Privacy and Security TidBits

The RFID Privacy and Data Protection Impact Assessment Framework in the EU: The Article 29 Working Party and the FTC are in No Rush

On February 11, the Article 29 Working Party adopted an opinion on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment (PIA) Framework for RFID applications. (ARTICLE 29 DATA PROTECTION WORKING PARTY 00327/11/EN WP 180 Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications)

The Article 29 WP endorses the proposal developed by industry associations, experts, academics, and individual companies from across Europe.

One of the main privacy concerns related to RFID technology arises from uses of RFID technology which entail individual tracking and obtaining access to personal data. While an RFID operator may not have such a goal in mind when deploying an RFID application, it is important to consider the risk that a third party may use tags for such unintended purposes. The revised framework now clearly requires RFID operators to evaluate the risks that may arise when tags may be used outside the operational perimeter of an RFID application and/or are carried by persons.

The European Commission published a recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification on May 12th, 2009 (the “RFID Recommendation”).

One of the recommendations reads:

“Article 7: RFID use in Retail

Article 7.3: (a) Where a RFID application processes personal data or the privacy impact assessment…shows significant likelihood of personal data being generated from the use of the application, the retailer has to follow the criteria to make the processing legitimate as laid down in directive 95/46 and to deactivate the RFID tag at the point of sale unless the consumer chooses to keep the tag operational. (b) Where a RFID application does not involve processing of personal data and where the privacy impact assessment has shown negligible risk of personal data being generated through the application, the retailer must provide an easily accessible facility to deactivate or remove the tag.”

In the U.S. Federal Trade Commission’s comments on the European Commission’s recommendation of May 2009, the FTC stated, in response to recommendation Article 7.3 (a):

“…Similarly, with respect to RFID, we caution against mandating a specific technological approach, such as mandatory deactivation of tags, before fully understanding the range of benefits the technology might provide to consumers, as well as the range of protective measures that might be available to consumers in the future.”

(The U.S. Federal Trade Commission’s Bureau of Consumer Protection is in charge of protecting consumer rights in the US.)

This is the recent Article 29 WP’s opinion on the subject matter of RFID use in retail:

“This concern (about individual tracking and access to personal data) has received particular attention in the retail sector, where it is feared that tagged items bought by individuals could be misused by retailers or third parties for tracking or profiling purposes. The European Commission addressed this concern in the Recommendation by establishing the principle that tags must be deactivated at the point of sale unless the customers give their informed consent to keep tags operational. The same Recommendation allows an exception to this deactivation principle if the PIA concludes that keeping tags operational after the point of sale does not represent a likely threat to privacy or the protection of personal data. The Working Party observes that a risk management approach, as suggested by the Framework, is an essential tool for the RFID Operator to assess the risks of taking the responsibility to keep tags activated after the point of sale.”

As shown with this example, a key point is that the Revised Framework is based on a risk management approach, which is an essential component of any Privacy and Data Protection Impact Assessment Framework.

The Article 29 WP, however, would like to see implementation of the Commission’s recommendation no earlier than three years from now (2014):

“The European Commission is expected to provide a report on the implementation of the Recommendation, its effectiveness and its impact on operators and consumers, with regards in particular to measures concerning the retail sector. This report is set to be produced 3 years after the Recommendation was published, that is by May 2012. However, considering that the Framework may take 6 months to fully take effect, supplementary time would be beneficial for all stakeholders before such an evaluation is conducted. Therefore, the Working Party would like to suggest to the European Commission to either postpone or supplement the proposed report at a later date set in 3 years from the publication of this opinion.”

In the above-mentioned comments on the European Commission’s recommendation of May 2009, the FTC remarked:

“The FTC staff supports the EC’s risk-based approach to addressing potential consumer privacy and data security issues related to the use of RFID technology. The FTC staff also agrees with the EC that there is a need to raise consumer awareness about RFID technology, in order to enhance consumer trust and to give consumers the tools to protect themselves from the risk of misuse of their information. Given the current stage of deployment of consumer-facing RFID applications, however, the FTC believes that mandating or encouraging specific technological tools for protecting consumer privacy is premature.” (bold added)

Premature?

Implementation no earlier than 2014?

Last summer, Wal-Mart created quite a controversy when it started to use RFID tags to track underwear and jeans, and the George Miller III Head Start Program in Contra Costa County, California, created a buzz when it started to make pre-schoolers wear jerseys with RFID chips inside that track them through the day.

But RFID (radio-frequency identification) technology is far from new. It has been used for many years to keep track of cattle, prisoners, goods, and pets.

RFID technology is already widely adopted, worldwide and in many industries, and is also found in enhanced driver’s licenses, credit and debit cards, passports and government IDs, TWIC cards, employer ID/proximity cards, US E-ZPasses, and London Oyster cards, just to name a few applications.

The risk of tracking, profiling, fraud, and identity theft is here and it is real. RFID readers are used by convenience stores, pharmacies, restaurants, fast food markets, bars, and many other places of business to read the RFID chips.

However, these same readers can be freely purchased and attached to a laptop with very little technical knowledge required. There are even cell phones with built-in card readers that can steal your information. By simply walking past you, anyone equipped with such a device can acquire your credit card number and expiration date. There is even a term for it: electronic pickpocketing.

Here’s a not-so-recent video by Boingboingtv: “How to hack RFID-enabled Credit Cards for $8 (BBtv)”

Human RFID implants are already used for access to cars, homes, and offices.

Human RFID implants with personal health and financial information are being used and promoted:

Premature? Seriously?