Smart tags
April 7, 2011
As RFID or "smart" tags become are increasingly used in applications ranging from starting cars, to crossing international borders, to buying groceries, the glut of digitized data available about individual citizens is sure to increase, European Union privacy regulators worry.
A new voluntary agreement signed Wednesday between the European Commission and companies will now require a "privacy impact assessment" be carried out before a new product containing a smart tag is brought to the market.
The European Commission said in a statement that this would include "potential impact on privacy of links between the data collected and transmitted and other data." The new rules are due to take effect before the end of the year.
Industry estimates some 50 billion products with smart tags could be in circulation by 2020. This year, nearly a billion of the smart tags themselves are expected to be sold in Europe, with 2.8 billion being sold worldwide, according to official EU statistics.
"I'm pleased that industry is working with consumers, privacy watchdogs and others to address legitimate concerns over data privacy and security related to the use of these smart tags," said Neelie Kroes, the European Commission's vice-president for the digital agenda, in a statement. "This sets a good example for other industries and technologies to address privacy concerns in Europe in a practical way."
However, Adam Laurie, of Surrey-based security consultancy Aperture Labs, is skeptical about the way smart tags are being implemented. He's more worried about fraud than privacy.
"They are being thrust upon us," he told Deutsche Welle. "We have little choice but to use them. As more and more companies adopt them - and it becomes the norm - by opting out of a specific implementation, you're opting out of an entire system."
Multitude of uses
For Laurie, who publishes the security vulnerabilities of the United Kingdom's smart tag-equipped passports at rfidiot.org, opting out of using smart tags would already mean higher fares on the London Underground, as paying in cash is more expensive. Neither would he be able to start his car or turn off the alarm system in his home.
One common fear is that smart tags used in retail could give advertisers the ability to profile consumers. A trail of information would be vulnerable to security breaches and could shed light on, for instance, a person's lifestyle or an embarrassing medical condition.
Christian Herzog of the German tech industry trade group, Bitkom, said some of the alarmism surrounding smart tags is unwarranted. In their simplest form, the devices are mass-produced, inexpensive and designed to transmit only a number. In 2009 the EU Commission recommended that in a retail environment, the tags be automatically deactivated after a sale.
"In reality, at the moment these chips are mostly used in logistics before products ever reach customers," he told Deutsche Welle. "The consumer isn't in the process until a good is exchanged and the tag is still activated. Keep in mind there are good reasons for a customer to leave the tags activated, because the manufacturer could offer after-sale services with it, voluntarily, of course."
Adam Laurie also says customer tracking is unrealistic because smart tags have their limitations. Used in retail, they would replace barcodes.
"They're designed to work reliably in that environment," he said. "They're not designed to work in an environment where (lots) of things are piled in a shopping bag, and the reader is 10 centimeters away."
Vulnerabilities persist
However, vulnerabilities exist in the more complex, encrypted smart tags. They may be used to verify the authenticity of medication or luxury products, and to process financial and personally-identifying information.
Part of the problem is the standards implemented in smart tags are made public so companies can develop systems, Laurie said. "Anyone with half a brain can buy or build their own equipment that will do the same thing."
Although Laurie believes smart tag systems can be made secure, he says they're often adopted quickly and with little foresight.
"They should think more about the security at the beginning," he said. "What tends to happen with these things is they get rolled out without worrying too much about security until it becomes an issue. At that point it's too late. You've already got a deployed user base, and you've got all the systems in place."
Bitkom, which endorsed the EU agreement, now wants to make sure companies know it exists, according to Herzog.
"The challenge will be to really reach out to the entire industry. Companies need to know this framework exists in order to be able to adhere to it," he said. "It's generally always better for industry if they can regulate things themselves, because they deal with the technology more deeply."
Author: Gerhard Schneibel
Editor: Cyrus Farivar