EDRI's contributions to the RFID Expert Group

By EDRi · August 1, 2007

(This article is also available in German)

The RFID Expert Group created by the European Commission in order to assist
in drafting the future RFID strategy has held several meetings so far.
European Digital Rights Initiative (EDRI) submitted two papers to this group
on RFID Privacy and Security in order to stress that the reliable protection
of privacy and personal data is a key issue for the acceptance of this

The first paper on RFID Privacy issues was EDRI’s contribution to the RFID
Expert Group Meeting on 10 July 2007 and focused on the data protection and
privacy issues of RFID applications, but also suggested a classification
scheme for RFID applications based on data protection and user control.

The first part of the paper explains that enhanced data protection is
essential, as the use of RFID applications and the collection of data will
increase dramatically and it will become more and more complicated for the
affected persons to understand and keep track of all these applications and
the data they collect.

“Therefore it is of special importance to strengthen the data protection
authorities and to enable them to protect the legitimate rights of the data
subjects effectively,” underlined Andreas Krisch, the EDRI representative in
the RFID Expert Group.

He explained that in order to “achieve the users' trust in RFID applications,
two provisions are required: effective tools that support the users
protecting their personal data and privacy, and information on the
systematic context of these systems.”

EDRI also suggests a classification of RFID applications based on two
criteria: the user-control criterion, which defines the extent to which the
affected person is able to access, correct or delete information stored
about her or him (3 categories – user-informed, user-accessible and
user-controlled applications), and the data-protection criterion, which
defines the extent to which other applications are able to use the
information stored on a tag (3 categories – data-protected, data-shared and
data-unprotected RFID applications). An assessment of barriers and threats,
especially with regard to privacy and security, needs to be made on a
case-by-case basis.

The second paper on RFID Security issues that was submitted to the Group
explains that dealing with security and RFID means “to deal not only with
security aspects of RFID systems but also with security aspects of anything
or anyone affected by RFID systems.”

Krisch underlined that RFID security needed to “start at the very
basis of the technology. Information on the tags has to be stored in a
secure way. Communication protocols have to ensure secure communication.
Information Systems have to use state of the art data protection
mechanisms.” At the same time he pointed out that a second very important
issue was ensuring the proper quality of the stored information, and that it
was therefore important “to implement means to verify who provides, alters,
controls or is responsible for a given set of data.”

Other experts from the group have publicly shared their concerns and
opinions. BEUC (the European Consumers’ Organisation) and ANEC (the
European Consumer Voice in Standardisation) published on 12 July 2007 a
common position regarding the next steps that need to be envisaged in an
RFID policy framework. The comments, entitled “Consumers’ scenarios for a
RFID policy”, focus on the fact that consumers need confidence to fully
embrace RFID technology and suggest several measures to be implemented.
The measures start with the consumers’ rights to know and to choose and
continue with actions in the domains of regulatory framework, privacy
and security, health and environment, and standardisation.

The European Parliament’s Scientific Technology Options Assessment group
(STOA) has also recently published a comprehensive study that evaluates the
use of RFID technology among European Union citizens. The report considers
that it is difficult to predict an impact, due to the insufficient maturity
of the systems or the lack of general awareness of the technology among
citizens. It also sees as a major challenge the need to reconsider the
“privacy guidelines and the concepts of personal data and informational
self-determination” in the light of an increasingly interactive environment.

