Work in progress in D7.9: Ambient Law

Conclusions

The emergence of RFID technology provides the potential for vast and varied applications, bringing with it both promise and peril. The use of RFID technology in several contexts, and its role as a prime Ambient Intelligence enabler, raises important data protection and privacy threats.

The basic principles of the current European regulatory framework on privacy and data protection apply in cases where processing of personal data takes place in relation to RFID technology. The specific provisions of the ePrivacy Directive are, however, not always applicable, as they presuppose processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks. RFID technology, however, neither needs a publicly available electronic communications network nor involves the respective providers. The European Commission has therefore identified this problem in its Communication on RFID and will publish, by the end of 2007, a Recommendation to Member States and stakeholders on how to handle the data security and privacy of smart radio tags.

Many proposals for PETs for RFID exist, but only a few of them seem to be really feasible. One of the main problems is that low-cost RFID tags cannot offer any solution for strong privacy. Nevertheless, in the short term the mechanisms suitable for a given area of application should be implemented in order to increase the level of privacy that RFID systems offer. In the long term many actions need to be taken to accomplish the goal of a holistic privacy framework for RFID which complies with strong privacy as well as security requirements.

In fact the descriptions above only mention technology building blocks which might be of use for a holistic privacy framework for RFID; they do not explain how these technologies could be orchestrated to obtain such a framework. The reason is that the current state of the art is a privacy patchwork for RFID rather than a holistic and integrative approach. Major effort in terms of research and development seems necessary to achieve a truly holistic privacy framework for RFID.

These necessary actions are associated with different levels: 

  1. on the technical level 

    1. RFID tags with hardware-efficient cryptographic hash functions, symmetric encryption, message authentication codes, random number generators and timeout mechanisms need to be developed.

    2. new RFID protocols need to be developed which use these new possibilities to enhance the already known privacy and security mechanisms for RFID

  2. on the political and regulative level 

    1. transparency and awareness need to be increased e.g. by laws which oblige labelling RFID tags and readers 

    2. research in the area of security and privacy for RFID needs to be intensified 

    3. the incentives for manufacturers and users of RFID technology to develop more privacy-friendly and secure solutions need to be increased
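As an added illustration, not part of the deliverable, of how the tag-side primitives listed under the technical level (keyed MAC, random number generator, timeout) combine into a privacy-enhancing read protocol: the simulated tag below never emits its identifier in clear, answers each read with a fresh nonce and MAC so that replies are unlinkable to an eavesdropper without the key, releases the identifier only to a reader that proves knowledge of the key, and goes silent after repeated failed proofs. HMAC-SHA256 as the MAC, the message layouts, the key database and the lock-out parameters are assumptions for the simulation.

```python
import hmac
import hashlib
import secrets

def mac(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 stands in for the hardware-efficient MAC the text calls for.
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class Tag:
    """Simulated tag: identifier never sent in clear; timeout after repeated failed reader proofs."""
    def __init__(self, tag_id, key, max_failures=3, lockout=5.0):
        self.tag_id, self.key = tag_id, key
        self.max_failures, self.lockout = max_failures, lockout
        self.failures, self.locked_until, self.session = 0, 0.0, None

    def respond(self, reader_nonce, now):
        if now < self.locked_until:
            return None                        # timeout in effect: stay silent
        tag_nonce = secrets.token_bytes(8)     # RNG: fresh per read, so replies are unlinkable
        self.session = (reader_nonce, tag_nonce)
        return tag_nonce, mac(self.key, b"tag", reader_nonce, tag_nonce)

    def unlock(self, reader_proof, now):
        """Release the identifier only to a reader that proves knowledge of the key."""
        if self.session is None or now < self.locked_until:
            return None
        reader_nonce, tag_nonce = self.session
        if hmac.compare_digest(reader_proof, mac(self.key, b"reader", reader_nonce, tag_nonce)):
            self.failures = 0
            return self.tag_id
        self.failures += 1
        if self.failures >= self.max_failures:  # timeout mechanism against guessing
            self.locked_until, self.failures = now + self.lockout, 0
        return None

class Reader:
    def __init__(self, key_db):
        self.key_db = key_db                   # tag_id -> key, held in the backend (assumed)

    def identify(self, tag, now):
        reader_nonce = secrets.token_bytes(8)
        reply = tag.respond(reader_nonce, now)
        if reply is None:
            return None
        tag_nonce, tag_mac = reply
        for tag_id, key in self.key_db.items():  # linear key search: the price of unlinkability
            if hmac.compare_digest(tag_mac, mac(key, b"tag", reader_nonce, tag_nonce)):
                return tag.unlock(mac(key, b"reader", reader_nonce, tag_nonce), now)
        return None
```

The `now` argument is a simulated clock so the lock-out can be exercised deterministically; a real tag would use its own timer.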

As problem P10 indicates, the combination of RFID and profiling, eventually coupled with many other means and techniques, may be a major privacy concern. Clearly, profiling itself already bears these problematic issues (e.g. ). In the context of RFID this problem – as already discussed in section – is of major importance.

The simplest solution clearly would be a PET focusing on RFID. However – as the discussion above and also problem P12 indicates – for the moment there is no such PET, one major issue being the very limited computation and storage capabilities of passive RFIDs. 

Clearly solutions to problems P16 and P17 are of major interest for this problem. For the focus of P16, there is lots of work to be done, yet there is also lots of knowledge and routine in securing backend systems. The more general ethical considerations must be integrated more thoroughly in this context, but this must be seen in a more general view not only fixed to RFID techniques, as backend systems are used in various environments for different goals.

The more intrinsically problematic issue of PETs for RFID being globally applicable is in the first instance a technical one, caused by the especially low capabilities (in storage and computing) of passive RFID tags.

Clearly there are different needs for different applications. There are applications that contain no (and will never contain) personal data at all, and in those cases there is no need for privacy solutions. Then there are applications where the tag or the system as a whole contains some form of non-sensitive personal data (or data that might in some period of the tag's life be considered non-sensitive personal data); in these cases some form of protection is needed, otherwise there will be no possibility to control access to this data. Finally there is the case where the tag contains (or could be linked to) sensitive personal data, or data that in some period of the tag's life could be classified as sensitive data. This case requires the explicit consent of the data subject or needs to fulfil one of the other requirements of Article 8 of the Data Protection Directive. In this case one would want the strongest possible (or justifiable) protection in order to stop unauthorised entities from reading or altering the data.
