European citizens' privacy is being made a priority with the adoption of a radio-frequency identification (RFID) privacy framework, which will come into effect in six months.
The framework is voluntary, so joining it is not mandatory. After six months of work, the “Privacy and Data Protection Impact Assessment Framework for RFID Applications” has now been endorsed by the European Network and Information Security Agency (ENISA), which will make sure standards are consistent for those who choose to use it.
Work on the document first started in January.
The document was put together by the Article 29 Working Group, a committee of national data protection chiefs, and the RFID industry.
The creators realise that the public is widely against the adoption of such a framework. However, they have made it clear that it is voluntary, and they believe many people will accept it eventually.
Four levels of RFID application are identified by the framework, each requiring a different level of scrutiny.
- Level 3: the personal data is stored on the chip itself.
- Level 2: the chip holds a data key which can be linked to personal data. A full audit is compulsory for both Level 2 and Level 3 applications.
- Level 1: applications are not directly linked to a person but can be carried around by a person, so they require a mini-audit.
- Level 0: systems attached to pallets and crates, which have no privacy requirements to fulfil.
The “RFID Application Operator” is the party that carries out the audits, or Privacy Impact Assessments (PIAs). Three items the PIA covers are whether each stage of transmission is properly encrypted, how potential miscreants could attack the system, and how the system could be used illegitimately. In effect, the operator does the job of a decent systems architect.
Large companies that plan to address privacy implications could benefit greatly from this new system, but the question at the top of everyone's mind is whether wider use of such systems could create a greater risk of privacy abuse. Over time such systems could become very easy to deploy and cheap to buy, which will only invite security creeps.