TACD
Trans Atlantic Consumer Dialogue
 

RFID AND UBIQUITOUS COMPUTING
HOW TO ENSURE THAT RFID ALSO SERVES CONSUMER INTERESTS


March 13, 2007

 

MEETING REPORT

1) Executive summary
2) Opening Session
3) Session 1: Ubiquitous computing
4) Session 2: Legislation and voluntary measures
5) Session 3: Building in security and privacy
6) Session 4: The next steps


Executive Summary

As the technology for radio frequency identification (RFID) advances, TACD felt it was time to assess the evident risks as well as the potential benefits. RFID can provide data on consumers and citizens - often without their knowledge or consent, and "ubiquitous computing" - linking RFID tags with widespread capacity for reading the information the tags contain - is already a reality, presenting the threat that a wide range of private information might be transmitted without any authorisation by the consumer.

The legislative and regulatory process is lagging far behind the technology. In Europe, consultations have recently started at EU level. In the US, in the absence of action at federal level, the initiative is being taken so far only by individual states.

The one-day workshop that TACD organised in Brussels on March 13 looked at the technology itself, the scope for legislative or self-regulatory controls on its use, the prospects for building privacy into the technology, and the need for future action. It made clear that there are some wide gaps in RFID knowledge, and some deep suspicions about them. It also highlighted the distinct starting points of industry (and governments) and consumers: industry essentially wants to maximise the use of RFID to boost productivity and competitiveness (and is largely supported by government), and then to deal with any negative side-effects on privacy; consumers, on the other hand, place much higher importance on privacy and protection, and tend to regard the proliferation of RFID as premature in the absence of effective regulatory frameworks.

However, there was some consensus too from the meeting. Government representatives from both sides of the Atlantic felt they had much in common in terms of objectives, despite the different regulatory traditions of their respective approaches to privacy protection. Similarly, consumer representatives from the US and Europe displayed congruent concerns and aspirations. And consumers and government all indicated that they found the encounter valuable, useful, and constructive.

RFID in a nutshell

RFID - also called smart radio tags - is a technology based on tags that emit radio signals as identifiers, and devices that pick up the signal and identify the tags. It has a wide range of applications and does not require direct contact or line-of-sight scanning.

An RFID reader gives access to data on the tag. The tag can contain large amounts of data: a unique product identifier on a drinks can, for instance, or private and personal details on a bank card or official identity document.

Business applications include transport and logistics (tagging pallets, containers, or airline baggage), access control, real-time location, supply chain management, manufacturing and processing, agriculture, and medicine (for instance to impede illicit copying or diversion). In the government sector they are increasingly used in e-government, national defence and security. And in the consumer field they have applications in personal safety, sports and leisure, smart homes and smart cities.

Tags can be invisible, because they are small, or because they are deliberately concealed or disguised. Consequently, consumers may not be aware that something in their possession carries a tag. And even where they know an item carries a tag, they do not know what data is on it, because consumers do not normally have access to RFID readers.



Opening Session

As Jim Murray, director of BEUC, put it in his opening remarks, "RFIDs raise issues of privacy we have to look at". Already data protection is not very robust, and this new technology could put privacy under even greater strain, he warned, since power relationships in the distribution chain will tend to drive wider use of RFID. The most powerful actors will use tags to their own advantage, increasing the capacity of multiple retailers to exercise control over food suppliers, for instance, or helping vehicle manufacturers maintain segmentation of national markets, or enhancing vertical control through distribution chains - where the pretext of combating counterfeiting can mask attempts to constrain competition from independent suppliers.

RFID will intensify the asymmetry of information and power between consumer and suppliers, "giving those who wish to sell us things more information about us, and about what offers we might be more susceptible to", said Murray. The questions that needed serious attention were in part about how to protect consumers and privacy, and in part about how the new technology could advance consumer interests, he suggested. "How can consumers use the technology to advance their own power, and to access advantages? Should consumers be given RFID readers so we can access the data on the chips?", he asked. "You can give your privacy away, but you can't buy it back."

Keynote speaker Rudolf Strohmeier, head of cabinet of European Commissioner for Information Society and Media Viviane Reding, aimed at striking a balance between risks and benefits. "Consumer expectations could be well served by expanding use of RFID under the right conditions", he claimed. But he accepted that this required a precise definition of the right conditions. "This is a challenge and an opportunity to reflect on modern technology and on the model of society we want to construct and live in", he said.

Strohmeier was complimentary about TACD's reflections on how technology can serve consumers and citizens. This can make a valuable contribution to advice for decision-makers, he said: "It is completely legitimate that consumer interests should be given full consideration in policy on new technology. We want it used for the benefit of all".

"We need a new understanding that we are all in this together", underlined Strohmeier. Consumers should not argue there are no RFID applications that could be of value, he cautioned: the technology offers huge possibilities for productivity gains, and abandoning it in Europe or the US would not generate a perfect world - it would merely lead to a lack of competitiveness. Instead, the EU is trying to assure global standards and interoperability, through contacts with US and other major economies.

At the same time, retailers should not presume to push RFID usage by investing in technology and lobbying. Commission consultations on the use of RFID had revealed widespread citizen concerns on privacy, and on the rights of individuals to disable or de-activate product tags at the point of sale. And the EU is also seeking to establish common guidelines on inbuilt privacy. "TACD and the European Commission have a common goal: a safer and more secure information society, in which we have different approaches but work together", concluded Strohmeier.



Session 1: Ubiquitous computing

Dr. Sarah Spiekermann of the Berlin Research Centre on Internet Economics suggested that while RFID is already widely accepted and appreciated for applications such as access services, there is scepticism because of fear that the technology may get out of control. She said research with focus groups had revealed particular concerns on item-level tags on products which are left fully functional at store exits, raising fears of being "tracked" when carrying (or even disposing of) the item purchased. By contrast, however, consumers may appreciate RFID-based after-sales services.

Her recommendations included taking consumer concerns seriously, while also recognising that the service spectrum realizable with RFID is of value to consumers. "Do not let go of the economic potential inherent in RFID through premature or excessive regulation", she urged. There were consumer benefits to be gained from data proliferation, she suggested: "If you're an identified member of Greenpeace, the supermarket could warn you that a product contains GMOs". Instead of outright rejection of the technology, it was sensible to look for effective methods of keeping it under control, she argued. Some consumer concerns, she instanced, could be met by easy-to-use privacy-enhancing solutions at store exits - such as not allowing the full unique product serial number to be retained on goods leaving the shop.

Katherine Albrecht of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) provided a comprehensive overview of the threats that item-level RFID poses for consumer privacy. Tags can be hidden - even a six-inch tag can be hidden inside the packaging, sandwiched within layers of cardboard, or embedded in shoes. Many smaller tags can be hidden in fabric labels, checkout labels, or credit cards. By placing a tag on a shopper loyalty card (which already links in to historical data on that individual's previous purchasing behaviour), shops can design a personalised shopping experience, maximising the selling opportunity by offering specific point of sale promotions, discounts, or coupons - all geared to maximising the store's sales. Readers in the shop doorway can identify a customer entering, even reading through their pocket or handbag; others are placed underfloor to read tags in shoes or fabric. At the Alton Towers amusement park in the UK, customers wearing their admission tag are not only photographed repeatedly by batteries of cameras as they pass among the attractions, but they are then automatically offered the opportunity to purchase a personalised selection of photos of their day out as they leave. Gillette even hid tags in its product packaging and used them to trigger cameras to take a mug shot of every customer making a purchase.

The scope for abuse is obvious, said Albrecht. A person carrying an RFID - wittingly or unwittingly, in their wallet or on an item they have purchased - can be tracked (as IBM's own patent applications suggest) by reader devices located in shopping malls, airports, train stations, bus stations, elevators, trains, airplanes, restrooms, sports arenas, libraries, theatres, museums… "We must be careful", she concluded, "so that when we buy a pair of track shoes, they do not become tracking shoes".

Emilie Barrau of BEUC said European consumers were still largely unaware of RFID, which remains principally a business-to-business technology. Yet it had already been widely introduced even before full trials had taken place - with the result that, for instance, some consumers had been given passports using insecure RFID tags that left them vulnerable to unauthorised reading. "We already live in a surveillance society", she said.

Consumers want the right to know and the right to choose, and they want respect for, and enforcement of, existing rules. Consumers cannot make an informed choice unless they benefit from transparency and accountability of RFID usage, with clear and intelligible information on-site, labelling, and balanced information campaigns. They cannot choose unless there is in-built anonymity, consent required for personal data being collected, and the possibility to deactivate or remove a tag. There is a need for a review of existing legislation, for a definition of the limits of self-regulation, and for impact assessments for privacy and security. Industry should expend less energy on fighting new regulations and more on involving stakeholders in the assessment and management of risks to privacy, identity, trust, security and inclusiveness, concluded Barrau.



Session 2: Legislation and voluntary measures

A roundtable discussion session on the need for legislative action and the role of voluntary measures revealed some sharp divisions between representatives of consumers, government and business. Moderating the session, Marc Rotenberg of the Electronic Privacy Information Center set out broad policy choices: the model of EU data protection legislation; or US self-regulation; or an innovative combination or variation. "It's all moving very rapidly with the ideas now entering the market. Nothing is really stable, and we will face different risks and problems two years from now. So let's keep looking ahead in precautionary principle terms - as the EU has shown the US how to do", he said.

Jay Stanley of the American Civil Liberties Union insisted that regulation is badly needed - and not on a case-by-case basis relating just to, for instance, health or retail, but as an all-embracing data privacy approach. "The starting point has to be an overarching data protection law in the US", he said.

David Banisar of Privacy International said campaigns are needed against RFID tags: "They are secretly watching where you go and what you do". He dismissed suggestions of the innocuousness of fridges talking to milk cartons: "It's already been shown that technology can go too far". He demanded a clear framework - comprising elements of law, complemented by codes, and also deploying technical responses such as encryption.

Achim Klabunde of the European Commission said that EU rules were clear: as soon as data are linked to a person, EU data protection rules apply, even if you are going to store data relating only to who bought a RFID-labelled DVD. But, he went on, the data in most cases is no more revealing than that a particular tag has been read by a particular reader, without access to any personal data. The current EU rules could however be complemented by some self-regulation.

Peter Schaar of the Article 29 Working Party said there was a need for binding rules, and some additional regulation may be useful if self-regulation is inadequate. Organisations developing RFID need to learn about EU data protection laws. Because even though the production line for RFID has in itself no data protection implications, RFID users will have to make key distinctions relating to different applications. For passports, tickets, or loyalty cards, customers must be provided with the means to protect their data. But there are grey areas, he indicated. It is difficult to argue that the data are personal if they are merely chips in containers, or on bottles - but more complex when the bottle is purchased and the data on it become linked to personal data, or if the bottle can be tracked as the purchaser moves around with it in their possession. The essential aim is to respect basic principles of transparency, giving early information to consumers that they are buying a RFID product, and what data will be stored and for what purposes.

Robert Cresanti, US Under Secretary of Commerce for Technology, staunchly defended RFIDs, and admitted to concern that consumer rejection of item-level tagging could wreck enormous supply-chain benefits. TACD and consumer organisations therefore do a good job by insisting on effective oversight: "You keep us honest by asking penetrating questions", he said. He also recognised the impact of distinct cultural approaches: in Europe, identity cards are common, he instanced, while they are anathema in the US - leading to different presumptions and expectations.

Armgard von Reden of IBM spelled out how seriously her company takes the privacy issues raised by RFIDs. "We work with our trade unions on RFID tags on identity cards, and we have 80 researchers in Zurich working on privacy issues". The challenge is to retain advantages for consumers while preventing unlawful reading of tags - and one solution is to use tags that consumers can de-activate by removing a clip containing the antenna.



Session 3: Building in security and privacy

The questions of building privacy and security into the technology were addressed by a panel from academia, industry and government. Sarah Andrews of the OECD demonstrated the work of her organisation on RFID privacy and security. Based on OECD's high-level policy principles and its expertise in consumer protection, privacy protection and information security, it had set up a committee on consumer policy, and a working party on information security and privacy.

An RFID forum in October 2005 had taken stock of current and future applications, explored potential economic and social benefits, and discussed critical public policy issues, in particular security and privacy. It had concluded that security and privacy were make-or-break aspects of RFID technology, and that they should be "baked in" to it rather than "bolted on" afterwards. "Internet history should not be repeated with RFID", said Andrews. But it was recognised that solutions would vary widely according to the type of RFID system and how it is deployed.

An OECD working party on the information economy had analysed the drivers of management, quality and cost savings benefits, and had recommended that governments should be "model users", increasing awareness of RFID potential, particularly through demonstration projects and dealing with questions of standards. The Working Party on Information, Security and Privacy had produced a background report and examined potential good practices, and a ministerial-level meeting is planned for June 2008.

Among OECD's principal concerns over information security were availability of remedies (such as detaching the tag from the tagged item, discharging the battery of an active tag, shielding the tag by masking the antenna, and overloading or jamming the reader), the integrity of the system (there could be misuse of a "kill" command that would leave the owner locked out of his property; or unauthorised copying - of, for instance, tagged car keys - which could give new scope for theft), and confidentiality (because of eavesdropping or unauthorised access).

Privacy questions still needing definition included the status of data (in other words, just what is personal data?), invisibility of data collection, absence of user control (with implications not just for consent and notice, but even with a psychological perspective), tracking (with and without "identifying" the individual), and "high-resolution" profiling.

It was possible to enhance security and privacy by design, said Andrews, using technical controls such as systematic use of a "kill" feature, short operating ranges, clipped tags, and data minimisation techniques. There was not going to be any one-size-fits-all measure, and progress would depend on a mix of operational, management and technical controls. Standards can help, she said, and the evolving risks would mean a continuous demand for evolving countermeasures.

For Marc Langheinrich, of the Institute for Pervasive Computing in Zurich, too much RFID security can threaten consumer privacy. Excessive security can get in the way of usability, and excessive choice can baffle the consumer. "If it is too difficult, people will not bother to use security and privacy mechanisms", he said. For obviously important items, like a passport or a credit card, consumers may be prepared to go to some trouble to implement security measures. But consumers are unlikely to spend time and energy to operate complex mechanisms to neutralise tags on a can of soda or a pair of socks - with the risk that they will therefore not de-activate the tags at all. "If we make tagged items too difficult to protect, people will not bother to do it. More technology means more complexity, which means more difficulty, which means less usage. We need zero-effort, zero-management, infrastructureless, deviceless solutions".

His institute had developed a type of tag which offered, he claimed, zero-management privacy protection. These tags require no consumer effort. They deploy available technology to impede unauthorised access to tag data, with sophisticated levels of encryption slowing the process further, while allowing tags to be directly identified by authorised parties. It is not a solution for "important" tagged items (such as passports), which require strong cryptography. But it is a useful building block as part of a comprehensive solution. This approach offers, according to Langheinrich, the prospect of more privacy through less security.

"The current systems amount to 'security disaster by design'", remarked Stephan J. Engberg, of Priway, who is also a member of the Strategic Advisory Board of the EU ICT Security and Dependability Taskforce. He argued that it was possible to move from the lack of security that current central command and control systems offered, to security through citizen empowerment and dependability, by using privacy-enhancing technologies in RFID.

Engberg called for systems that allowed control by default. Consent had to be seen as a conscious, deliberate and open act of trust, not something presumed or extracted by subterfuge or a form of blackmail. It was unacceptable for consumers to be faced with a choice between security or service; this is an illusory form of autonomy, amounting to no more than a "take it or leave it" approach from the provider. What consumers are entitled to is security and service - where control and autonomy are default conditions.

Consumers also deserve empowerment in questions of security. Systems should not expose consumers to the risks of fraud and identity theft because they allow upfront identification; they need to become more sophisticated, deploying virtualisation to provide levels of security that are impenetrable without authorisation of the data owner. In this way, by reinforcing the consumer's ownership of personal data, innovation makes an additional contribution to the realisation of advanced democracy.

However, Engberg concluded with a sharp warning to regulators - and to consumers. Because the implementation of user-friendly but security-sophisticated systems depends on constant innovation, it was important that attempts to regulate or standardise (wherever the pressure comes from) should not impede or limit the scope for a constant search for improvement, he said.

Kevin Fu, Assistant Professor in Computer Science at the University of Massachusetts, addressed the risks of the RFID in your pocket (or handbag or wallet). The proliferation of RFID and of RFID readers is an established phenomenon: in the US, McDonald's has installed it at all its 13,500 locations; it is in thousands of locations in leading pharmacy chains, petrol stations, and convenience stores.

But it is also a very recent phenomenon, and undue haste in its introduction has left serious gaps in the integrity it might be reasonably supposed to offer, he argued. Notably, RFID credit cards - that is, "no-swipe" credit cards that can be read by simply coming into proximity to an RFID reader - have had the fastest acceptance of new payment technology in the history of the industry, according to the boast of VISA.

No sooner had no-swipe credit cards been introduced, however, than researchers started to display concerns over possible privacy pitfalls. The RFID in these cards crucially reveals the credit card number, the cardholder name, and the expiration date - all the data needed for fraudulent use. And to obtain these data, the card does not even have to be physically seen. It can remain in a pocket, a purse or a wallet, and still be scanned by any compatible reader - even a small handheld device that someone with criminal intent might carry around with them unobtrusively, and hoover up such data from a lift-full of unwitting victims between the first floor and the tenth floor.

And it isn't easy to disable an RFID credit card, Fu demonstrated graphically, with extensive documentation of attacking one even with a hammer.

These cards may be more convenient - they do allow faster processing of legitimate transactions, thus speeding queues through store checkouts or other payment situations. Questions remain, however, over the adequacy of fraud control, and in particular over protection of consumer privacy, which is definitely not yet sufficiently in place.

Fu provided some chilling examples of just how easy it is for consumers and customers to suffer from inadequate privacy protection. They ranged from interception of data by thieves who surreptitiously replaced widely used card-reading devices with their own systems, to "skimming" of data at payment pads in filling stations.

Improving privacy protection has more than one aspect to it, insisted Fu. Naturally it requires technology-dependent advances. But it also requires consumers to be given confidence - and genuine confidence, justified by observable improvements. It is no longer enough for providers to offer promises of secret improvements: this is at risk of being perceived as (and even just being) pure marketing. The technology must be open to public scrutiny. Proprietary methods of security are difficult for RFID credit card suppliers to defend when it is already accepted that secure web sites use public methods.



Session 4: The next steps

The closing session permitted a preview of what needs to be done as the next steps. Gérald Santucci of the European Commission said there was a need for more dialogue. "Today has provided some, but it is obvious that there is not only one definition of privacy but many. Although the concept of privacy was invented at the same time in the US and the EU, different approaches to it were taken, so there is a need for dialogue". He was also insistent that total privacy was unattainable and would never exist: it was a matter of balance, he argued. And he cautioned that the debate on more or less regulation risked missing the point that good regulation can be a stimulus to innovation. The exercise had been instructive, he concluded: "We are more modest at the end than at the beginning".

William E Kovacic, a Federal Trade Commissioner, said that the FTC had a mandate which is "evolutionary and elastic", and that it was able to use unfairness as a reason to initiate prosecutions. The FTC would continue to do so, and will, he promised, "pick up the scenarios we've discussed". Recognising that the US institutional systems are not always evidently interlocked, he observed that "despite the archipelago of US institutions, we do have a better platform for sharing with other countries".

But he wanted to bring a sense of proportion into the approach to be taken. The real risk, in his view, was not in skimming one or two cards in a handbag, but in massive pools of data systematically collected. This is the source of real crime, real fraud, real theft of identity, he argued, and it was fundamentally irresponsible for firms to think of collection and management of large quantities of sensitive data without thinking about safeguarding it against theft.

The industries using this technology were in a situation that suggested an Exxon Valdez or Hindenburg in waiting, with predictable and avoidable disaster just waiting to strike. "You will sink your firm and this technology if you get it wrong", Kovacic warned. "Firms must protect themselves and preserve themselves" - and must do their share in meeting the overwhelming need for education and information. He also urged reflection on how consumers think, so as to be able to take account of public views of privacy, and of the defaults and presumptions that the public wants to see built into law.

Marc Rotenberg too perceived a "veil of ignorance" in which even high-tech company bosses languished. "The people who run RFID companies aren't confident of the impact on their own families if the technology fails", he commented. He regarded privacy rights as being now part of the realm of primary goods - one of those rights that people have to be given to allow them to meaningfully participate in society. Such provision is no longer limited just to questions of welfare, housing, food, or education: "Now, in the information society, we have to give privacy rights. People can't participate in modern society unless they can control their personal details and the release or retention of them", he said. And the attention must focus most on the least advantaged, those most vulnerable from failures to act. The people least able to exercise meaningful consent are likely to be the victims: prisoners, the old, children, job-seekers, immigrants… "In a civilized society we have to share consideration of the rights of the least advantaged", he concluded.

Susan Grant of the National Consumers League believed that everything is possible if there is the will or the money to achieve it. But there is uncertainty about what can be legally done, and there is a difference between action taken in the legal or ethical spheres or out of concern for customers. She declared herself reluctant to rely on self-regulation: "There should be a baseline for privacy protection in the US", she claimed. And she favoured challenging companies on their efforts to protect privacy, with a range of benchmarks. She also pointed out that use of RFID should not be obligatory, and should always be conditional: "If we choose to use it, we should have the choice over how we use it".

Patrick von Braunmühl of the Federation of German Consumer Organisations noted the wide concern among citizens - particularly over the ethics of implantation of RFID. He recognised the opportunities the technology presents for food safety and in anti-piracy (although he added that for consumer organisations, this raised further complexities in respect of intellectual property protection).

The essence of successful exploitation was to ensure built-in security and privacy. This means, he said, that products with RFID should not be placed on the market until their security is virtually 100% sure - "and we are at present a long way from that". In consequence, there is a need for more regulation - even in Europe, where dangerous ambiguities remain over what constitutes voluntary consent to data collection and management, said von Braunmühl. Judges in Europe are already giving wide interpretations to the consent concept, he warned, citing the terms relating to e-Bay; or many loyalty cards. He also believed it was vital to allow disabling of tags at the point of sale and to assure anonymous methods of payment. For this, legislation may well be necessary: "Codes are only an addition to good regulation, not a substitute", he concluded.

Debate during the workshop turned upon several still-unresolved issues. Numerous participants expressed serious doubts about the effectiveness of codes in protecting consumer interests.

Some of the issues raised had a technical dimension - such as on the modalities of reader/RFID communication: it was suggested the reader should, for instance, be entitled only to ask for confirmation of a hypothetical identification ("Are you xx?"), rather than an open demand for identification ("Who are you?"). Different views emerged on the extent to which subcomponents should be tagged, and on the extent to which consumers should be alerted to tagging - a balance between guarantees of authenticity and creating an overload of information.
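The difference between "Who are you?" and "Are you xx?" can be made concrete with a short sketch. This is an added example, not something presented at the workshop: it assumes each tag shares a secret key with its authorised readers and can compute HMAC-SHA-256, and every class name, identifier and key in it is constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def tag_mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA-256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class OpenTag:
    """Answers the open demand "Who are you?" for any reader in range."""

    def __init__(self, tag_id: str):
        self.tag_id = tag_id

    def who_are_you(self) -> str:
        return self.tag_id


class ConfirmOnlyTag:
    """Answers only "Are you xx?", and only to a reader that proves it holds xx's key."""

    def __init__(self, tag_id: str, key: bytes):
        self._id = tag_id.encode()
        self._key = key
        self._pending: Optional[bytes] = None

    def hello(self) -> bytes:
        # First message is a fresh random nonce: it carries no identifier
        # and differs on every read, so it cannot be used to link sightings.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def are_you(self, reader_nonce: bytes, proof: bytes) -> Optional[bytes]:
        # The nonce is single-use, so a recorded query cannot be replayed later.
        tag_nonce, self._pending = self._pending, None
        if tag_nonce is None:
            return None
        expected = tag_mac(self._key, b"query", self._id, tag_nonce, reader_nonce)
        if not hmac.compare_digest(expected, proof):
            return None  # wrong hypothesis or unauthorised reader: stay silent
        return tag_mac(self._key, b"confirm", self._id, tag_nonce, reader_nonce)


class Reader:
    """Holds keys for the tags it is authorised to confirm (hypothetical key store)."""

    def __init__(self, known_tags: Dict[str, bytes]):
        self.known = known_tags

    def confirm(self, tag: ConfirmOnlyTag, tag_id: str) -> bool:
        key = self.known.get(tag_id)
        if key is None:
            return False
        tag_nonce = tag.hello()
        reader_nonce = secrets.token_bytes(16)
        ident = tag_id.encode()
        proof = tag_mac(key, b"query", ident, tag_nonce, reader_nonce)
        reply = tag.are_you(reader_nonce, proof)
        if reply is None:
            return False
        expected = tag_mac(key, b"confirm", ident, tag_nonce, reader_nonce)
        return hmac.compare_digest(expected, reply)


def demo() -> Dict[str, bool]:
    key = secrets.token_bytes(32)
    other_key = secrets.token_bytes(32)
    tag_id = "EXAMPLE-TAG-0001"      # constructed identifier
    other_id = "EXAMPLE-TAG-0002"    # constructed identifier
    open_tag = OpenTag(tag_id)
    quiet_tag = ConfirmOnlyTag(tag_id, key)
    authorised = Reader({tag_id: key, other_id: other_key})
    # A stranger who has guessed the identifier but does not hold the key.
    stranger = Reader({tag_id: secrets.token_bytes(32)})
    return {
        "open_tag_leaks_id": open_tag.who_are_you() == tag_id,
        "authorised_confirms": authorised.confirm(quiet_tag, tag_id),
        "stranger_confirms": stranger.confirm(quiet_tag, tag_id),
        "wrong_hypothesis_confirms": authorised.confirm(quiet_tag, other_id),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The sketch leaves key distribution out: a reader can only confirm tags whose keys it has been given, which is the property the "Are you xx?" proposal relies on.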

Discussion also revealed uncertainties and anxieties - over the scope and nature of information that retailers can store relating to individuals or to individual products, over the physical and health risks from antennas and associated radiation,

Conflicting views emerged on subjects such as time line and cost. While many participants suggested it would be expensive to incorporate RFID widely and difficult to organise seamless links across information systems and privacy protection mechanisms, some industry speakers believed it would not be so hard or expensive to implement.

There was also reflection on whether people should allow themselves to be "chipped" (as is the case for access to some nightclubs, for instance), or whether the law should protect them - and the majority view to emerge was that summed up by Achim Klabunde: "People have the right to do stupid things". However, Rotenberg maintained that individuals depend on their ability to navigate between the public and private world - so even voluntary implantation of a chip has a sinister undertone, depriving people of their ability to choose. Another of Rotenberg's related valedictory comments serves as a fitting summary to the content and tone of the entire workshop, too: "Don't assume all products will work or are good or will succeed", he said. "And don't work on the assumption that consumers have to be educated to accept them all."

Peter O'Donnell, March 21, 2007


                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         

 