RFID security raises privacy issues

Awareness of consumer privacy issues and tight security must go hand in hand if RFID technology is to flourish, according to industry experts.

A set of RFID guidelines designed to help protect consumers' privacy have been released last week by a working group led by privacy body the Center for Democracy and Technology (CDT).

The best practice guidance outlines how consumers should be notified about RFID data collection, what choices consumers have and how that information should be treated by the companies which collect it.

The working group also included Eli Lilly and Company, IBM, Intel, Microsoft, the National Consumers League, Procter & Gamble, and Visa USA.

The CDT said that while many applications of RFID may raise no real privacy concerns, "when the data collected from RFID tags is linked to personally identifiable information, privacy issues can arise".

But in a research note, Gartner VP John Pescatore said that while the guidelines should help public acceptance of RFID, the industry must also work to ensure security of the technology.

Gartner said the guidelines "provide a solid privacy-protection framework for RFID industry stakeholders". And it said industry support for the best practices should help to prevent "a consumer, regulatory and legislative backlash against RFID".

But it added: "We believe, however, that minimising RFID technology and system vulnerabilities - to ensure that attackers cannot obtain confidential data by compromising systems - is equally important."

The analyst group points out most identity theft has been accomplished by exploiting mismanaged or vulnerable systems that were perfectly acceptable from a privacy perspective.

And it said industry efforts should include best practices for ensuring that security is built into the production of RFID tags and reader systems from the start, with the implementation of secure default configurations and support for standard vulnerability management processes.

Companies deploying RFID should make sure their technology providers demonstrate compliance with the CDT guidelines, and should review all RFID deployments for such compliance, Gartner warned.

But they should also make all RFID technology providers demonstrate security is an "integral element in their product design processes" and that vulnerability testing is included in their quality assurance processes.