QUESTION & ANSWER

RFID privacy, security should start with design

By Robert Westervelt, News Editor 27 Feb 2007 | SearchSecurity.com

Digg This!     StumbleUpon     Del.icio.us

It is essential that the various stakeholders work together to develop, implement and enforce their own guidelines for privacy-positive use of RFID technologies. Toby Stevens, director, Enterprise Privacy Group

Do you see IT vendors addressing RFID and privacy in a positive way?
Toby Stevens: To date, vendors have largely - and quite correctly - assumed that privacy is the responsibility of the integrator rather than the RFID equipment supplier. No amount of security and privacy controls can be effective if the end system is designed to ignore or circumvent privacy needs. Moreover, privacy and security implications are never fully understood in emerging technologies: it takes time to identify the problems and architect solutions. The likes of RSA and IBM are now beginning to do just that. We now have to encourage end users to recognize privacy needs and specify them in the design and procurement phases of their implementations so that privacy becomes the norm, not a value-add feature.

What role should government policy makers play in developing privacy guidelines for the use of RFID?
Stevens: There is an important distinction here between policy and guidelines. The European Commission is keen to mandate policy controls for RFID privacy, and similar moves are afoot in a number of US States. Yet there are numerous excellent guidelines out there, such as those gathered by the EC Article 29 Working Group for its analysis of RFID privacy. A number of high-profile privacy incidents arising from companies and government departments that have failed to heed this advice has spurred governments to consider legislative controls.

RFID privacy: RSA Conference panel says privacy legislation too premature for RFID

What are some of the challenges to creating policy to protect consumers?
Stevens: What is required here is not law that specifically controls the usage of RFID technologies, but legislative guidelines to ensure that implementers, consumers and law enforcement authorities understand that privacy and data protection laws apply to RFID systems in the same way as they do to any other technology implementation. Other disruptive technologies - for example the telephone, Internet, cellphones - created security and privacy concerns, but society found a comfortable balance for them, and the same will happen for RFID.

What can be done without killing the technology?
Stevens: If policy-makers are to avoid killing off RFID, then it is essential that the various stakeholders work together to develop, implement and enforce their own guidelines for privacy-positive use of RFID technologies.

Tags: Information Security Laws, Investigations and Ethics,  Wireless Network Protocols and Standards,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Information Security Laws, Investigations and Ethics Melissa Hathaway urges more cooperation, government attention to cybersecurity Cybersecurity czar candidate questions clout of new position DHS fills National Cybersecurity Center post FTC shutters rogue ISP for hosting malicious content, botnets Experts optimistic of Obama cybersecurity plan WH cybersecurity plan needs private sector guidance Obama announces creation of cybersecurity coordinator position Cybersecurity Act of 2009: Power grab, or necessary step? Face-off: Who should be in charge of cybersecurity? Feds should get private sector advice on cybersecurity Wireless Network Protocols and Standards Wireless network guidelines for PCI DSS compliance Best Wireless Security Products MMS messaging spoof hack could have global ramifications PCI group releases wireless security guide 802.1X Port Access Control: Which version is best for you? Wireless Security Lunchtime Learning An introduction to wireless security Lesson 1: How to counter wireless threats and vulnerabilities Risky Business: Understanding WiFi threats Lesson 1 quiz: Risky business

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CALEA  (SearchSecurity.com) cyberstalking  (SearchSecurity.com) FERPA  (SearchSecurity.com) HSPD-7  (SearchSecurity.com) I-SPY Act  (SearchSecurity.com) Information Awareness Office  (SearchSecurity.com) intelligence community  (SearchSecurity.com) lawful interception  (SearchSecurity.com) lifestyle polygraph  (SearchSecurity.com) vulnerability disclosure  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary