Privacy, Security & Governance

David Armstrong

CASAGRAS Open Seminar

1st December 2008

SN

1234

568

Tag

Reader

Host

Introduction

PII Personally Identifiable Information 2

Radio providing the means of wireless interrogation, communication and transfer of data or information.

Frequency defined spectrum for operating RFID devices, low, high, ultra high and microwave, each with distinguishing characteristics.

Identification of items by means of codes contained in a memory-based data carrier and accessed by radio interrogation.

Radio Frequency Identification

ReaderTag

Host Information

Management System

Item

3

Nature of RFID Technologies RFID is an application of object connected data

carrier technology with attributes that are complementary to other machine-readable data carrier technologies.

RFID technologies offer the potential for radical process improvement characterised by tens of percent improvement and fast return on investment.

RFID technologies provide strong potential for improving efficiency, productivity and/or competitiveness.

RFID market increasing significantly, yielding lower costs and higher performance.

4

RFID is a category of Automatic Identification & Data Capture (AIDC) Technologies

Full Matrix

Dot Codes

Linear

Feature Extraction Technologies(Vision, Speech recognition & Biometric Systems)

Data Carrier Technologies

Electronic StorageMagnetic StorageOptical Storage

RFID Transponder

Touch Memory

Magnetic Stripe

MICR

Stacked (or multirow)

Optical Character

Recognition (OCR)

Optical Mark Reading (OMR)

Matrix Codes

Bar Code

Smart Card

Memory Card

Optical Memory (magneto-optic)

Magnetic Resonance Charge

injection

Composites Codes

Contactless Smart Card

5

RFID also supports Contactless Smart Cards RFID is found in a range of card-based

structures, from basic card-based tags to dual entry smart cards

Supported by ISO standards* for contactless smarts cards.

High frequency technology has been primarily applied in card-based technology.

Important in applications for reusable access control and transactions.

6

European Commission Consultation Process on RFID (2006)

The review process revealed that 61% of respondents believed that the public were not sufficiently informed about or aware of RFID. It also revealed privacy to be the biggest concern.

7

Some responses

Kill Function De-activation Federal Legislation Lobbying Negative PR Uninformed Comment

8

RFID 1.0 RFID 2.0Supply Chain to Product Life Cycle Management

Intelligent Barcode Static Single Purpose One Access Point Auto ID Limited Security Use in Supply Chain

RFID is a Computer

Dynamic

Context Aware

Multiple Access Points

Collaborative Usage

Rich Security

Use in Full Product Life Cycle

9

Existing & Proposed RFID Guidelines

Europe - EC Directive 95/46/EC (in the EU the Privacy Directive is mandatory, which means regulatory)

USA - e.g. Center for Democracy & Technology

Japan - Guidelines for Privacy Protection (MIC and METI)

10

A new work item has been proposed by ETSI, linked to the CASAGRAS and GRIFS projects (target completion end 2009).

This will result in:• A protection profile for RFID devices in the context

of the Internet of Things• Development of guidelines for e.g. marking RFID

readers as visible (non-technical aspects of RFID). Also marking RFID enabled products as such.

Internet of Things

11

DESIGN FOR: User Acceptance Legislative Conformance and Governance Protection against Abuse from Potential Attackers Performance

A Standard for Privacy Design

12

Collection Limitation Data Quality Purpose Specification Use Limitation Security Safeguards Openness Individual Participation Accountability

Principles for Privacy Design

13

Multiple Issues Multiple Constituencies Multiple Arenas & Backgrounds

Governace & Politics

14

The Way Forward

?

15

Physical Materials Components and sub-assemblies Products Containers Physical carriers People Locations Documents and other forms information carrier

……….virtually anything tangible that is part of a business process. This is the opportunity………

RFID is about identifying and handling Items…

16

Designers, Manufacturers and users of RFID technology should address the privacy and security

issues as part of its original design. Rather than retrofitting RFID systems to respond to privacy and security issues, it is much preferable that security

should be designed in from the beginning.

Notice - Choice & Consent - Onward Transfer - Access - Security

Privacy & Security as

Primary Design Requirements

17

Ideally, there should be no secret RFID tags or readers. Use of RFID technology should be as transparent as

possible and consumers should know about such implementation and usage as they engage in any

transaction that involves an RFID system.

But……

Consumer Transparency

18

RFID technology, in and of itself, does not impose

threats to privacy. Privacy breaches occur when

RFID, like any technology, is deployed in a way that is

not consistent with responsible management

practices that foster sound privacy protection

Technology Neutrality

19

Thank You