RFID privacy, security should start with design

Interview

RFID privacy, security should start with design

Robert Westervelt, News Editor

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

 It is essential that the various stakeholders work together to develop, implement and enforce their own guidelines for privacy-positive use of RFID technologies.
Toby Stevens,
directorEnterprise Privacy Group
Do you see IT vendors addressing RFID and privacy in a positive way?
To date, vendors have largely - and quite correctly - assumed that privacy is the responsibility of the integrator rather than the RFID equipment supplier. No amount of security and privacy controls can be effective if the end system is designed to ignore or circumvent privacy needs. Moreover, privacy and security implications are never fully understood in emerging technologies: it takes time to identify the problems and architect solutions. The likes of RSA and IBM are now beginning to do just that. We now have to encourage end users to recognize privacy needs and specify them in the design and procurement phases of their implementations so that privacy becomes the norm, not a value-add feature. What role should government policy makers play in developing privacy guidelines for the use of RFID?
There is an important distinction here between policy and guidelines. The European Commission is keen to mandate policy controls for RFID privacy, and similar moves are afoot in a number of US States. Yet there are numerous excellent guidelines out there, such as those gathered by the EC Article 29 Working Group for its analysis of RFID privacy. A number of high-profile privacy incidents arising from companies and government departments that have failed to heed this advice has spurred governments to consider legislative controls.
RFID privacy:
RSA Conference panel says privacy legislation too premature for RFID
What are some of the challenges to creating policy to protect consumers?
What is required here is not law that specifically controls the usage of RFID technologies, but legislative guidelines to ensure that implementers, consumers and law enforcement authorities understand that privacy and data protection laws apply to RFID systems in the same way as they do to any other technology implementation. Other disruptive technologies - for example the telephone, Internet, cellphones - created security and privacy concerns, but society found a comfortable balance for them, and the same will happen for RFID. What can be done without killing the technology?
If policy-makers are to avoid killing off RFID, then it is essential that the various stakeholders work together to develop, implement and enforce their own guidelines for privacy-positive use of RFID technologies.