Legal Aspects of RFID Technology

Similar documents
RFID and Privacy Impact Assessment (PIA)

RAIN Radio Protocol. December 2015

Low-cost RFID identification variation

Wireless# Guide to Wireless Communications. Objectives

Smart Brands and Product Protection 2005

Lightweight Cryptography for RFID Systems

EPC Standards: EPC Tag Classes: EPC Class Type Features Tag Type

SIMATIC RF630L Smartlabel 1. SIMATIC Sensors. RFID systems SIMATIC RF630L Smartlabel. Operating Instructions 06/2009 J31069-D0186-U001-A4-7618

This document is a preview generated by EVS

Igor Timoshenko Developing RFID library systems in the direction of integration into the global identification system EPC

SL3 ICS General description UCODE EPC G2

This document is a preview generated by EVS

Radio Frequency Identification (RFID) on Cisco Catalyst 9000 Family Switches

Managing the EPC Generation Gap An overview of EPC standard migration from Generation 1 To Generation 2 RFID tags. APPLICATION WHITE PAPER

RFID Technical Tutorial and Threat Modeling. Presented by: Neeraj Chaudhry University of Arkansas

Pre-Announcement of Administration of the (Proposed) Legislation of Management Guidelines for Display and Management of Unique Device Identifier

RFID & EPC Essentials. Version 01

Performance Analysis of Anti-collision Algorithm for Tag Identification Time Improvement

Implementation of Articles 15 and 16 of the Tobacco Products Directive Brussels 12 October 2017

Commission on Marketing and Advertising Task Force on Electronic Product Codes

ISO/IEC INTERNATIONAL STANDARD

ISO/IEC INTERNATIONAL STANDARD

Privacy Preservation and Mutual Authentication in RFID Systems

RFID Questions & Answers

RFID OVERVIEW. by ADC Technologies Group. Introduction to Radio Frequency Identification (RFID) Certified RFID Provider

IMPLEMENTATION FOR ENHANCING SECURITY OF RFID CARD

This document is a preview generated by EVS

A Review of RFID ISO Standards & CEN TC225 Developments. Paul Chartier Principal, Praxis Consultants Chair, CEN TC225 RFID Ad Hoc October 2007

Library Automation using RFID Technology

Design of the RFID for storage of biological information

RFID FAQs, not Fiction

Identity Management. ID management for people and objects

Secure EPCglobal Class-1 Gen-2 RFID System Against Security and Privacy Problems

Sponsors. Gold Sponsors. Silver Sponsors. Bronze Sponsors

EPC Primer. Erik Sundermann HUG Meeting - Paris 20th Sept 2006

ISO/IEC INTERNATIONAL STANDARD

OBID RFID by FEIG ELECTRONIC. RFID Reader Technologies: OBID i-scan HF / UHF

RFID Basics. Three primary frequency bands have been allocated for RFID use.

WHITEPAPER Barcoding, Incorporated How to Implement a Successful RFID Project Tom O Boyle, Director, RFID Systems Barcoding, Inc.

Module 7 Evaluation and Selection

RFID IN HEALTHCARE Technology Meets Stringent Safety Regulations for use in Medical Devices

RFID enabled Solutions TYRE MANAGEMENT

Real World Applications of RFID. Mr. Mike Rogers Bryan Senior High School Omaha, NE

Privacy Management for Medical Service Application using Mobile Phone collaborated with RFID Reader

RFID Technologies. By Francisco J. Carabez

Seminar: Communication Infrastructure, RFID Security

COMMISSION OF THE EUROPEAN COMMUNITIES COMMISSION RECOMMENDATION. of

INTERNATIONAL ENGLISH scripts, and voices for business

Novel Tag Anti-collision Algorithm with Adaptive Grouping

and they can be managed throughout their life-cycle. RFID tags are silicon chips with their IDs, radio frequency functions and some

ITU-T. JCA-NID Joint Coordination Activity on Network aspects of Identification Systems

System Virtualization and Efficient ID Transmission Method for RFID Tag Infrastructure Network

ISO/IEC INTERNATIONAL STANDARD

Security issues in RFID Middleware Systems: Proposed EPC implementation for network layer attacks

Retail and Apparel Workshop

Basics of EPC. Training

Reassignment Scheme of an RFID Tag s Key for Owner Transfer

White Paper. A B C s o f R F I D : U N D E R S T A N D I N G

UHF RFID 2017: In the world's most comprehensive study, the EECC investigates the chances and limitations of UHF transponders

RFID Privacy Protection

ISO/IEC TR TECHNICAL REPORT

ISO/IEC TR TECHNICAL REPORT

About The FILE Group of Companies

WEBINAR SERIES #4 EPC/RFID STANDARDS AND RFID STUFF YOU NEED TO KNOW

INNOV-6: "RFID Vapor, Fiction and Truths"

Modified Epc Global Network Architecture of Internet of Things for High Load Rfid Systems

RFID PRIVACY IN EUROPE Implications for Libraries. Paul Chartier Convergent Software Ltd. CILIP Conference, Nov 2012

ISO/IEC Information technology Mobile item identification and management Consumer privacy-protection protocol for Mobile RFID services

Facilitating & Protecting Global Commerce

Cyber-physical systems for processes and organisation NEO SKILLS PORTFOLIO

A Shopping Environment for Blind People Using RFID

EPCglobal Overview Delivering value through global standards

An RFID Based Generalized Integrated System for the Identification and Traceability of Products and Subsets in Enterprises

Guidelines for Using RFID Tags in Ontario Public Libraries

GS1 Identification Key Series - SSCC (Serial Shipping Container Code) Issue 1.1, July Table of Contents. 1. Definition of a SSCC...

Hyperion Economic Journal Year I, no.3(1), September 2013

How to start an RFID project. Anja Olbertz, GS1 Germany Uwe Quiede, TAILORIT GmbH

T H E I N T E R M E C G U I D E T O RFID TAG S E L E C T I O N

The research and design of the RFID track and trace system based on web services

RFID FOR TIRES. an enabler for new services. Julien DESTRAVES R&D MICHELIN. Page 1 / RAIN RFID Alliance / Julien DESTRAVES / June 2018 /

Avonwood Developments Ltd. Tel: +44 (0) Fax: +44 (0) Web:

SIMATIC Sensors RFID Systems

SIMATIC Sensors RFID Systems

In-Network Phased Filtering Mechanism for a Large-Scale RFID Inventory Application

Dimitar Popov Zeina Muallem

Challenges to data carrier in networked RFID

A proposed formula for comparing kill password effectiveness in single password RFID systems

Introduction to RFID

Traceability and Identification Solutions for Secure and Comfortable Society

A Improved Frame Slotted Aloha Protocol with Early End in Mobile RFID Systems

RFID EPC-Gen2 for Postal Applications: A Security and Privacy Survey

SIMATIC Sensors. RFID Systems SIMATIC RF. for optimization of material flow and logistics. Brochure September Answers for industry.

Security of Smartcard Based Payment Protocol

RFID supply chain standards. Brussels, 24 October 2007 Henri Barthel, GS1 Global Office

Neetu Singh 1, Lalit Kumar 2, Rishabh Wadhwa 3 and Naresh Kumar 4

Ubiquitous Computing in Business Processes Part III

Campus Tracking System Based On IoT Yibiao Pi

RFID (Radio Frequency IDentification)

Animal Radio Frequency Identification: Low Frequency Advanced Transponder with flexible memory organization

Implementation and Design of Digital System for High Frequency RFID Tag Chip

Transcription:

Legal Aspects of RFID Technology Jürgen Müller University of Kassel Provet Project Team for Constitutionally Compatible Technology Design Matthias Handy University of Rostock Institute of Applied Microelectronics & CS

"Living in a Smart Environment" Interdisciplinary international research project EE, CS, Law, Econ. 7 universities (Germany, Switzerland) Implications of Ubiquitous Computing Funded by Daimler-Benz-Foundation, Ladenburg http://www.smart-environment.de (in german) http://www.daimler-benz-stiftung.de (english)

Motivation A hype about RFID technology Published (and public) opinion is critical Feb.2004: Protest at Metro FutureStore 20-30 participants; worldwide headlines on TV, newspapers, Internet Main questions Are there legal issues in the use of RFID technology? How can privacy issues be solved (and consumers be conviced)?

Agenda Introduction Scenarios of RFID-applications Legal relevant application constellations Survey of applicable regulatory systems Need for protection Technical solutions Outlook

Elements of an RFID-System Transponder T T T Data Clock Energy Reader Application TCP/IP TCP/IP Network Network Transponder T T T Data Clock Energy Reader Application

Application Examples Constellation: Application Example: Goods with RFID-tags in retail stores as a customer information system Milk cartons RFID-tags given to customers as a customer card Payback Card Packaged goods and packaging with RFID-tags for internal logistic requirements Suitcase

Application Constellation From a legal point of view there are three main areas of relevance with respect to the use of RFID-Systems: RFID-tags as a means of identification and a means of information storage... attached to objects and used by third parties (Constellation 1) issued to the customer and used solely by the issuer or a third party (Constellation 2) used for internal or merely bilateral purposes (Constellation 3)

Overview: Legal Classification + Subsumtion (1) Applicable regulatory system: Constellation 1 TC-Law (-): E-Communication Framework-DIR (2002/21/EC), (-): bugging prohibition in PEC-DIR (2002/58/EC, Art. 5 I) because those regulations are only applicable for publicly available electronic communications services (-) TKG, except for bugging prohibition 89 TKG Unless RFID reading device is not in user s property and has a communication interface (e.g. WLAN IEEE 802.11) that is able to transmit data to a mobile device (e.g. PDA) of the user.

Overview: Legal Classification + Subsumtion (2) Constellation 1* Multimedia Laws Identifier Data: (-) E-Commerce-DIR 2000/31/EC; (-) TDG Non-Identifier Data: (+) E-Commerce-DIR 2000/31/EC; (+) TDG Unless there is no provider-user-relationship (e.g. in employeremployee relationship, recital no. 18 of EC-Dir) * Provided that: Directive 2000/31/EC bases on the conception of technological openess for information society services, and provided that RFID-tags will contain links to Intra- or Internet addresses (e.g. ONS) and in the long run possibility of RFIDtags storing data in multimedia form

Overview: Legal Classification + Subsumtion (3) Constellation 1 Data Protection Law Identifier Data: (+) Data Protection-DIR 95/46/EC; (+) BDSG Non-Identifier Data: (+) Data Protection-DIR 95/46/EC, (+) TDDSG; (+) BDSG Limitation of scope: 1 I Nr. 1 & 2 TDDSG (-) PEC-DIR 2002/58/EC, because there is no electronic communication service Only applicable for publicly available electronic communications services in public communications networks, Art. 3 I PEC-DIR 2002/58/EC, recital no. 10; Scope of DP-DIR 95/46/EC: applicable for non public communications services

Overview: Legal Classification + Subsumtion (4) Constellation 2 TC Law (-) Framework-DIR (2002/21/EC) (-) bugging prohibition PEC-DIR 2002/58/EC, Art. 5 I (-) TKG, except 89 TKG Multimedia Law Identifier: (-) E-Commerce-DIR 2000/31/EC; (-) TDG Non-Identifier: (-) E-Commerce-DIR 2000/31/EC; (-)TDG Data Protection Law Identifier: (+) DP-DIR 95/46/EC; (+) BDSG Non-Identifier: (+) DP-DIR 95/46/EC; (+) BDSG The transparency requirements of Art. 12 a) subsection 3 of DP-DIR 95/46/EC and of 6c BDSGare not applicable because RFID-tags are not yet able to use or change data

Overview: Legal Classification + Subsumtion (5) Constellation 3 TC- Law Multimedia Law Data Protection Law (-) Framework-DIR 2002/21/EC, (-) bugging prohibition PEC-DIR 2002/58/EC Art. 5 I (-) TKG, except 89 TKG Identifier: (-) E-Commerce-DIR 2000/31/EC; (-) TDG Non-Identifier: (-) E-Commerce-DIR 2000/31/EC; (-) TDG Identifier: (+) DP-DIR 95/46/EC; (+) BDSG Non-Identifier: (+) DP-DIR 95/46/EC; (+) BDSG

Technologically determined possibilities (1) Considering the features of RFID technology, these are the novel possibilities: Technical Features Radio interface Extremely small sizes Flexible materials Possibilities Sightless communication Unnoticeable placement on and in objects Undetachable and cheaply integrated into object Worldwide unique identifier Identifiability of RFID-tag Store for non-identifier data (optional) Content identity Integration into a background information system (e.g. ONS) Unlimited additional and context data about an object

Technologically determined possibilities (2) Technical Features No input or output medium apart from reader No access protocol Possibilities Unregistrability of the processes No access protection No data protection No communication protection Open data and communication Limited radio range Controllability in the radius of the range

Risks of RFID-Systems (1) Overview of Risks in the Use of RFID-Systems Imperceptibility of Presence Imperceptibility of Data Processing Sequences Taking Place No Control in Use of Object Omnipresence of Use Integration of Data Processing Processes into Behaviour and Actions of the Party Concerned No Escape from the Data Processing Processes

Risks of RFID-Systems (2) Object Related Data Traces (e.g. Movement Profile via Site Date of Reader) Object Related Context Data Higher Validity of Context Data Capacity for Re-recognition and Assignment of Object Capacity to Indentify and Read Patterns (Sequences and Habits) by Relationalization of Objects Detected Generation of Valid Knowledge on Re-recognition on Rerecognition of Patterns via Additional Data Danger of Manipulation of Open Data and Communication

Potentially Violated Rights Starting point: RFID-Systems are both Part of the Virtual Social World and the Real Physical World. Thus, the following Rights could be violated: Protection of Proprietary Rights (Art. 14 GG, Art. II-77 Constitution for Europe (draft)) Protection of Freedom of Action (Art. 2 I GG, Art. II-66 Constitution for Europe (draft)) Protection of Confidentiality of the communications or telecommunication privacy (Art. 10 GG, Art. II-67 Constitution for Europe (draft), Art. 8 EHRC) Protection of personal datas and informational self-determination (Art. 1 I, 2 I GG, Art. II-68 Constitution for Europe (draft))

Need for Protection (1) To guarantee telecommunications privacy (Art. 10 GG), personal data-protection and informational self-determination (Art. 1 I, 2 I GG), protection is necessary. Protection Programme that has to be incorporated: Proprietary Right ( 903 BGB) and Possession ( 872 BGB) Guarantee removal and deactivation rights Problemfelder No removal or deactivation rights in the case of temporary possession of property (e contrario 872 BGB), because this is no interference with possession ( 858 BGB) Technical and Organizational Protection Measurements according to 9 BDSG, DP-DIR 95/46/EC Art. 17 Securing Transponders against Bugging by Third Party Securing Data against Unauthorized Access and Manipulation

Need for Protection (2) Transparency Principle (DP-DIR 95/46/EC Art. 10, Art. 11 and Art. 12) Knowledge about use of RFID Systems Knowledge about type and content of processed data Knowledge about structure of data processing processes (also integration of data processing processes in a background information system, e.g. ONS) Knowledge about use of data gathered by RFID Systems Perceptibility of Sequence of Data Processing Procedures Perceptibility of the Communication Processes between RFID tag and Reader Perceptibility of the Purpose of the stored Data Perceptibility of Designation of Data Recipients

Need for Protection (3) Purpose Determination (DP-DIR 95/46/EC Art. 6, I b) Exclusion of Storage and Use of Data Recorded by RFID-tags, expecially for Commercial Use Informational Division of Powers (DP-DIR 95/46/EC Art. 6, I b) Hermetic Protection of Data according to their Purpose Determination Entailing Separation of Data in the RFID-tag Identifier with Serial Number Function of Data with Content Determination Data Avoidance ( 3a BDSG, DP-DIR 95/46/EC Art. 6 I c) Preventive Measures in the context of RFID application must be taken This contains also the Requirement to enable Deactivation or Removal of RFID-tags because they are potential Data Processing objects

Solutions Technical Approaches Existing Approaches: Blocker-Tag, Kill-Command, Meta-ID, Jamming Alternatives: Delete serial number; only object class remains on tag (same as bar code) Replace serial number with private (variable) inventory number break logical connection: RFID-Tag Object RFID-tag stores object's identity as bit sequence "Real" identity after decoding (look-up) Delete database entry of an object Limit access to look-up-service

Anticollision: Blocker Tag collision! A. Juels, R. Rivest, M. Szydlo; 2003 (Selective) Blocking of RFID tags Only works with binary search anticollision Simulates the full set of 2 k possible RFID-tag serial numbers Reader cannot tell which tags are really present Example: 48 bit ID, Reader reads 1000 tags/s: > 8000 years reading all tags collision! 0 00 01 collision! collision! collision! 000 001 010 011 100 101 110 111 1 collision! 10 11 collision! Blocker Tag Tag Tag Tag Tag Reader Anticollision protocol recursively asks: "What is your next bit?" Blocker tag always answers: "Both 1 and 0!"

Kill-Command As defined in EPC Protocol Specification for 900 MHz Tag Permanently disables a tag Kill command carries 24-bit passcode If command's passcode matches tag's passcode tag is killed Kill-Command 011010111011101110010011 T Reader 011010111011101110010011 = 011010111011101110010011 Kill successful

Replace Serial Number Drawback of the Kill-Command "Smart Appliances" won't work Better Approach: Delete or replace serial number; item reference (object class) remains Replace unique serial number with private inventory number Problem: Tracking Example: SGTIN-96 (Serialized Global Trade Identification Number) Company Prefix Item Reference Serial Number Header, Filter Value, Partition (14 bit) (20-40 bit) (24-4 bit) (38 bit) Deleted / replaced at check-out

Meta-ID* Tags able to store Meta-ID Owner can lock a tag: Computes hash-value of random key i.e. lock = hash(key) Tag stores lock-value and enters locked state To unlock tag: Owner sends original key value to tag Tag hashes key and compares it to stored value If match tag unlocked A locked tag only responds with its Meta-ID! Problem: Tracking Refresh Meta-ID! * Sarma et al., 2002

Application Identifier (AI) Indicates target application of RFID-tags (e.g. logistics) Reader includes AI in request RFID-tag only answers if AIReader = AITag AI can be locked by "owner" No AI in reader request No tag will respond! In ISO 15693: 8-bit AFI (Application Family Identifier) Reader transmits AFI with Inventory-Command Tags with different AFI don't respond No AFI in request All tags in range will respond!

Data Usage Identifier (DUI) Indicates intended data usage of RFID-Tag Assumption: Tag-ID not relevant; tag memory contains personal data Reader requests information tags respond with Tag-ID and DUI With DUI the user has to decide to acquire more data from a tag ISO/IEC 15693: DSFID: Data Storage Format Identifier

Results (1) Increase of risks with RFID usage, if there is: Increase of computational and storage capacity Integration of sensors Integration into networks "Better" energy supply for RFID tags The following apply to RFID systems: RFID systems are not per se a threat for privacy. Many regulations of existing data protection law can be applied.

Results (2) Objectives might be : Extended transparency regulations for RFID systems in multimedia law Extended transparency regulations for RFID systems in data protection law (latitude for member states DP-DIR 95/46/EC recital 53) Obligation to be able to deactivate RFID tags Strengthening of preventive action in data protection law Data protection should be concerned more with prevention, because with the use of RFID systems the interests of people only come into play when a lot of already processed data can be accessed.

Outlook Alliance between Technology und Law: Technology Law Technology Compatible with Law Law Compatible with Technology Protection of constitutional rights Law observing Technology Effective Law

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback