(Dieser Artikel ist auch in deutscher Sprache verfügbar)

Last week the conference "On RFID", organised by the Portuguese Presidency with support of the European Commission DG Information Society, took place in Lisbon. During the one and a half days of the conference a number of topics were discussed, that could be crucial for the future development of RFID technology.

Privacy and security were the topics of a panel discussion held during the morning of the first day. The participants in this discussion, representatives of industry, consumer, data protection and international organisations, all shared the opinion that security and privacy by design is the proper way for advancements of RFID technology. As Reinhard Posch, representative of the European Network and Information Security Agency (ENISA), stated, the assumption that cloning of RFID tags is too expensive to constitute a risk, is not sustainable. Therefore, the utilisation of strong cryptography will be necessary to technically ensure a proper level of data protection.

With regards to data protection in the field of RFID, Peter Hustinx, the European Data Protection Supervisor, stated in his intervention that first it is necessary to properly implement the data protection rules that already exist and that probably some clarifications of these rules (as the one on the concept of personal data by the Article 29 working party) need to be made to ensure that they are understood and implemented correctly. At the end of this process it might well turn out that additional regulations are needed to address new problems that might arise when implementing and deploying RFID technology. According to Mr. Hustinx, a key issue that should be addressed in RFID research is, that users get control over the technology and that they are enabled to explicitly opt-in to the use of RFID, if they so wish.

Among the participants of the conference was Humberto Morán, founder and director of Friendly Technologies Ltd. His company claims to have invented "a privacy-friendly system for the tracking and control of mobile objects using RFID tags, which cannot be interrogated by unauthorised readers" (patent pending). The main concept of this system is to protect the data on every RFID tag with a password and to hand over the password with the movement of the object from one RFID reader to another. Once the ownership of a tagged object changes the owner also has to hand over the password to the new owner and delete it from his own systems. While this concept certainly has the potential to significantly strengthen the control of individuals in RFID systems, its suitability for real world applications has still to be proven. To this end, Friendly Technologies is currently looking for adequate funding.

Not only privacy and security are limiting factors for the development of RFID systems. While the size of the silicon chips can be further decreased (more or less constantly following Moore's law), physical limits hinder a further significant reduction of the size of the antennas of RFID Tags. A way to overcome these limitations would be to use higher frequencies for the communication between Tags and Readers, but this again would be subject to limitations due to an increased sensitivity to interferences. Therefore, it was said, a further decrease in the size of RFID Tags is not to be expected in the near future.

With regards to RFID research in Europe, a RFID Reference Model developed by the Cluster of European RFID Projects, was presented at the conference. This Reference Model depicts eight main RFID application fields (from "Logistical Tracking & Tracing of Goods" to "Public Services") and research topics relevant to them.

In the morning session of the second conference day, RFID governance issues were discussed. Problems here are similar to the situation with the Domain Name Service (DNS) for Internet domain names, since EPCGlobal's Object Name Service (ONS; which provides for tagged objects a service similar to the DNS) is designed to have one central managing authority (like ICANN for DNS). Given the dominant position of the US government with regards to ICANN it is certainly very unlikely that a central component of a future Internet of Things will remain undisputed amongst countries. Therefore a design should be found that allows for a decentralised architecture.

As this conference showed, there are many problems that have to be resolved on the way to an Internet of Things. Privacy and security are now clearly topics that have to be addressed and properly answered before a large scale deployment of RFID technology is possible and acceptable. It will however take a while until these answers are implemented and available in technology. As Sanjay Sarma from MIT Auto-ID Labs mentioned in the closing session of the conference, encryption on passive cheap RFID Tags is still five years away.

On RFID - The next step to the Internet of Things
http://www.rfid-outlook.pt/

Article 29 Working Party: Opinion No. 4/2007 on the concept of personal data
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en...

Patent application: Privacy-friendly RFID system prevents unauthorised interrogation of RFID tags
http://v3.espacenet.com/origdoc?DB=EPODOC&IDX=GB2437347&F=0&am...

Moore's law
http://en.wikipedia.org/wiki/Moore's_law

RFID Reference Model
http://www.rfid-in-action.eu/public/rfid-reference-model

Cluster of European RFID Projects (CERP)
http://www.rfid-in-action.eu/cerp

MIT Auto-ID Lab
http://autoidlab.mit.edu/

(contribution by Andreas Krisch - EDRI-member VIBE!AT)