RFID privacy and security article published in Stepping Stone

The below article was recently published in Linda Ockwell-Jenner's Stepping Stone newsletter issue 39. The "Remove before washing" tag on the inside of your new sweater, the special key that is needed to start your car, and the dashboard mounted device that lets you use the fast lane, these are examples of Radio Tags. Radio Frequency Identification (RFID), or Radio Tags, are an automatic identification technology, used in similar applications as bar codes, the lines and spaces that are scanned at the grocery store, and two dimensional symbols, the rectangle of static that gets scanned by shipping companies. Q.E.D. Systems contributed heavily to the development of bar codes and two dimensional symbols and has become a clearing house for automatic identification standards. Q.E.D. is helping build a risk analysis framework for RFID privacy and security. On weekly conference calls and in quarterly face-to-face meetings; end users, solution providers, and international GS1 organizations gather to discuss how this new technology can satisfy consumer protection while capitalizing on this promising technology. RFID has been around since Harry Stockman wrote "Communications by Means of Reflected Radar" in 1948, however it was not until the 1990s that the price came down far enough for commercial use in highway toll collection. In 2003 privacy became a hot button in the RFID industry when Italian clothing manufacturer Benetton put RFID tags into its clothing brand Sisley. It is no surprise that since 2003 numerous organizations have formed to discuss privacy and security matters relating to the use of RFID technology. The Center for Democracy and Technology (CDT) released the RFID Privacy Best Practices document which covers notice, choice and consent, information sharing of tag data, and security. The Electronic Privacy Information Center (EPIC) and the Electronic Frontier Foundation (EFF) dedicate time and resources to advocating privacy concerns and gather RFID privacy related information and news. EPCglobal, a key player in the retail RFID industry specifications, gathers subscribers to participate in the development of the Electronic Product Code (EPC) which is their own networking RFID product. Subscribers participate in the standards development process through action groups. To address the above mentioned security issues, EPCglobal's product data protection committee (PDPC) formed to study, analyze, and recommend a set of security, privacy and authentication requirements. Some of the same organizations that participate within EPCglobal, also participate with international standards bodies and their national equivalent. Groups such as the International Organization for Standardization (ISO), the American National Standards Institute (ANSI), Standards Canada, Association Francaise de Normalisation (AFNOR), Deutsches Institut für Normung (DIN), the National Institute for Standards and Technology (NIST), AIM Global and the Information Protection Commissioner (IPC) of Ontario, Canada are developing privacy and security documents which will serve as best practices, guidelines and standards for multiple industries. Q.E.D. Systems recently presented an overview of risks and vulnerabilities to EPCglobal. This work summarized the efforts of AIM Global RFID Experts Group, NIST, and the freight container industry; while adding Q.E.D.'s assessment of the viability of proposed countermeasures. For further information on Q.E.D. Systems services in the area of privacy and security contact Matthew J. Harmon at matthew.harmon@qed.org.