RFID Growing Into Information Security Risk

By Greg McNevin

July 18, 2007: According to the European Parliament's technology assessment task force, as RFID technology becomes more ubiquitous the threat to personal privacy and security is increasing in tandem.

In its latest "RFID and Identity Management in Everyday Life" survey, the task force examined 24 RFID implementations to explore how European citizens experience the technology and to identify any possible or current problems the rapidly advancing technology poses.

“Until recently, RFID was mainly used for logistical purposes to identify cargo,” reads the report. “Now it has entered the public space on a massive scale: public transport cards, the biometric passport, micro-payment systems, office ID tokens, customer loyalty cards, etc.

“Specific persons can be identified once the database can link the identity number of the chip to the person carrying it, as is the case with ID cards. Once the identity is confirmed, the system can respond for example by opening a door, providing information, performing a transaction, or any other kind of service. Meanwhile the service, as well as the combination of ID, place and time, is registered.”

It is this constant registration of information that has critics of RFID worried: unless robust regulations are in place to control mining of the collected data, personal privacy could be at risk.

The report found that users of RFID technology generally liken it to an electronic key or wallet. For the maintainers or owners of a system, however, the fact that it can be used to monitor and record movement, spending, productivity, preferences, habits and more gives them “a means of providing feedback according to […] identities and control over their users.”

To keep RFID use under control, the task force recommends that users be informed of what maintainers can and are allowed to do with RFID data, that users play a role in developing RFID environments, and that, if personal data from different RFID installations are merged, it remain clear who is responsible for handling the data.

The task force also recommends that “privacy guidelines and the concepts of personal data and informational self-determination need to be reconsidered in the light of an increasingly interactive environment,” and that governments take a clear stance on whether RFID data will be mined for investigation purposes.
