Humans and Emerging RFID Systems: Evaluating Data Protection Law on the User Scenario Basis

Humans and Emerging RFID Systems: Evaluating Data Protection Law on the User Scenario Basis

Olli Pitkänen (Helsinki Institute for Information Technology (HIIT), Finland) and Marketta Niemelä (VTT Technical Research Centre of Finland, Finland)
DOI: 10.4018/978-1-60960-575-9.ch007
OnDemand PDF Download:
No Current Special Offers


Radio Frequency Identification (RFID) technology offers a lot of promises. To redeem them, RFID applications have to respect privacy and they need to be supported by the legal system. The article evaluates how the current EU directives on data protection support emerging applications that are based on RFID tags. The evaluation is based on user scenarios that illustrate human needs in relation to technologies and applications. The article continues earlier analyses and uses more realistic and state-of-the-art applications and scenarios. We conclude by pointing out further research needs in the field of RFID and data protection.
Chapter Preview


Radio Frequency Identification (RFID) is an important technology to enable the Internet of Things, ubiquitous computing (ubicomp), ambient intelligence (AmI), and other promising future platforms. In short, the main components of RFID technology are a tag and a reader. The tag has an electronic circuit storing data and an antenna to communicate using radio waves. The reader also has an antenna, and electronics to translate the incoming data to be processed by a computer. A reader may thus send a radio signal requesting tags to identify themselves, and tags reply by sending the information that is stored in them.

The simplest and the most inexpensive RFID tags are called passive tags. They do not have any internal power supply. Enough power for the tag to power up and transmit a response is induced in the antenna by the incoming radio frequency signal. Passive tags are typically quite small, in the size range of a stamp. Therefore, a passive tag is relatively easy and cheap to place in almost any object.

Active tags, in contrast, include internal power supplies. They are able to communicate further, and store and process more information. Although active tags are more versatile than passive tags, they can be much more expensive, larger, and more difficult to place.

While RFID tags become smaller and cheaper, reader technology is also developing. It is already possible to equip, for example, mobile phones with RFID readers. Thus not only tags, but also readers are spreading widely and enabling an unforeseeable amount of new services.

RFID technology is said to advantage not only businesses but also individuals and public organizations in many ways. It enables useful new services and applications. The benefits of RFID tags are apparent, but their exploitation has been retarded by notable obstacles. So far, there have been three main problems that have hindered the diffusion of RFID technology: First, the technology has not been mature enough. Second, there has been a lack of standards. Third, there have been severe concerns on the risks that RFID poses to the end-users privacy. In this article, we concentrate on the third problem. Especially, with the help of RFID tags, it is possible to collect and process personal information on human-beings.

Many researchers have studied RFID privacy issues in recent years. The following brief list includes some of the important studies related to this topic.

Ohkubo, Suzuki, and Kinoshita (2003, 2005), Lahlou, Langheinrich, and Röcker (2005),Garfinkel, Juels, and Pappu (2005), Juels (2005) and Garfinkel (2006) have discussed various RFID related threats and potential solutions to them.

Langheinrich, Coroama, Bohn, and Mattern (2005) have presented some of the consequences of ubiquitous computing implied by several scenarios.

Spiekermann and Ziekow (2006) have analyzed consumer fears associated with the introduction of RFID technology.

Goel (2007) has outlined critical barriers in implementing RFID technologies, specifically for authentication and privacy, and provided a set of initial responses.

Langheinrich (2007) has gathered a good overview of earlier studies in this field.

From the legal viewpoint, Kardasiadou and Talidou (2006) have discussed the implications with emphasis to data protection.

Kosta and Dumortier (2008) have excellently analyzed European data protection legislation and its ambiguity in relation to RFID.

Also, some official reports have been published on RFID privacy issues. For example, in Europe, the advisory body called Article 29 Working Party has published a working document, which aims to provide guidance to RFID deployers, manufacturers, and standardization bodies. (Art 29 WP 105, 2005) In the USA, Federal Trade Commission (FTC) has published a staff report on RFID Applications and Implications for Consumers (2005).

Complete Chapter List

Search this Book: