To date, vendors have largely - and quite correctly - assumed that privacy is the responsibility of the integrator rather than the RFID equipment supplier. No amount of security and privacy controls can be effective if the end system is designed to ignore or circumvent privacy needs. Moreover, privacy and security implications are never fully understood in emerging technologies: it takes time to identify the problems and architect solutions. The likes of RSA and IBM are now beginning to do just that. We now have to encourage end users to recognize privacy needs and specify them in the design and procurement phases of their implementations so that privacy becomes the norm, not a value-add feature. What role should government policy makers play in developing privacy guidelines for the use of RFID?
There is an important distinction here between policy and guidelines. The European Commission is keen to mandate policy controls for RFID privacy, and similar moves are afoot in a number of US States. Yet there are numerous excellent guidelines out there, such as those gathered by the EC Article 29 Working Group for its analysis of RFID privacy. A number of high-profile privacy incidents arising from companies and government departments that have failed to heed this advice has spurred governments to consider legislative controls.
What is required here is not law that specifically controls the usage of RFID technologies, but legislative guidelines to ensure that implementers, consumers and law enforcement authorities understand that privacy and data protection laws apply to RFID systems in the same way as they do to any other technology implementation. Other disruptive technologies - for example the telephone, Internet, cellphones - created security and privacy concerns, but society found a comfortable balance for them, and the same will happen for RFID. What can be done without killing the technology?
If policy-makers are to avoid killing off RFID, then it is essential that the various stakeholders work together to develop, implement and enforce their own guidelines for privacy-positive use of RFID technologies.
Dig Deeper on Information security laws, investigations and ethics
Consumers should be able to control the privacy aspects of "smart" or radio frequency identity (RFID) chips typically found in digital passports, identity...