RFID PRIVACY IN EUROPE Implications for Libraries. Paul Chartier Convergent Software Ltd. CILIP Conference, Nov 2012


Slide 1: RFID Privacy in Europe: Implications for Libraries
Paul Chartier, Convergent Software Ltd
CILIP Conference, Nov 2012

Notes: In addition to being MD of Convergent Software, I am also Principal of Praxis Consultants. In that role I am co-project editor of ISO and project editor of the European Standard on the RFID Privacy Impact Assessment process.

Slide 2: Today's Presentation
- Broad overview of the EU position
- A bit of jargon-busting
- CEN TC 225 work on Mandate M436
- Focus on two critical standards
- Some tools
- Implications for libraries
- Timetable

Notes: In addition to the topics listed here, I will also give you an update on Convergent Software's initiatives for RFID privacy.

Slide 3: Déjà Vu
This is what I presented at last year's conference:
- European Commission receives a detailed response for standards on RFID privacy
- All libraries will be expected to undertake a privacy impact assessment, and more
- New standard interface to support migration to next-generation RFID
This is what I said at last year's conference:
- There will be a number of European standards and related documents on RFID privacy.
- Few vendors and few libraries contributed to the public consultation; now it will be a reality.

Notes: Since last year's CILIP conference, the European Commission has accepted the detailed response from CEN, the European standards organisation, to develop 10 standards, which I will discuss in more detail in the next few slides. Like all RFID operators, libraries will be expected to undertake a Privacy Impact Assessment on their applications. However, in the intervening year since the last conference there has still been very little activity. Unlike the play "Waiting for Godot", there is not much serious discussion in the library community on this topic.

Slide 4: The European Commission
What do you know about:
- Data Protection Directive 95/46/EC?
- EC Recommendation on RFID privacy and security 2009?
- Mandate M436 Phase 1 on RFID privacy?
- And the library sector response to the public consultation?
- The proposed Data Protection and Privacy Regulation?
- Mandate M436 Phase 2 assigned to CEN TC 225?

Notes: So now is the time for a show of hands on each of the questions on the slide. Rather than ask "what do you know about the topic?", let's put it another way. Do you know anything about your library's registration with the Information Commissioner's Office under the Data Protection Directive 95/46/EC? Who has read the EC Recommendation on RFID Privacy and Security 2009? Has anyone read the report of Mandate M436 Phase 1 on RFID privacy? Did any of you participate in the library sector response to the public consultation on that document? Has anyone kept up to date with the proposed Data Protection and Privacy Regulation? Apart from Mick Fortune, has anyone seen the work programme for Mandate M436 Phase 2?

Slide 5: Jargon-busting
- EU legal documents: Recommendations, Directives, Regulations
- European Standards: EN = Standard, TS = Technical Specification, TR = Technical Report
- RFID: the EU might have a different view from you
- EU Mandate
- Privacy is different from Data Protection
- RFID application and RFID operator
- Privacy Impact Assessment

Notes: Let's put some of the jargon into context. A Recommendation is advice from the Commission to member states. A Directive is an instruction to member states to implement national law. A Regulation is a legal device that imposes common law across member states. The RFID Recommendation is therefore advisory, but by 2014 the Commission may convert it to a Directive. An EN, or European standard, once approved, has to be published by all the member states in the EU. A Technical Specification is less prescriptive and can be delivered more quickly than a full standard. A Technical Report is basically a research document. The Commission considers that RFID is any technology that uses radio waves for communication; therefore membership cards and contactless payment cards fall within the remit. An EU Mandate is an instruction from the Commission to one, or all, of the European standards organisations to undertake specific work in a nominated area. I will discuss privacy and data protection in a few minutes. An RFID application includes those that read data from tags but also those that encode data on tags. An RFID operator is the legal entity controlling an RFID application. Finally, a Privacy Impact Assessment is a process to consider risks (in this case, those associated with RFID) in a methodical manner.

Slide 6: CEN TC 225 work on Mandate M436: Project Structure

Notes: The work for M436 Phase 2 is divided into five project teams. I will briefly discuss the deliverables of Project Teams B, D and E and concentrate more on the deliverables of Project Teams A and C.

Slide 7: CEN TC 225 work on Mandate M436: Projects of PT-B, PT-D and PT-E
- PT-B, TR: Privacy capability features of current RFID technologies
- PT-D, TR: RFID threat and vulnerability analysis
- PT-E, TR: Authorisation of mobile phones used as RFID interrogators
- PT-E, TS (TR?): Device interface to support ISO/IEC Mode 1 and Mode 3 tags

Notes: Project Team B is delivering a Technical Report which will identify the privacy capability features for a range of standardised RFID technologies. I can tell you that the current tag used in the library community has few such capabilities. Project Team D's Technical Report is looking at some of the more extreme threats associated with RFID, for example the ability to read tags at a much longer range than normal. Project Team E has two deliverables. One is a Technical Report so that mobile phones can be approved for use on applications. The other started life as a Technical Specification; it might still remain that way, or be downgraded to a Technical Report. It is for a device interface to support a crossover solution that allows libraries and others using high-frequency technology to migrate to new and more secure solutions. We will not know until a few weeks' time which form the deliverable will take.

Slide 8: M436 Projects of PT-A: Signage and Emblem
- TR: Additional information to the signage to be provided by operators
- TS: Information sign to be displayed in areas where RFID interrogators are deployed
- EN: Information sign and additional information to be provided by operators of RFID data capture applications
The TS and the EN will be released at the same time for review by standards bodies. The EN also undergoes a round of public review before publication. At this point the TS will be withdrawn.

Notes: Project Team A is dealing with signage, an emblem and notification of RFID. It has three deliverables. The Technical Report is to identify the type of information that individual consumers and citizens can expect to access about a specific RFID application. I will talk in a bit more detail about the Technical Specification and EN in the next slides.

Slide 9: RFID Notification Emblem

Notes: This slide shows the common RFID emblem, which some people think looks a little like a beer stein with a handle. More formally, it will be included in EN ISO/IEC. From what I said before, this means that the symbol will be adopted right across Europe.

Slide 10: The European Emblem
Current unresolved issue: coexistence of the Common European Emblem and current logos, especially:
- Global systems such as contactless bank cards
- National and local cards, e.g. travel cards

Notes: The problem with a new emblem is that the world has other emblems or logos that are intended to be application-specific. The symbol on the left is one that you will see on terminals that accept contactless payment cards, and the symbol on the right is for acceptance of the Oyster card issued by Transport for London. The problem with travel cards is that different emblems are used in various cities across Europe.

Slide 11: RFID Notification Sign: Reading Zone
Example sign text (as shown on the slide):
"RFID tags may be read in this area for the purposes of stock control, security and product warranty. This system is controlled by Van Rees B.V. For more information, contact us on Freephone or visit our website."

Notes: This slide shows the type of notification sign that will need to be displayed in an area where RFID data capture takes place and interacts with the public. The sign is divided into three zones, with the common emblem at the top. The second block gives a very brief summary of why RFID is being used. The third block provides the source of more detailed, publicly accessible information. This will include the summary Privacy Impact Assessment, which will declare a risk value and the possible counter-measures that can be used to reduce the risk. The summary PIA will not provide access to all of the detailed evaluations in the Privacy Impact Assessment itself.

Slide 12: M436 Projects of PT-C: Privacy Impact Assessment
- TR: RFID PIA analysis for specific sectors (retail, libraries, banking, transportation)
- TR: Analysis of PIA methodologies relevant to RFID
- EN: RFID PIA process
The Technical Reports are intended to set the scene and enable comments to be made to modify the Standard, which has an additional round of review.

Notes: Project Team C has three deliverables associated with a Privacy Impact Assessment. The two Technical Reports take different approaches to providing input material to the PIA process. The one on sectors (note that it includes libraries) is intended to provide some background material about the sectors. The other Technical Report is looking at methodologies for Privacy Impact Assessments that never achieved the higher status of a standard. A number of these have been associated with government initiatives, particularly in New Zealand and Canada.

Slide 13: Privacy, Data Protection, Security and RFID
- Data Protection: ensures appropriate collection, consent, correction and use of data collected by an organisation from its consumers and users
- Data Security: protects all the organisation's data, including data about individuals as well as other operational data held by the organisation
- Privacy: provides an individual's control over the use of collected data by organisations, and protection from unauthorised collection of data from ICT in the individual's possession
Data Protection, Security and Privacy:
- Privacy focuses on the individual, not the corporation
- Privacy extends beyond the operational domain of the application

Notes: It is probably easier for you to read this slide to understand that data protection, data security and privacy are different topics but significantly inter-related. The key point to understand is that privacy focuses on the individual, not the organisation, whereas security is very focused on the organisation. Privacy extends beyond the operational domain of the application, whereas traditionally data protection is focused on protecting data about individuals within the application.

Slide 14: TR: RFID PIA Analysis for Specific Sectors
- Synthesis and conclusion lead to a generic approach
- Enabling RFID operators to identify risks
- Identification of relevant characteristics per sector: Libraries, Retail, eTicketing, Banking & Finance
- RFID PIA Framework as basis

Notes: This slide provides a slightly better insight into how the work on the specific sectors is being used. It was basically defined as a "bottom-up" approach by the senior European Commission official whose brainchild it was to address RFID privacy.

Slide 15: EN: RFID Privacy Impact Assessment (PIA) Process
Key points from the Scope: It provides a standardised set of procedures for developing PIA templates, including tools compatible with the RFID PIA methodology. In addition, it identifies the conditions that require an existing PIA to be revised, amended, or replaced by a new assessment process.

Notes: The PIA process is designed around an individual RFID application. Just like a registration under data protection laws, the individual organisation has to effectively sign on the dotted line. However, the PIA process encourages the development of sector- and application-based templates. This is an idea borrowed from the Information Commissioner's Office for data protection, and was part of EDItEUR's formal response to the Phase 1 report. This has now been carried through into the Draft European Standard.

Slide 16: EN: PIA Process: Focus on Privacy
Challenge:
- Data is already subject to Data Protection Directive 95/46/EC
- The EN needs to address RFID features and privacy
Approach:
- The figure (based on ISO) shows the complete RFID layered stack
- Each layer needs to be addressed
- Top 4 layers are generally not well understood from a privacy perspective
- Many optional features in the standards
- The interrogator and tag can differ
- Device to host: a real challenge with mobile devices like smartphones
Layers of the stack, as listed on the slide:
- RFID tag (inc. RF card)
- RF air interface protocol
- RFID interrogator
- Device-host interface
- Host computer
- Application
- RFID-related data

Notes: The point to focus on with this slide is the vertical stack of components on the right-hand side. The figure is based on an international standard for security that addresses the topic known as defence in depth. The key purpose of the standard on Privacy Impact Assessment is to focus on all layers, but particularly the top four. Some of the other Technical Reports also provide useful back-up material. One fact that is not well understood about RFID is that there are many optional features specified in the standards. This presents some real challenges. Did you know that to comply with the fundamental standard for the commonly used tag in libraries there is no requirement to be able to read and write data? Another challenge is with the use of smartphones, which I discuss next.

Slide 17: Smartphone: Operational Blessing, Privacy Curse?

Notes: As the title of the slide says, a smartphone can be an operational blessing and at the same time a privacy and security curse. Until early last year, NFC phones operated at the same frequency as the majority of library applications, but using a different air interface protocol. All of this has been turned upside down this year by new mobile phones supporting the same air interface protocol as used for libraries. Data can be read from the tag, and data can be written to the tag with certain devices. Therefore, any library or vendor thinking that an NFC phone provides useful business opportunities needs to consider very carefully the privacy and security aspects. There are ways that controls and counter-measures can be put in place, but it does require some serious re-thinking. An attacker does not need to know how the encoding is done on the tag, just that maliciously changing some of the byte values will cause problems for the application.

Slide 18: EN: PIA Process: What is Identifiable?
Challenge: no ambiguity in the Data Protection Directive:
- Sensitive personal data: name, national ID code, medical records
- Personal data: membership code
- Identifiable data: unique chip ID, product code
Approach:
- Asset value (the asset can be personal privacy)
- Assess threats
- Vulnerabilities (exposure) of assets
- Identify risks = function {asset, threat, vulnerability}
- Controls and mitigations
- Resulting in residual risk
Issue: quantitative or not?

Notes: As the Data Protection Directive has been in place for 17 years, there is no real issue about what is identifiable from that perspective. It includes the types of things mentioned on the slide, plus various behavioural information: potentially anything that can narrow down the identification of a person. So the unique chip ID in the RFID tag of a loan item, irrespective of whether any other data is on the tag, makes a person identifiable for a period of time. The standard will propose a methodical approach. Assets are physical things that have RFID tags; in the case of a library, this could be a membership card, an RFID tag on a book, or a payment card. Each of these assets has data associated with it, and it is this data that gives the asset a value. RFID threats and vulnerabilities generally apply to an air interface protocol and the tags and readers that comply with that protocol. We already have an answer to the question of whether risk assessment should be quantitative or not, and the answer is yes. The EN specifies some simple scores for assets, threats and vulnerabilities that result in a risk analysis score ranging from 0 to 8. Controls and counter-measures can reduce the risk, and these controls can even be implemented on the application side. Remember I mentioned a PIA summary; this will require the residual risk score to be notified to users of the application.
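The point made on slide 17 (an attacker with a writing NFC phone only needs to change some byte values to break the application) and the remark on slide 18 that controls can be implemented on the application side are worth seeing together in code. The following is an added example, not code from the presentation, from Convergent Software or from any standard. It uses a constructed, deliberately simple tag layout that is not the ISO library data model, a constructed reader key, and a constructed item identifier. A naive reader accepts a blindly tampered tag; a CRC-only reader catches the blind tamper but is fooled by an attacker who recomputes the public CRC; a reader that also checks a keyed MAC rejects both.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed tag layout for this example only (NOT the ISO library data
# model or any vendor's encoding):
#   1 byte version | 16 bytes item identifier (ASCII, NUL padded) |
#   1 byte item kind | 2 bytes CRC-16/CCITT over the preceding 18 bytes |
#   8 bytes truncated HMAC-SHA256 over the same 18 bytes
VERSION = 1
ID_LEN = 16
PAYLOAD_LEN = 1 + ID_LEN + 1
FMT = ">B%dsB" % ID_LEN
KIND_OFFSET = 1 + ID_LEN


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (polynomial 0x1021, initial value 0xFFFF, no reflection)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc


def _mac(payload: bytes, key: bytes) -> bytes:
    """Keyed integrity tag. The key lives in the library's readers, never on the tag."""
    return hmac.new(key, payload, hashlib.sha256).digest()[:8]


def encode_tag(item_id: str, kind: int, key: bytes) -> bytes:
    """Write side: payload, then CRC, then MAC."""
    payload = struct.pack(FMT, VERSION, item_id.encode("ascii"), kind)
    return payload + struct.pack(">H", crc16_ccitt(payload)) + _mac(payload, key)


def read_naive(tag: bytes) -> dict:
    """Reader that trusts the tag contents outright (no integrity check at all)."""
    version, ident, kind = struct.unpack_from(FMT, tag, 0)
    return {"version": version,
            "item_id": ident.rstrip(b"\0").decode("ascii", "replace"),
            "kind": kind}


def read_checked(tag: bytes, key: bytes, check_mac: bool = True) -> Optional[dict]:
    """Reader with an application-side control: reject the tag unless the CRC
    (and, when check_mac is set, the MAC) verifies. Returns None on rejection."""
    payload = tag[:PAYLOAD_LEN]
    crc = struct.unpack_from(">H", tag, PAYLOAD_LEN)[0]
    mac = tag[PAYLOAD_LEN + 2:PAYLOAD_LEN + 10]
    if crc != crc16_ccitt(payload):
        return None
    if check_mac and not hmac.compare_digest(mac, _mac(payload, key)):
        return None
    return read_naive(tag)


def flip_byte(tag: bytes, offset: int, xor: int = 0xFF) -> bytes:
    """Blind tamper: one byte is changed without knowing what it encodes."""
    out = bytearray(tag)
    out[offset] ^= xor
    return bytes(out)


def forge_with_crc(tag: bytes, offset: int, xor: int = 0xFF) -> bytes:
    """Informed tamper: the attacker knows the (public) CRC algorithm and
    recomputes it, but does not hold the MAC key, so the MAC is left stale."""
    payload = bytearray(tag[:PAYLOAD_LEN])
    payload[offset] ^= xor
    payload = bytes(payload)
    return payload + struct.pack(">H", crc16_ccitt(payload)) + tag[PAYLOAD_LEN + 2:]


if __name__ == "__main__":
    key = b"constructed-library-reader-key"          # constructed, not a real key
    tag = encode_tag("LIB-00012345", 0, key)          # constructed item identifier
    blind = flip_byte(tag, KIND_OFFSET)
    print("naive reader, blind tamper:   ", read_naive(blind))
    print("checked reader, blind tamper: ", read_checked(blind, key))
    forged = forge_with_crc(tag, KIND_OFFSET)
    print("CRC-only reader, forged tag:  ", read_checked(forged, key, check_mac=False))
    print("CRC+MAC reader, forged tag:   ", read_checked(forged, key))
```

Two caveats a practitioner should keep in mind. First, neither the CRC nor the MAC does anything for privacy: both only let the reader detect that a tag was changed, and the chip ID and payload remain readable by anyone in range, which is the point slide 18 makes about identifiability. Second, a keyed MAC means every reader holds the key, including any staff smartphone used as an interrogator, so key distribution and revocation become part of the application-side control and belong in the PIA.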

Slide 19: EN: PIA Process: Take-up
Challenge: both the Recommendation and the EN that we are drafting have no legal basis for implementation.
Approach: the EN will identify, as a best practice, why a PIA needs to be undertaken even for an established RFID system. Here are three drivers:
- Governments (at all levels) as RFID operators: ID cards, transport systems, libraries, even contactless payments. Potentially the best opportunity for rapid take-up.
- Alignment with sector templates: do organisations want to be exposed as not interested in privacy?
- The signage, which will have a blank entry for the source of the PIA summary.

Notes: Take-up of the Privacy Impact Assessment is a challenge, because both the Recommendation and the EN have no legal basis for implementation. However, we have had discussions with the Information Commissioner's Office, and we also know that the French and German data protection authorities are highly interested. As you can see from this approach, the main drivers are considered to be governments, the development of sector templates, and the embarrassment factor of having to display a sign but not provide any information about the Privacy Impact Assessment.

Slide 20: EN: PIA Process: Tools
The EN will describe the process and, to assist risk assessment, list:
- Assets and associated data elements
- RFID threats
- RFID vulnerabilities
- Device privacy capability statements provided by vendors and held on a publicly accessible database
Templates:
- Sector level, e.g. libraries, based on ISO
- Application level, e.g. contactless payment cards, staff ID cards

Notes: If we are considering something for libraries, the EN provides rules for determining the risk value based on the assets, threats, vulnerabilities and controls. Another key thing that has been developed is a Privacy Capability Statement for RFID tags, the capabilities of their inherent chips, and RFID interrogators or readers. These will be available on a publicly accessible database and take some of the mystique out of RFID. There is potential to develop templates for the library sector, for example based on ISO, and for specific applications like contactless payment cards and staff ID cards.

Slide 21: Implications for Libraries
- No legal requirement yet, but the new Data Protection and Privacy Regulation is on the way
- There will be pressure to display the sign
- The sign without a summary PIA will expose libraries
- Conclusion: need to move forward in parallel with the standard; library ownership might be a factor to accelerate
- The technology is not without vulnerabilities, and more are exposed in the security area
- Enhancing privacy and security is the ideal driver
- Who takes the lead in the library sector?

Notes: As I have mentioned, there is no legal requirement to do anything yet, but given the new Data Protection and Privacy Regulation, it would be unwise to do nothing. Once the signs are displayed, anyone without a summary PIA would expose their library. So the conclusion is that there is a need to move forward to comply with the Recommendation and enhance privacy and security on the way. One big question is who takes the lead in the library sector, given what has unfortunately been a reasonably high degree of apathy over the past few years. Convergent Software Limited has already launched some software to help libraries with planning and understanding of ISO. We will be extending that service to cover privacy and security aspects for libraries. Depending on the interest, we might get even more involved.

Slide 22: Timetable for the ENs
- Work started March 2012
- CEN TC 225 meetings in December and January
- Translation March; month public enquiry
- August/September 2013: final text. At this point all technical details and content are stable
- Translation December; month formal vote, simple Yes/No
- Publication: February 2014 or later
- What will the library community have achieved?

Notes: This slide shows the aggressive timetable. I have to deliver the first complete draft of the Privacy Impact Assessment standard by 20 November. As the slide shows, there are a few steps to go through, but publication should be complete by the first quarter of 2014, and the big question is "What will the library community have achieved by then?"

Slide 23: Thanks for Your Attention

Notes: Thank you for your attention. I will be pleased to talk to anyone about the challenges of RFID privacy and security. Contact: info@convergent-software.co.uk or visit our website.