
Finally, a bit of sense on RFID

The discussion of RFID privacy will continue to roll for some time yet. The publication of the EC's privacy draft is another marker in how this technology will eventually be viewed: as a benefit in terms of tracking and tracing or as a nightmare in terms of privacy.

I must admit I do at times find the EU's continual approach to new technology on behalf of its citizens nanny-ish. In this article about the EC's proposals, Gérald Santucci, head of the Information and Communication Technology (ICT) for Enterprise Networking unit of the Information Society and Media Directorate-General, is quoted as saying, "In Europe, there is a visible lack of trust in new technologies," Santucci says. "That is a fact."

A fact. Really? Any more so than anywhere else? The US, for example? Talk to anyone in the street - or at a dinner party - about RFID, and you'll get a blank look. Most people haven't heard about the technology, and don't know what it's for. So an EU public consultation exercise, what will that achieve? It will be another consultation for the initiated: the RFID industry, the privacy campaigners, and businesses. And that has been going on for the last six months, according to Santucci. Will the public really be able to add any more about RFID than we know already? I doubt it, though I'd be happy to be wrong. A balance must be struck because the RFID industry too must not be sold short by politicians and policymakers.

Where I do agree on RFID, however, is that this is not about dealing with RFID now. It is about the future, and learning the lessons from the Internet.

The Organisation for Economic Co-operation and Development (OECD) covers this in its excellent recent report on RFID. (It has the involvement of Nick Mansfield who I first came across ten years ago when we were discussing the implications of the Internet for security, privacy etc. It is no surprise that Nick would be involved in the writing of such a cogent report.)

The report makes the fair point that privacy and security should be integrated in the RFID infrastructure before widespread deployment of the technology, rather than having to deal with it afterwards, as has been required for the Internet, where security has had to be 'bolted on' rather than 'baked in'. I agree: we don't want that history repeated with RFID.

The report is well worth a read. You can find it here.

So perhaps all the discussion over privacy is necessary, and the RFID industry, the privacy campaigners and businesses have to agree - painful though that might be - to make RFID more effective down the road. That's fine with me - as long as Mr Santucci doesn't assume 'as a fact' that every European citizen has a visible lack of trust in new technologies.
'As a fact', I don't.



Comments (3)

researcher:

The report at first glance seems very good, and your takeaway point that privacy needs to be addressed at the time of implementation and not bolted on as an afterthought is both accurate and timely. However, the report would appear to be inaccurate in that it states that vicinity read RFID has a normal read range of 1m, when in fact it is 10m. I do not know if this error is due to changes in technology or is an editing error. The laws of physics won't change, but technology will make some RFID "limitations" temporal in nature. This is neither surprising nor alarming, but must be kept in mind as the issue is discussed.

Walt:

One of the easiest methods for consumers to protect their privacy with RFID cards and RFID enabled Passports is to keep them shielded when not in use. This would eliminate a huge percentage of the vulnerability.

These sleeves are very inexpensive.

You can buy them from www.idstronghold.com or in the UK at www.smartcardfocus.com/skimstopper

I think the issuers themselves though should provide these with their cards and get bulk savings on them.

I am a little confused about why the EC has opened this particular topic again, when we thought that a final decision favouring self-regulation was made last year.

RFID is a 'lightning rod' technology for privacy issues: one that can bring together personal information and location data, and facilitate aggregation with other data about the individual to create a detailed personal profile.

If systems are to respect privacy and comply with data protection laws, then they need to have that as a design requirement at the time of inception, rather than - as you rightly point out - bolted on afterwards.

Self-regulation would be the right approach for this space; there really is no need for another layer of controls over the technology, otherwise we'll be regulating every new technology that comes on the market. Consumers will quickly make their wishes felt if private organisations or public authorities abuse RFID systems.

I published a suggested code of conduct for RFID privacy management a while back; a copy is available here: http://www.privacygroup.org/downloads/fl0000196.pdf

About

This page contains a single entry from the blog posted on February 27, 2008 9:14 AM.
