RFID Asia :: Radio Frequency Identification (RFID) Community in Asia

Guidelines for Securing RFID Systems

 

Friday, April 27, 2007
Like any information technology (IT), radio frequency identification (RFID) presents security and privacy risks that must be carefully mitigated through management, operational, and technical controls in order to realize the numerous benefits the technology has to offer.

When practitioners adhere to sound security engineering principles, RFID technology can help a wide range of organizations and individuals realize substantial productivity gains and efficiencies. These organizations and individuals include hospitals and patients, retailers and customers, and manufacturers and distributors throughout the supply chain.

RFID is a form of automatic identification and data capture (AIDC) technology that uses electric or magnetic fields at radio frequencies to transmit information. An RFID system can be used to identify many types of objects, such as manufactured goods, animals, and people. Each object that needs to be identified has a small object known as an RFID tag affixed to it or embedded within it.

The tag has a unique identifier and may optionally hold additional information about the object. Devices known as RFID readers wirelessly communicate with the tags to identify the item connected to each tag and possibly read or update additional information stored on the tag. This communication can occur without optical line of sight and over greater distances than other AIDC technologies. RFID technologies support a wide range of applications—everything from asset management and tracking to access control and automated payment.

Every RFID system includes a radio frequency (RF) subsystem, which is composed of tags and readers. In many RFID systems, the RF subsystem is supported by an enterprise subsystem that is composed of middleware, analytic systems, and networking services. RFID systems that share information across organizational boundaries, such as supply chain applications, also have an inter-enterprise subsystem.

Each RFID system has different components and customizations so that it can support a particular business process for an organization; as a result, the security risks for RFID systems and the controls available to address them are highly varied. The enterprise and inter-enterprise subsystems involve common IT components such as servers, databases, and networks and therefore can benefit from typical IT security controls for those components.

Source: Karygiannis, T., Eydt, B., et al. (2007). Guidelines for Securing Radio Frequency Identification (RFID) Systems. Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-98.


More Than 5 Cents

 

Friday, January 12, 2007
by Adi Tedjasaputra

The aggressive marketing campaign for RFID standards led by EPCglobal has been successful. At least, many who have heard about RFID have most likely also heard about the Electronic Product Code (EPC), EPCglobal standards or EPCglobal. Some even falsely identify RFID with EPC. There is no doubt that the EPC branding is in the mind of many people, for better or for worse.

5-Cent RFID Tags
Ideally, marketing power should come with a responsibility to fulfil the promises advertised in the marketing campaign. Unfortunately, in the real world, promises do not always come true in time, and people often get disappointed, and sometimes confused and frustrated.

How many times have you heard or read people talk about 5-cent RFID tags?

Here, instead of discussing whether the 5-cent tag is a myth or a feasible vision, it is necessary to point out that the 5-cent price target was originally introduced by Sanjay Sarma and his colleagues, who are also involved in the development of EPC. Riding the 5-cent buzz, EPC, a unique numbering scheme endorsed by EPCglobal, has gained popularity in recent years, at the expense of RFID technology and the industry in general.

We quickly determined that if RFID tags were ever going to have a shot at being widely used, a 5-cent price target was important for both psychological and commercial reasons. In return, though, the volumes would have to be very high—for example, more than 5 billion bar codes are scanned daily today. The problem with RFID tags at the time was that the industry was "stuck" in a higher-margin, lower-volume mind-set. At the Auto-ID Center, we set about flipping it to a high-volume, low-margin approach. (Integrating RFID, Sanjay Sarma, ACM Queue vol. 2, no. 7 - October 2004)

There is no doubt that when Sanjay Sarma and his colleagues envisioned 5-cent RFID tags, they were comparing RFID tags with barcode labels and referring only to retail supply chain item tagging, rather than to RFID tags and applications in general.

Nevertheless, when the news of 5-cent RFID tags was published in the media, many became excited and over-enthusiastic. Some unrealistic expectations started to unfold. Many people easily forget or ignore the underlying assumption that an initial large-volume purchase is necessary to achieve the 5-cent RFID tag vision.

Is Gen 2 the Silver Bullet?
Realising the shortcomings of the Class 0 and Class 1 UHF Air Interface Protocol Standard, EPCglobal began its work on the second generation of the UHF air interface protocol, mostly known as Gen 2. The standard was later ratified by the International Organization for Standardization (ISO) last year.

When EPCglobal later realised that the strengths of UHF RFID technology come with weaknesses and limitations, the organization started to look into HF RFID technology and formed the HF Air Interface Working Group. The Working Group is currently working toward the extension of Gen 2 into the HF band.

Less well known are the cost of involvement in EPCglobal and the cost of adopting EPCglobal standards. If you are an end user, you have to pay at least US$750 (EPCglobal North America) for the initial subscription fee, in addition to other fees. Solution providers will have to pay more. The subscription fee schedule for companies outside the United States is less transparent, but since EPCglobal is a joint venture between GS1 and GS1 US, one may expect similar fees to be collected as well.

Besides the high organisational and infrastructure costs, the design of the current Gen 2 protocol standard ironically does not reflect any breakthrough towards the vision of 5-cent RFID tags, especially with the added security feature extensions for RFID supply chain item-level tagging, which will increase the total tag manufacturing cost.

The result of unrealistic expectations is predictable: disappointment. RFID vendors will fail to meet the unrealistic expectations already generated by aggressive and unrealistic marketing campaigns, including the demand for 5-cent tags. RFID technology and the industry will get more bad press, in addition to the current opposition from already flourishing privacy groups. A wait-and-see attitude towards RFID implementations will become more common among potential RFID adopters, including those outside the retail supply chain industry. The expected large-volume purchases that could decrease the general RFID tag price will happen at a very slow pace, along with various setbacks.

Fortunately, there are hundreds of RFID applications that do not depend on adopting EPCglobal standards. These RFID applications are primarily unrelated to the supply chain industry. Nevertheless, we still urgently need a healthy dose of marketing that is balanced with rational and realistic expectations and actions to move beyond the current hype. We need to prevent one drop of indigo from staining the whole cauldron of milk (*).

(*) "One drop of indigo stains the whole cauldron of milk" is an Indonesian proverb that means one minor act of bad behaviour can ruin a whole body of good work or effort.


RFID vs. Contactless Smart Card

 

Friday, August 25, 2006
by Adi Tedjasaputra

Smart Card vendors have realized that some negative perception against RFID technology is not good for them, especially when they are after various large contracts from governments around the world, supplying their Contactless Smart Card Chips for biometric passports and ID cards.

When a defensive approach to distinguish RFID from Contactless Smart Card does not seem to be enough, some Smart Card vendors have decided to invest in a Secure ID Coalition for promoting the smart card technology to achieve enhanced security for ID management systems while maintaining user privacy.

(Update 31 May 2007: After the release of this article in 2006, the Smart Card Alliance removed the article titled "RFID and Contactless Smart Card Technology: Comparing and Contrasting Applications and Capabilities", previously available on their website and linked in this article. A new version of a similar article, titled RF-Enabled Applications and Technology: Comparing and Contrasting RFID and RF-Enabled Smart Cards, is now available on their website instead.)

Their initiatives to avoid negative perceptions of smart cards deserve attention. However, there is also a need to set the record straight. Contactless Smart Card technology used for biometric passports and ID cards is RFID.

The Contactless Smart Card Chip used in most biometric passports and ID cards is a passive 13.56 MHz RFID transponder incorporating a microcontroller conforming to the ISO/IEC 14443 standard, which allows for a read range of up to 10 cm, with a memory capacity of at least 32 kilobytes and a data transfer rate of 106 kbps or greater.

Some might argue that contactless smart card biometric passport and ID card applications require a higher degree of protection for information privacy due to the sensitive information, compared to most RFID tags, which only carry some product identification number. Nonetheless, the fact that they are all used for unique identification by means of radio waves implies that they are RFID.

There are various applications that use different types of RFID technology. It is understandable if the word RFID could trigger some allergic reactions in some people, given the many hypes devastating RFID's image. For different reasons, some technology vendors are reluctant to use the word RFID to describe their products and services, even though what they actually sell is RFID. This is part of the current challenges and concerns faced by RFID technology. There is a need to embrace and tackle these challenges and concerns, but before assessing them, it is essential to have a better understanding of RFID technology in the first place.


Are we ready for biometric passports and ID cards?

 

Thursday, August 17, 2006
by Adi Tedjasaputra

Biometric passports have recently been touted as cutting-edge technology able to prevent travel document forgery using a secure authentication process. These passports carry digital data about the physical characteristics of their respective holders, such as face shape and fingerprints. These physical characteristics, and their combinations, are the parameters or the determining factors in an authentication process known as biometric authentication.


Before the biometric authentication process can be performed, a recording process that transforms human physical characteristics into digital biometric data, or a biometric signature, is required to set an authentication reference. These digital data are usually encrypted and stored in a Radio Frequency Identification (RFID) chip embedded or inserted into each biometric passport.


During the biometric passport authentication process, a passport-reading machine will read the biometric data stored in the RFID chip. After a successful contactless access, the data retrieved from the chip will then be authenticated against the initial, presumably genuine, biometric data stored in a database. In addition, a physical authentication process can also be integrated to increase the trustworthiness of the authentication process.


Most countries in the world are currently implementing or planning to adopt biometric passports for security purposes, including Indonesia.


As the world's fourth-most populous nation with more than 200 million people, Indonesia has decided to venture into the world of biometrics. Since February 2006, the country has been issuing what the government calls new biometric passports. According to the article, Justice ministry clarifies biometric passport prices, published by The Jakarta Post on July 21, 2006, the government says the biometric system, which scans fingerprints and photographic data into a bar code, has helped it detect 1,800 attempted passport frauds since its introduction in February 2006.


In addition, a press release issued by the sole contractor for the Biometric Indonesian Passport project, Digital Identification Solutions AG of Germany, dated July 12, 2006, from Stuttgart, claims that on average the new biometric passport system processes thousands of on-line passport applications daily and issues the passports in full color, and with numerous security features, on the spot where people apply for the passports.


"Being a German national, I sometimes would love to have my own government provide such user-friendly service to the public," says the CEO of the company in the press release.


Does this sound like an overstatement? I believe so.


However, I agree that the Biometric Indonesian Passport project is indeed one-of-a-kind in the world.


While developed countries are implementing or planning biometric passports with RFID chips embedded or inserted into them, the biometric Indonesian passports resort to bar code technology (the Post, July 21, 2006), which defeats the purpose of anti-counterfeit measures. Basically, it is easier to clone bar codes than the encrypted identification stored in an RFID chip.


Besides the security issue, it is also essential to guarantee that certain information in biometric passports is kept from unauthorized parties and specific privileges granted or assigned to the right people, which is almost impossible with the application of bar code technology. The biometric Indonesian passport system designer apparently forgets that secure authentication is the fundamental assumption for privacy protection and authorization.


In addition, the use of bar code technology also means that there is no unique identification system due to the limitation of the bar code numbering system. Bar code technology was originally designed only to identify a class of generic products, not a unique item, compared to RFID technology, which can support a unique identification system despite the numbering system being used.


Biometric (+RFID) passports and ID cards are definitely better, not having the basic security issues posed by bar code technology.


Nevertheless, the recent demonstration of biometric (+RFID) passport data cloning performed by a security consultant at the Black Hat security conference in Las Vegas could indicate that security risks in the use of biometric (+RFID) passports and ID cards still exist. However, the consultant could not change the information stored in the chip due to cryptographic protection.


In reality, there is no 100 percent security guarantee in this networked world. When you become part of a "network" voluntarily or involuntarily, there is always a chance that your security will be compromised. One sensible action you can take is to assess your state of security continuously, take several appropriate security measures and prepare recovery plans in the event of a security breach (RFID Security Threats: Your Cat is Probably Safe ... for Now, RFID Asia).


During a government forum on national IDs and e-passports for Indonesia held last June in Jakarta, the director for international cooperation at the Directorate General of Immigration unveiled a plan to decentralize the issuing of biometric Indonesian passports throughout Indonesian embassies.


Until now, there has been no country in the world planning or implementing a decentralization plan similar to the one proposed by the Indonesian government. It is certainly not about technological barriers. It is simply based on common sense and the assumption that the security risks of such decentralization outweigh the benefits of such a system in terms of efficiency. There is simply no country in the world that is willing to put its nationals and citizens on the front line of security risks and threats.


This article is featured at The Jakarta Post, Opinion and Editorial - August 15, 2006




RFID and Children: The World is Not Enough

 

Friday, August 11, 2006
by Adi Tedjasaputra

Going to school may seem to be routine and ordinary for most children. However, a growing number of children (and parents) around the world may not feel the same.


Let's meet Sanami-chan, a 4-year-old student from Ayase city, Kanagawa prefecture in the greater Tokyo area, Japan. Her mother, Megumi-san, a 33-year-old housewife, usually takes Sanami-chan to her school, Ryounan preschool, located several kilometers from their home.


Since February 2006, Sanami-chan and her mates in the school started to wear some active 300 MHz UHF RFID tags attached to their rucksacks. When Sanami-chan and Megumi-san pass through the preschool's front gate in the morning, the RFID reader installed in the gate will read the identification number stored in Sanami-chan's RFID tag. The reader will then instantly transmit the ID to the school's attendance information system, which then records Sanami-chan's arrival and changes the colour of Sanami-chan's name displayed on a PC monitor from red to green.


Sanami-chan and Megumi-san (fictitious personas) illustrate how children and parents in Japan have taken part in a growing number of RFID projects that involve children.


Children Safety


Several amusement parks, such as Legoland in Billund, Denmark, Dollywood Splash Country in Tennessee, USA and Wannado City, Florida, USA, have started adopting RFID technology mainly for the purpose of tracking and pinpointing children's location in the amusement parks. A child safety seat system has been developed to alert drivers if a seat buckle disengages. Children's clothes could be embedded with RFID tags for the purpose of triggering an alarm and alerts when a child wearing such clothes crosses predetermined boundaries. Various school attendance systems are implemented in various places in Japan and some other countries across Asia.


Despite the tremendous growth of RFID technology applications for ensuring children's safety, there is also some opposition to the use of the technology on children. Those who oppose the use of the technology for children's safety often argue that the technology application could breach children's right to privacy and dignity, like the opinion expressed by EPIC, the Electronic Frontier Foundation and ACLU-Northern California to the Brittan School Board regarding a mandatory RFID badge programme for tracking children’s movements in and around the school located in Sutter, California, USA.


Nevertheless, in a different location quite far away, Tanabe city, Wakayama prefecture, Japan, Kinki Bureau of Telecommunications released a report of an RFID experiment on children that draws a different picture through a survey on parents whose children took part in the experiment: 83% of the parents said that the experimental RFID system increased their peace of mind and most of them were willing to pay a monthly fee for this kind of service.


Beyond Safety


Children's safety is not the only reason for using RFID technology in the children's world. RFID technology has also found its way into the world of children's education and entertainment.


Embedding RFID into toys for language learning, an interactive toy kitchen that can detect and respond to toy food placed on its plate, and a hybrid gaming system are only a few of many innovative ideas that have become popular.


If you think that children have already had enough exposure to RFID technology in the world, think again!
There is already a specific lesson designed for children in which they can share opinions about the technologies used to identify them and monitor their activities, then develop plans for new uses of RFID-enabled technologies to share with their classmates, and write essays persuading readers to use their proposed technologies.




Another Hype, Another Setback

 

Wednesday, July 26, 2006
by Adi Tedjasaputra

It is always difficult to digest an opinion or article on Radio Frequency Identification (RFID) based on incomplete facts and bias, especially when it comes from a company that considers itself as the world's authority in the field of RFID.

About two months ago, we heard about the draft report titled The Use of RFID for Human Identification published by the DHS Data Privacy and Integrity Advisory Committee, U.S. Department of Homeland Security. The report recommends a careful consideration whether to use RFID to identify and track individuals.

In about the same period, the CEO of Applied Digital is injecting RFID into the immigration mess, literally, by suggesting the implant of RFID chips manufactured by VeriChip Corp., a subsidiary of Applied Digital, into the arms of registered aliens in the U.S.

While the hype is still fresh in our memory, we heard another story that illustrates how easy it is to "clone" a unique identification number from a supposedly secure implanted RFID chip manufactured by the same company.

What was the reaction of VeriChip?

Interestingly, the spokesman could still argue that: "It’s very difficult to steal a VeriChip … it's much more secure than anything you'd carry around in your wallet".

Another hype that results in another setback for RFID.

Technology, including RFID, is only an enabler.
You still need to consider moral and ethical borderlines in applying RFID technology.


RFID Asia 2nd Meeting, Kuala Lumpur, Malaysia, 20-21 September 2006

 

Thursday, July 06, 2006
In the spirit of cooperation between government and industry through RFID innovation, we are glad to announce that the upcoming RFID Asia 2nd Meeting 2006 will be held in Kuala Lumpur, 20-21 September 2006.

Following the success of the RFID Asia 1st Meeting 2006 in Singapore, the RFID Asia 2nd Meeting 2006 is expected to attract the attention and participation of the major RFID players, governments and users in the Asia region, including industrial senior executives, researchers, venture capitalists, government official representatives and policy makers.

Several topics of interest during the meeting include the Integration of RFID and Sensor technology, RFID Access Control and Security Systems, RFID Privacy, New RFID Standards and Alternatives, IEEE P1902.1, RFID/USN and the Regional RFID Ecosystem in Asia and Malaysia.

By actively participating in the event, attendees can expect opportunities to exchange RFID knowledge, network among the RFID community members in Asia, open up business opportunities, develop RFID skills and participate in Asian RFID projects.

More detailed information on the event can be retrieved from http://summit.rfid-asia.info.


Ontario's RFID Privacy Guidelines

 

Wednesday, June 21, 2006
Edited News Release.

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, yesterday released privacy Guidelines for the growing field of radio frequency identification (RFID).

These Guidelines flow from her earlier work in 2003 when the Commissioner first identified the potential privacy concerns raised by RFID technology. Following a history of ground-breaking work on building privacy into the design of emerging technologies, these Guidelines are a natural progression of this pragmatic approach.

“I have always found it beneficial to assist those working on emerging technologies, and to be proactive whenever possible – to develop effective guidelines and codes before any problems arise,” said Commissioner Cavoukian. “These made-in-Canada Guidelines provide guidance and solutions regarding item-level consumer RFID applications and uses.”

EPCglobal Canada, an industry association that sets standards for electronic product codes, has been collaborating with the IPC in the development of these Guidelines, and will be seeking Board approval by its member companies to signify the association’s endorsement of the Guidelines.

“This technology offers exciting benefits to consumers and businesses alike. As the trusted source for driving adoption of EPC/RFID technology for increased visibility within the supply chain, privacy is as important as anything else we are doing,” said Art Smith, President and CEO, EPCglobal Canada. “We promote an environment that encourages ongoing innovation while respecting privacy issues.”

RFID tags contain microchips and tiny radio antennas that can be attached to products. They transmit a unique identifying number to an electronic reader, which in turn links to a computer database where information about the item is stored. RFID tags may be read from a distance quickly and easily, making them valuable for managing inventory, but they pose potential risks to privacy if linked to personal identifiers. RFID tags are the next generation technology from barcodes.

Although RFID technology deployed in the supply chain management process poses little threat to privacy, item-level use of RFID tags in the retail sector, when linked to personally identifiable information, can facilitate the tracking and surveillance of individuals. The goal of these Guidelines is to alleviate concerns about the potential threat to privacy posed by this technology and to enhance openness and transparency about item-level use of RFID systems by retailers.

The Guidelines address key privacy issues regarding the use of RFID technology at an item-level in the retail sector, said Commissioner Cavoukian.

The Guidelines are based on three overarching principles, including:

* Focus on RFID information systems, not technologies: The problem does not lie with RFID technologies themselves, but rather, the way in which they are deployed that can have privacy implications. The Guidelines should be applied to RFID information systems as a whole, rather than to any single technology component or function;

* Build in privacy and security from the outset – at the design stage: Just as privacy concerns must be identified in a broad and systemic manner, so, too, must the technological solutions be addressed systemically. A thorough privacy impact assessment is critical. Users of RFID technologies and information systems should address the privacy and security issues early in the design stages, with a particular emphasis on data minimization. This means that wherever possible, efforts should be made to minimize the identifiability, observability and linkability of RFID data; and

* Maximize individual participation and consent: Use of RFID information systems should be as open and transparent as possible, and afford individuals with as much opportunity as possible to participate and make informed decisions.

A companion piece to the Guidelines – Practical Tips for Implementing RFID Privacy Guidelines, is also being released by the Commissioner to help organizations put the Guidelines into practice.


Push Button for Privacy

 

Friday, May 26, 2006
A simple idea such as button pushing is expected to overcome the privacy issues in using short range RFID solutions such as RFID-enabled ID cards and passports.

This idea was revealed by SmartCode™ Corp. in its recent press release after the DHS Emerging Applications and Technology Subcommittee of the DHS Data Privacy and Integrity Advisory Committee published a draft report titled "The Use of RFID for Human Identification". The report recommends a careful consideration whether to use RFID to identify and track individuals.


References

(1) SMARTCODE™ CORP. SMARTCODE™ CORP. SOLVES THE PRIVACY ISSUE RELATING to potential unauthorized reading of RFID enabled PASSPORTS AND id cards. http://www.smartcodecorp.com/newsroom/22-05-06.asp (retrieved 25th May 2006)

(2) U.S. Department of Homeland Security. The Use of RFID for Human Identification. http://www.dhs.gov/dhspublic/interweb/assetlibrary/privacy_advcom_rpt_rfid_draft.pdf (retrieved 25th May 2006)


CDT's RFID Best Practices

 

Wednesday, May 24, 2006

(1) CDT-Led Working Group Releases RFID "Best Practices"


A working group led by CDT and made up of some of the nation's largest companies, public interest and consumer advocates earlier this month unveiled a set of "best practices" designed to promote respect for consumer privacy in the growing use of Radio Frequency Identification (RFID) technology in commercial applications.

Released at the RFID Journal Live! conference in Las Vegas, May 1, the document offers guidance for companies that use RFID technology to collect data that can be linked to consumers' personally identifiable information. Drawn from widely accepted principles of "fair information practices," the best practices outline how consumers should be notified about RFID data collection, what choice they should have with regard to the uses and sharing of their own personal information, and how that information should be treated by the companies that collect it.

The document is a milestone in the evolution of RFID technology, offering companies and organizations clear guidance on what steps they should take before putting in place RFID technology that can be linked to personally identifiable information.

In addition to CDT, the American Library Association, aQuantive, Cisco Systems, Eli Lilly and Company, IBM, Intel, Microsoft, the National Consumers League, Procter & Gamble, VeriSign and Visa USA all worked for more than a year to develop the document. Elliot Maxwell, an RFID consultant and fellow with the communications program at Johns Hopkins University also worked on the document.

RFID refers to a broad range of technologies that allow users to track and identify physical items using radio waves. RFID "tags" of various types can be placed on shipping crates, livestock, even clothing, where they can be later identified by RFID readers designed to scan the items at a distance. Many of those applications raise no real privacy concerns, but when the data collected from RFID tags is linked to personally identifiable information, privacy issues can arise. The best practices are geared specifically toward those instances.

The best practices described in the document are based on the fair information principles of notice, consent, access, transfer and security.

RFID Privacy Best Practices: http://www.cdt.org/privacy/20060501rfid-best-practices.php

(2) Best Practices Ideal for Evolving Technology


CDT shares the concern of the privacy community that RFID technology deployed without proper transparency and privacy safeguards could undermine consumer privacy. However, CDT does not believe that passing legislation limiting RFID deployment or imposing privacy rules specific to RFID technology are appropriate responses to those concerns. The best practices document offers a means to address legitimate privacy concerns pertaining to RFID, without hobbling the technology.

Government-imposed mandates on specific technologies can be problematic. Technological advancement typically outpaces the legislative cycle, meaning that technology-specific laws can quickly become obsolete, or worse, become impediments to the natural evolution of technology. Those problems are compounded in the case of newer services or devices, like RFID, that evolve at a much faster pace than more mature technologies.

Although technology-specific legislation is probably not the best way to address the privacy concerns associated with RFID, failing to address those concerns systematically would be equally troubling. As RFID becomes increasingly ubiquitous, the potential for the technology to impinge on personal privacy grows exponentially. As RFID sensors proliferate, the abundance of collection points, and the detail of location data that can be gathered, also increase.

If industry adequately addresses those concerns now, before RFID is widespread in consumer applications, companies may be spared the challenge of trying to retrofit RFID systems with appropriate privacy protections after the fact. The best-practices document offers companies a blueprint for those considerations. Drawing on fair information principles, the best practices represent a practical response to the privacy issues that arise when personal information is linked to information collected using RFID.

Of course, the real test of any self-regulatory regime is industry uptake and compliance. But the diversity and size of the organizations that participated in drafting the best practices document gives it a solid basis for widespread discussion and adoption. CDT will encourage all organizations planning to deploy RFID in a consumer context to use the best practices as a starting point.

Because the technology continues to evolve, members of the working group dubbed the first public release of the best practices an "interim draft." As new technological considerations arise, the RFID working group will review the document to determine whether advances in the technology and its applications require changes to the best practices.

(3) Technology-Neutral Consumer Privacy Legislation Still Needed


While CDT believes that it would not be appropriate to enact legislation specially regulating RFID, technology-neutral consumer privacy legislation should require that uses of the technology in conjunction with personal information be bound by fair information practices.

Many of the privacy concerns that arise from deploying commercial applications of RFID would be eliminated or greatly lessened by the existence of a strong, national consumer privacy law. For many years, the multiple laws to protect personal information held by companies have lagged far behind the technological advances that have allowed those companies to collect, store and share ever greater quantities of their customers' personal data.

State and federal lawmakers have traditionally responded to privacy concerns with laws to address symptomatic problems like data breaches and spyware. But the privacy issues that arise when companies collect personal data, create detailed profiles and use those profiles to track their customers' physical or virtual activities are the same regardless of the technology used. The more appropriate and sustainable solution is legislation that focuses on the information collected rather than the technology used to collect it.

In every case, citizens should be properly notified when their data is collected, given more control over how their data is shared, be allowed to know what information a company has on file about them, be allowed to correct inaccuracies, and be assured that the company collecting their personal information is taking serious steps to protect it from being stolen or compromised. Such a law could provide companies deploying emerging technologies with baseline guidance about appropriate data practices, and consumers with a degree of confidence that their information is being collected and handled responsibly.

Congress was nearing passage of a broad, technology-neutral consumer privacy measure before the dot-com bust and the September 11 terrorist attacks. Major technology companies including Microsoft, HP and eBay have signaled their support in principle for consumer privacy legislation, and Congress now appears prepared to restart that debate.

If Congress prevails in passing a strong consumer privacy measure, it will address the fundamental concerns privacy advocates have with RFID technology. In the meantime, the best practices provide clear guidance for companies to deploy RFID in a way that protects consumers.

Source: http://www.cdt.org/publications/policyposts/2006/9



RFID Security Threats: Your Cat is Probably Safe ... for Now

 

Monday, March 20, 2006
by Adi Tedjasaputra

The recent paper titled “Is Your Cat Infected with a Computer Virus?”, published during the Pervasive Computing and Communications Conference 2006 in Italy, warns that data from RFID tags can be used to exploit back-end software systems.

One day later, the president of AIM Global, the Association for Automatic Identification and Mobility, published an article on his web site that plays down this issue and criticises the methodology of the research in the paper.

Given the two extremely different opinions expressed by respected representatives of the Computer Science community and the RFID community, it is particularly important for members of both communities to understand the essential issues that lie beyond the question of an RFID virus.

Analysis
The paper published by the researchers from Vrije Universiteit Amsterdam does a good job of summarising the common security and privacy threats, i.e. Sniffing, Tracking, Spoofing, Replay Attacks and Denial of Service, and of demonstrating the possible malware threat to an RFID system by exploiting several possible security holes.

With the increasing number of IT vendors jumping on the RFID bandwagon, and fiercer competition among vendors that demands a shorter time-to-market for middleware, there is a realistic chance that RFID middleware products currently on the market are delivered with security holes, regardless of the criticism voiced by AIM Global's president that the demonstration system mentioned in the paper was intentionally built with a weakness. Instead of pointing fingers at each other, there is a need for security experts to objectively verify how susceptible current RFID middleware is to malware threats.

On the other hand, organisations that have implemented an RFID system can still sleep without worries for now, because any exploit using the methodology presented in the paper would require a combination of thorough knowledge of malware production and RFID system design, one or more security holes that match the malware exploit, an opportunity to infect a tag using proper (relatively expensive) equipment and, most important of all, an ill intention to sabotage. It is safer to assume that potential threats coming from inside the organisation are more prominent than external ones.

Reflection
When I explained the possible security threats of using on-line banking facilities to some people who were not aware of the risks in using an on-line banking system, they usually became alert to the fact that their assets have been vulnerable to various security threats from the second they connect to the Internet.

Explaining some security measures that they could perform, I usually added a joke for the ultimate on-line banking security measure: Unplug all the cables from your computer, turn off all your electronic devices and remove any power source elements from your electronic devices for 100% security guarantee.

In reality, there is no 100% security guarantee in this networked world. When you become part of a “network”, voluntarily or involuntarily, there is always a chance that your security is compromised. A sensible action you can take is to assess your security state continuously, take appropriate security measures and prepare recovery plans for any security breach that may arise.

End-Note
Your cat may be safe for now, because current RFID animal tags usually have the Read-only (RO) memory attribute and are immune to any change of data. However, the recent natural threats from mad cow disease and avian flu have sparked some interest in using RFID animal sensory tags that can integrate sensing devices to detect, monitor, measure, record and transmit various environmental and host parameters, such as temperature. A future scenario of recording more data into a Read-Write (RW) animal sensory tag is no longer far-fetched. Your cat may no longer be safe in this future scenario.

The PDF version of this article is downloadable at:
http://www.rfid-asia.info/rfid_security_threats.pdf




Press Release: EU Commission launches public consultation on RFID tags

 

Friday, March 10, 2006
Radio Frequency Identification Devices (RFID), which will soon replace bar codes in your supermarket, offer tremendous opportunities for business and society. But their power to report their location, identity and history also raises serious concerns about personal privacy and security, as well as technical interoperability and international compatibility. To address these concerns, some of which may well require legislative responses, the European Commission today launched a comprehensive public consultation with a high-level Conference on RFID at the CeBit 2006 trade fair in Hannover, Germany.

“RFID tags are far cleverer than traditional bar codes. They are the precursors of a world in which billions of networked objects and sensors will report their location, identity, and history” said Information Society and Media Commissioner Viviane Reding. “These networks and devices will link everyday objects into an ‘internet of things’ that will greatly enhance economic prosperity and the quality of life. But as with any breakthrough, there is a possible downside – in this case, the implications of RFID for privacy. This is why we need to build a society-wide consensus on the future of RFID, and the need for credible safeguards. We must harness the technology and create the right opportunities for its use for the wider public good.”

The European Commission last year established an RFID inter-service group to co-ordinate the gathering, analysis and internal dissemination of information concerning RFID technology and its uses. Building on this, the Commission has started today to launch a wide public debate on the opportunities and challenges associated with RFID. To exploit the economic potential of RFID, privacy and consumer concerns associated with the use of RFID tags need to be handled constructively, with the assent of all stakeholders. Furthermore, to enable RFID to deliver on its potential for growth and jobs, Europe needs to agree on common technical standards, to ensure RFID interoperability across borders, and also on a common radio spectrum band for RFIDs to use.

The public debate on RFID launched by the Commission today will rely on a series of workshops to build consensus on key issues associated with the use of RFID. These workshops will address RFID applications, end-user issues, interoperability and standards, and frequency spectrum requirements. They will take place in Brussels between March and June 2006 and their conclusions will assist the European Commission in drafting a working document on RFID. This document will be published in September in an online consultation. Additional feedback obtained will then be analysed and integrated in a Commission Communication on RFID, to be adopted before the end of the year.

This feedback could lead to amendments of the e-privacy-Directive which is up for review this year. The Communication will also address the need for other legislative measures for RFID, such as decisions on allocation of spectrum.

The Commission is at the same time stepping up its exchanges with the USA and Asia on RFID technologies, in order to define globally-accepted interoperability standards and practices with regard to data privacy and ethical principles when applying the technology.

Finally, the Commission is also planning to support, in the forthcoming Seventh Framework Programme for Research and Technological Development, technology and innovative applications that bring us a step closer to the “Ambient Intelligent Society”.

For more information:

- DG INFSO website “Towards a RFID Policy for Europe”

http://europa.eu.int/information_society/policy/rfid/index_en.htm

- CEBIT Fair Hannover, “The Revolution of RFID – Changes and Options for Action”

http://www.cebit.de/34733?usertyp=1&highlight=Reding&x=1



Tax Benefits or Privacy?

 

Friday, January 13, 2006
From 19th January 2006, the Seoul city government will offer tax benefits for drivers who are willing to participate in the "No Driving Day" campaign and attach a sticker embedded with an RFID tag to the front window of their cars.

The idea of using stickers embedded with RFID tags for vehicle identification is nothing new. However, the idea of offering a choice between claiming tax benefits and risking privacy is new.

The bottom line is that a 5 percent discount in automobile taxes and a 2.7 percent discount in auto insurance fees will be traded for the requirement that drivers leave their vehicles unused for one day a week and allow the authorities to track their movements and access their personal information.


RFID Asia 1st Meeting 2006

 

Monday, January 02, 2006
A recent survey conducted by the Federation of Malaysian Manufacturers attributed the lack of commitment to Radio Frequency Identification (RFID) adoption to poor understanding and knowledge of RFID. Of the more than 2,000 respondents in the survey, less than 10% understood the significance of the technology and its potential impact on their businesses.

Additionally, according to another recent survey conducted by Fusion Consulting with 136 international and local manufacturers, buying offices and logistics service providers located in Guangdong and Hong Kong, 94% indicated that they are currently not interested in adopting RFID technology for tracking their merchandise.

Of the 93 companies that had clear reasons for not adopting RFID, the main obstacle is ignorance, i.e. "don't understand/not familiar with RFID" (44%). The main reasons given by American or European companies for not adopting RFID are that they are "not interested/do not find RFID useful" (19%) and "not popular/wait and see market response" (11%), whereas the main obstacle to adoption for Asian companies is that they "don't understand/not familiar with RFID" (35%).

The Meeting Event
During the RFID Asia 1st meeting, the speakers and attendees will share their knowledge and experience, while networking among the RFID Asia community members and discussing strategic partnerships and alliances to participate in Asian RFID projects.

The event will gather senior management executives from companies and organisations working in the field of RFID, such as RFID component suppliers, RFID hardware and software developers, RFID system integrators, RFID academic and research institutions and RFID technology end users.

As the leading RFID event in Asia, this event will be held from 8th February to 9th February 2006 in Singapore at the UOB Plaza 1.

About RFID Asia
As a global independent and non-profit RFID community in Asia, RFID Asia adopts a vision of becoming the Regional Independent RFID Knowledge Centre in Asia by facilitating a regional RFID community forum for industrial, research and educational institutions and organisations, building and disseminating knowledge on the emerging RFID technological, business and societal issues, promoting regional RFID standards, innovation, venture capital, products, services, solutions, privacy issues and business opportunities.

Meeting Pre-registration
Pre-registration is available on-line and by sending a fax containing name, telephone, fax, e-mail, address and affiliation to:
Fax no. +62-21-4586 5545
Att. RFID Asia Meeting Registration

The number of attendees is limited to 50 persons to guarantee high meeting quality. RFID Asia community members automatically get higher priority in acceptance than non-members.


FSF Founder refuses RFID tagging

 

Wednesday, November 23, 2005
Refusing to be tracked during the U.N. World Summit on the Information Society, the founder of the Free Software Foundation (FSF), Richard Stallman, was held by U.N. security, according to Bruce Perens, vice president of developer relations and policy for SourceLabs.

Stallman's action of wrapping his identification badge in aluminium foil was a simple yet effective way to avoid tracking by U.N. security during the summit. The incident has attracted wide attention because of public concern about the privacy issues posed by some applications of the technology.


If you can't kill it, scratch it off

 

Monday, November 07, 2005
One of the privacy issues in the application of RFID technology in the retail industry is related to RFID tag deactivation. Several recent attempts, such as support for the deactivation feature (KILL) in EPCglobal's Gen 2 tags and the zero-knowledge approach, rely on technology embedded in RFID tags to ensure the "preservation" of privacy.

Tackling the privacy issues from a different angle, two IBM researchers, Guenter Karjoth and Paul Moskowitz, recently proposed the use of Clipped Tags to deactivate RFID tags. In the usage scenarios for these tags, retail consumers have an opportunity to scratch off the specially designed antenna, tear off perforated RFID tags or peel off an antenna sandwiched between two layers of packaging material.


New EPC Gen2 RFID Chips from STMicroelectronics

 

Monday, September 19, 2005
STMicroelectronics has introduced a UHF (Ultra-High Frequency) contactless memory chip, compliant with the latest Electronic Product Code™ (EPC) specifications.

The new XRAG2 builds on its predecessor (XRA00) for Very Long Range RFID systems and operates at a range of UHF frequencies from 860 to 960 MHz. This frequency agility ensures the same tag can be applied and read at any place in the world, regardless of the geographically varying wireless regulations.

The XRAG2 features an anti-collision mechanism that allows the reader to detect and correctly identify all tags in its operating range. Designed for the noisy and unpredictable radio conditions typical of RFID applications, ST devices use a tag-unique selection based on a 16-bit random handle.

The Generation 2 specifications also optimize system performance in different reader environments. At facilities with more than 10 readers, XRAG2 chips are capable of operating in the dense-reading mode, which minimizes interference by allowing readers to transmit within a different sub-band from the one within which the tags respond.

The XRAG2’s security mechanisms include password-protection against tampering and the KILL command that supports disabling tags in the field so their data can never again be accessed. The ability to permanently deactivate a tag is vital in satisfying consumer privacy concerns. For example, the KILL command could be executed when the tagged item is purchased by a consumer, thereby disabling future tracking.

The XRAG2 is a 432-bit memory offering two possible configurations, thus allowing the tag to store dedicated industrial codes: three memory banks (64 bits TID, 304 bits for EPC code and 64 bits reserved), or four memory banks (128 bits user, 64 bits TID, 176 bits for EPC code and 64 bits reserved).

Developed using a highly reliable and mature CMOS technology with embedded EEPROM, the XRAG2 is well-suited to high-volume, cost-driven markets. Its non-volatile memory technology features 40-year data retention and more than 10,000 Write/Erase cycles to support the requirements of long-life applications.

Engineering samples of the XRAG2 are now with key partners, with full sample availability within the next few weeks and volume production expected by December 2005. The device is priced at $0.07 in 100,000 unit quantities. The product can be ordered in thin un-sawn wafers, or in bumped and sawn wafers.


Human-centred Design in RFID business

 

Thursday, June 30, 2005
In deploying the system, if you consider RFID as merely a form of next-generation barcode technology, you are one step closer to its failure upon adoption.

You need to think "outside the box" and identify the needs and solutions to the problems shoppers encounter when using the system. You need to make sure that by using the system, their privacy is protected, their identity is secure from identity thieves and the self-check-out system is usable in a practical sense.


Anti-eavesdropping device for RFID-based passports

 

Friday, May 27, 2005
Governments within ICAO have decided to introduce an RFID chip within passports for security and easy border passage. Integrated Engineering announced the introduction of its anti-eavesdropping chip reader, which is intended to prevent eavesdropping on privacy-sensitive information contained on a passport. The company proved to have a mature anti-eavesdropping device at the last e-passport interoperability tests in Tsukuba, Japan.


Tighter identity management

 

Monday, January 24, 2005
"The manufacturer has a lot of large factories with between 5000 to 6000 employees in each and had difficulty tracking who was arriving or leaving. It looked into putting RFID chips into employee overalls so the company could monitor entry and exit areas," Watson said. "The reason why it chose RFID was that its privacy requirement needed to uniquely identify the overalls, not the people.
