EU public consultation on RFID

By EDRi · March 15, 2006

During a high-level panel discussion at CeBIT 2006, Mrs. Viviane Reding,
European Commissioner for Information Society and Media, announced a new
public debate on RFID, organised by the European Commission. Its purpose is
to make an inventory of concerns that might necessitate legislative changes.

Mrs. Reding said that “These networks and devices will link everyday
objects into an ‘internet of things’ that will greatly enhance economic
prosperity and the quality of life. But as with any breakthrough, there is a
possible downside – in this case, the implications of RFID for privacy”.

The public debate will rely on a series of workshops addressing RFID
applications, end-user issues, interoperability and standards & frequency
spectrum requirements. These workshops will take place in Brussels between
March and June 2006 and their conclusions will assist the European
Commission in drafting a working document on RFID. This document will be
published in September in an online consultation. Additional feedback
obtained will then be analysed and integrated in a Commission Communication
on RFID, to be adopted before the end of the year. This feedback could lead
to amendments of the e-Privacy Directive, which is up for review this year.
The Communication will also address the need for other legislative measures
for RFID, such as decisions on allocation of spectrum.

These activities are supported by the European Commission at a time
when the growth of the RFID market is impressive, with 600 million tags
sold in Europe alone in 2005. The value of the market, including
hardware, systems and services, is expected to be multiplied by 10 between
2006 and 2016.

The growth is also underlined by a new Economist Intelligence
Unit (EIU) report, which finds that RFID is gathering momentum. The report,
called “RFID Comes of Age”, also warns the industry about the privacy
concerns raised by this new technology, recognising that “there are genuine issues
to be resolved, such as the ability for anyone with an RFID reader to track
people by the items they wear or carry.”

The authors also suggest that RFID tags be deactivated at the
point of sale to allay privacy concerns, without requiring the permanent
“killing” of stored data, as this would limit users’ ability to opt in to
interesting post-sale applications that benefit consumers as well as
businesses.

Lack of RFID security also made the news worldwide a few weeks ago.
During the annual RSA conference in San Jose, cryptographer Adi Shamir
talked about the possibility of bypassing security mechanisms on RFID
tags by reading their power usage. Sending a wrong password to an
average 8-bit tag would result in extra power usage, because a note is
made in RAM that it is a wrong bit and the rest of the
message has to be ignored. In theory, people could just use a mobile
phone to do this.

The industry replied that this criticism was out of place; there is
already a new generation of EPC-approved chips with 32-bit security. That
increases the number of options for a password from 256 to 4 billion,
thus making it a lot less attractive to fool around with a directional
antenna and an oscilloscope.

Recently, researchers Melanie Rieback and Patrick Simpson, supervised by the
renowned cryptographer Andy Tanenbaum, from the Amsterdam Free University,
have proven that viruses can be introduced through corrupted RFID
tags. They can create a buffer overflow in the reading device, thus creating
an opening that enables further access to the system, including the
databases behind it.

Commission launches public consultation on radio frequency ID tags
(9.03.2006)
http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/06/289

Towards an RFID Policy for Europe
http://europa.eu.int/information_society/policy/rfid/index_en.htm

Industry uptake of RFID increases despite privacy concerns (8.03.2006)
http://store.eiu.com/index.asp?layout=pr_story&press_id=990001899&ref=pr_list

Growth of RFID must respect privacy, says EIU (9.03.2006)
http://www.out-law.com/page-6715

Cellphone could crack RFID tags, says cryptographer (24.02.2006)
http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=180201688

RFID Security: A Reality Check (27.02.2006)
http://www.rfidjournal.com/article/articleprint/2170/-1/1

RFID Viruses and worms
http://www.rfidvirus.org/