EDRI's contributions to the RFID Expert Group

(This article is also available in German)

The RFID Expert Group, created by the European Commission to assist in drafting the future RFID strategy, has held several meetings so far. European Digital Rights Initiative (EDRI) submitted two papers to this group, on RFID Privacy and Security, in order to stress that the reliable protection of privacy and personal data is a key issue for the acceptance of this technology.

The first paper on RFID Privacy issues was EDRI's contribution to the RFID Expert Group Meeting on 10 July 2007 and focused on the data protection and privacy issues of RFID applications, but also suggested a classification scheme for RFID applications based on data protection and user control.

The first part of the paper explains that enhanced data protection is essential, as the use of RFID applications and the collection of data will increase dramatically and it will become more and more complicated for the affected persons to understand and keep track of all these applications and the data they collect.

"Therefore it is of special importance to strengthen the data protection authorities and to enable them to protect the legitimate rights of the data subjects effectively," underlined Andreas Krisch, the EDRI representative in the RFID Expert Group.

He explained that in order to "achieve the users' trust in RFID applications, two provisions are required: effective tools that support the users protecting their personal data and privacy, and information on the systematic context of these systems."

EDRI also suggests a classification of RFID applications based on two criteria: the user-control criterion, which defines the extent to which the affected person is able to access, correct or delete information stored about her or him (3 categories: user-informed, user-accessible and user-controlled applications), and the data-protection criterion, which defines the extent to which other applications are able to use the information stored on a tag (3 categories: data-protected, data-shared and data-unprotected RFID applications). An assessment of barriers and threats, especially with regard to privacy and security, needs to be made on a case-by-case basis.

The second paper on RFID Security issues that was submitted to the Group explains that dealing with security and RFID means "to deal not only with security aspects of RFID systems but also with security aspects of anything or anyone affected by RFID systems."

Krisch underlined that the RFID security issues needed to "start at the very basis of the technology. Information on the tags has to be stored in a secure way. Communication protocols have to ensure secure communication. Information Systems have to use state of the art data protection mechanisms." At the same time he pointed out that a second very important issue was securing a proper quality of the stored information and therefore it was important "to implement means to verify who provides, alters, controls or is responsible for a given set of data."

Other experts from the group have publicly shared their concerns and opinions. BEUC (the European Consumers' Organisation) and ANEC (the European Consumer Voice in Standardisation) published on 12 July 2007 a common position regarding the next steps that need to be envisaged in an RFID policy framework. The comments, entitled "Consumers' scenarios for a RFID policy", focus on the fact that consumers need confidence to fully embrace RFID technology and suggest several measures to be implemented. The measures start with the consumers' rights to know and to choose and continue with actions in the domains of regulatory framework, privacy and security, health and environment or standardisation.

The European Parliament's Scientific Technology Options Assessment group (STOA) has also recently published a comprehensive study that evaluates the use of RFID technology among European Union citizens. The report considers it difficult to predict an impact, due to the insufficient maturity of the systems or the lack of general awareness of the technology among citizens. It also sees as a major challenge the need to reconsider the "privacy guidelines and the concepts of personal data and informational self-determination" in the light of an increasingly interactive environment.

RFID Privacy Issues (10.07.2007)
http://www.edri.org/docs/EDRi_RFID_Privacy_Issues_published.pdf

RFID Security Issues (07.2007)
http://www.edri.org/docs/EDRi_RFID_Security_Issues.pdf

RFID and Identity Management in Everyday Life - Striking the balance between convenience, choice and control (07.2007)
http://www.europarl.europa.eu/stoa/publications/studies/stoa182_en.pdf

Consumers' scenarios for a RFID policy - Joint ANEC/BEUC Comments on the Communication on Radio Frequency Identification (RFID) in Europe: steps towards a policy framework (12.07.2007)
http://www.anec.org/attachments/ANEC-ICT-2007-G-059.pdf

EDRI-gram: RFID Expert Group - Kick Off (6.06.2007)
http://www.edri.org/edrigram/number5.11/rfid-workgroup