EU public consultation on RFID

During a high-level panel discussion at CeBIT 2006 Mrs. Viviane Reding, European Commissioner for Information Society and Media, announced a new public debate on RFID, organised by the European Commission. Its purpose is to make an inventory of concerns that might necessitate legislative changes.

Mrs. Reding said that "These networks and devices will link everyday objects into an 'internet of things' that will greatly enhance economic prosperity and the quality of life. But as with any breakthrough, there is a possible downside - in this case, the implications of RFID for privacy".

The public debate will rely on a series of workshops addressing RFID applications, end-user issues, interoperability and standards & frequency spectrum requirements. These workshops will take place in Brussels between March and June 2006 and their conclusions will assist the European Commission in drafting a working document on RFID. This document will be published in September in an online consultation. Additional feedback obtained will then be analysed and integrated in a Commission Communication on RFID, to be adopted before the end of the year. This feedback could lead to amendments of the e-privacy-Directive, which is up for review this year. The Communication will also address the need for other legislative measures for RFID, such as decisions on allocation of spectrum.

These activities are supported by the European Commission at a time when the growth of the RFID market is impressive, with 600 million tags sold in Europe alone in 2005. The value of the market, including hardware, systems and services, is expected to be multiplied by 10 between 2006 and 2016.

The growth is also underlined by a new Economist Intelligence Unit (EIU) report, which considers that RFID is gathering momentum. The report, called "RFID Comes of Age", also warns the industry about the privacy concerns raised by this new technology, recognising that "there are genuine issues to be resolved, such as the ability for anyone with an RFID reader to track people by the items they wear or carry."

The authors also suggest that RFID tags be deactivated at the point of sale to allay privacy concerns, but that the permanent "killing" of stored data should not be required, as this would limit users' ability to opt in to interesting post-sale applications that benefit consumers as well as businesses.

Lack of RFID security also made the news worldwide a few weeks ago. During the annual RSA conference in San Jose, cryptographer Adi Shamir talked about the possibility of bypassing security mechanisms on RFID tags by reading their power usage. Sending a wrong password to an average 8-bit tag would result in extra power usage, because a note is made in RAM that it is a wrong bit and the rest of the message has to be ignored. In theory, people could just use a mobile phone to do this.
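A simplified model of the leak described above, next to a hardened check, as an added example (not code from the talk, the article or any tag vendor). It assumes an 8-bit password received most-significant bit first and uses integer "work units" per bit slot as a stand-in for power draw; `check_leaky`, `check_hardened` and `spike_slot` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#define BITS 8
#define SLOTS (BITS + 1)   /* one sample per received bit + one for the verdict */

/* Assumed model: each slot costs 1 work unit; a RAM write costs 1 more.
   Leaky check: the first wrong bit triggers the RAM note in that slot,
   and the remaining bits are received but ignored. */
static int check_leaky(uint8_t stored, uint8_t guess, int trace[SLOTS]) {
    int rejected = 0;
    for (int i = 0; i < BITS; i++) {
        int wrong = ((stored ^ guess) >> (BITS - 1 - i)) & 1;   /* MSB first */
        trace[i] = 1;                                   /* receive one bit */
        if (wrong && !rejected) { trace[i]++; rejected = 1; }   /* RAM note */
    }
    trace[BITS] = 1;                                    /* verdict slot */
    return !rejected;
}

/* Hardened check: fold all differences together without branching and do
   the same single RAM write whether the verdict is accept or reject. */
static int check_hardened(uint8_t stored, uint8_t guess, int trace[SLOTS]) {
    uint8_t diff = 0;
    for (int i = 0; i < BITS; i++) {
        diff |= (uint8_t)((stored ^ guess) & (1u << (BITS - 1 - i)));
        trace[i] = 1;                                   /* same work per bit */
    }
    trace[BITS] = 2;                                    /* verdict + RAM write */
    return diff == 0;
}

/* Slot of the data-dependent spike, or -1 if the bit slots are flat. */
static int spike_slot(const int trace[SLOTS]) {
    for (int i = 0; i < BITS; i++)
        if (trace[i] > 1) return i;
    return -1;
}

int main(void) {
    const uint8_t stored = 0xA5;                /* constructed sample password */
    int a[SLOTS], b[SLOTS];
    for (int g = 0; g < 256; g += 51) {         /* a few constructed guesses */
        check_leaky(stored, (uint8_t)g, a);
        check_hardened(stored, (uint8_t)g, b);
        printf("guess 0x%02X: leaky spike slot %d, hardened spike slot %d\n",
               g, spike_slot(a), spike_slot(b));
    }
    return 0;
}
```

In the leaky version the spike's slot depends on where the guess first diverges from the stored value; in the hardened version every guess produces the same trace.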

The industry replied that this criticism was out of place; there is already a new generation of EPC-approved chips with 32-bit security. That increases the number of options for a password from 256 to 4 billion, thus making it a lot less attractive to fool around with a directional antenna and an oscilloscope.

Recently, researchers Melanie Rieback and Patrick Simpson, supervised by the renowned cryptographer Andy Tanenbaum, from the Amsterdam Free University have proven that it is possible to introduce viruses through corrupted RFID tags. They can create a buffer overflow in the reading device, thus creating an opening that enables further access to the system, including the databases behind it.

Commission launches public consultation on radio frequency ID tags (9.03.2006)
http://europa.eu.int/rapid/pressReleasesAction.do?reference=IP/06/289

Towards an RFID Policy for Europe
http://europa.eu.int/information_society/policy/rfid/index_en.htm

Industry uptake of RFID increases despite privacy concerns (8.03.2006)
http://store.eiu.com/index.asp?layout=pr_story&press_id=990001899&...

Growth of RFID must respect privacy, says EIU (9.03.2006)
http://www.out-law.com/page-6715

Cellphone could crack RFID tags, says cryptographer (24.02.2006)
http://www.eetimes.com/news/latest/showArticle.jhtml?articleID=1802016...

RFID Security: A Reality Check (27.02.2006)
http://www.rfidjournal.com/article/articleprint/2170/-1/1

RFID Viruses and worms
http://www.rfidvirus.org/