News Stay informed about the latest enterprise technology news and product updates.

RSA Conference panel says privacy legislation too premature for RFID

A group of public policy and technology experts at the RSA Conference 2007 said legislation could make radio frequency identification technology too costly for enterprises and hamper its innovation.

SAN FRANCISCO -- Adoption of radio frequency identification (RFID) technology could stall if lawmakers overreact to security and privacy concerns by legislating the technology, according to a group of experts who discussed the issue Tuesday at RSA Conference 2007.

While legislation could eventually protect consumers from overambitious enterprises using the technology to glean insight on consumer habits, the speakers said, it could also make RFID too costly, hindering adoption by retailers and manufacturers. In addition, researchers are still unclear how to address security issues while keeping down the price of the tags used to label pallets and items.

"We see that people are comfortable with the technologies that they know," said Daniel Caprio Jr., president of the Progress and Freedom Foundation, a Washington think tank. "Our challenge is to present this technology in a way that we talk about it in real terms with the challenges and opportunities related to privacy and security, but also by educating the public to raise their comfort level."

RSA Conference 2007

Can't make it to the show? staff members are on the RSA floor, on hand to deliver the latest RSA Conference 2007 news and updates.
Caprio was joined by Ari Juels, principal research scientist at RSA Laboratories, the security division of EMC, Robert Cresanti, under secretary at the U.S. Department of Commerce and Toby Stevens, director of the UK-based Enterprise Privacy Group. The panel, "RFID -- The benefits and the challenges: Do we legislate or do we innovate?" was one of several on RFID technology at this week's conference.

RFID, the use of tiny computer chips containing unique identifiers to track goods in the supply chain, has been adopted by a number of manufacturers and distributors who do business with retail giant Wal-Mart Stores Inc. and some agencies within the federal government. While to date the technology has been used mostly for benign purposes on the consumer level -- in animal identification, highway toll speed pass systems, U.S. passports and auto anti-theft devices -- privacy experts insist that the technology is ripe for abuse.

The most widely used tags are supported by EPCGlobal, an organization set up to boost adoption and standardization of Electronic Product Code (EPC) technology. The EPC tags are currently the most cost effective, at about 13 cents each, but they have no ability to contain the cryptography that's essential for access control and data confidentiality, said Juels, who is researching RFID security for RSA Laboratories. While researchers develop ways to boost data security in tags, he said legislators shouldn't take action.

"Technologically prescriptive legislation is inappropriate and likely to be ineffective and likely to hamper technology with enormous promise," Juels said "Scientists at this point don't know the right solutions to privacy and security problems in RFID infrastructure and its equally or more difficult for legislators to anticipate them, so legislation that includes specific prescriptive technological provisions is likely to be self defeating."

To address privacy and security concerns, scientists are developing a blocker tag that would spam an unauthorized tag reader. Researchers are developing ways to calibrate power in RFID chips to enable a kill switch for the tiny tags. Juels said scientists are also working on a way to shoehorn layers of security functionality onto the standard EPC tag.

Even without encryption and other security features, RFID use is rising, led by the federal government, which has been using it for years. First used by World War II bombers to identify friendlies, today the Department of Defense uses the technology to track shipments of supplies in war-torn areas. The Department of Homeland Security also uses the technology within the Federal Emergency Management Agency to track shipments during a crisis.

Officials from China have approached the U.S. federal government seeking standards for RFID chip production, said Cresanti, who serves as chief privacy officer for the department of commerce and chief co-chairman for the intergovernmental agency working to coordinate and understand RFID use in the federal government.

"I'm not sure we're ready to act," said Cresanti of the Chinese request. "The United States government generally doesn't set standards. We're one of those few places in the world where a myriad of standards evolve through industry working groups. … Often the deciding factor in that process is consumer adaptation and consumer interest in moving ahead."

Some groups worry that future uses of RFID could include ways to tag or embedded in a person's body to track individual. Delray Beach, Fla.-based VeriChip Corp. is currently planning to sell a technique to embed a tiny implant to help hospitals identify critical patient information or keep elderly from wandering off. That company plans an IPO this month. Some retailers in Europe also testing the technology to track customers throughout their store and understand their buying habits, said Stevens, who heads an organization consisting of a number of organizations, including private companies and government departments that collaborate on the development of solutions for their privacy, identity, data protection and freedom of information concerns.

"As long as that's authorized and consensual, we don't have an issue here," Stevens said. "It's when we start achieving unauthorized nonconsensual information we get into trouble."

He said RFID vendors, which create the software and hardware that collect RFID data, should put in place codes of conduct and other standards to monitor and self regulate the use of the technology.

"Governments are steering towards a legislative approach to this because they want the tech and they want to control it and they want to be seen to be doing something," Stevens said.

"It's up to industry now to work with the government and actually kick back against this gently," he added. "If we could get effective self regulation mechanisms to police ourselves, we will avoid some counterproductive legislation."

<< Return to our special coverage of RSA Conference 2007

Dig Deeper on Information security laws, investigations and ethics

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.