RFID Policy Update 1/23/08 Dan Caprio President DC Strategies, LLC.

Benefits The use of RFID technology offers significant benefits in many areas including food safety/recall; genuine products (plane parts); preventing counterfeit drugs; sustainable consumption; transport, security, logistics and stock control. Need for industry-led, voluntary RFID self-regulatory approaches and practices to issues like privacy, information security, and data management while differentiating the many applications of RFID that do not implicate personally identifiable information (PII). Concerns about consumer privacy, data collection and security are not unique to RFID.

Unintended Consequences Thus, in dealing with issues surrounding privacy, one must take into account both existing regulatory and policy constructs and the technology solutions that enable further security and privacy. Overbroad application of existing regulation; new regulation, if warranted, that is not narrowly tailored to specific applications of RFID; and failure to appropriately take into account technology- and policy-based solutions that work in conjunction with regulatory constructs could, and often do, result in unintended consequences.

Privacy Need for industry-led, voluntary RFID self-regulatory approaches and practices to issues like privacy, information security, and data management while differentiating the many applications of RFID that do not implicate personally identifiable information (PII). Yet the privacy concerns are real and must be addressed in order to assure that the potential economic and societal benefits of RFID are realized.

Item Level While test beds of RFID at the product level have garnered the majority of press attention, the majority of RFID deployments exist at the business-to-business level and deal with logistics and inventory management. These applications do not present privacy issues, as RFID tags in the pre-point-of-sale space are not associated with PII and contain only product information. RFID in these types of application continues to feed into the same logistics and supply chain applications, which are usually controlled by the owner of the supply chain.

Best Practices A number of private sector and civil society organizations have already been doing work on possible codes of policy and practice to address these issues led by the International Chamber of Commerce Principles for Responsible Deployment and Operation of Electronic Products Codes, EPCglobal Guidelines for Consumer Products, The Center For Democracy and Technology (CDT) Privacy Best Practices for Deployment of RFID Technology, and the Electronic Privacy Information Center (EPIC) Guidelines on Commercial Use of RFID Technology.

Proportionality One of the public privacy concerns is that RFID will be used to secretly track, monitor, and collect data on individuals. There is fear the technology will allow collection of personal data without the individual’s knowledge or consent. In order to address this privacy concern, the principles of “proportionality” and “transparency” should be applied to the RFID implementation. “Proportionality” in this context requires a balanced analysis of whether the risk to individuals is sufficiently mitigated to justify the use of RFID to process the information.

Transparency An element of an RFID “proportionality” risk analysis should be whether the use of a radio to transmit the identifier is necessary or beneficial. However, an RFID-enabled card limited to a very close read range with appropriate safeguards (e.g. cryptographic protection or unique/dedicated reader frequencies) may pose very little additional risk but may add convenience. “Transparency” ensures RFID is not secretly used to collect data. The use of RFID tags and readers, data collection, and the sharing of data collected using this technology should not be done covertly.

Notice In order to achieve transparency, individuals in RFID enabled environments should receive reasonable and appropriate notification that the technology will be used, the type of data collected, and how the data will be shared and used. Achieving “reasonable” and “appropriate” notification will vary based upon the application of the RFID technology and the type of data collected.

Choice RFID implementers should consider whether the tag should be disabled at some point. The determination to disable should be made by focusing on whether disabling (e.g. a kill tag) is necessary to mitigate real risks to individuals. For example, an RFID tag in an item which an individual will carry with them consistently (e.g. a watch) may pose less risk if it allows the individual to disable the tag. Conversely, for RFID tags placed in product packaging that an individual will discard quickly, there is likely little need for a disable function.

Encryption Another concern is that an individual’s RFID tag can be read by a reader that is not authorized to read the data, and that it will do so without the person’s knowledge or consent. This causes privacy concerns when a tag is read by an entity that is not authorized to collect personal data. Technologists have demonstrated the vulnerabilities of RFID tags by showing that the tags can be read in certain circumstances by special tools that interrogate or attempt to read them. These special tools are free but require technical knowledge to operate. Therefore, the average untrained person will most likely not be able to read a tag without authorization.

Authentication The increased use of RFID authentication and encryption technologies can increase privacy by ensuring that only authorized readers are able to access the tag’s information. Cryptography is an evolving technology that should be applied when there is a risk of unauthorized reading of RFID tags and that unauthorized reading would create risk for an individual. It is worth noting that while data confidentiality is always a desirable goal, passive RFID tags often have a very limited broadcast range and may pose only a limited risk of unauthorized reading.

Passive In addition, passive tags and other low power sensors may lack the power to support encryption or authentication. Please note that confidentiality is not a requirement in environments that do not include individuals (e.g. supply chain structure where only pallets of merchandise are marked).
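The Encryption, Authentication, Choice and Passive slides above describe the defensive goal in prose: a tag should release its identifier only to a reader that can prove it is authorized, and the kill (disable) command should be protected the same way so a stranger cannot silence or read the tag. The following simulation is an added example written for this page, not code from the presentation or from any RFID standard; the tag identifier, the 16-byte key and the 8-byte truncated HMAC are constructed values, and the reader/tag message names (`read`, `kill`) are assumptions. It models a nonce-based challenge-response in Python so the reader-side and tag-side logic can be exercised offline.

```python
"""Simulated reader/tag challenge-response (constructed example).

Goal from the slides: only readers holding the tag's key can read the tag
or kill it, and a captured reply cannot be replayed against a new challenge.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

TAG_MAC_LEN = 8  # truncated MAC keeps the over-the-air reply short (assumption)


def reader_proof(key: bytes, label: bytes, nonce: bytes) -> bytes:
    """Reader side, step 2: answer the tag's nonce with a MAC under the shared key.
    The label separates a 'read' proof from a 'kill' proof for the same nonce."""
    return hmac.new(key, label + nonce, hashlib.sha256).digest()[:TAG_MAC_LEN]


class Tag:
    """Tag side: holds its identifier and a shared key; releases nothing unauthenticated.
    HMAC-SHA256 is heavier than many passive tags can afford (the Passive slide's
    point); this is a model of the protocol logic, not of a tag's power budget."""

    def __init__(self, tag_id: bytes, key: bytes) -> None:
        self._id = tag_id
        self._key = key
        self._nonce: Optional[bytes] = None
        self.killed = False

    def challenge(self) -> bytes:
        """Step 1: emit a fresh single-use nonce."""
        self._nonce = secrets.token_bytes(8)
        return self._nonce

    def _take_nonce(self) -> Optional[bytes]:
        nonce, self._nonce = self._nonce, None  # each nonce is consumed once
        return nonce

    def respond(self, proof: bytes) -> Optional[bytes]:
        """Step 3: release the identifier only if the reader proved key knowledge."""
        nonce = self._take_nonce()
        if self.killed or nonce is None:
            return None
        if not hmac.compare_digest(reader_proof(self._key, b"read", nonce), proof):
            return None
        return self._id

    def kill(self, proof: bytes) -> bool:
        """Permanently disable the tag; authenticated so only the owner can do it."""
        nonce = self._take_nonce()
        if nonce is not None and hmac.compare_digest(
            reader_proof(self._key, b"kill", nonce), proof
        ):
            self.killed = True
        return self.killed


def read_tag(tag: Tag, key: bytes) -> Optional[bytes]:
    """Full read exchange from the reader's point of view."""
    return tag.respond(reader_proof(key, b"read", tag.challenge()))


def kill_tag(tag: Tag, key: bytes) -> bool:
    """Full kill exchange from the reader's point of view."""
    return tag.kill(reader_proof(key, b"kill", tag.challenge()))


def replay_attempt(tag: Tag, key: bytes) -> Optional[bytes]:
    """A proof captured from a legitimate session, reused against a fresh nonce."""
    captured = reader_proof(key, b"read", tag.challenge())
    tag.respond(captured)  # legitimate read consumes the nonce
    tag.challenge()        # new session, new nonce
    return tag.respond(captured)


def demo() -> Dict[str, object]:
    """Run the scenarios the slides discuss and return their outcomes."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    wrong_key = b"\xff" * 16                                   # reader without the key
    tag = Tag(b"EPC-constructed-0001", key)                    # constructed identifier
    return {
        "authorized": read_tag(tag, key),            # identifier released
        "unauthorized": read_tag(tag, wrong_key),    # None: no key, no data
        "replay": replay_attempt(tag, key),          # None: nonce is single-use
        "kill_unauthorized": kill_tag(tag, wrong_key),  # False: stranger cannot kill
        "killed": kill_tag(tag, key),                # True: owner disables the tag
        "after_kill": read_tag(tag, key),            # None: killed tag stays silent
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome!r}")
```

The design choice worth noting is that the kill command is authenticated with the same key as reads: a disable function that anyone in radio range could trigger would itself be a denial-of-service risk, which is why the Choice slide's "disable" option only helps when it is under the individual's or owner's control.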

Tracking Much of the public privacy concern comes from the fear that RFID will enable an individual to be uniquely identified and that this data may be used to track the individual or create a personal profile by tying the RFID data to other data about that individual. Like other technologies that collect personal data (e.g. the internet for e-commerce), the focus should be on ensuring that only data related to achieving the stated business objective is collected. Further, entities should make certain the collected RFID data is protected with the same rigorous privacy standards applied to personal data collected from other sources.

Data Protection This policy position shifts the focus away from RFID technology and toward the broader issue of ensuring there are rigorous privacy and data protection policies in place to protect all individual privacy data, regardless of the source of that data. Typically these broader policy standards apply to how the data is stored and protected on the back end, such as the database where the data is stored, the processes used to manage and protect the collected data, and how the data is protected when shared with authorized third parties.

Regulation Governmental regulations mandating the type of acceptable RFID technology or use may chill or slow future industry innovation that could lead to superior technology solutions and methods for data collection. The development of RFID authentication and encryption could potentially do much more in the long run to protect privacy than regulations mandating which technologies can or cannot be used. Rather than focus on regulating RFID technology, the focus should be on regulating, as appropriate, robust general privacy standards through the rigorous protection of stored personal data, and controlled use of that data, regardless of the source of the data.

Thank You Thank you again for inviting me to participate. I can be reached at strategies.com