Lisbon Conference "On RFID – The next step to the Internet of Things"

By EDRi · November 21, 2007

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

Last week the conference “On RFID”, organised by the Portuguese Presidency
with support of the European Commission DG Information Society, took place
in Lisbon. During the one and a half days of the conference a number of
topics were discussed, that could be crucial for the future development of
RFID technology.

Privacy and security were the topics of a panel discussion held during the
morning of the first day. The participants in this discussion,
representatives of industry, consumer, data protection and international
organisations, all shared the opinion that security and privacy by design is
the proper way for advancements of RFID technology. As Reinhard Posch,
representative of the European Network and Information Security Agency
(ENISA), stated, the assumption that cloning of RFID tags is too expensive
to constitute a risk, is not sustainable. Therefore, the utilisation of
strong cryptography will be necessary to technically ensure a proper level
of data protection.

With regards to data protection in the field of RFID, Peter Hustinx, the
European Data Protection Supervisor, stated in his intervention that first
it is necessary to properly implement the data protection rules that
already exist and that probably some clarifications of these rules (as the
one on the concept of personal data by the Article 29 working party) need to
be made to ensure that they are understood and implemented correctly. At the
end of this process it might well turn out that additional regulations are
needed to address new problems that might arise when implementing and
deploying RFID technology. According to Mr. Hustinx, a key issue that should
be addressed in RFID research is, that users get control over the technology
and that they are enabled to explicitly opt-in to the use of RFID, if they
so wish.

Among the participants of the conference was Humberto Morán, founder
and director of Friendly Technologies Ltd. His company claims to have
invented “a privacy-friendly system for the tracking and control of mobile
objects using RFID tags, which cannot be interrogated by unauthorised
readers” (patent pending). The main concept of this system is to protect the
data on every RFID tag with a password and to hand over the password with
the movement of the object from one RFID reader to another. Once the
ownership of a tagged object changes the owner also has to hand over the
password to the new owner and delete it from his own systems. While this
concept certainly has the potential to significantly strengthen the control
of individuals in RFID systems, its suitability for real world applications
has still to be proven. To this end, Friendly Technologies is currently
looking for adequate funding.

Not only privacy and security are limiting factors for the development of
RFID systems. While the size of the silicon chips can be further decreased
(more or less constantly following Moore’s law), physical limits hinder a
further significant reduction of the size of the antennas of RFID Tags. A
way to overcome these limitations would be to use higher frequencies for the
communication between Tags and Readers, but this again would be subject to
limitations due to an increased sensitivity to interferences. Therefore, it
was said, a further decrease in the size of RFID Tags is not to be expected
in the near future.

With regards to RFID research in Europe, a RFID Reference Model developed by
the Cluster of European RFID Projects, was presented at the conference. This
Reference Model depicts eight main RFID application fields (from “Logistical
Tracking & Tracing of Goods” to “Public Services”) and research topics
relevant to them.

In the morning session of the second conference day, RFID governance issues
were discussed. Problems here are similar to the situation with the Domain
Name Service (DNS) for Internet domain names, since EPCGlobal’s Object Name
Service (ONS; which provides for tagged objects a service similar to the
DNS) is designed to have one central managing authority (like ICANN for
DNS). Given the dominant position of the US government with regards to ICANN
it is certainly very unlikely that a central component of a future Internet
of Things will remain undisputed amongst countries. Therefore a design
should be found that allows for a decentralised architecture.

As this conference showed, there are many problems that have to be resolved
on the way to an Internet of Things. Privacy and security are now clearly
topics that have to be addressed and properly answered before a large scale
deployment of RFID technology is possible and acceptable. It will however
take a while until these answers are implemented and available in
technology. As Sanjay Sarma from MIT Auto-ID Labs mentioned in the closing
session of the conference, encryption on passive cheap RFID Tags is still
five years away.

On RFID – The next step to the Internet of Things

Article 29 Working Party: Opinion No. 4/2007 on the concept of personal data

Patent application: Privacy-friendly RFID system prevents unauthorised
interrogation of RFID tags

Moore’s law’s_law

RFID Reference Model

Cluster of European RFID Projects (CERP)

MIT Auto-ID Lab

(contribution by Andreas Krisch – EDRI-member VIBE!AT)