EU: Data Protection and RFIDs
01 February 2005
The EU's Article 29 Working Party has produced a useful report setting out the data protections issues posed by RFID (Radio Frequency Identification). The report is intended to provide initial guidance to businesses and agencies intending to introduce RFID's.
The Working Party is concerned that some applications may "violate human dignity as well as data protection rights". In particular:
"concerns arise about the possibility of businesses and governments to use RFID technology to pry into the privacy sphere of individuals. The ability to surreptitiously collect a variety of data all related to the same person; track individuals as they walk in public places (airports, train stations, stores); enhance profiles through the monitoring of consumer behaviour in stores; read the details of clothes and accessories worn and medicines carried by customers are all examples of uses of RFID
technology that give rise to privacy concerns."
The two components of RFID are a tag (ie: a microchip) and a reader. The tag consists of an electronic circuit that store data and an antenna which communicates the data via radio waves. The reader also has an antenna and a "demodulator" which translates the data - which is then processed by a computer.
There are two types of "tags":
“Passive” tags have no own power supply (battery) and can therefore be wakened decades after having been manufactured. The tag is powered by the radio signal. A RFID reader sends radio signals that wake up the tag within a range, triggering it to respond by transmitting the information that is stored on it. “Active” tags have their own battery which reduces their life cycle."
The report gives current examples of RFID usage such as in carkeys, vehicles, tagged boarding cards for airline passengers, patients in hospital and commercial use in shops and stores.
Looking at the data protection implications the report uses several examples. First where a store can track not just the object containing the tag but link this to the record of the customer (through store or credit card data). Second, travel passes using RFID enable the operator: "to know where an identified individual travels at all times".
More than once the report emphasises that: "RFID systems are very susceptible to attacks" because a third party will only need to obtain a "reader" to access the same information.
The report raises that question of whether individuals will be able to disable the tags, a purse with shields could ensure that tagged banknotes could not be detected and an aluminium sheet incorporated into a RFID passport cover could ensure protection except when the passport is opened.
Source:
Working document on data protection issues related to RFID technology (pdf)