Humans and Emerging RFID Systems: Evaluating Data Protection Law on the User Scenario Basis

Introduction

Radio Frequency Identification (RFID) is an important technology to enable the Internet of Things, ubiquitous computing (ubicomp), ambient intelligence (AmI), and other promising future platforms. In short, the main components of RFID technology are a tag and a reader. The tag has an electronic circuit storing data and an antenna to communicate using radio waves. The reader also has an antenna, and electronics to translate the incoming data to be processed by a computer. A reader may thus send a radio signal requesting tags to identify themselves, and tags reply by sending the information that is stored in them.

The simplest and the most inexpensive RFID tags are called passive tags. They do not have any internal power supply. Enough power for the tag to power up and transmit a response is induced in the antenna by the incoming radio frequency signal. Passive tags are typically quite small, in the size range of a stamp. Therefore, a passive tag is relatively easy and cheap to place in almost any object.

Active tags, in contrast, include internal power supplies. They are able to communicate further, and store and process more information. Although active tags are more versatile than passive tags, they can be much more expensive, larger, and more difficult to place.

While RFID tags become smaller and cheaper, reader technology is also developing. It is already possible to equip, for example, mobile phones with RFID readers. Thus not only tags, but also readers are spreading widely and enabling an unforeseeable amount of new services.

RFID technology is said to advantage not only businesses but also individuals and public organizations in many ways. It enables useful new services and applications. The benefits of RFID tags are apparent, but their exploitation has been retarded by notable obstacles. So far, there have been three main problems that have hindered the diffusion of RFID technology: First, the technology has not been mature enough. Second, there has been a lack of standards. Third, there have been severe concerns on the risks that RFID poses to the end-users privacy. In this article, we concentrate on the third problem. Especially, with the help of RFID tags, it is possible to collect and process personal information on human-beings.

Many researchers have studied RFID privacy issues in recent years. The following brief list includes some of the important studies related to this topic.

Ohkubo, Suzuki, and Kinoshita (2003, 2005), Lahlou, Langheinrich, and Röcker (2005),Garfinkel, Juels, and Pappu (2005), Juels (2005) and Garfinkel (2006) have discussed various RFID related threats and potential solutions to them.

Langheinrich, Coroama, Bohn, and Mattern (2005) have presented some of the consequences of ubiquitous computing implied by several scenarios.

Spiekermann and Ziekow (2006) have analyzed consumer fears associated with the introduction of RFID technology.

Goel (2007) has outlined critical barriers in implementing RFID technologies, specifically for authentication and privacy, and provided a set of initial responses.

Langheinrich (2007) has gathered a good overview of earlier studies in this field.

From the legal viewpoint, Kardasiadou and Talidou (2006) have discussed the implications with emphasis to data protection.

Kosta and Dumortier (2008) have excellently analyzed European data protection legislation and its ambiguity in relation to RFID.

Also, some official reports have been published on RFID privacy issues. For example, in Europe, the advisory body called Article 29 Working Party has published a working document, which aims to provide guidance to RFID deployers, manufacturers, and standardization bodies. (Art 29 WP 105, 2005) In the USA, Federal Trade Commission (FTC) has published a staff report on RFID Applications and Implications for Consumers (2005).