FIDIS Deliverable D12.3: A Holistic Privacy Framework for RFID Applications
Technical and organisational security aspects

Problem Summary and Conclusions

In this section we summarise the problems and constraints for achieving privacy-enhancing RFID applications that were discussed above. To make them concrete, we tie the specific problems to our example scenarios from chapter and grade the relevance of each problem for each scenario. Besides the specific problems illustrated by some of the scenarios, we also list general problems to which all of our scenarios apply.

From the different perspectives, the following list of problems can be distilled from the discussions above.

Legal

  1. Information stored in an RFID tag does not always qualify as personal data. The collection and processing of data via RFID technology is covered by the provisions of the data protection directive only when the information stored in the RFID tag refers to an identified or identifiable person, thus qualifying as personal data, or when this information can be linked to other personal data (Art. 2 (a) data protection directive).

    Scenario relation

    Highly related: S4 (The Metro Future Store in Rheinberg): The comment added at the end of use case S4, with the Art. 29 WP example, illustrates that customer profiling can also be done without real identifiers.

  2. Personal data must be processed fairly and lawfully. This principle is not always respected in RFID applications.

    Scenario relation

    Highly related: S4 (The Metro Future Store in Rheinberg): In this use case there were no grounds making the data processing legitimate, as the consent given when the customers applied for a loyalty card was not valid, because the customers were not properly informed (see P03).

  3. Consent is a legitimate ground for data processing. However, consent is not valid when the data subject is not properly informed. How can we handle the consent problem in an RFID environment?

    Scenario relation

    Highly related: S4 (The Metro Future Store in Rheinberg): In this use case the customers were not properly informed about the use of RFID tags in the loyalty cards and about all purposes for which their data would be processed; consequently the consents given when they applied for loyalty cards were not valid.

  4. The data protection directive grants the data subject several rights (right to be informed, right of access, right to object, right to delete, etc.). The data subject cannot exercise these rights in RFID applications if, for instance, he is not informed about the processing of his data at all.

    Scenario relation

    Highly related: S4 (The Metro Future Store in Rheinberg), where the customers were not informed about the use of RFID tags. Also in use case S5 (Usage of RFID Technology in Educational Settings), the users were probably not properly informed about the extent of the personal data processing. Labels should inform the users about the use of RFID tags and readers in the exhibits and in the RFID token given to the visitor at the beginning of the visit.

  5. In cases of automatic processing of the data, the data subject is entitled to know the logic involved in this (Art. 12 data protection directive), which is not always the case in RFID applications.

    Scenario relation

    Related: S4 (The Metro Future Store in Rheinberg)

  6. Consumer profiling is not allowed when it is based on illegal means. This principle is not always respected in RFID applications or can be questioned due to the consent problem.

    Scenario relation

    Related: S4 (The Metro Future Store in Rheinberg)
    Marginally related: S5 (Usage of RFID Technology in Educational Settings)

  7. The data controller has to take ‘appropriate technical and organisational measures’ to protect personal data (Art. 17 data protection directive). However, it is not obvious which measures are considered ‘appropriate’.

    Scenario relation

    Related: Scenarios S1 (Attack on an RFID System) and S2 (Enhanced Proximity Card) both provide examples where we can assume that no appropriate security measures were taken.

  8. Article 9 ePrivacy directive contains specific provisions regarding Location Based Services (or value added services in general). For Article 9 to apply, the service needs to be offered via a public communications network, and it is not always clear when this is the case in RFID applications.

    Scenario relation

    Related: S4 (The Metro Future Store in Rheinberg) illustrates how location tracking was done by the shopping assistant for displaying location-specific personalised shopping lists. Also scenarios S5 (Usage of RFID Technology in Educational Settings) and S7 (Scenario for Social Inclusion) are based on location tracking via RFID technology.

  9. The processing of personal data shall take place in a transparent way. Lack of transparency implies breach of the data protection legislation.

    Scenario relation

    Highly related: S4 (The Metro Future Store in Rheinberg) gives an example where the processing and profiling of personal data via RFID tags is not transparent to the customers. S3 (An Identity Manager for RFID Tags) illustrates how the “data track” functionality can enhance transparency for the end users.

 

Ethical

  1. RFID in combination with profiling can be a major privacy concern.

    Scenario relation

    Highly related: Privacy problems of profiling via RFID systems are illustrated by S4 (The Metro Future Store in Rheinberg) and S5 (Usage of RFID Technology in Educational Settings).

  2. As detailed regulations of ethical issues are typically not possible, the fundamental principles themselves have to be formulated in an easily applicable and understandable way. How do we do this?

  3. The central point of “respect the privacy of others” asks for PETs focusing on RFID. However, currently there are no such PETs for RFID that provide appropriate protection.

    Scenario relation

    Highly related: S3 (An Identity Manager for RFID Tags) and S6 (RFID at the CVS Cooperation), where special killer tags were used, describe some possible PET approaches.

  4. The central problems, privacy issues and impacts of RFID must be formulated in a “comprehensive and thorough evaluation”. How do we perform such an evaluation?

  5. The public awareness and understanding of the possibilities of use and abuse of RFID must be raised. How is this handled best?

  6. The applicability of codes of ethics and conduct in the context of RFID systems must be widespread.

Socio-Economic and RFID technology inherent problems

  1. Both the core RFID infrastructure (RFID tag and RFID reader) and, especially, the backend system have to be secured.

    Scenario relation

    Highly related: S1 (Attack on an RFID system) and S2 (Enhanced Proximity Card) describe attacks where the RFID infrastructure and/or backend system were not properly protected.

  2. PETs for RFID have to be globally applicable; this could prevent the usage of certain security technologies.

 

  1. Cheap RFID tags, as used in most of today’s RFID systems, offer the user very limited control over the system’s behaviour or over the processing of data. This potentially also hampers technology acceptance.

    Scenario relation

    Highly related: S3 (An Identity Manager for RFID tags) illustrates how an additional mobile Identity Management device can enhance user control.
    Related: S4 (The Metro Future Store in Rheinberg) is an example where the use of cheap RFID tags for supermarket applications limits the possibilities of user control.

  2. PETs for RFID have to respect existing standards and specifications, which were not made with privacy in mind; this will lead to all sorts of restrictions and workarounds.

  3. Purely national laws and regulations are not a feasible solution; the international agreements needed instead bring obvious drawbacks (e.g. long implementation times, consensus only on a minimal base, etc.).


  4. PETs for RFID have to be extremely cheap; this, however, does not allow effective protection of the valuable asset of privacy in many situations.

    Scenario relation

    Highly related: S4 (The Metro Future Store in Rheinberg) is an example where the use of cheap RFID tags for supermarket applications limits the possibilities of privacy protection.
    Related: S1 (Attack on an RFID System) and S2 (Enhanced Proximity Card) illustrate the resulting security problems.
    Marginally related: S6 (RFID at the CVS Cooperation) provides an example for inexpensive solutions (killer tags), which can be applied for some privacy-sensitive applications such as the management of pharmaceuticals.

  5. PETs for RFID have to cope with the physical manifestation of the RFID tag (e.g. very small size, embedding within the material, etc.) and related limitations (energy, storage, computing power, etc.).

  6. PETs for RFID have to solve the problem of control and uncertainty in order to achieve trustworthiness.

    Scenario relation

    Highly related: Scenarios S4 (The Metro Future Store in Rheinberg), S5 (Usage of RFID Technology in Educational Settings) and S6 (RFID at the CVS Cooperation) are examples of privacy-sensitive applications where trustworthiness plays an essential role.

  7. PETs for RFID have to deal with the problems and risks arising from wireless communication.

    Scenario relation

    Related: S1 (Attack on an RFID System), S2 (Enhanced Proximity Card) and S7 (Scenario for Social Inclusion) illustrate security incidents that were possible because wireless communication risks were not properly addressed.

  8. PETs for RFID have to implement a multi-layer approach; this requires integrating privacy-enhancing technologies on various layers, which often cannot be done in a straightforward way.

  9. PETs for RFID have to consider a huge variety of different kinds of RFID tags and readers (active, passive, etc.) as well as areas of application; this makes a “one-size-fits-all” privacy framework more difficult or impossible.

    Scenario relation

    Highly related: S7 (Scenario for Social Inclusion), where several types of agile readers were used.

Technical security aspects

  1. It must be possible to control access to the information on the tag if it contains personal or otherwise sensitive information. This is usually handled by some form of access control or encryption mechanism. However, current limitations in the computational capabilities of RFID tags make these types of solutions infeasible or too expensive. How do we solve this dilemma?

    Scenario relation

    Highly related: S3 (An Identity Manager for RFID tags) illustrates a possible approach to address this problem.

  2. It must be possible to control the ability to alter the information if it can be changed in any way and if we need to rely on the information stored. How can this be achieved within the economic and technical constraints of an RFID system?

    Scenario relation

    Related: S1 (Attack on an RFID System), which illustrates the consequences of missing access control.

  3. If the tag is to be used successfully as an authenticator, then it needs both confidentiality mechanisms and integrity mechanisms, regardless of the information stored. Furthermore, there must be a way to guarantee that tags cannot be physically removed or switched. How do we solve this in an RFID system?

    Scenario relation

    Related: S2 (Enhanced Proximity Card) illustrates cloning attacks that are possible due to inadequate protection. In S6 (RFID at the CVS Cooperation), the risk that tags for pharmaceuticals can be removed or switched has to be addressed.

  4. In order to guarantee accountability, we need a tamperproof mechanism that in some way records who did what and when. How do we construct such a mechanism in an RFID environment?

    Scenario relation

    Related: S2 (Enhanced Proximity Card) describes how the cloning attack was not detected in time due to missing accountability measures. Scenario S3 (An Identity Manager for RFID Tags) provides, with the “data track” functionality, an example of technical means for enhancing accountability.
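The four technical requirements above (access control on the tag, integrity, the tag as an authenticator that resists the cloning seen in S2, and an accountability record) can be made concrete in a small simulation. The following is an added example written for this summary; it is not code from the FIDIS deliverable or from any of the scenario systems, and the tag UIDs, keys, reader name and event format are all constructed. It contrasts a static-identifier tag, whose response an eavesdropper can replay from a cloned device, with a tag that answers a fresh reader nonce with a keyed MAC, and it appends each read to a hash-chained event log so that a later alteration of a record becomes detectable.

```python
import hashlib
import hmac
import json
import os

# Constructed reader database: tag UID -> per-tag secret, or None for a cheap
# static-ID tag that carries no key. All values are made up for this example.
TAG_DB = {
    bytes.fromhex("01020304"): None,            # static-ID tag (no key)
    bytes.fromhex("0a0b0c0d"): os.urandom(16),  # keyed tag
}


class StaticIdTag:
    """Cheap tag: answers every read with its fixed UID and ignores the challenge."""
    def __init__(self, uid):
        self.uid = uid

    def respond(self, challenge):
        return self.uid, b""


class KeyedTag:
    """Tag holding a per-tag secret; proves possession with an HMAC over the reader's nonce."""
    def __init__(self, uid, key):
        self.uid, self._key = uid, key

    def respond(self, challenge):
        return self.uid, hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


class ReplayClone:
    """Attacker's emulator: replays one eavesdropped (uid, proof) pair to every reader."""
    def __init__(self, captured):
        self.captured = captured

    def respond(self, challenge):
        return self.captured


def verify(uid, challenge, proof, db=TAG_DB):
    """Reader-side check: static tags pass on UID alone; keyed tags must answer this nonce."""
    if uid not in db:
        return False
    key = db[uid]
    if key is None:
        return True  # weak: anyone who has heard the UID once is accepted
    expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)


def read_tag(tag, db=TAG_DB):
    """One reader transaction: fresh nonce out, (uid, proof) back, accept/reject decision."""
    challenge = os.urandom(16)
    uid, proof = tag.respond(challenge)
    return uid, proof, verify(uid, challenge, proof, db)


def append_event(log, reader_id, uid, accepted, seq):
    """Append a read event whose digest also covers the previous entry's digest (hash chain)."""
    prev = log[-1]["digest"] if log else "0" * 64
    entry = {"seq": seq, "reader": reader_id, "uid": uid.hex(), "accepted": accepted, "prev": prev}
    entry["digest"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry


def chain_intact(log):
    """Recompute every digest and link; an edited, dropped or reordered record breaks the chain."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "digest"}
        recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body["prev"] != prev or recomputed != entry["digest"]:
            return False
        prev = entry["digest"]
    return True


def demo():
    """Genuine read, eavesdrop, replay from a clone; then an attempt to doctor the log."""
    keyed_uid = bytes.fromhex("0a0b0c0d")
    tags = {
        "static": StaticIdTag(bytes.fromhex("01020304")),
        "keyed": KeyedTag(keyed_uid, TAG_DB[keyed_uid]),
    }
    log, results = [], {}
    for i, (name, tag) in enumerate(tags.items()):
        uid, proof, genuine_ok = read_tag(tag)          # attacker records uid and proof
        append_event(log, "door-1", uid, genuine_ok, 2 * i)
        _, _, clone_ok = read_tag(ReplayClone((uid, proof)))
        append_event(log, "door-1", uid, clone_ok, 2 * i + 1)
        results[name] = (genuine_ok, clone_ok)
    intact_before = chain_intact(log)
    log[1]["accepted"] = False                           # insider rewrites the clone's successful read
    return results, intact_before, chain_intact(log)


if __name__ == "__main__":
    print(demo())  # ({'static': (True, True), 'keyed': (True, False)}, True, False)
```

The replay succeeds against the static tag because the reader's only check is whether the UID is in its database, which is the situation S2 describes. The keyed tag defeats the replay because each read binds the proof to a nonce the attacker could not predict, but this costs per-tag key storage and a MAC computation on the tag, exactly the capability and price tension raised in item 1, and it does not by itself stop relay attacks or key extraction from a tag in the attacker's hands. The hash chain only turns the log into an accountability record, in the sense of item 4, if the latest digest is regularly anchored somewhere the log's own custodian cannot rewrite; otherwise the insider who edits a record can simply recompute the chain.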

One can conclude that there are many privacy-related problems with RFID technology. The main difficulties for a solution arise from the wide range of constraints and preconditions that have to be respected if one wants to develop a successful holistic privacy framework for RFID. This clearly restricts the possible solution space.

fidis-wp12-d12.3_Holistic_Privacy_Framework_for_RFID_Applications.sxw