Future Now
The IFTF Blog
RFID in 2005: Privacy and Security
Notes from the final session of the Commerce Department's RFID in 2005 conference. As with all notes, they're my take on what was said, not a precise transcript, and all errors are mine.
James Lewis
Need rules and structure to use a technology (but they don't have to be laws or restrictions)
Public domain will expand; reasonable expectation of privacy will shrink
Rules for the collection and use of data no longer fit the technology. This is true not just for RFID, but for other technologies
There's some crazy talk out there, but public attitudes towards RFID are basically supportive: a majority have concerns about privacy, but aside from a hard-core 10% that will probably never be happy with it, there are lots of people who will use RFID
It's not about RFID; it's about functionalities and contexts
Susan McDonald (FTC)
Privacy and security concerns have their origins in technology; others involve protection of consumer data. Information security is a big thing now for the FTC. Transparency, accountability, consumer education.
Sandy Hughes (P&G)
Focusing now on testing and learning about EPC performance at pallet and case level; item level will come later.
Our IT and SCM tech is first-rate; the gains we'll get will come from others doing it, too.
EPC Usage guidelines
- Notice: logo on product or packaging
- Choice: discard, remove, in future disable
- Education: Know what logo means
- Record use/retention/security: No personal information on tags
Shelf signage doesn't work very well: signs get knocked off, misplaced, etc.
Tom Kellerman (World Bank)
Big point is that RF is impossible to secure. Information can be intercepted from a short distance which will inevitably increase with new technologies. RFID readers are spoofable, the 40-bit encryption algorithm can be cracked, and man-in-the-middle attacks are possible.
Other scary points
- There is no privacy without layered security (World Bank has a 12-layer matrix that moves beyond firewalls and encryption, but the bad guys are spending a huge amount of time on hacking)
- No single bullet: need better encryption, more secure scanners
- Payments shouldn't be authorized by RFID (huge increases in wireless hacking)
- Sensitive items should not be tagged with RFID
Paula Browning (Center for Democracy and Technology)
CDT is doing a big project on privacy and RFID in a variety of industries and contexts.
Burt Kaliski (RSA)
The RFID industry is working now on reliability; important next step is trust; much discussion is around privacy; authentication is a significant thing. Right now, we've got security with RFID at the level of the Internet 30 years ago, and need to build better security into the system (for tags, but also for readers).
Paul Martino
Lessons from working on the Hill
- Sectorial approach to privacy is the norm in America: We treat financial, health care, educational, etc. information differently-- and may treat RFID uses, not technology
- Self-regulation and existing law/policies can work
- Legislate only if there's an express need: The number of problems that require redress is currently very low
- Need to look at economic impacts of legislation: Business access to information creates plenty of economic benefits to consumers
Q: What's the most critical element for security?
- Sandy Hughes: Education is important; but figuring out where to inform/educate consumers-- at point of sale, online, in advertising, etc.-- is a challenge.
- Susan McDonald: Consumer education is a key.
- James Martin: What you need is better attention at the back end, and agreement among companies to implement security.
- Tom Kellerman: Education of leadership of corporate America-- who see technology as a labor-saving tool, and not something that introduces operational risks-- is a lot more important than educating consumers.
- Paula Browning: Education has to be backed up with good practices.
- Burt Kaliski: Threats won't reduce over time; they'll stay the same or get worse.
- Paul Martino: Educate the policy-makers now.