[LINK] EPIC Urges FTC to Establish Privacy Safeguards for RFID Tags
Roger Clarke
Roger.Clarke at xamax.com.au
Sun Sep 28 11:32:40 AEST 2008
EPIC Alert 15.19 September 26, 2008
=======================================================================
[3] EPIC Urges FTC to Establish Privacy Safeguards for RFID Tags
=======================================================================
On September 23, 2008, the Federal Trade Commission held a workshop to
explore emerging applications of Radio Frequency Identification (RFID)
technology and its implication for consumer protection policy. The
workshop was attended by industry representatives, government officials
and consumer advocates from the United States and Europe to discuss
privacy and security concerns associated with RFID technology.
The FTC event had two panels to discuss the use of RFID in
"Contactless Payment Systems" and in "Item-level tagging in retail."
The panels discussed existing usage and potential benefits of large
scale deployment to both consumers and retailers. The discussions also
addressed privacy issues arising from such use. In this workshop, the
sufficiency of notice to consumers, the processing of personally
identifiable information and the availability of a written,
comprehensive privacy policy regarding the use of RFIDs were identified
as key concerns.
Other privacy issues identified were the system-level risk of leakage of
Personally Identifiable Information, which entity would decide what
data on an RFID chip would constitute acceptable risk, and RFID security
controls including consumer controlled kill switches. The NIST
representative highlighted risks outlined in their Special Publication
800-98.
In 2004, EPIC submitted recommendations to federal regulators
addressing risks to consumer safety and the unregulated use of RFID
that reveal personal data. EPIC's recommendations focused on
use in the retail and manufacturing industry where retailers and
manufacturers had begun to implement item-level RFID tagging to
facilitate supply chain efficiency, inventory control and similar
applications.
EPIC recommended that entities that use RFID must inform subjects about
the presence of tags, the presence of readers and when those tags are
being accessed. The removal of tags, considering alternatives prior to
the use of RFID, obtaining the consent of the subject and informing
the subject about the purpose of the usage were strongly urged.
Entities using RFID were told to inform subjects about whether the
obtained data could be disclosed to any third party. EPIC further
recommended that the data be kept accurate, securely stored and
readily available to the subject. The designation of specific personnel
to ensure compliance to the recommended guidelines was also deemed a
high priority. The guidelines further advocated that RFID users should
not track, snoop or coerce individuals into using tags or keeping the
tags alive, and should provide the subjects an opportunity to dispose of
the tags if they desired.
The workshop panel consisted of representatives from federal
regulators, the European Commission, consumer organizations and both
European and American commercial entities. The FTC workshop followed an
earlier symposium organized by the TransAtlantic Business Dialogue on
the 'Societal Benefits of RFID' which was held on September 22, 2008.
The symposium focused on three RFID technology applications:
environmental protection and sustainability, healthcare delivery and
supply chain security.
The symposium participants encouraged the benefits of RFID in patient
tracking, medication errors and the need for standardization in RFID
technology applications. According to the participants, the presence of
a mere number on a tag was a virtual serial number and did not warrant
any privacy concern; however, as EPIC has pointed out earlier, RFID
users should specify the purpose before attaching, storing or
associating that number with other PII somewhere else on the system.
The implications of loss of medical privacy through the use of RFIDs by
organizations outside the purview of HIPAA were also pointed out.
The Federal Trade Commission is seeking comments from the public on
RFID and the increasing prevalence of contactless payment devices in
everyday consumer transactions like credit card purchases and
public transit. The Commission is also requesting information on the
growing utilization of item-level tagging in the retail sector as well
as security and privacy threats and proposed solutions. Comments may be
submitted until October 23, 2008.
FTC Transatlantic RFID Workshop on Consumer Policy and Data Security:
http://www.ftc.gov/bcp/workshops/transatlantic/index.shtml
EPIC FTC RFID Page:
http://epic.org/privacy/rfid/
EPIC Recommendations to the FTC on RFID tags:
http://epic.org/privacy/rfid/rfid_gdlnes-070904.pdf
NIST Guidelines for Securing Radio Frequency Identification:
http://epic.org/redirect/092608_NIST_rfid-guidelines.html
Transatlantic Symposium on the Societal Benefits of RFID:
http://epic.org/redirect/092608_TABD_rfid_sched.html
FTC request for public comment on RFID:
https://secure.commentworks.com/ftc-TransatlanticRFID/
=======================================================================
_______________________________________________
EPIC_news mailing list
EPIC_news at mailman.epic.org
http://right.epic.org/mailman/listinfo/epic_news
--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in Info Science & Eng Australian National University
Visiting Professor in the eCommerce Program University of Hong Kong
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW