RFID Chips: A Privacy And Security Pandora's Box?

Radio-frequency identification (RFID) chips can be found tagging everything from groceries and clothing to the experimental swipe-free credit cards used to pay for those goods. In library cards, warehouse inventories, and under-skin pet tags. They are also used for prisoner and parole tags, in hospital patient wristbands, and in smart passports.

According to Eleni Kosta and Jos Dumortier of the Katholieke Universiteit Leuven in Belgium, the benefits of RFID technology in innovation are beyond question. However, the threats posed to personal privacy should be taken into account at the design phase of the applications. Their increasingly widespread deployment means individuals do not necessarily know when, how and what kind of information about them is being transmitted at any given time from an RFID in a passport, in their shopping bags, or even when they visit the library.

RFID tags are powerful devices for use in a wide array of applications: stock inventory, logistics, security finance, buildings, and across international borders. However, they provide a seemingly innocuous medium for the collection and transmission of personal data, as well as the ability to track the movements of people.

The European Union has already recognised some of the concerns being raised. A recent European Commission report, "Communication on RFID" emphasised that privacy and security should be built into RFID information systems before their widespread deployment. Moreover,
European legislation on data protection applies to RFID technology when it entails the processing of personal data, Kosta and Dumortier point out. However, it is not always clear whether or not information stored on or transmitted via an RFID tag is personal data.

"In order to achieve a common approach towards RFID technology at the
European level, a unified interpretation of what is perceived as personal data is necessary," the team explains. "When information about an individual, such as name, age and nationality, is directly stored in an RFID tag, it is beyond doubt that it qualifies as personal data."

However, there are many instances when the information seemingly cannot be directly linked to an individual, but by linking the RFID tag number to a back-end database can be correlated with a credit card payment, for instance, and so provide indirect identification of the individual. "In this case, even if the data seem anonymous at first sight, the processing falls under the scope of application of the Data Protection
Directive, as the data can be easily linked to the credit card data", the team explains. Even vaguer are the cases when the information on the RFID tag cannot be linked to an actual person, or at least significant effort is needed for a link to be made.

The team counter the argument that honest citizens have nothing to fear from RFID. "A surveillance society where RFID tags reveal personal information and enable the tracking and tracing of the individuals, shall be contested, as every law-abiding citizen should be free from any kind of monitoring," they say.