviews to news outlets all over the world. Her efforts have been featured on CNN, NPR, the CBS Evening News, Business Week, and the London Times, to name just a few. Katherine is co-author of Spychips: How Major Corporations Plan to Track your Every Move with RFID.
Mr. Laurent Bernat
Laurent Bernat is Principal Assistant at the OECD in charge of technology issues and related policies in the areas of information security and privacy protection. Prior to joining the OECD in 2003, he was Associate Director of Projetweb, an agency specialized in Internet communications strategy, in particular in the health sector. He was previously in charge of information and communications at the French data protection authority (Commission nationale de l'informatique et des libertés - CNIL). Mr. Bernat has a Master’s degree (DEA) in political science and is a graduate of the French Institut d’étude des relations internationales (ILERI).
Dr. Ann Cavoukian
Dr. Ann Cavoukian was appointed Ontario's Information and Privacy Commissioner in 1997, and is the first to be reappointed for a second term. Dr. Cavoukian is recognized as one of the foremost privacy experts in the world and widely regarded as a distinguished speaker, frequently appearing at major forums around the globe. Dr. Cavoukian is the recipient of many awards, including ones from the Ontario Bar Association, the Ontario Psychological Association, and the International Association of Privacy Professionals, for privacy leadership and innovation. Noted for her seminal work on Privacy Enhancing Technologies in 1995, her mantra of "privacy by design" seeks to embed privacy into the design specifications of technology, thereby achieving the strongest protections. Dr. Cavoukian’s published works include Who Knows: Safeguarding Your Privacy in a Networked World (1997), written with Don Tapscott, and The Privacy Payoff: How Successful Businesses Build Customer Trust (2002), written with Tyler Hamilton.
Mr. Pankaj Sood
Pankaj Sood is the founder and Manager of the McMaster RFID Applications Lab (MRAL). As the manager of MRAL he is responsible for leading some of the key projects and for developing and maintaining collaborative partnerships with industry partners, key government organizations and other academic institutes. He has worked on and provided advice on RFID projects in multiple industries including Healthcare, Retail and Transportation. He is also actively engaged in looking at the privacy and security issues surrounding proposed RFID applications. Pankaj Sood holds an MEEi (Masters of Engineering in Entrepreneurship and Innovation) and a BEng (Computer Engineering) from McMaster University. Prior to leading the setup of the RFID Lab, Mr. Sood worked as a consultant at Deloitte, where he served clients in Healthcare and Financial Services.
RFID - Applications Based Approach to Policy
Pankaj Sood and Tarek Sadek
McMaster RFID Applications Lab
McMaster University
soodp2@mcmaster.ca, tarekss@mcmaster.ca
Abstract
Considered one of the fastest expanding technologies in the world, Radio Frequency Identification (RFID) can touch every aspect of our daily lives. RFID technology is expected to revolutionize business intelligence by making asset management more visible. Many industry sectors including Healthcare, Retail and Transportation have started developing business cases for applying RFID in their activities. However, there are growing concerns about the technology’s invasiveness of end users’ privacy. This paper will discuss some of the technical solutions and policies which have been proposed to address some of the problems, followed by recommendations on crafting a policy that facilitates RFID applications without sacrificing users’ privacy.
I. INTRODUCTION
Radio Frequency Identification (RFID) technology refers to using radio waves to identify, track and sort objects, products or assets. With cost of the tags falling—and industry interest rising—RFID is expected to penetrate most aspects of our lives. Considered one of the world’s fastest expanding technologies, the number of RFID applications is growing daily. For example, between 2003 and 2006, the number of U.S. patents issued with the word "RFID" reached 2787, of which 220 were issued during the first two months of 2007. Just to appreciate how fast these applications are growing, 197 U.S. patent applications were published in the first week of March 2007 alone. Table 1 identifies some possible applications that can touch our daily life—automated check-out (receipt-less) in retail stores, automated access to residential and business premises, livestock identification, asset tracking and drug administration in hospitals, and warehouse management.
Over five billion barcodes are scanned daily worldwide, yet most are scanned only once during the item’s lifetime—namely at the checkout. RFID systems (if strategically deployed) can be a single platform on which many supply chain management applications can be implemented simultaneously. The result benefits manufacturers, retailers, users, and even regulatory bodies seeking to protect consumers. Among the benefits are an ability to speed up identification in the event of a product recall, identify product history and main ingredients. Using RFID systems in automated item-level inventory identification is poised to revolutionize supply chain management by enabling applications such as automated real-time inventory monitoring, automated quality control, and automated check-out. Different applications of RFID in supply chain management are shown in Table 2[2].
In Canada, the RFID market for automotive, aerospace and industrial manufacturing is expected to grow from $18.7 million in 2005 to $61.0 million in 2012, at a CAGR of 18.3 per cent. As Fig. 1 shows, the growth rate is expected to increase over time. However, some argue that to realize this growth, technology costs, including deployment and support costs, have to drop and RFID technology standards and public policies have to be set [3].
By 2020, RFID technology is expected to be in the top-16 list of a technology assessment study carried out by RAND [4]. The study considered technical feasibility on a commercial basis, potential marketability and the number of societal sectors influenced.
Table 1: DIFFERENT RFID APPLICATIONS IN DIFFERENT INDUSTRIES (SOURCE [1]).
| Transportation | Manufacturing | Security | Financial | Other | Medical |
|---|---|---|---|---|---|
| Airline Transponder | Automated Guided Vehicle control | Access Control | Electronic Cash | Animal Identification | Asset Management |
| Container ID | Assembly Line ID | Auto Immobilizer | Automated Fueling | Tournaments Finish Line | Patient Management |
| Global Positioning | Configuration Management | Baggage Tag | Payphone Token | Gambling Token | Staff Management |
| Pallet Identification | Factory Automation | Boarding Pass | Ski Tickets | Gas Cylinder ID | Drug Administration |
| Parking Control | Forklift Positioning | Electronic Keys | University Cards | Laundry Tracking | Drug Dispensing |
| Toll Collection | Inventory Control | Fleet Management | Food Services | Loyalty programs | |
| Traffic Management | Maintenance | People Locating | Time & Attendance | Medical Device ID | |
| Truck Fleet Tracking | Paint Shop | Security Areas | Document Control | Membership Cards | |
| Rail Car Identification | Process Control | Theft Prevention | | Mining | |
| Parcel Logistics | Brand Identification | Vehicle Access Control | | Patient ID/tracking | |
| Vehicle Movement | Supply Chain Management | Counterfeiting | | Library Tracking | |
| Passenger Tracking | | | | | |
| Luggage Tracking | | | | | |
Table 2: RFID APPLICATIONS IN SUPPLY CHAIN MANAGEMENT [2].
| Manufacturers | Logistics Providers | Retailers |
|---|---|---|
| Shorter shipment loading times | More efficient order selection | Better store planning, programming & merchandizing with real-time data |
| Greater shipment accuracy | Better order fill rates | Improved point-of-sale productivity and accuracy at checkout |
| Better consumer sales data from retailers | Less inventory shrinkage | More accurate returns |
| Reduced counterfeiting/diversion | Fewer administrative & other human errors | Improved reverse logistics |
| Improved support for vendor-managed inventory | Lower labour requirements | Greater inventory accuracy & velocity |
| Easier product safety recalls | Less vendor fraud | Optimized store in-stock levels |
| More accurate demand planning | More accurate inventory | Reduced internal and external shrinkage |
| Shorter order lead times | Less time & lower cost for managing inventory | Lower labour requirements |
| Less need for safety stock | Higher routing efficiency | Automated receiving, vendor payments & shipments to store |
| Better use of labour | Better security for distributing medical products | Better use of reusable assets (e.g. pallets) |
| Higher sales | Automated receiving, vendor payments and shipments | Lower detention/demurrage charges |
| Less time and lower costs of cycle counting, receiving, picking & shipping | Increased capacity through more efficient operations | Better grey-market containment |
| Fewer charge-backs for inaccurate deliveries | Fewer penalties for execution errors | Better ways to measure the execution & effectiveness of display programs |

Source: Shutzberg, L. (2004), Radio Frequency Identification (RFID) in the Consumer Goods Supply Chain: Mandated Compliance or Remarkable Innovation? Industry White Paper, Rock-Tenn, Norcross GA, p. 51.
However, there are significant and growing concerns about RFID technology’s potential threat to its users’ security and/or privacy. Intuitively, the appeal of RFID technology is its ability to enable tracking objects and people remotely, collecting and updating the related data, and more importantly, enabling systems that can share this data among different parties. Therefore, the main privacy question becomes: how can we ensure that only authorized personnel will have access to this data and that it will be used only for its intended purposes?
For example, a manufacturer seeks to improve its inventory control by storing data about its suppliers on RFID tags. But the manufacturer does not want its competitors to know who its suppliers are. Similarly, a consumer might want to locate an item lost in his/her house but might not want the neighbour to know what she/he owned. The dilemma is that the more open the RFID technology, the greater its usefulness and the greater the potential for abuse.
In order to protect consumer privacy, the Organisation for Economic Co-operation and Development (OECD) published its Fair Information Practices (FIP) in 1980 [5]. The OECD elaborated the principles to facilitate cross-border transfer of customer information as a means of enhancing trade among its member states. The eight principles can be summarized as follows:
- Collection limitation: Data collectors should only collect information that is necessary, and should do so by lawful and fair means, i.e., with the knowledge or consent of the data subject.
- Data quality: The collected data should be kept up-to-date and stored only as long as it is relevant.
- Purpose specification: The purpose for which data is collected should be specified (and announced) ahead of the data collection.
- Use limitation: Personal data should only be used for the stated purpose, except with the data subject’s consent or as required by law.
- Security safeguards: Reasonable security safeguards should protect collected data from unauthorized access, use, modification, or disclosure.
- Openness: It should be possible for data subjects to learn about the data controller’s identity, and how to get in touch with him/her.
- Individual participation: Data subjects should be able to query data controllers whether or not their personal information has been stored, and, if possible, challenge (i.e., erase, rectify, or amend) this data.
- Accountability: Data controllers should be accountable for complying with these principles.
There is already considerable political and media turmoil surrounding RFID privacy. Several consumer advocacy groups have launched campaigns against deploying RFID in retail settings. In 2003, for example, a boycott caused Benetton to disavow RFID-tagging of its garments amid misconceptions about the company’s plans. In the same year a group of privacy protection organizations signed a position statement on the use of RFID in consumer products [6].
In this paper, we outline the technical basics of RFID technology, highlighting the interdependencies of different design parameters of an RFID application. We then discuss different technical and non-technical approaches used to tackle the privacy/security issues. Finally, we propose a set of suggestions and recommendations to solve these issues.
II. TECHNICAL BACKGROUND
All RFID systems consist of three main components:
- RFID tag, or transponder, which is located on the object to be identified and is the data carrier in the RFID system,
- RFID reader, or transceiver, which may be able to both read data from and write data to a transponder, and
- Data processing subsystem which employs the data obtained from the transceiver in some useful manner.
Typical RFID tags consist of a microchip that stores data and a coupling element, such as an antenna, to communicate via radio frequency. Tags may be either active or passive. Active tags have a power source (such as a battery) and actively send an RF signal, while passive ones obtain all their power from the reader’s interrogation signal. Using the interrogation signal to power the passive tag restricts its functionality. Nevertheless, most tags—whether passive or active—communicate only when interrogated by a reader. The type of tag used and the data stored on the tag varies from application to application.
The reader usually consists of a radio frequency transceiver, a control unit, and a coupling element to interrogate electronic tags via radio frequency communication. Using radio frequencies to communicate with tags allows RFID readers to read passive RFID tags at small to medium distances, and active ones at small to large distances.
In general, the greater the interrogation signal power and the higher the interrogation signal frequency, the larger the interrogation zone. Sending power to the readers via the reader-to-tag communication signal is the bottleneck in achieving large read range with passive tags. Active tags do not suffer from this drawback and, thus, typically have larger communication ranges.
Knowing the read range of the reader or tags is not enough to assess RFID privacy in passive tags. There are four main ranges that need to be known in order to appreciate the complexity of privacy and the security issues in RFID systems [6]:
- Nominal read range: RFID standards and product specifications generally indicate the read ranges at which they intend tags to operate. These ranges represent the maximum distances at which a reader, with an ordinary antenna and power output, can reliably scan tag data. ISO 14443, for example, specifies a nominal range of 10cm for contact-less smartcards.
- Rogue scanning range: The range of a sensitive reader equipped with a powerful antenna can exceed the nominal read range. High power output further amplifies read ranges. A rogue reader may even output power exceeding legal limits. For example, [7] suggests that a battery-powered reading device can potentially scan ISO 14443 tags at a range of as much as 50cm, i.e., five times the nominal range. The rogue scanning range is the maximum range at which a reader can power and read a tag.
- Tag-to-reader eavesdropping range: Read-range limitations for passive RFID result primarily from the requirement that the reader power the tag. Once a reader has powered a tag, a second reader can monitor the resulting tag emissions without itself outputting a signal, i.e., it can eavesdrop. The maximum distance of such a second, eavesdropping reader may be larger than its rogue scanning range.
- Reader-to-tag eavesdropping range: In some RFID protocols, a reader transmits tag-specific information to the tag. Because readers transmit at much higher power than tags, they are subject to eavesdropping at much greater distances than tag-to-reader communications, perhaps even kilometres away. Also of concern in some special cases are detection ranges, that is, the distance at which an adversary can detect the presence of tags or readers.
Passive RFID systems are the most promising means of providing smart low-cost tagging capability with adequate performance for most supply chain management, business intelligence and general retail applications. These low-cost RFID systems are, of necessity, very resource limited, and the extreme cost pressures make the design of these RFID systems a design problem that is highly coupled with sensitive trade-offs. Unlike modular computation systems, almost every aspect of an RFID system affects every other aspect. In this section, we present a brief overview of the critical components of RFID technology and summarize some of the trade-offs in passive RFID system design.
When multiple tags respond simultaneously to a reader’s signal, their communication signals can interfere with one another. This interference is referred to as a "collision" and typically results in a failed transmission. In order for a reader to successfully communicate with multiple tags, anti-collision methods must be employed.
Anti-collision methods (or algorithms) in tags are similar to anti-collision algorithms in networking [8]. However, unlike standard networking, RFID tags pose a number of problems that arise from their very limited computational resources.
First, they can afford only limited computation power. Moreover, collisions may be difficult to detect due to widely varying signal strengths from the tags. A common classification of anti-collision algorithms, as either probabilistic or deterministic, is based on how the tags respond during the anti-collision algorithm. In probabilistic algorithms, the tags respond at randomly generated times. There are several variations of probabilistic protocols depending on the amount of control the reader has over the tags. Many probabilistic algorithms are based on the Aloha scheme in networking [9]. Readers can respond at slotted times or continuously. Deterministic schemes, on the other hand, are those in which the reader sorts through tags based on their unique identification numbers. The simplest deterministic scheme is the binary tree-walking scheme, in which the reader traverses the tree of all possible identification numbers. At each node in the tree, the reader checks for responses. Only tags whose identifier is a child of the checked node respond. The lack of a response implies that the sub-tree is empty. The presence of a response gives the reader an indication as to where to search next. The performance metrics that are traded off by these algorithms and their variants include: the speed at which tags can be read, the outgoing bandwidth of the reader signal, the bandwidth of the return signal, the amount of state that can be reliably stored on the tag, the cost of the tag, the cost of the reader and the range at which tags can be read.
The impact of regulated reader-to-tag bandwidth on the anti-collision protocol can be severe. In the U.S., for example, two common operating frequencies for RFID systems are the 13.56 MHz and the 915 MHz ISM bands. The regulations on the 13.56 MHz band offer significantly less bandwidth in communication from the reader to the tag than the regulations in the 915 MHz band. For this reason, Aloha-based anti-collision algorithms are more common in systems that operate in the 13.56 MHz band and deterministic anti-collision algorithms are more common in the 915 MHz band [8].
In practice, most RFID anti-collision algorithms tend to be an amalgam of probabilistic and deterministic concepts. Almost all require a unique ID to sort through the tags. The interplay between the anti-collision algorithm, the identifier, and the bandwidth available has an impact on all transactions between the reader and the tag. Any technical solution or design to address different security and privacy issues must consider these subtle trade-offs. Protocols to secure the tag at 13.56 MHz, for example, will have to use far less signalling from reader-to-tag than at 915 MHz.
Generally, the so-called Industrial-Scientific-Medical (ISM) bands are freely available for use by low-power, short-range systems. The ISM bands are designated by the International Telecommunications Union (ITU) [10]. A comprehensive summary of the standards is available in [11]. The most commonly used ISM frequencies for RFID are 13.56 MHz and 902-928 MHz (in the U.S. only). In addition, the low frequency band 9 kHz-135 kHz is available for unlicensed use in most regions, and the 868 MHz - 870 MHz band is available for use by non-specific short-range devices in Europe. Each band has its own radiation power and bandwidth regulations.
III. TECHNICAL APPROACHES TO SECURITY/PRIVACY ISSUES
We now enumerate the various proposed technical approaches to the consumer privacy problem [6].
A. "Killing" and "Sleeping"
EPC tags address consumer privacy with a simple approach: tag "killing". When an EPC tag receives a "kill" command from a reader, it renders itself permanently inoperative. To prevent unauthorized deactivation of tags, this kill command is PIN protected. Obviously, killing is a highly effective and extreme privacy measure. It is envisioned that point-of-sale devices will kill the RFID tags on purchased items to protect consumers’ privacy. Removable RFID tags support a similar approach. Marks and Spencer, for example, includes RFID tags on their garments [12]. Since these RFID tags reside in price tags, they are easily removed and discarded. Killing or discarding tags enforces consumer privacy effectively but eliminates all of the post-purchase benefits of RFID to consumers. Applications such as receipt-less item returns, smart appliances, aids for the elderly, and other beneficial systems will not work with deactivated tags. Moreover, in applications such as libraries and rental shops, the tags cannot be killed because they must survive over the lifetime of the objects they track (beyond the check-out point). Thus, we need to look beyond killing for more balanced approaches to consumer privacy.
Instead of killing the tags at the point of sale, why not put them to "sleep," i.e., render them temporarily inactive? Clearly, sleeping tags would confer no real privacy protection if any reader could "wake" them. Therefore, some form of access control would be needed to waken tags [6]. The main drawback of such a system is that consumers would have to manage the access control for their tags. Tags could bear their unique number (PIN) in printed form, but then consumers would need to key in or optically scan these serial numbers in order to use them. Even assuming that access to the tags is secured, surrendering the responsibility of securing the RFID communication to the customers is expected to be troublesome: the average person already has enough difficulty managing his/her passwords. More generally, all the proposed mechanisms that relinquish control of the killing/sleeping features to the customer suffer from two fundamental drawbacks. First, they assume a much higher level of technological skill than average. Second, they put the whole responsibility on the public, absolving suppliers or retailers of accountability. To avoid the first drawback, some have suggested using a physical trigger such as a direct trigger probe [13]. Obviously this approach would turn the RFID tag into just a barcode, thereby losing all the advantages and benefits discussed earlier. The main argument behind this approach is that consumers do not need to scan the same quantities as do retailers.
B. Cryptography
Cryptography is one of the most popular techniques manufacturers have used to deal with the security issues related to RFID technology. Many algorithms and methods have been suggested. Nevertheless, most of these algorithms were too complicated, too slow or too easy to break. In fact, there have already been cases in which weaknesses in vulnerable authentication protocols were exploited. For example, Texas Instruments (TI) manufactures a low-frequency, cryptographically enabled RFID device called a Digital Signature Transponder (DST). The DST serves as a theft-deterrent in millions of automobiles, such as those made by Ford and Toyota [6]. Present as a tiny, concealed chip in the ignition key, the DST authenticates the key to a reader near the key slot as a precondition for starting the engine. The DST is also present in SpeedPass™ wireless payment devices, used by millions of customers primarily at ExxonMobil gas stations in North America.
The DST executes a simple challenge-response protocol based on a secret key k_i. In response to a random challenge R from a reader, the DST applies an encryption function e and outputs C = e_{k_i}[R]. The challenge R is 40 bits long and the response C is 24 bits long. Of particular note is the length of the secret key k_i, which is only 40 bits. As cryptographers know, this is quite short by today’s standards: a key of this length is vulnerable to brute-force computational attack.
In late 2004, a team of researchers at Johns Hopkins University and RSA Laboratories set out to demonstrate the security vulnerability of the DST. They succeeded in fully cloning DST tokens, cracking their keys and exactly simulating them in separate devices. The JHU-RSA team demonstrated their attack in the field. Simulating the DST present in an ignition key (and using a copy of the metal portion), they "stole" their own car. They also purchased gasoline at a service station using a clone of their own SpeedPass™ token [14].
In applications dealing with a large volume of items in a short period of time, using a longer secret key ki will significantly slow down the reader-tag communication. Slowing down the reading rate will hinder high volume automated applications which tend to drive business value. On the other hand, encryption secures the data on the tag, but it does not address consumers’ privacy issues. Even if the identifier emitted by an RFID tag has no intrinsic meaning, it can still enable tracking. For this reason, merely encrypting a tag identifier does not solve the privacy problem. An encrypted identifier is itself just a meta-identifier. It is static and, therefore, subject to tracking like any other serial number. To prevent tag tracking, the encryption has to be dynamic (changing over time). Again, this will add complexity to the reader-tag communication, slowing down the reading rate.
C. The Renaming Approach
To tackle the problem of tracking, it was proposed to erase the unique identifiers in the tags at the point of sale [8], retaining only product-type identifiers (traditional barcode data) for later use. Taking this idea to the next level, it was suggested to provide the customers with a way to re-label the tags themselves [15], keeping the old tag identifiers for possible re-activation for later public uses. Also, as a remedy for clandestine scanning of library books, Good et al. [16] proposed the idea of re-labelling RFID tags with random identifiers on checkout.
Obviously, the main drawback to this approach is that even if tags emit only product-type information, they may still be uniquely identifiable in constellations, i.e., fixed groups. Use of random identifiers in place of product codes addresses the problem of inventory, but does not address the problem of tracking. To prevent tracking, identifiers must be refreshed frequently.
"Minimalist" cryptography was introduced for that purpose. While high-powered devices like readers can re-label tags for privacy, tags can alternatively re-label themselves. In [17], A. Juels introduced the idea of a "minimalist" system in which every tag contains a small collection of pseudonyms. This technique rotates these pseudonyms, releasing a different one on each reader query. The minimalist scheme can offer some resistance to corporate espionage, like clandestine scanning of product stocks in retail environments. Finally, Juels and R. Pappu introduced other techniques based on re-encryption and ciphering to deal with special applications such as RFID-enabled banknotes [18].
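Added example, not code from the paper: a Python simulation of the point made in Sections III.B and III.C, that a static encrypted identifier is still a tracking handle, beside the pseudonym rotation of the minimalist scheme [17]. The tags, the key, the EPC values and the two-reader tracker model are all constructed here; a keyed hash stands in for the tag's cipher.

```python
import hashlib
import random

# Hypothetical symmetric key shared by the tag and its legitimate reader (constructed value).
SECRET_KEY = b"constructed-demo-key"


class StaticEncryptedTag:
    """Emits the same ciphertext of its EPC on every query. A keyed hash stands
    in for the cipher: the observer cannot decrypt it, but it never changes,
    so it is a meta-identifier that can be tracked like any serial number."""

    def __init__(self, epc):
        self.epc = epc

    def respond(self):
        return hashlib.sha256(SECRET_KEY + self.epc.encode()).hexdigest()[:16]


class MinimalistTag:
    """Stores k pseudonyms and releases the next one on each reader query [17]."""

    def __init__(self, epc, k, rng=None):
        rng = rng or random.Random(epc)   # constructed, per-tag deterministic pseudonym source
        self.epc = epc
        self.pseudonyms = [f"{rng.getrandbits(64):016x}" for _ in range(k)]
        self.counter = 0

    def respond(self):
        pseudonym = self.pseudonyms[self.counter % len(self.pseudonyms)]
        self.counter += 1
        return pseudonym


def sighting(tags, queries):
    """One reader location: each passing tag is interrogated `queries` times.
    The reader records only the response strings, never the tag objects."""
    return [{tag.respond() for _ in range(queries)} for tag in tags]


def linkable_fraction(tags, queries_per_location):
    """Tracker model: the same tags pass reader A and later reader B. A sighting
    at B is linked to A if any response string repeats. Returns the fraction
    of tags the tracker could follow from A to B."""
    at_a = sighting(tags, queries_per_location)
    at_b = sighting(tags, queries_per_location)
    pool_a = set().union(*at_a)
    linked = sum(1 for responses in at_b if responses & pool_a)
    return linked / len(tags)


def demo():
    """Constructed fleet of 20 tagged items observed under three regimes."""
    epcs = [f"constructed-epc-{i:03d}" for i in range(20)]
    rng = random.Random(7)
    return {
        # static ciphertext: every tag is re-identified at the second reader
        "static_encrypted": linkable_fraction([StaticEncryptedTag(e) for e in epcs], 1),
        # 8 pseudonyms, 2 queries per location: no pseudonym has repeated yet
        "minimalist_k8_q2": linkable_fraction([MinimalistTag(e, 8, rng) for e in epcs], 2),
        # 8 pseudonyms, 5 queries per location: the small pool wraps around and tracking returns
        "minimalist_k8_q5": linkable_fraction([MinimalistTag(e, 8, rng) for e in epcs], 5),
    }


if __name__ == "__main__":
    for regime, fraction in demo().items():
        print(f"{regime}: {fraction:.0%} of tags linked across the two readers")
```

The third regime is why the paper says the scheme offers only "some" resistance: a reader that queries more often than the pseudonym pool is long recovers the tracking handle.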
D. The "Proxying Approach"
Rather than relying on public RFID readers to enforce privacy protection, consumers might instead carry their own privacy-enforcing devices for RFID. As already noted, some mobile phones include RFID functionality. 6. They might ultimately support privacy protection. Researchers have proposed several systems along these lines. In [19], researchers proposed a "Watchdog Tag" which monitors ambient scanning of RFID tags and collects information from readers, such as their privacy policies. The consumer would decide which reader is authorized to communicate with his/her tags.
Rieback, Crispo, and Tanenbaum [20] and Juels, Syverson, and Bailey [21] propose very similar devices, called respectively "RFID Guardian" and "RFID Enhancer Proxy" (REP). The main advantage of these techniques is that, unlike killing the tag, the tag holder continues to enjoy the benefits of an operating tag without compromising his or her privacy. Nevertheless, this approach still assumes a high level of customer knowledge.
E. Distance measurement
Recognizing the practical constraints of the RFID tags, such as cost and computation resources, this technique assumes that distance can be used as a metric for allowing tag-reader communication. The signal-to-noise ratio of the reader signal can provide a rough estimate of the distance between a reader and a tag. Knowing that, a tag might release general information ("I am attached to a bottle of water") when scanned at a distance, but release more specific information--like its unique identifier--only at close range [6]. Nevertheless, a relay attack undermines proximity assumptions in an RFID system. In this type of attack, two communicating devices are involved: a "leech" and a "ghost". The attacker situates the leech physically close to the target RFID device and the ghost close to a target reader. Intercommunication between the leech and ghost creates the appearance of physical proximity between the target RFID device and a target reader when, in fact, they may lie far apart [7].
F. Blocking
This scheme depends on incorporating a modifiable bit called a privacy bit into the tags. A ‘0’ privacy bit marks a tag as subject to unrestricted public scanning; a ‘1’ bit marks a tag as "private." Consider a supermarket scenario. Before the point of sale, tags would have their privacy bits set to ‘0’. In other words, any reader may scan them. When a consumer purchases an RFID-tagged item, a point-of-sale device flips the privacy bit to ‘1’. The tag would enjoy the protection of the blocker. Supermarket bags might carry embedded blocker tags to protect items from invasive scanning when shoppers leave the supermarket. When shoppers arrive home, they remove items from the shopping bags and put them in the refrigerator. With no blocker tag inside, an RFID-enabled "smart" refrigerator can freely scan RFID-tagged items [6].
These techniques mainly exploit the anti-collision protocols that RFID readers already use to communicate with the tags. As we mentioned earlier, one type of RFID anti-collision protocol is known as tree-walking. Assuming the RFID reader is using the tree-walking algorithm for anti-collision, the blocker would impede RFID scanning by simulating collisions along the tree. For example, the blocker could prevent scanning of all tags simply by emitting both a ‘0’ bit and ‘1’ bit in response to every reader interrogation, forcing the reader to traverse the whole tree. Given that a typical tag identifier is, say, 96 bits long, such a tree has many billions of leaves. So such a blocker would always cause a reader to stall. Blocking here relies on designating the leading bit of a tag identifier as the privacy bit. The blocker does not interfere with the normal scanning of tags with ‘0’ privacy bits. Blocking can also be adapted for use with ALOHA protocols. The main drawback is that this approach depends on introducing physical hardware that can block as needed. Moreover, it would be premature to assume that algorithms would not evolve to get around these blocking techniques [6].
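The blocking paragraphs above describe a reader walking a binary tree of identifier prefixes and a blocker that answers both bits at every node of the "private" subtree. The simulation below is an added example written for this workbook (not code from the paper or from the blocker-tag work in [6]); it shortens identifiers to 16 bits so the whole tree is visible, uses constructed tag identifiers, and imposes a query budget to stand in for a reader giving up. Leading bit '1' is the privacy bit, as on the page.

```python
"""Tree-walking singulation with a selective blocker tag, simulated.

Added example, not code from the paper. Identifiers are shortened to 16 bits
(a 96-bit EPC would give the protected subtree 2**95 leaves); tag identifiers
and the query budget are constructed for illustration.
"""
from typing import List, Optional, Set, Tuple

ID_BITS = 16              # assumption: shortened identifier length
PRIVACY_BIT_VALUE = "1"   # leading bit '1' marks a tag as private


class Tag:
    """A passive tag: answers a prefix query with its next identifier bit."""

    def __init__(self, identifier: int) -> None:
        self.bits = format(identifier, f"0{ID_BITS}b")

    def next_bit(self, prefix: str) -> Optional[str]:
        if self.bits.startswith(prefix) and len(prefix) < ID_BITS:
            return self.bits[len(prefix)]
        return None


class BlockerTag:
    """Selective blocker: silent in the public ('0') subtree, but inside the
    private subtree it answers every query with both bits (a simulated collision)."""

    def answer(self, prefix: str) -> Set[str]:
        if prefix == "":
            return {PRIVACY_BIT_VALUE}   # claim the private subtree is populated
        if prefix[0] == PRIVACY_BIT_VALUE:
            return {"0", "1"}            # collision at every node below it
        return set()


def hear(prefix: str, tags: List[Tag], blocker: Optional[BlockerTag]) -> Set[str]:
    """Bits the reader hears in response to one query on `prefix`."""
    heard = {b for b in (t.next_bit(prefix) for t in tags) if b is not None}
    if blocker is not None:
        heard |= blocker.answer(prefix)
    return heard


def tree_walk(tags: List[Tag], blocker: Optional[BlockerTag] = None,
              query_budget: int = 4096) -> Tuple[List[str], int, bool]:
    """Depth-first tree walk. Returns (identifiers reached, queries sent, stalled).
    The '0' branch is walked first, so public tags are read before the reader
    enters the private subtree; `stalled` is True when the budget runs out."""
    reached: List[str] = []
    queries = 0
    stack = [""]
    while stack:
        prefix = stack.pop()
        if len(prefix) == ID_BITS:
            reached.append(prefix)       # leaf: an identifier has been singulated
            continue
        queries += 1
        if queries > query_budget:
            return reached, queries, True
        for bit in sorted(hear(prefix, tags, blocker), reverse=True):
            stack.append(prefix + bit)   # '0' ends on top of the stack
    return reached, queries, False


def _fmt(identifier: int) -> str:
    return format(identifier, f"0{ID_BITS}b")


# Constructed identifiers: leading bit 0 = public (pre-checkout), 1 = private.
PUBLIC_IDS = [0x0042, 0x0123, 0x1ABC]
PRIVATE_IDS = [0xF00D, 0xFACE]


def demo() -> dict:
    tags = [Tag(i) for i in PUBLIC_IDS + PRIVATE_IDS]
    without = tree_walk(tags)
    with_blocker = tree_walk(tags, BlockerTag())
    return {
        "no_blocker_found_all": set(without[0]) == {_fmt(i) for i in PUBLIC_IDS + PRIVATE_IDS},
        "no_blocker_stalled": without[2],
        "blocker_public_found": all(_fmt(i) in with_blocker[0] for i in PUBLIC_IDS),
        "blocker_private_found": any(_fmt(i) in with_blocker[0] for i in PRIVATE_IDS),
        "blocker_stalled": with_blocker[2],
        "blocker_queries": with_blocker[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Without the blocker every tag is singulated in a few dozen queries; with it, the three public tags are still read normally, but the reader exhausts its budget wandering the simulated-collision subtree without reaching either private identifier. This is the behaviour the page describes, and it also illustrates the stated caveat: the protection holds only while readers use this anti-collision walk and while the blocker hardware is actually present.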
IV. NON-TECHNICAL APPROACHES TO SECURITY/PRIVACY ISSUES
Even at this relatively early stage (pallet level), RFID privacy issues have attracted the attention of policymakers and legislators. RFID-privacy bills have been issued in several U.S. states. The U.S. Federal Trade Commission presented a report that addresses the impact of RFID on consumers, emphasizing privacy, but has not yet expressed an intention of issuing regulations [22].
EPC Global Inc. has published guidelines for its members on privacy for consumer products [23]. These guidelines emphasize consumer education about the presence and functioning of EPC tags, and the need to provide means of disablement or removal. Good public RFID policies are likely to prove hard to craft because RFID tags, having essentially no form of access control, offer no obvious points of liability for information leakage. A healthcare provider, for instance, can issue a privacy policy describing the ways in which it grants or denies access to its customer databases; if a database is compromised, the target of liability is (more or less) clear. In contrast, a retailer cannot offer any guarantees about the tracking of RFID tags on items that leave its premises. RFID privacy is only fully meaningful if all entities with RFID readers subscribe to it or if consumers do not carry live RFID tags [6]. Given the inevitable deficiencies of technology and policy acting in isolation, good RFID privacy enforcement demands the cooperation of technologists, legislators and consumer advocacy groups. Some technologists have already turned their attention to RFID policy and legislation issues. Garfinkel published a five-point "RFID Bill of Rights" with broad, pithy provisions for consumer notice and choice [24]. Floerkemeier et al. [19] have considered using watchdogs for enforcing RFID compliance with the OECD Fair Information Practices mentioned earlier. Their work aims particularly at informing consumers about the existence and purposes of RFID data collection.
V. RFID PRIVACY/SECURITY THREATS
RFID technology poses unique privacy and security concerns, mainly because tag holders cannot sense the RF radiation used to read the tags, and the tags do not maintain a log of past readings. As a result, tags are intrinsically vulnerable from security and privacy perspectives.
There are many ways to categorize RFID applications. For example, in a review paper published by the IEEE Computer Society [25], the applications were categorized as follows (Fig. 2):
- Inside the supply chain, including factories where tagged objects are manufactured, transportation systems, and retail store back rooms,
- The transition zone, including customer-facing portions of retail stores, where tagged items change hands from the vendor to the customer, and
- Outside the supply chain, including all locations up to and including customer homes.
In this paper, we categorize RFID applications differently. From a public policy perspective, we believe that it is more convenient to classify them as follows:
- Non-invasive Applications: Applications in this category use RFID for asset management or process control where humans are not tracked. For example, the Wal-Mart asset tracking project which was limited to case and pallet tracking level would fall under this category. Other applications would include asset management within an organization, transit ticketing, livestock identification and tracking applications.
- Invasive Applications: Applications in this category use RFID to either identify or track people. Some examples of these applications would be patient identification in a healthcare institution, staff tracking in an organization, premise access or toll collection based on unique user identifiers.
Some of these applications, such as premise access and toll collection, have been in place for many years. Several factors have helped stem the privacy concerns: the perceived value of the applications, limited public knowledge about the technology, and some individual control over the technology. For example, an informed driver who does not want to use an RFID-enabled tag for toll collection can opt to pay the toll on the spot, or the authority can use alternate technologies such as image processing of license plates to obtain the information needed for billing, so users are given a chance to opt into using RFID. However, growing public awareness of RFID has raised privacy concerns about new applications of this technology for innovative purposes. Some proposed applications that have recently prompted concern are staff tracking for productivity or pandemic planning purposes, as these applications do not provide an opt-in mechanism. Organizations have also not been good at defining or communicating the reasons for exploring these applications, or their policies on preventing abuse of the information collected.
Accordingly, threats can be further divided into those primarily affecting corporations and other organizations, those primarily affecting the public and, finally, other threats such as cloning that can impact both [25].
A. Corporate Data Security Threats
Security and privacy issues in RFID applications pose a threat to corporate data security. For example, tagged objects in the supply chain make it easier for competitors to remotely gather supply chain data which is some of industry’s most confidential information. Also, tagged objects make it easier for competitors to gain unauthorized access to customer preferences and use the data in competitive marketing scenarios.
Generally, sharing huge volumes of data electronically between different parties exposes any system, not just RFID technology per se, to security risks [25].
B. Personal Privacy Threats
Most personal privacy threats arise from a tag’s ability to associate unique IDs with a person’s identity. A customer purchasing an RFID-tagged item can be associated with the item’s electronic serial number. This type of association can be clandestine and even involuntary. This means that individuals carrying unique tags can be tracked if the monitoring agency knows the tags associated with those individuals.
C. The Cloning Threat
As we mentioned earlier, researchers at Johns Hopkins University and RSA Laboratories recently identified a serious security weakness in the RFID tag in SpeedPass devices and many automobile immobilizer systems. By demonstrating that such tags could be cloned, the researchers revealed the possibility of payment fraud and new modes of automobile theft. Although their discovery does not directly undermine consumer privacy, it demonstrates that RFID tags could have security consequences beyond merely tracking or profiling consumers [14].
VI. DISCUSSION
RFID privacy is already of concern in several areas of everyday life [6]:
- Toll-payment Transponders: Automated toll-payment transponders--small plaques positioned in windshield corners--are commonplace worldwide. In at least one celebrated instance, a court used the data gathered from such a transponder in a divorce case, undercutting the defendant’s alibi [26].
- Libraries: Some libraries have implemented RFID systems to facilitate book check-out and inventory control and to reduce repetitive stress injuries in librarians. However, concerns about monitoring book selections have fuelled privacy concerns about RFID.
- Passports: The International Civil Aviation Organization (ICAO) has promulgated guidelines for RFID-enabled passports and other travel documents [27]. The U.S. has mandated the adoption of these standards by 27 "Visa Waiver" countries as a condition of entry for their citizens. The mandate has seen delays due to its technical challenges and changes in its technical parameters, partly in response to lobbying by privacy advocates [28].
- Human Implantation: Human implantation of RFID tags dates back to at least 1998, when Kevin Warwick, a professor of cybernetics at the University of Reading, England, implanted an RFID tag above his left elbow, which he used to control doors, lights, and computers around his office. In 2004, VeriChip Corp., in Delray Beach, Fla., had a chip approved for implantation in people. Since then, according to the company, approximately 220 people in the United States (more than 2000 worldwide) have willingly had VeriChip tags implanted in their upper arms. Typically, the implant is used to alert doctors to medical conditions (such as diabetes) if a person is admitted to a hospital unconscious. By scanning the tag, doctors can identify the patient and access personal medical information. There are more frivolous uses too: some nightclubs have used them to let patrons enter VIP rooms and bill drinks directly to their accounts. Physical access control is another application in view for the VeriChip [29].
Considering all the advantages that both businesses and consumers can enjoy, there is a fierce battle between such RFID advocates as retailers, wholesalers, manufacturers and health industry practitioners, and consumer protection advocates and human rights groups.
Obviously, both the technology’s advocates and opponents are positioned at the extreme ends of the spectrum. For example, opponents of using RFID technology in keyless car entry systems are ignoring the fact that breaking into a car that uses RFID for access and authentication is far more difficult than into one that uses a conventional key.
A completely secure electronic business transaction is a myth. Banking is one application that consumers perceive to be highly secure. Consumers and organizations conduct millions of transactions every day despite the high numbers of reported breaches and fraudulent transactions in the banking system. Banks and credit card organizations facilitate customer confidence by assuming responsibility for safeguarding customer information and protecting customers in case of an information breach or a fraudulent transaction. Customers are not held accountable for protecting their cards. Both banks and major credit card companies, such as Visa, MasterCard or American Express, also assume responsibility for any fraudulent transaction. A similar stance needs to be explored for RFID applications: safeguarding the consumer’s information becomes the responsibility of the party collecting this information.
Technology advocates counter that the direct and indirect benefits to consumers should compensate for the "insignificant" infringements on their privacy. They usually compare RFID to cell phones when considering privacy issues. But users voluntarily purchase a cell phone and hence willingly accept the slight privacy invasion for the inherent convenience. And individuals can either turn off the cell phone or opt not to carry one. However, consumers are never given a chance to opt in or out of using RFID tags. This forms the basis of most privacy debates--users are not offered a less invasive option.
It is interesting to note that the IBM-Harris Multi-National Consumer Privacy Survey carried out in 1999, found that 90 per cent of Americans were worried about "possible misuse" of their personal information, and 80 per cent thought that "consumers" had lost control over how personal information about them was collected and used [30].
Privacy advocates such as the Electronic Privacy Information Center (EPIC) or Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) are concerned that details of what consumers buy and how they buy it may be held in databases and potentially used for undisclosed purposes. Several well-known public campaigns such as those against Benetton, Gillette and TESCO were effective at halting the companies’ RFID trials [31].
After surveying the proposed technical approaches, it is clear that all the suggested solutions suffer from one or more of the following drawbacks:
- Some of the suggested methods, such as the re-labelling and the re-encryption techniques, assume a very high level of technological skill on the consumers’ part.
- Assuming that the encryption algorithms being used are sufficiently secure, an adversary would still be able to track the tag holder if the encryption key is not dynamic, i.e. changing each time a reader tries to communicate with the tag.
- Most of the above-mentioned approaches are looking for one magic security solution that fits all applications. The level of security needed for an invasive application differs from that required for a non-invasive application. For example, the level of security needed for tags that track animals is not as high as for tags used to track staff in an organization.
- The computational resources available for the tag itself are different in technologies used for different applications. For example, the tag-reader communication in a warehouse or a distribution centre has to be fast enough to achieve a high reading rate, thus restraining the available resources (bandwidth and memory) for a technical solution of security issues. On the other hand, more resources could be available for an implanted tag as the read time could be longer.
- Finally, most of these solutions have been adopted from other technologies such as wireless networking or mobile phone networks. These techniques ignore the uniqueness of RFID technology. They can, however, be used as guidelines for developing new techniques for RFID technology.
The indirect benefits of using RFID in daily activities are considerable--some of them just too undeniably beneficial to ignore. For example, according to the U.S. government’s official energy statistics, only 31 per cent of U.S. waste gets recycled. Any incremental enhancement of this percentage will lead to significantly lower waste of natural resources. RFID coupled with other technologies like weight sensing could track waste management behaviour in communities. In cases where the recycling program is not being used, training could be provided to increase awareness about the benefits of recycling.
Furthermore, RFID systems provide great benefits to organizations by enabling them to assess their business processes and improve efficiency by providing means to both track assets and processes.
A recent healthcare pilot project at the McMaster University Medical Centre (MUMC) implemented an RFID asset tracking system in a test ward. The project’s results anticipate the following direct and indirect benefits to MUMC if an RFID-based asset management system were implemented:
- Cash Savings: It is estimated that the hospital will realize $10,000 - $20,000 in direct savings per ward per year in reduced lost equipment.
- Quality of Patient Care: Depending on the ward, it is estimated that two to 10 events per ward per month occur when missing equipment causes either a delay or denial of patient care. This has especially significant consequences for the patients.
- Time Savings: It is estimated that 30 – 90 minutes per nurse/per week are consumed searching for equipment. This time could be better directed towards patient care. Some savings may be captured directly by reducing overtime.
RFID technology offers undeniable benefits that should not be ignored. Privacy advocates are mistaken to treat this technology as hype that might just disappear. On the other hand, businesses that try to force the technology on consumers will not only risk losing business—they might also violate existing privacy regulations. Increasingly, there is constructive dialogue and discussion underway on lessons learnt among all stakeholders in order to achieve a balance between the needs of industry, governments, and civil society.
Most RFID innovations are relatively new. It is both naïve and misleading to claim that risks associated with the use of this technology have been studied. Intensive research needs to be done on each application, followed by actual pilot projects to verify the research conclusions. This research and the scope of these pilots need to include assessments of social behaviour, policy and the economic environment. Trying to transfer the knowledge gained from other technologies to RFID could prove misleading and costly.
VII. RECOMMENDATIONS & SUGGESTIONS
In the lifecycle of any new technology, there are early adopters who are comfortable with new technologies and are willing to take greater risks than an average person. An example of an early adopter would be a person who has had an RFID tag implanted in himself and programmed it to open his own doors. This is someone who is both technically capable of understanding the functionality and limitations of the technology, and is exploiting it for his benefit. However it would be naïve to base policy decisions about implanting RFID tags into people based on the experience of this early adopter. Society at large is not comfortable with having RFID tags implanted in humans even if it is used for medical identification or premise access. The current methods of human identification requiring identification cards are a more accepted and non-invasive form that serve the same purpose. Nevertheless, you must remember to carry your documents with you at all times.
Instead of having these early adopters influence policy decisions, we must work to understand the implications of this technology on society as well as businesses. A thorough understanding of the technical capabilities and limitations and social aspects should provide a solid foundation on which to base any changes to the policy environment.
Given the vast range of RFID uses, RFID applications have different implications based on the application and the user group. Therefore, the policy environment needs to be flexible enough to allow different guidelines for different applications of the technology. Before setting any policies, thorough analysis should be done on the social, technical and economic aspects of these applications to ensure the privacy of end users and customers is adequately protected without disadvantaging industry in this global economy. Our recommendations can be summarized as follows:
- The use of RFID technology in non-invasive applications should be allowed, provided that all stakeholders are officially informed. For example, those using RFID technology for supply chain management must clearly state their intention and notify all partners in the supply chain about the use of RFID for automated data collection. Retailers whose primary goal is inventory management should either deactivate or remove the tags at the checkout counter. Simply notifying partners about the use of RFID is not enough. Information that is being gathered and the proposed usage of such information should also be disclosed to the stakeholders.
- Use of RFID technology in invasive applications should not be allowed without the authorization of a regulatory office or party. Currently, the techniques used to ensure the tags’ security and the policies to prevent abuse of gathered information are not sophisticated enough to protect end users on their own. Regulations are needed to protect the end users when they cannot opt out. For example, an organization might force the use of RFID-enabled identification tags to enable applications like pandemic planning. While the intent of such an application is generally good, policies would need to be put into place to prevent abuse of any information gathered for this purpose. Processes will need to be put in place to closely monitor the protection of this information and to ensure it is accessed only as needed—and only by authorized personnel. In a healthcare organization this could mean that the team responsible for pandemic planning should have access to information about employee whereabouts for the time period required, generally a few days before an outbreak. However, this information should not be routinely accessible to managers. Moreover, this policy should be openly communicated and penalties for abuse of such information should be clearly defined.
- Military and healthcare applications should be considered on a case by case basis.
IX. CONCLUSION
RFID applications are too diverse to be approached by one set of policies. In this paper, we differentiated between invasive and non-invasive applications from a privacy perspective. FIP guidelines should be followed to protect the end users’ privacy. Application of these guidelines should be flexible and broad enough to take into consideration the uniqueness of the technology and the nature of the application itself.
REFERENCES

Bodily Integrity Act
An act prohibiting forced implantation of identification and tracking devices in individuals
DEFINITIONS
- "Entity" means an individual, corporation, business trust, estate, trust, partnership, limited liability corporation, association, foundation, joint venture, government, government subdivision, agency or instrumentality, public corporation or any other legal or commercial entity.
- "Individual" means a unique, separate human being.
- "Identification/Tracking Device or Mark" means any item, application, device, marking, or other technology capable of storing or passively or actively transmitting an individual's identity, characteristics, status, group membership, travel history, or location, or capable of storing or transmitting a number, symbol, signal, pattern, or other identifier that could be linked with any such information.
- "Track" means to locate, follow, monitor.
- "Discriminate" means to make distinctions, have bias, prejudice, or partiality.
PROHIBITIONS
Requiring Human Identification/Tracking Device or Mark Prohibited
No entity shall require an individual to have an identification/tracking device or mark implanted or permanently or semi-permanently incorporated into or on the body, skin, teeth, hair, or nails of that individual.
Consent
In no instance shall an identification/tracking device or mark be implanted or incorporated into or on the person of an individual without that individual’s informed written consent. Consent of a guardian, guardian ad litem, attorney-in-fact, parent or other agent shall not be considered adequate consent.
The individual undergoing implantation or incorporation of an identification/tracking device or mark must be at least eighteen years of age and of sound mind to grant consent.
Implanting Identification/Tracking Device or Mark in the Deceased Prohibited
In no instance shall an identification/tracking device or mark be implanted or incorporated into or on a human corpse.
Identification and Tracking Prohibited
No entity may use an identification/tracking device or mark in or on the person of an individual to identify that individual or as a means of, or aid to, tracking that individual, without the consent of the individual being identified and/or tracked.
Discrimination Prohibited
No entity shall use the absence of an identification/tracking device or mark as a basis for discriminating against an individual for any purpose whatsoever, including, but not limited to, employment, housing, insurance, medical care, voting, education, travel, and commerce.
Penalties
[To be determined by the legislature]
To learn more about RFID and human implants or to request expert testimony related to this bill, please see CASPIAN Consumer Privacy www.antichips.com

Commissioner Ann Cavoukian gratefully acknowledges the work of Fred Carter, of the IPC’s Policy and Compliance Department, in the preparation of these Guidelines.
INTRODUCTION
This document is intended to serve as privacy "best practices" guidance for organizations when designing and operating Radio-Frequency Identification (RFID) information technologies and systems.
The Information and Privacy Commissioner of Ontario (IPC) has a mandate to educate the public and address privacy questions raised by new information technologies, with a view to encouraging effective solutions.
Accordingly, the IPC has developed these Guidelines in partnership with industry and other stakeholders. The Guidelines are not intended to supersede any applicable privacy law or regulation.
We recognize that RFID tags are becoming more prevalent in our everyday lives, and offer many benefits and conveniences, ranging from security access cards to ignition immobilizers to highway toll systems and other electronic pass systems.
RFID tags deployed in the supply chain process pose little threat to privacy – they are not linked to any individual but rather, placed on crates, pallets and cases to track products. They act as a unique identifier that uses Radio Frequency Identification for the automatic identification of products in the supply chain. These tags contain standard information pertaining to the products and do not include any personal information.
In order to allow RFID technology to realise its potential for consumers, retailers and suppliers, it is vital that we address privacy concerns prompted by the current state of the technology, while establishing principles for dealing with its evolution and implementation. Accordingly, we encourage organizations to observe and adopt the Guidelines contained in this document whenever deploying RFID technology with consumer-facing implications.
As indicated in the Commissioner’s accompanying DVD, the use of RFID tags in the supply chain management process is not the problem. The problem arises with their use at the consumer item-level. RFID tags, when linked to personally identifiable information, present the prospect of privacy-invasive practices relating to the tracking and surveillance of one’s activities. The goal of these Guidelines is to alleviate the privacy-related concerns associated with such data linkages, while increasing the openness and transparency associated with RFID systems. The use of these Guidelines will ultimately facilitate the preservation of trusted business relationships with existing customers, and perhaps assist in attracting new ones.
SCOPE
These RFID Privacy Guidelines apply to any organization that operates an information system involving the use of RFID technology on consumer products involving or potentially linking to, personally identifiable information.
"Organization" refers broadly to associations, businesses, charitable organizations, clubs, government bodies, institutions, and professional practices. In most instances, these Guidelines will be especially relevant to retailers.
"Information system" refers to any combination of RFID tags, readers, databases and networks that serve to collect, transmit, process and store RFID and RFID-linked information.
"Personal information" refers to any recorded information about an identifiable individual. In addition to one’s name, contact and biographical information, this could include information about individual preferences, transactional history, record of activities or travels, or any information derived from the above, such as a profile or score, and information about others that may be appended to an individual’s file, such as about family, friends, colleagues, etc. In the context of item-level RFID tags, the linkage of any personally identifiable information with an RFID tag would render the linked data as personal information.
These Guidelines are based upon the ten principles of the 1996 Canadian Standards Association (CSA) Privacy Code, which were formulated by a wide range of stakeholders, including business, industry and consumer groups. The principles of the CSA Privacy Code now serve as the basis for Canadian privacy laws and regulations across Canada. They are observed by Canadian organizations in their day-to-day policies and practices, and are widely recognized as being one of the strongest and clearest expressions of privacy "fair information practices."
The Guidelines and their application are informed by the following three overarching principles:
- Focus on RFID Information Systems, not Technologies: The problem does not lie with RFID technologies themselves; it is the way in which they are deployed that raises privacy concerns. For this reason, we prefer to speak broadly of RFID information systems. These Guidelines should be applied to RFID information systems as a whole, understood in their broader contexts, rather than to any single technology component or function.
- Privacy and Security Must be Built in from the Outset – at the Design Stage: Just as privacy concerns must be identified in a broad and systemic manner, so too must technological solutions be addressed systemically. A thorough privacy impact assessment is critical. Users of RFID technologies and information systems should address the privacy and security issues early in the design stages, with a particular emphasis on data minimization. This means that wherever possible, efforts should be made to minimize the identifiability, observability and linkability of RFID tags with personal information and other associated data.
- Maximal Individual Participation and Consent: Use of RFID information systems should be open and transparent, and offer individuals as much opportunity as possible to participate and make informed decisions.
This document provides voluntary, consensus-based guidance that recognizes the great variety of uses and applications for RFID technologies and information systems. Because of this heterogeneity, a degree of flexibility in its interpretation and application may be necessary.
We encourage organizations to adopt and to adapt these Guidelines for use in their own policies, procedures and applications, according to their own specific circumstances and needs.
RFID PRIVACY GUIDELINES
1. Accountability
An organization is responsible for personal information under its control and should designate a person who will be accountable for the organization’s compliance with the following principles, and the necessary training of all employees. Organizations should use contractual and other means to provide a comparable level of protection if the information is disclosed to third parties.
Organizations that typically have the most direct contact and primary relationship with the individual should bear the strongest responsibility for ensuring privacy and security, regardless of where the RFID-tagged items originate or end up in the product life cycle.
2. Identifying Purposes
Organizations should clearly identify and communicate to the individual the purposes for collecting, linking to, or allowing linkage to personal information, in a timely and effective manner. Those purposes should be specific and limited, and the organizations and persons collecting personal information should be able to explain them to the individual.
3. Consent
Organizations must seek individual consent prior to collecting, using, or disclosing personal information linked to an RFID tag. To be valid, consent must be based upon an informed understanding of the existence, type, locations, purposes and actions of the RFID technologies and information used by the organization. Individual privacy choices should be exercised in a timely, easy and effective way, without any coercion. Consumers should be able to remove, disable or deactivate item-level RFID tags, without penalty.
Automatic deactivation of RFID tags, at the point of sale, with the capability to re-activate, should be the ultimate goal. Consumers should be able to choose to re-activate them at a later date, re-purpose them, or otherwise exercise control over the manner in which the tags behave and interact with RFID readers.
4. Limiting Collection
Organizations should not collect or link an RFID tag to personally identifiable information indiscriminately or covertly, or through deception or misleading purposes. The information collected should be limited to the minimum needed to fulfil the stated purposes, with emphasis on minimizing the identifiability of any personal data linked to the tag, minimizing observability of RFID tags by unauthorized readers or persons, and minimizing the linkability of collected data to any personally identifiable information.
5. Limiting Use, Disclosure and Retention
Organizations must obtain additional individual consent to use, disclose or link to personal information for any new purposes. Personal information should only be retained to fulfil the stated purposes, and then securely destroyed. Retailers should incorporate the data minimization principles outlined above into and throughout their RFID information systems.
6. Accuracy
Organizations should keep personal and related RFID-linked information as accurate, complete, and up-to-date as is needed for the stated purposes, especially when used to make decisions affecting the individual.
7. Safeguards
Organizations should protect personal information linked to RFID tags, appropriate to its sensitivity, against loss or theft, and against unauthorized interception, access, disclosure, copying, use, modification, or linkage. Organizations should make their employees aware of the importance of maintaining the confidentiality of personal information through appropriate training. Although physical, organizational and technological measures may all be necessary, technological safeguards should be given special emphasis.
8. Openness
Organizations should make readily available to individuals specific information about their policies and practices relating to the operation of RFID technologies and information systems, and to the management of personal information. This information should be made available in a form that is understandable to the individual.
9. Individual Access
Organizations should, upon request, inform the individual of the existence, use, linkage and disclosure of his or her personal information, provide reasonable access to that information, and the ability to challenge its accuracy and completeness, and have it amended as appropriate.
10. Challenging Compliance
Organizations should have procedures in place to allow an individual to file a complaint concerning compliance with any of the above principles, with the designated person accountable for the organization’s compliance.
Practical Tips for Implementing RFID Privacy Guidelines
Organizations have expressed a particular interest in receiving practical tips to complement their current consideration and use of Radio Frequency Identification (RFID) technology.
RFID technology is seen as a means to improve business process efficiency levels by, for example, speeding up inventory checks and minimizing "leakage."
Organizations must balance the advantages of using RFID technology with the potential privacy intrusions such technology can pose.
Even if an RFID tag does not contain any personal information, personally identifiable information may be created if the tag data is linked to a particular individual.
The use of an RFID system (as with other technologies) in retail and commercial environments is appropriate within limited, controlled and well-defined circumstances.
The following practical tips are intended to help organizations develop retail RFID projects that address privacy issues and preserve consumer trust and confidence.
These practical tips will also help organizations comply with privacy legislation and other best practices, such as the IPC RFID Privacy Guidelines.
- Accountability
  - Organizations should have an effective privacy policy in place which recognizes the unique issues presented by RFID technology.
  - Organizations with the most direct and primary relationship with the consumer, usually retailers, bear the strongest responsibility to protect consumer privacy.
  - Organizations are accountable to the individual consumer for all disclosures of personal information to partners, affiliates, and third parties.
- Identifying Purposes
  - Organizations should only collect, use or disclose RFID-linked personal information for purposes that a "reasonable person" would consider appropriate in the circumstances. A reasonable purpose excludes tracking and profiling individuals without their informed, written consent.
  - Notice:
    - Organizations should notify consumers if products contain an RFID tag, through clear and conspicuous labelling on the product itself.
    - Organizations should notify consumers of RFID readers on their premises, using clearly written signage, prominently displayed at the perimeters.
    - Signs at the perimeter should identify someone who can answer questions about the RFID system, and include their contact information.
    - Consumers should always know when, where, and why an RFID tag is being read. Visual or audio indicators should be built into the operation of the RFID system for these purposes.
- Consent
  - Organizations should have a clear policy for obtaining consent to collect, use and disclose RFID-linked personal information, taking into consideration the nature, sensitivity and intended use of the products.
  - Unless the consumer chooses otherwise, removal, destruction, or de-activation of RFID tags should be the default actions at the time of purchase for products that are worn or carried by the consumer, or which may reveal sensitive information (e.g., medications).
- Limiting Collection
  - Before introducing RFID tags linked to consumer information, organizations should first consider alternatives which achieve the same goal, without collecting any personal information. A Privacy Impact Assessment (PIA) is critical.
  - Wherever possible, organizations should seek to limit collecting RFID-linked consumer information to the minimum necessary.
- Limiting Use, Disclosure, and Retention
  - Organizations should not use or disclose RFID-linked consumer information for any purpose to which the individual has not consented.
  - Organizations should not disclose RFID-linked consumer information to third parties who may profile or perform surveillance on individuals.
  - Organizations should delete all RFID-linked consumer information as early as possible.
- Accuracy
  - Organizations that use RFID-linked consumer information for the purpose of making decisions affecting individuals should ensure that the information is as accurate, complete, and up-to-date as is necessary for that purpose.
- Safeguards
  - Organizations linking RFID tags to personal information should take appropriate measures, beginning with a thorough PIA, to ensure that:
    - RFID tags do not contain personal information;
    - RFID tags are not read by unauthorized parties, either within or outside the organizations’ premises; and
    - all linkages between RFID tags and consumer information are minimized and kept secure.
  - Whenever RFID tags are in the possession of consumers, such as at the time of purchase, they should:
    - be able to choose to have RFID tags removed, destroyed or de-activated easily and without penalty or consequence; and
    - have the ability, upon return of a product, to ensure that their personal information is de-linked from the product item.
- Openness
  - Organizations should publish, in compliance with applicable laws, information on their policies respecting the collection, retention, and uses of RFID-linked consumer information.
  - Organizations should make available to the public general information about the RFID technology in use and the meaning of all symbols and logos used.
- Individual Access
  - Consumers should have a right to know what personal information, if any, is stored inside their RFID tags, or else linked to them.
  - Upon demand, organizations should provide the consumer with an account of all uses and disclosures of RFID-linked personal information.
  - If RFID-linked information is incorrect or unnecessary, there should be a means by which to correct or amend it.
- Challenging Compliance
  - Organizations should inform consumers of their rights and available procedures to challenge that business’ compliance with these privacy principles.
  - Organizations may wish to ensure that the use and security of any RFID technology or system is subject to regular audits. For example, the audit could address the company’s compliance with the operational policies and procedures.