Title: SOCIO-ECONOMIC AND RFID TECHNOLOGY INHERENT CONSIDERATIONS

Impossibility of Avoidance

It is claimed that the usage of RFID technology leads to measurable positive economic effects through optimised processes especially in the area of production and logistics . Moreover we are just at the beginning of widely industrial application of RFID technology. Therefore many experts expect a boost in cost reduction when RFID becomes a well established technology.

In fact the expected cost reduction and rising productivity are the main drivers behind RFID technology. The economists hope that in the end the usage of RFID technology will result in competitive advantages in a world with ongoing globalisation. Note that these are not negative goals in themselves. However, as these are the primary goals they set clear restrictions, constraints and requirements for any approach towards a holistic privacy framework for RFID. 

Due to globalisation, one has to respect that any solution (including regulations) which just targets at the national level will not be successful. For the global problem one needs to develop globally applicable solutions. In order to give just one example of the difficulties arising from this, it would not be possible to suggest security or privacy protecting technologies which require cryptographic mechanisms which are forbidden in certain countries. Otherwise it would imply that one has to produce different RFID tags and related infrastructure for different countries which will result in an increase of costs - which would be fundamental contradictory to the primary goals of RFID. 

Another related aspect is that there already exist a lot of worldwide accepted RFID related standards and specifications. Hence any additional security or privacy protecting technology has to be as close and compatible as possible to these existing norms. They were on the other side often not developed with security or privacy in mind making the integration of security and privacy technologies even more difficult.

As a real world example, one can look at the development of the machine readable travel documents which are equipped with an RFID tag and offer only very limited protection mechanism due to the constraints implied by the necessary world wide agreements on them. Another problem which is exemplified by the machine readable travel documents (MRTD) is the multiplication of problems if two technologies carrying a number of known risks are combined (like combining biometrics and RFIDs in the case of the MRTD). This combination may not only lead to a new quantity of problems but very often also to a new quality of them . Taking into account that RFID is a key (or enabling) technology for ubiquitous computing and ambient intelligence it can be foreseen that the security and privacy problems of both technologies will be multiplied in much the same way as it happened in the MRTD case.

As mentioned above, one of (or maybe the main) driver behind RFID from an industrial point of view is cost reduction. One has to take this into account especially because many of the RFID related use cases would address the mass market. Some of the visions are that every single item sold for instance in a supermarket will have at least one RFID tag attached in order to reduce the logistics costs. This clearly implies that there have to be RFID tags which are extremely cheap. Otherwise these visions are unrealistic. The implications regarding security and privacy protection are manifold: Security and privacy protecting technologies applied in these RFID applications have to be very cheap. Originate from the state of the art and the experience with existing general purpose security technologies and their usual cost one can deduce that the cost restrictions will lead to some kind of “security and privacy protection ultra light”. Depending on the use case this does not need to be an inadequate solution for the given use case. However, given the fact that such cheap security solutions will exist, it can be foreseen that they would even be applied in use cases where they are not adequate. This will be even the case in situations where the usage of more expensive (and also more secure resp. privacy friendly) solutions would be in principle viable (from an economic point of view).

Forcing the producers or users of RFID technology to implement uneconomic but more secure solutions by means of laws and regulations seems to be at least problematic. If this is not done at a global scale (which is unrealistic in itself) it will mean that a certain country has to give up its potential competitive advantages. 

Lack of Awareness

Surveys on the value of privacy for individuals (in terms of cost one is willing to accept for its protection) clearly indicate that the usual European citizen sacrifices his privacy even for small amounts of monetary advantages . This is just another reason why any security or privacy protecting technology in the area of RFID has to be extremely cheap.

Moreover RFID advocates might claim that there are no new privacy problems related to RFID, because also existing technologies like discount/consumer cards, mobile phones etc. could be used for all kinds of profiling. Similar to discount cards consumers are enticed with monetary advantages (for example in case of shaver blades where the expectation is a reduction of the overall dwindling of 40 percent which would lead to an adequate passing of the cost advantages to the consumers) - therefore the privacy risky behaviour of the consumers would be similar in the RFID case. 

One possible counterbalance against the economic driven usage and development of RFID technology could be the normal citizen whose privacy is affected by that technology. However, not only might citizens accept to give away privacy for small monetary advantages - the situation is even worse because people are often not aware of the risks. According to a Capgemini study from 2005, 85 percent of the European consumers have not even an idea what RFID means or how this technology works. Therefore they cannot make any conscious decision for or against it. Nevertheless, as RFID gets more and more into the focus of the public attention, scientific literature and other media start to report also about the privacy related problems and risk.

A difficulty with explaining the privacy risk of the RFID technology to the masses is that RFID advocates can argue that RFID is not more than just a “thumb” number on a thing (as this is one of the main implementations of RFID at the moment). Hence the RFID (tag) in itself is not per se a privacy harming technology - it might even be possible that in a given area of application of RFID no personal data at all will be processed as discussed in Section 4.2.1. Very often the problems arise only from combining the core RFID technology with other supporting technologies (backend processing etc.). This could lead to a reduction of privacy piece by piece, where every single piece in itself is not a big risk/harm to privacy (as we have seen it in many other areas). At the end one could raise the question: Which technology is responsible for the privacy problems? Is it really the RFID tag or the data warehouse behind it? 

If one just has a dip into the RFID related literature one could get the impression that the privacy problems of RFID are not only well understood but also many solutions exist which can solve all the problems. This impression arises from the fact that almost all RFID related publications have a section/chapter which deals with privacy/data protection problems. However, apart from that it is realised that privacy and data protection is a real problem in the area of RFID, they actually are not offering useful solutions for most scenarios of application of RFID. They very often just anticipate solutions sometime in the future. If these sections/chapters indeed offer some solutions, then the proposed solutions are very often very abstract and sketchy, so that in most cases they will not work well or are not feasible in practice. One of the main problems for privacy and data protection arising from such kind of publications is that RFID advocates can promise that data protection is of crucial importance for them - as one can easily see from the huge number of pages they dedicate to this topic. We refer to FIDIS deliverable 7.7 for an approach that takes into account the far reaching consequences of untimely adoption of RFID systems. 

Controllability, perceived Control and Usability

One factor which supports and explains the unawareness among customer’s results from the very small size a typical RFID tag has . They are simply invisible or even embedded within the material a certain thing is made off. Besides the negative impact on awareness this kind of physical manifestation also leads to problems for implementing security or privacy protecting mechanisms - especially because it is impossible in most cases to have an adequate user interface directly on the RFID tag. Hence it is difficult to develop convincing and trustworthy privacy solutions for RFID because one cannot directly interact with the source of the problem or may not even see it. The technology trend goes to the direct integration of RFID tags into the material of the components / parts of things. Therefore a decoupling of RFID tag and RFID marked object is usually impossible.

At the end it leads to the question of control from different perspectives. From the users’ perspective the following questions are relevant such as:  

1. Do I take part as “user” in an RFID system? Which one(s)? Who is operating it (or them)? 

2. Are benefits and risks of these systems balanced in a way I personally can accept? 

From the operators’ or vendors’ perspective: 

1. Which factors influence the acceptance of RFID from the users’ perspective? The results of recent research gives evidence, that (1) the social power and trustworthiness of the operator or service provider, (2) perceived usefulness, (3) perceived ease of use and (4) perceived control (or balance of control) in the context of RFID systems by the user play a major role in addition to personal preferences with respect to technology (see also [16]).

2. How to convince the user that a privacy measure like deactivating the RFID chip really happened? In other more “classical” areas this could be done much easier. As an example just think off a hard drive with some personal data on it, where the revealing of this data would be a privacy breach. In this case one can imagine applying all sorts of physical destruction to the hard drive to convince themselves that the data on the magnetic slices could not be reconstructed with reasonable investments. In the case of RFIDs, it is however really hard to be convinced that whatever attempts of destructions that one has done was really successful. 

Moreover destroying the RFID tag as a measure for deactivating them is in many scenarios not the goal of the users. Normally the users wants to benefit from RFID too (as already said, security and privacy are not the primary goals of RIFD technology), but in a controlled, self-determined and balanced way. Control by the user in many cases is not understood in the same way as security or data protection specialists understand it. Technology acceptance research generally knows possession of parts of the system (a piece of technology) as a strong factor influencing the perception of control in a positive way . But in the context of RFID systems this influence seems to be very limited due to the limited capability of RFID tags. Hence the question is: how to convince the user that he can control the RFID system and thus the data associated with the tag? This becomes even more difficult because of the wireless communication capabilities as well as the wireless energy absorption possibilities. The problem is not only that the data transmission uses a technology inherent broadcast (at least at the lowest communication level). It is also extremely difficult (or even impossible for human beings) to recognise, if a certain data transmission happens right now or not. Moreover the same difficulties exist just for recognising / influencing the communication capability / inability as well as the functioning of an RFID tag. Here the situation is completely different to the one that a user normally knows from everyday experience with usual computers. If one wants to ensure that a normal PC does not reveal any secret data nor does any other unwanted processing of them one can simply unplug the network and power cables. A comparable measure does not exist in case of RFID tags (besides the already discussed and often unwanted destruction of the RFID tag). Although blocker tags and other devices to disrupt the communication at the physical layer are being developed or at least there is some research going on, they are up to now neither as efficient as necessary nor are the legal issues with these kind of blockers solved. But even if these difficulties could be solved the fundamental problem of uncertainty and thus a reduction in perceived trustworthiness still remains the same.