
CASAGRAS Open Seminar

1st December 2008

Privacy, Security & Governance

David Armstrong

 
Introduction

[Diagram: Tag, Reader, Host; example tag identifier SN123456]

PII: Personally Identifiable Information


Radio Frequency Identification
• Radio: providing the means of wireless interrogation, communication and transfer of data or information.
• Frequency: defined spectrum for operating RFID devices (low, high, ultra high and microwave), each with distinguishing characteristics.
• Identification: of items by means of codes contained in a memory-based data carrier and accessed by radio interrogation.

[Diagram: Item, Tag, Reader, Host, Information Management System]

Nature of RFID Technologies
• RFID is an application of object connected data carrier technology with attributes that are complementary to other machine-readable data carrier technologies.
• RFID technologies offer the potential for radical process improvement characterised by tens of percent improvement and fast return on investment.
• RFID technologies provide strong potential for improving efficiency, productivity and/or competitiveness.
• RFID market increasing significantly, yielding lower costs and higher performance.

RFID is a category of Automatic Identification & Data Capture (AIDC) Technologies

[Diagram: AIDC taxonomy. Two branches: Feature Extraction Technologies (Vision, Speech recognition & Biometric Systems) and Data Carrier Technologies. Data Carrier Technologies divide into Optical Storage, Magnetic Storage and Electronic Storage. Data carriers shown include bar codes (linear, stacked or multirow, composites), matrix codes (full matrix, dot codes), Optical Mark Reading (OMR), Optical Character Recognition (OCR), optical memory (magneto-optic), magnetic stripe, MICR, magnetic resonance, charge injection, RFID transponder, touch memory, memory card, smart card and contactless smart card.]

RFID also supports Contactless Smart Cards
• RFID is found in a range of card-based structures, from basic card-based tags to dual entry smart cards.
• Supported by ISO standards* for contactless smart cards.
• High frequency technology has been primarily applied in card-based technology.
• Important in applications for reusable access control and transactions.

European Commission Consultation Process on RFID (2006)

The review process revealed that 61% of respondents believed that the public were not sufficiently informed about or aware of RFID. It also revealed privacy to be the biggest concern.

Some responses
• Kill Function
• De-activation
• Federal Legislation
• Lobbying
• Negative PR
• Uninformed Comment

RFID 1.0 → RFID 2.0
Supply Chain to Product Life Cycle Management

• Intelligent Barcode → RFID is a Computer
• Static → Dynamic
• Single Purpose → Context Aware
• One Access Point → Multiple Access Points
• Auto ID → Collaborative Usage
• Limited Security → Rich Security
• Use in Supply Chain → Use in Full Product Life Cycle

Existing & Proposed RFID Guidelines
• Europe - EC Directive 95/46/EC (in the EU the Privacy Directive is mandatory, which means regulatory)
• USA - e.g. Center for Democracy & Technology
• Japan - Guidelines for Privacy Protection (MIC and METI)

Internet of Things
A new work item has been proposed by ETSI, linked to the CASAGRAS and GRIFS projects (target completion end 2009).

This will result in:

• A protection profile for RFID devices in the context of the Internet of Things
• Development of guidelines for e.g. marking RFID readers as visible (non-technical aspects of RFID). Also marking RFID enabled products as such.

A Standard for Privacy Design
DESIGN FOR:
• User Acceptance
• Legislative Conformance and Governance
• Protection against Abuse from Potential Attackers
• Performance

Principles for Privacy Design
• Collection Limitation
• Data Quality
• Purpose Specification
• Use Limitation
• Security Safeguards
• Openness
• Individual Participation
• Accountability

Governance & Politics

• Multiple Issues
• Multiple Constituencies
• Multiple Arenas & Backgrounds

The Way Forward

RFID is about identifying and handling Items…
• Physical Materials
• Components and sub-assemblies
• Products
• Containers
• Physical carriers
• People
• Locations
• Documents and other forms of information carrier

…virtually anything tangible that is part of a business process. This is the opportunity…

Privacy & Security as Primary Design Requirements

Designers, Manufacturers and users of RFID technology should address the privacy and security issues as part of its original design. Rather than retrofitting RFID systems to respond to privacy and security issues, it is much preferable that security should be designed in from the beginning.

Notice - Choice & Consent - Onward Transfer - Access - Security

Consumer Transparency

Ideally, there should be no secret RFID tags or readers.

Use of RFID technology should be as transparent as possible and consumers should know about such implementation and usage as they engage in any transaction that involves an RFID system.

But…

Technology Neutrality

RFID technology, in and of itself, does not impose threats to privacy. Privacy breaches occur when RFID, like any technology, is deployed in a way that is not consistent with responsible management practices that foster sound privacy protection.

Thank You
