| QUESTION & ANSWER |
RFID privacy, security should start with design |
 |
By Robert Westervelt, News Editor
27 Feb 2007 | SearchSecurity.com |
|
|
Companies planning to deploy radio frequency identification technology (RFID) must demand that privacy and security issues are addressed in the design and procurement phases of the implementation, according to Toby Stevens, a leading privacy and identity expert. Privacy should not be a "value-add feature," said Stevens, director of the UK-based Enterprise Privacy Group, an association of public agencies and corporations working to understand and develop solutions to privacy and identity-related issues. In an interview with SearchSecurity.com, Stevens talked about whether the European Commission would mandate policy controls for RFID privacy and whether government legislation could stall widespread use of the technology. Stevens said the opinions given are his own and do not necessarily reflect those of his group's member organizations.
|
|
|
|
|
It is essential that the various stakeholders work together to develop, implement and enforce their own guidelines for privacy-positive use of RFID technologies.
Toby Stevens,
director, Enterprise Privacy Group
|
|
|
|
|
|
|
|
|
|
Do you see IT vendors addressing RFID and privacy in a positive way?
Toby Stevens: To date, vendors have largely - and quite correctly - assumed that privacy is the responsibility of the integrator rather than the RFID equipment supplier. No amount of security and privacy controls can be effective if the end system is designed to ignore or circumvent privacy needs. Moreover, privacy and security implications are never fully understood in emerging technologies: it takes time to identify the problems and architect solutions. The likes of RSA and IBM are now beginning to do just that. We now have to encourage end users to recognize privacy needs and specify them in the design and procurement phases of their implementations so that privacy becomes the norm, not a value-add feature.
What role should government policy makers play in developing privacy guidelines for the use of RFID?
Stevens: There is an important distinction here between policy and guidelines. The European Commission is keen to mandate policy controls for RFID privacy, and similar moves are afoot in a number of US States. Yet there are numerous excellent guidelines out there, such as those gathered by the EC Article 29 Working Group for its analysis of RFID privacy. A number of high-profile privacy incidents arising from companies and government departments that have failed to heed this advice has spurred governments to consider legislative controls.
What are some of the challenges to creating policy to protect consumers?
Stevens: What is required here is not law that specifically controls the usage of RFID technologies, but legislative guidelines to ensure that implementers, consumers and law enforcement authorities understand that privacy and data protection laws apply to RFID systems in the same way as they do to any other technology implementation. Other disruptive technologies - for example the telephone, Internet, cellphones - created security and privacy concerns, but society found a comfortable balance for them, and the same will happen for RFID.
What can be done without killing the technology?
Stevens: If policy-makers are to avoid killing off RFID, then it is essential that the various stakeholders work together to develop, implement and enforce their own guidelines for privacy-positive use of RFID technologies.
|
|
|
|
