
D7.7: RFID, Profiling, and AmI

Social implications and policy options for RFID and Profiling as AmI enabling technologies

Social acceptance of RFID in retail


Technical solutions for privacy options

Technical solutions have to be provided to the user in order to give him/her the means to protect himself/herself and to choose the level of protection.  


A brief introduction to the current mechanisms and a short analysis will show that few of the existing mechanisms provide a suitable way to combine user privacy and services. The barriers identified are infrastructure issues, on-tag mechanisms and opt-out policy.


Some radical actions can disable the tag, such as removing the tag (see CVS use case in Chapter 3), clipping the tag (meaning that most of the antenna is removed, but the tag remains active; patented by IBM) or shielding the tag using a Faraday cage. However, the first two actions imply that the consumer has to be able to locate the tag (not to mention the possible subsequent damage to the product), and the last one is not very practical for most common applications.


Killing: Some claim that a kill command is issued as soon as the tagged objects are purchased, in order to permanently deactivate the tags. This mechanism appears as a means to protect user privacy. However, it comes at the expense of post-sale value.

Recoding is the mechanism that enables the overwriting of the tag with a new ID number when this tag changes owner. So, recoding mechanisms require rewritable tags.

Killing and recoding mechanisms entail the installation of a reader*. Moreover, as they imply a radical modification of the tag, the associated threat may be denial of service as a consequence of a non-authorised modification. In order to avoid this threat, additional infrastructure should be implemented. In addition, some studies lead to the same conclusion: even if the above infrastructure issues are solved, killing and recoding mechanisms do not address the problem of privacy (Molnar et al., 2005), because tags are readable until they are killed or recoded. Therefore, one has to consider other options.

Sleeping seems a more suitable mechanism and should endeavour to reconcile privacy and services. Sleep/wake mode allows a deactivated tag to be reactivated. However, this mechanism falls into the category of on-tag (vs. off-tag) access control mechanisms. On-tag access control mechanisms are located on the RFID tag*, whereas off-tag access control mechanisms put the access control on a device external to the RFID tag*. Consequently, this mechanism implies a modification of the tag, because the access control is in the tag itself, and it is applicable only to high-cost tags.

So, the solution should focus on off-tag mechanisms, because the access control doesn’t require any extra complexity (hence, extra cost) on the RFID tag itself. Hence, off-tag access control has the advantage that it can protect low-cost RFID tags (like EPC tags) (Rieback et al., 2005: 2).

Blocking: This mechanism is an off-tag access control mechanism. By creating a jammed area, a blocker tag can make unreadable only those tags whose privacy-control bit is in the “on” position. So, a blocker tag has no impact on tags whose privacy bit is off, which is the general case for purchased tags. The blocking approach allows an all-or-nothing policy for privacy protection, i.e. an “opt-out” (vs. opt-in) policy. So, the blocking mechanism does not enable several levels of participation.

Soft-blocking (Juels, Brainard, 2004) is an approach promoting an opt-in policy, because it allows revealing only a part of the data; it could therefore support a wider range of privacy policies.
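The selective jamming that blocking relies on can be simulated, as an added example that is not part of the original deliverable. It assumes the reader singulates tags with binary tree-walking and that the leading ID bit is the privacy-control bit; the ID length, the sample IDs and all function names are constructed for illustration.

```python
ID_BITS = 6          # constructed toy ID length; real tag IDs are much longer
PRIVACY_ZONE = "1"   # assumption: the leading ID bit is the privacy-control bit, "1" = on

def tag_reply(tag_id, prefix):
    """An ordinary tag answers a matching prefix query with its next ID bit."""
    if tag_id.startswith(prefix) and len(prefix) < len(tag_id):
        return {tag_id[len(prefix)]}
    return set()

def blocker_reply(prefix):
    """Blocker tag: inside the privacy zone it answers both 0 and 1, which the
    reader cannot tell apart from a real collision. Outside the zone it is silent."""
    if prefix.startswith(PRIVACY_ZONE):
        return {"0", "1"}
    if PRIVACY_ZONE.startswith(prefix):
        return {PRIVACY_ZONE[len(prefix)]}   # steer the reader into the zone
    return set()

def singulate(tags, blocker_present, prefix=""):
    """Reader side: depth-first tree walk; returns every ID the reader 'hears'."""
    if len(prefix) == ID_BITS:
        return {prefix}
    bits = set()
    for tag_id in tags:
        bits |= tag_reply(tag_id, prefix)
    if blocker_present:
        bits |= blocker_reply(prefix)
    heard = set()
    for bit in sorted(bits):
        heard |= singulate(tags, blocker_present, prefix + bit)
    return heard

def reader_view(tags, blocker_present):
    """Split what the reader learns into (public IDs, private IDs, zone jammed?)."""
    heard = singulate(tags, blocker_present)
    public = {i for i in heard if not i.startswith(PRIVACY_ZONE)}
    private = heard - public
    # If every possible ID in the zone "answers", the real ones are hidden in the noise.
    jammed = len(private) == 2 ** (ID_BITS - len(PRIVACY_ZONE))
    return public, (set() if jammed else private), jammed

# Constructed sample population: one tag with the privacy bit off, two with it on.
SAMPLE_TAGS = ["010110", "110011", "101010"]

if __name__ == "__main__":
    print(reader_view(SAMPLE_TAGS, blocker_present=False))
    print(reader_view(SAMPLE_TAGS, blocker_present=True))
```

With realistic ID lengths the reader cannot enumerate the jammed subtree at all, which is why the tags in the zone become unreadable while tags with the privacy bit off are read normally.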


Security options

Privacy invasion may be a consequence of unauthorised access. The security options that we describe below are considered as preventive actions to protect the private sphere.

If security is applied to guarantee the protection of the private sphere, and is applied completely, a subsequent benefit is enhanced user trust in, and willingness to use, new technologies such as RFID.



In this study accountability is used as a synonym of responsibility and liability. Accountability is a key concept for privacy-enhancing identity management. Therefore, transparency and accountability are necessary in order to respect the private sphere of the individual. Thus, it will be the basis of some safeguards against discrimination caused by the misuse/abuse/modification of personal data. For a detailed discussion of the liability issues that may arise and the adequacy of the present legal framework we refer to section 4.2 above. 


Enhancing Information Security

Because the network is one of the main components of an RFID system* and data is exchanged via networks, a need to foster information security arises. This action will prevent a lack of co-ordination and co-operation in the field of network and information society, which may result in fragmentation of security policies in different states and heterogeneous application rules and solutions. There is an interest in encouraging knowledge exchange and co-operation between the governments, industry and users concerned. This action will help to fight cybercrime in general and, in particular, victimisation when it is subsequent to a criminal act. In addition, aspects of multilateral security covering the different participating service providers in RFID systems* and the users have to be dealt with (see chapter ).


Technical solutions and regulations

Technical solutions and regulations (specification, protocol, etc.) have to be provided, in order to secure and guarantee the confidentiality and the integrity of the data when they are read, exchanged, or stored. Tag passwords, tag pseudonyms, and encryption are the proposed approaches, in order to enable privacy protection in RFID usage contexts.


Other points to be taken into account


As we said, accessibility is required in order to support the inclusive participation (user acceptance), the awareness, and the learning of the users. Thus, this point may embrace different sub points, such as usability (vs. complexity) and training/education: 


  • Usability will promote system design according to a user-centric approach. Better usability will then support easy learning (i.e. learning by observation), user control and efficiency, thus increasing satisfaction and, consequently, user acceptance.

  • Training/Education will promote education programs for learning how to use new technologies. It will also increase user awareness of the different possibilities and choices offered by RFID technologies and associated devices. This action is useful to increase the feeling of control and the awareness of the possible uses and consequences of the technology, and thus to prevent misunderstanding of how the technology works.


Trust as a task force

Trust is necessary for any technology dealing with information related to the user’s identity, and it is the basis of the users’ willingness to participate. Indeed, establishing public trust is a key point for any successful implementation. The trust concept encompasses different points, such as the user requirements, the trust model, the management of the trust and the solutions enabling trust. A trust model is the underpinning of any identity and access management system. The trust model establishes a verifiable and irrefutable process for managing user accounts, i.e. user profiles in the context of profiling activities. Trust models can be supported by contracts assuring information security, for example via security service level agreements (SSLAs). However, trust is also a subjective concept because it is closely related to the perception of the risks and the benefits.

Regarding RFID technology, secure exchanges in view of authentication and confidentiality (trust criteria) have to be built into the different types of communication involved in an RFID system* – for example:

  • Tag to reader* 

  • Reader* to tag 

  • Reader* to network 

The different proposed steps (Natarajan et al., 2005) are the authentication of the reader* or of the tag and the encryption of the exchanged data between the tag and the reader* after the authentication process. The reader* connects to a server that stores all information of the tag, such as secret keys, etc.
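The steps above (authenticate tag and reader, then protect the exchanged data, with secret keys held on a server behind the reader) can be sketched as follows. This is an added example, not the protocol of Natarajan et al.: the HMAC-SHA256 challenge-response, the message layout and all names and key values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def mac(key, label, *nonces):
    """HMAC-SHA256 over a domain-separation label and fixed-length (16-byte) nonces."""
    return hmac.new(key, label + b"".join(nonces), hashlib.sha256).digest()

class Backend:
    """Server behind the reader; stores the per-tag secret keys (constructed values)."""
    def __init__(self, keys):
        self.keys = keys

    def verify_tag(self, tag_id, c_r, n_t, tag_mac):
        """Authenticate the tag; on success return (proof for the tag, session key)."""
        key = self.keys.get(tag_id)
        if key is None or not hmac.compare_digest(tag_mac, mac(key, b"tag", c_r, n_t)):
            return None
        return mac(key, b"reader", n_t, c_r), mac(key, b"session", c_r, n_t)

class Tag:
    def __init__(self, tag_id, key):
        self.tag_id, self.key = tag_id, key

    def respond(self, c_r):
        """Tag to reader: bind the reader's challenge to a fresh tag nonce."""
        # Note: tag_id travels in clear here; a pseudonym scheme would replace it.
        self.c_r, self.n_t = c_r, secrets.token_bytes(16)
        return self.tag_id, self.n_t, mac(self.key, b"tag", c_r, self.n_t)

    def accept_reader(self, reader_mac):
        """Reader to tag: release the session key only to a reader that knows the key."""
        expected = mac(self.key, b"reader", self.n_t, self.c_r)
        if not hmac.compare_digest(reader_mac, expected):
            return None
        return mac(self.key, b"session", self.c_r, self.n_t)

def run_session(tag, backend):
    """One exchange; returns (reader-side key, tag-side key) or None on failure."""
    c_r = secrets.token_bytes(16)                  # fresh challenge defeats replay
    tag_id, n_t, tag_mac = tag.respond(c_r)
    result = backend.verify_tag(tag_id, c_r, n_t, tag_mac)   # reader to network
    if result is None:
        return None
    reader_mac, reader_key = result
    tag_key = tag.accept_reader(reader_mac)
    return None if tag_key is None else (reader_key, tag_key)
```

The session key both sides derive is what the encryption step would use for the data exchanged after authentication; the cipher itself is outside this sketch.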


The “antenna-energy analysis” solution (Fishkin, Sumit, 2003) is one example of a technical solution based on trust perception. The “trust” hypothesis is: the further away a reader* is, the more suspicious it is. Antenna-energy analysis therefore exploits the distance between the tag and the reader* in order to adjust the tag’s response (the level of information disclosed) depending on the reader’s* distance. However, this solution works only if we assume that those readers* that are further away have a malicious intent.



As shown in this section, RFID benefits may be negated by numerous instances of accidental or intentional misuse of the different components of a RFID system* and associated databases. Moreover, there is a wide range of issues relating to privacy and personal well-being (societal and ethical issues). 


Indeed, various issues related to pervasive security problems can lead to enlarged privacy violations committed by insiders and outsiders. Examples are the misuse of databases associated with RFID tag* information, or remote surveillance whenever tags are vulnerable (without security guarantee). In addition, testing indicates that even passive RFID tags* may be interrogated over far greater distances than originally anticipated, as stated in a recent article on “Risks of RFID” (Neumann, Weinstein, 2006) that takes stock of RFID risks and implications.


It seems crucial that we engage in the difficult task of evaluating the circumstances and contexts within which RFID systems* should or should not be used, and the rights of individuals and organisations to control whether or not they will be subject to various uses of these systems.  


The proposal is to foster the protection of the private sphere by enhancing transparency and by identifying appropriate privacy options and security options for an “opt-in” solution, to increase accessibility relating to new technology such as RFID and to improve trust perception. 



fidis-wp7-del7.7.RFID_Profiling_AMI_02.sxw
Denis Royer