D3.6: Study on ID Documents

Title: RFID

The Legal and Procedural Perspective

Electronic identification documents (hereafter ID documents) are seen as a necessary upgrade of important paper documents. RFID tags are considered to have enough storage capacity to store biometric images and they are believed to ease the identity checks and enhance security. The equipment of ID documents with RFID tags is claimed to reduce fraud and prevent identity theft as the ID document will not be easily tampered. Furthermore the limiting of human inspection of the documents would help to lessen the amount of errors made.  

Standards and Legal Requirements

Legal sources with respect to RFID are described in chapter .

The ICAO Document 9303 for epassports mandates that the RFID chip contains the passport holder’s name, nationality, date of birth and sex as well as the passport number and its date of issue and expiry. Biometric information shall also be included, containing at a minimum a photograph. Similar information (holder’s name, date of birth, nationality etc. but sometimes also other information such as the place of birth or national register number) is included in every kind of electronic ID document. The ICAO blueprint does not require that the information stored in the RFID tag has to be encrypted, a fact that increases the dangers against the privacy of the holder.

All the aforementioned data that are saved on the RFID chip are information relating to an identified or identifiable natural person (in our case the ‘ID document holder’) and can therefore be considered as personal data according to the definition of the Data Protection Directive. The ID document holder needs to be informed about the data that are going to be included in the RFID tag and about the ways, in which she can access, rectify, erase or block incorrect data that is stored in the tag. The passport authorities need to have reading devices which enable the citizens to access their data stored on the chip and ask for their eventual rectification, erasure or blocking.

A basic principle in the field of data protection is the data minimisation principle; according to this principle the data shall be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. The data stored in the RFID tag shall be the data needed for the identification of the holder and be kept to the minimum.

Personal data shall be processed fairly and lawfully. The data shall be collected for a specified, explicit and legitimate purpose and be processed only for this purpose (finality principle). That means that the data collected for the issuing of an ID document cannot be further processed in a way incompatible with those purposes.

Privacy Threats

One of the major dangers regarding the use of RFID tags in electronic ID documents is the fact that the RFID tag can be read by any reader and not just the ones of the competent authorities. The unauthorised reading of the tag violates especially the finality principle and underestimates the consent of the ID document holder; therefore it must be guaranteed that only competent authorities are able to have access to the data stored in the chip. The ID holder shall give her prior unambiguous consent for a legitimate data processing to follow. However in the case of clandestine scanning or even eavesdropping she is not even aware that the collection and processing of her data is taking place and therefore she cannot consent to something of which she has no knowledge. ICAO admits that ‘although it is unlikely that unauthorised reading will occur, […] this cannot [be] completely ruled out’ (emphasis added). As already mentioned the ICAO blueprint does not require authenticated or en­crypted communications between passports and read­ers. Consequently, an unprotected epassport chip is subject to short-range clandestine scanning (up to a few feet), with attendant leakage of personal information.

The solution ICAO proposes is the use of ‘Faraday cages’ as a countermeasure to clandestine scanning. In an epassport, a Faraday cage would take the form of metal­lic material in the cover or holder that prevents the penetration of RFID signals. Passports equipped with Faraday cages would be subject to scanning only when expressly presented by their holders, and would seem on first blush to allay most privacy concerns. However the use of Faraday cages does not eliminate the danger of illegal listening into an existing communication between the reader and the RFID chip (eavesdropping).

Repeated unauthorised collection of personal data from a specific RFID tag does not only enable the tracking of the ID document holder, but can also lead to the creation of her profile. If the identity of the ID holder is linked with a unique RFID tag number, the ID holder could be tracked everywhere and thus easily profiled without her knowledge or consent.  

The creation of a central database of European Union passports and travel documents containing all EU passport holders’ biometric and other data was one of the thorny issues between the European Parliament and the Council. The Committee on Civil Liberties, Justice and Home Affairs had proposed the inclusion of the following provision in the Council Regulation:

‘No central database of European Union passports and travel documents containing all EU passport holders’ biometric and other data shall be set up’.

According to the Parliament Report the setting up of a centralised database would violate the purpose and the principle of proportionality. It would also increase the risk of abuse and function creep. Finally, it would increase the risk of using biometric identifiers as ‘access keys’ to various databases, thereby interconnecting data sets. However this amendment was not included into the final version of the Council Regulation. As already stated in the Parliament Report the setting up of a centralised database of European Union passports and travel documents violates the principle of proportionality and the same shall be accepted for the setting up of central databases for ID-cards.

The use of RFID tags in identity documents is not free of problems. The fact that unauthorised machines and consequently persons, who control these machines, may read the tags raises a number of privacy and data protection issues. The most common solution proposed against this treat is the use of ‘Faraday cages’ and the encryption of the data saved on the RFID tag.  

The Technological State-of-the-Art

RFID technology has many application areas, but none of them in the past has come close to the kind of application we are introducing with ID documents. Typically RFID has been used for identification of things (in supply chain management and retail) and persons (for example proximity cards, SpeedPass system) using unique identifiers. So most technical privacy and security features that are currently discussed are focused on these types of RFID and the corresponding back-office systems. The use for more complex micro controller type RFIDs as they are introduced in the European passport is fairly limited. This chapter focuses on the use of RFID in the retail and in MRTDs. As both applications use RFID chips with different capabilities, they show very well the state-of-the-art.

RFID technology is being introduced for use in the retail supply chain (Luckett 2004). Many large retailers have instructed their suppliers to tag pallets and cases with RFID tags carrying the Electronic Product Code (EPC), a “license plate” with a hierarchical structure that can be used to express a wide variety of different, existing numbering systems. EPCglobal has approved a new communications protocol for UHF tags that will standardise tags and readers for the retail supply chain throughout the world. Eventually, many billions of tags will be needed for pallets and cases alone.

If the initiative of the retailers for the tagging of pallets and cases proves successful, then the next step in the process may be to tag individual items. Even though some experiments on item tagging have been conducted by retailers, the enormous number of tags needed, in the many trillions, and the current costs of tags, US $0.25 to $0.50, indicate that it will be several years before large-scale item tagging becomes a reality. 

Given that the ultimate vision is to tag all products at the item level, consumers will be affected. Compared with bar codes, the wireless nature of the communication provides significant qualitative and quantitative advantages: tags can store and communicate many more bits of information, multiple tags can be interrogated by the same reader, and readers do not require line-of-sight to the tag. Tags can be read without explicit user action (Floerkemeier et al 2004). Although tags that can be read at a distance cannot be as small as a grain of rice, as stated for example in (Weiss 2003), the aforementioned characteristics of RFID tags have raised privacy concerns; see for example (McGinity 2004, Want 2004).

Shaping of public opinion has been started by consumer advocacy groups, for example, by Consumers Against Supermarket Privacy Invasion And Numbering - CASPIAN, followed by numerous articles in journals and newspapers and not only in those specialised in technology and business (Want 2004) but also in the popular press. Perceptions of RFID differ dramatically - ranging from fuzzy fear (“spy chips”, “Orwellian Eyes”) to unlimited belief in its not yet completely discovered potential.

Ever since the “sensitivity” of RFID-tagged products was recognised, an informed debate has been taking place. For example, the possible economic consequences are discussed by Fusaro in form of a fictional case study (Fusaro 2004). Consumer organisations and data protection commissioners have taken a proactive stands on privacy, and develop policies and guidelines for appropriate implementation of RFID technology. Data protection commissioners have reacted and propose guidelines or regulations. On the other hand, there are RFID proponents who argue that RFID privacy concerns are exaggerated and legislation is premature (Brito 2004). The RFID Position Statement of Consumer Privacy and Civil Liberties Organizations of November 20, 2003, raises the following privacy concerns with RFID:

• hidden placement of tags; 

• unique identifiers for all objects worldwide; 

• massive data aggregation; 

• hidden readers; and 

• individual tracking and profiling. 

But what are the problems with RFID? Most of today’s RFID tags have a static identifier, which never changes throughout its lifetime and is transmitting unassumingly to any reader requesting it. RFID tags, whose identifiers are globally unique and follow a standardised structure, enable inferences about the tagged item to be made. In the following, we describe possible attacks on privacy.

Detecting tag presence often implies signaling the presence of a human being. By correlating multiple observations of the tag’s identifier, an adversary tracks the item and may profile an individual’s associations. Next, the adversary may have a “hotlist’’ of items/tags in advance that it wishes to detect. Once the adversary succeeds in establishing a link between a tracked item and the owning individual, the individual’s history becomes open. If there exists unlocked memory on the tag, an adversary could even write a `cookie’ and thus track tags and bypass other mechanisms intended to prevent tracking or hotlisting (Molnar & Wagner 2004).

In the retail space, consumer privacy could be affected by target marketing, where the set of products carried by a consumer or the shopping history if known is then used to classify that consumer for focused marketing efforts. It has further been argued that this knowledge about a customer might also lead to price discrimination or embarrassing situations. 

In 2002, Garfinkel proposed ”An RFID Bill of Rights”, inspired by the Principles of Fair Information Practices, in which consumers should have the following rights (Garfinkel 2002):

• [Notice] The right to know whether products contain RFID tags, the right to know when, where and why the tags are being read.

• [Choice] The right to have RFID tags removed or deactivated when a product is purchased, the right to use RFID-enabled services without RFID tags.

• [Transparency] The right to access an RFID tag’s stored data.

Organisations followed to state RFID policies such as Data Protection Commissioners (Cavoukian 2004), the German Computer Society (GI), the European Commission (Article 29), and EPCglobal.

The technologies for protecting consumer privacy can be categorised according to who must provide the technology. Technology deployed by the consumer consists of physical means to detect or block RF signals. A Faraday Cage around the item with an embedded or attached RFID tag will prevent radio waves from reaching the tag. This approach works well with small items, which fit into a purse or bag lined with aluminium foil, but has its limits when goods are large or if the consumer is not aware of tags.

RFID sensor detectors indicate the presence of an RFID reader, and, correspondingly, an RFID reader can be used to search for RFID tags by the consumer by scanning products after purchase. A drawback of the sensor detector is that (almost) any source of electromagnetic waves, a wireless LAN for example, may trigger an alarm.

There is also the possibility of jamming RF signals. Such jamming stations have been used to disable the operation of cell phones. A device that broadcasts radio signals to block/disrupt nearby RFID readers could work. However, this crude approach raises legal issues relating to illegal broadcasting. Alternatively, the RSA blocker tag (Juels et al 2003) is an elegant mechanism to interfere with the reading of RFID tags.

On the other hand, RFID tag manufactures and researchers have developed technologies embedded into RFID tags to protect consumer privacy. The most prominent example of this class is the “kill command” specified by EPCglobal, which allows the deactivation of tags at the point of sale. There is a steadily increasing number of proposals for “smart” tags. These proposals include hash locks, re-encryption, silent tree-walking, or other cryptography-based approaches to prevent the unauthorised reading of RFID tags.

Technical Approaches to Improve Privacy of RFIDs

An interesting example of a consumer self-protection device is the proposal by RSA for a blocker tag (Juels et al 2003), which prevents the reading of other RFID tags in its proximity by spamming the RFID reader. In its basic form, the blocker tag responds in the singulation phase to any query by simulating all possible serial numbers for tags, thereby obscuring the serial numbers of other tags. When carried by a consumer, it effectively mounts a denial-of-service attack.

Selective blocker tags, however, only simulate a given subset of serial numbers. Such ranges of serial numbers may constitute “privacy zones”. Each zone (subtree) is identified by its common prefix or, equivalently, by the position of the last common bit on the serial number (the “privacy bit”). Tags can be transferred to a privacy zone if the corresponding privacy bit is switched on. The selective blocker tag responds only to queries related to tags whose identifiers are in the privacy zone. Otherwise, it is silent and only the tag responds to queries related to its ID.

When a reader at a cash register scans an item for purchase, it also transmits a tag-specific key to the RFID tag on the item. This causes the privacy bit in the serial number of the tag to flip to a “1”. However, a password needs to be managed for each standard RFID tag, to authorise it to change privacy zones. Further, the reader protocol must be augmented with a special query to ask whether there is a sub-tree blocked by a selective blocker tag (“polite blocking”). Otherwise, the reader may never get around to reading identifiers outside of privacy zones.

Blocker tags are expensive and place the onus of privacy protection solely on consumers (Cavoukian 2004). A blocker tag can only be similar in size and cost to a conventional RFID tag if produced in high quantities. It also suffers from the heterogeneity of current RFID technology: different frequencies, air protocols, etc. It is not likely that tag manufacturers will produce blocker tags as they could be used to interfere with the legitimate reading of RFID tags. Furthermore, retailers have to provide appropriate equipment at checkout where either staff or the consumers disable tags if wanted. Finally, it may be possible that the jamming can be overcome in time (Floerkemeier et al 2004).

Concerned over public perceptions of RFID tags embedded in products (Benetton, Gillette), chip makers have introduced a “kill command” into their RFID chips. This special command causes a permanent state change in the tag, which prevent it from responding to any interrogations from any readers. Applied upon purchase of tagged products, “a killed tag is truly dead and can never be re-activated’’ (Juels et al 2003), and thus provides post-purchase privacy.

While the kill command requires only limited changes to tag hardware, there are also some weaknesses. First, it is an “all or nothing” privacy mechanism. Once deactivated, the tag cannot be used for after-sale purposes, no matter how interesting they might be for the consumer. Emerging applications may require that tags still be active while in the consumer’s possession. Secondly, consumers have no way of knowing whether the tag has actually been deactivated. The command may have not been received by the tag, or tags can appear to be “killed” when they are really “asleep” and can be reactivated.

As with the blocker tag, “passwords” are needed to prevent unauthorised killing of tags. Depending on the RFID tag specification, passwords range from trivial eight bits up to 32 bits. However, if the password(s) become known, the consequences for the retail supply chain are severe, as this would allow a malicious customer or competitor to silently deactivate numerous tags while walking along the shelves.

The tag killing option could be easily halted by government directive. Retailers might offer incentives or disincentives to consumers to encourage them to leave tags active. 

Current RFID technology for the retail space imposes severe constraints on deploying cryptography on the RFID tags. Because of stringent cost pressure, tags are passive and have extremely few gates (Weiss et al 2003). As an RFID tag is only powered when within range of a reader, it only has an extremely limited amount of time to carry out computations. Pre-computation of results is also impossible when the tag is out of range (Molnar & Wagner 2004). Although recent breakthroughs have been reported in implementing ciphers, for example NtruEncrypt, with no more than 3000 gates (Gaubatz et al 2004) we assume that encryption, hash functions, or pseudo-random functions are not possible on today’s RFID tags. Realistically, only simple password comparison and XOR operations can be expected.

Privacy-preserving authentication protocols have only recently been proposed that are based on randomised hash-lock, re-encryption, hash chains, one-time authenticators, PIN-protected read commands to authenticate readers against tags and others. In the remainder of this section, we briefly elaborate on their basic characteristics and limitations. For a more in-depth discussion on many of these protocols, we refer to (Avoine, Oechsle 2004, Juels et al 2003, Molna, Wagner 2004).

Even if a tag only transmits a fixed identifier, it can be used to trace an object in time and space. However, as noted earlier, a tag must first be singulated before the reader can start to send commands. Thus, any tag that uses a static identifier in the collision-avoidance protocol can be uniquely identified. 

Many of the proposed protocols take advantage of the asymmetry in signal strength, as it is much harder for attackers to eavesdrop on signals from tag to reader. By sending secret information only on the back-channel, these protocols make it harder for passive eavesdroppers. 

To achieve location privacy, the information sent by the tag to the reader has to change at each identification. This information is either the identifier of the tag or an encrypted value of it. It implies that the information sent by the tag has to be indistinguishable (by an adversary) from a random value and must be used only once. When the reader is involved in the regeneration of the information, access to a central database is needed. Otherwise, the tag must be able to generate new information by itself, which requires corresponding cryptographic primitives. 

Passwords and secret keys for RFID tags must be securely managed. Good security practice further demands that different passwords or keys per tag are used. This may impose a workload on the reader that is on the order of the number of keys. Only Molnar and Wagner have shown a private authentication scheme, for which the reader workload is logarithmic in the number of tags (Molnar & Wagner 2004). On the other hand, this protocol needs a logarithmic number of message exchanges. Because of chip cost and time consumption, it therefore does not offer an alternative technology for today’s retail business.