Radio frequency identification technology


computer law & security report 22 (2006) 313–315

available at www.sciencedirect.com

www.compseconline.com/publications/prodclaw.htm

Electronic communications – technology

Radio frequency identification technology

Tatyana Dobson, Elle Todd

Olswang, London

Abstract

This paper looks at some of the legal and regulatory questions the European Commission have identified for consideration in a set of forthcoming workshops on RFID.

© 2006 Olswang. Published by Elsevier Ltd. All rights reserved.

1. Introduction

Many of the debates and legal issues surrounding Radio Frequency Identification Technology (“RFID”) have been circulating for years. While some high profile organisations like Wal Mart, Tesco and Marks & Spencer have been using RFID for some time, recent European-wide attention on the regulatory challenges posed by RFID marks the coming of age of RFID as a more mainstream business application. On 9 March 2006, Information Society and Media Commissioner Viviane Reding announced the launch of a European Commission debate on RFID to comprise a series of targeted workshops in Brussels to form the background to a document that is intended to be published for consultation in September 2006. A Communication document is then promised with potential amendments proposed to EU Directives such as the Directive implemented in the UK by way of The Privacy and Electronic Communications (EC Directive) Regulations 2003. This article provides an overview of the key legal issues that the European Commission will be focussing on and suggests other questions they could also be thinking about.

2. Application domains

The first of the Commission workshops, due to take place at the beginning of May 2006, will focus on mapping the different potential applications for RFID. While RFID offers promising potential in many domains (including pharmaceuticals, health, agriculture, transport, logistics, security) this workshop will aim to identify and prioritise the domains and to formulate recommendations for assessing the needs and defining the guidelines on the use of technology in these areas.

3. Consumer privacy and security

Scheduled to take place in June 2006, perhaps one of the most contentious of the workshops will focus on the privacy and security implications of RFID. Of all the legal issues RFID poses, privacy has probably received the most media attention. Little wonder this is the case as the prospect of electronic tagging under the skin, in bank notes and of retail items purchased by consumers easily gives rise to dystopian visions of intrusive retailers, law enforcement bodies undertaking covert surveillance and of fraudsters gaining unauthorised access to chips. For example, RFID chips embedded in retail products (rather than the packaging of products) could remain in products for indefinite periods and so be potentially trackable beyond the limited scope of their original purpose. It is therefore not surprising that one of the aims of this Commission workshop is to extend the acceptability of technological approaches to build consumer trust in such RFID applications.

While it is crucial that the Commission examines the privacy issues surrounding the increased use of RFID, there is also a need to differentiate between applications that do not implicate privacy and security (including many of the business-to-business applications in use or predicted in the short-term) and those that do. For example, uses of RFID in supply chain applications before the point-of-sale, where security is a main concern but where there are no privacy implications, should be differentiated from uses after the point-of-sale where both privacy and security are of concern. So while the privacy issues surrounding RFID clearly need to be debated at a European level, it is important to remember that they only relate to certain applications.

0267-3649/$ – see front matter © 2006 Olswang. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2006.05.008

A report published by the European Commission’s Article 29 working party in early 2005 examined the privacy implications of the spread of RFID technology and identified some of the potential drawbacks that remain to be addressed by the Commission. From a legal perspective, the collection and storage of personal data and the tracking of individuals through the use of RFID technology could all potentially infringe current data protection law. To the extent that RFID applications will make use of personally identifying information, covered in the UK by the Data Protection Act 1998, organisations adopting such applications will need to consider the application of that Act’s implications in terms of basic principles but also (in this context) more arcane points such as rights of consumers to access their personal data. Under some of the scenarios where RFID technology is used, consent from individuals will be the only legal ground available to data controllers to legitimise the collection of information through RFID. Individuals will need to be informed which products contain tags, how to destroy or disable tags, when RFID readers are within range and who will have access to their data.

Although the privacy implications of RFID have received much media attention it will be more interesting to see how the European Commission addresses the potential threats to security that may be generated by RFID. These include risks of fraud and rogue third parties accessing data via passive signal interception from the RFID tag or reader and unauthorised reading. In addition, the mere fact that RFID usually tracks tags, not objects themselves, poses a security risk. Is an empty DVD recorder box with an RFID tag indistinguishable from a DVD recorder?
Can invoices be raised for goods when all that is delivered is RFID-tagged boxes? While RFID tagging can help control pilferage, it can also enable it, potentially on a larger scale. Experts from Amsterdam’s Free University have recently pointed out that RFID tags could also be vulnerable to computer viruses.

Integrating privacy and security by design in the conception of RFID applications is vital to ensure the widespread adoption of RFID and maximise the benefits from this technology. The EIU report “RFID Comes of Age” concludes that legislators should require that RFID tags be deactivated at point-of-sale to allay privacy concerns, but not require the permanent “killing” of stored data, as this would limit users’ ability to opt-in to interesting post-sale applications that benefit consumers as well as businesses, such as the product recall and research initiatives under consideration by a number of retailers already.

The EC has already published a series of guidelines to advise companies on best practice with the use of RFID tags and how to ensure that consumers’ privacy is not breached and also that businesses do not break the law by mishandling data. While the EC clearly recognises the need for the design of RFID tags, readers and RFID applications to be driven by standardisation initiatives, there is also a need for additional research and development in both light-weight security protocols and more sophisticated key distribution mechanisms and for the use of industry wide codes of practice to help engender consumer trust and dispel misperceptions.

4. Interoperability and intellectual property

This workshop, scheduled for late June 2006, will focus on the issues and solutions surrounding interoperability of RFID including the role of standardisation in facilitating the rollout of the technology and the use and operation of governance models and processes for RFID technologies and related database systems when objects of any kind are linked to a data source (including Object Naming System, Domain Name System (DNS) and Internet Protocol Version 6 (IPv6) amongst others). A successful realisation of “the Internet of Things” will require global standards for interoperability with the existing internet and wireless networks. Uniform standards will help to avoid the costly choices of different standards for different regions and maximise the benefits of the technology. Although much significant R&D work has been undertaken, most of the research is still very application specific (with security and environmental applications dominating) and demonstration driven. It is likely that a more generic and comprehensive approach is required, where different stakeholders and research specialists work together in an interdisciplinary way to solve true system level problems in the context of the Internet of Things and of their applications.

5. Frequency spectrum requirements

Currently, each member state in the EU controls the use of the radio spectrum within its jurisdiction and regulations governing UHF RFID have already been adopted in various countries around the world. In September 2004 the European Conference of Postal and Telecommunications Administrations (CEPT) agreed unanimously to adopt a new European Standard for UHF RFID which has since been adopted into national legislation in a number of European member states. In November 2005 Ofcom approved the European standard for adoption in the UK. Ofcom also announced that the use of RFID operating in the standard UHF range would be exempt from licensing, meaning that equipment can be used without a licence under the Wireless Telegraphy Act 1949, subject only to regulations intended to minimise potential interference. The aim behind Ofcom’s deregulation is clearly to increase the amount of licence-exempt spectrum used by businesses to facilitate the introduction of new technologies and services to the market. The Commission’s workshop on frequency spectrum, currently scheduled for early June 2006, will aim to address the short, medium and long term issues surrounding the availability of spectrum in Europe and worldwide. In discussing the short-term, emphasis will be placed on the need for timely implementation of existing standards and spectrum regulations, especially in the UHF band. For the longer term, a sustainable implementation strategy for Europe will be defined, including an assessment of the quantitative and qualitative spectrum needs. There will also be an attempt to identify and solve obstacles, whether technical, economic or political.


A potential long term obstacle that certainly requires consideration is the frequency harmonisation for specific applications (particularly across Europe and the US).

6. Conclusion

It is clear that RFID is likely to have a lasting impact on global business across a wide range of sectors. The technology is being used by a number of major organisations and is on the brink of widespread applications in logistics, transport, manufacturing, distribution, retail, safety, security, healthcare, law enforcement and many other areas. The expanding industrial interest in the use of RFID and the increasing tangibility of the prospects of these commercial applications reinforce the need for collaborative efforts by regulators worldwide to smooth the uptake of the technology by helping to clarify where the significant legal obstacles lie. On that note, while the issues surrounding privacy are important and deserve further scrutiny, let us hope that they do not overshadow some of the more challenging obstacles to be faced by the Commission this summer.

Tatyana Dobson ([email protected]) is a trainee solicitor and Elle Todd ([email protected]) is an assistant solicitor in the Media, Communication and Technology Group at Olswang, a law firm with offices in London, Thames Valley and Brussels.