Thursday, 6 December 2007
RFID visas for foreigners? Oh my...
Even if I have discovered this pretty much late (after 3 months), realised that Malaysia should revisit the "surveillance" effort to introducing RFID visas for foreigners. It would potentially invite privacy and data protection debates. I hope the foreigners would be able to recognising their data protection and privacy rights. Read this between the line.
RFID in Australia
It has been quite some time I last blogged. Many things intervened. Anyhow, bumped into this useful website on the recent RFID development in Australia. It would provide some general ideas to exploring potential privacy and data protection issues in Asia Pacific, if any.
Saturday, 17 November 2007
Next RFID paper
It has been almost a month I have not updated this blog.
Reason being; attended my graduation in Scotland. Nevertheless, I have done some general research and observation on RFID in Malaysia lately. I have some interesting development to share with (provided that the materials that I am awaiting would be acceptable for online dissemination). On another note, I am keen to participate and present in the coming BILETA 2008. I would be writing on RFID. The abstract sounds as follows:-
RFID; IS PRIVACY STILL A MAJOR ISSUE IN MALAYSIA?
Noriswadi Ismail LLM (Information Technology & Telecommunications Law) Strathclyde
Group General Counsel/Company Secretary
Vice President, Corporate Services
HeiTech Padu Berhad, Malaysia
Abstract:
Radio Frequency Identification Technology (RFID) is no more a hype. It is now being deployed and tested in various industries throughout the world. The absence of a specific data protection and privacy legislation has led to many unsolved issues. Even though the success of RFID deployment encourages the growth and maturity of an ubiquitous society, it is claimed however, inhibits privacy. This debate has been the major cornerstone of civil liberties. Limited dissemination on RFID is also another key issue. Due to these scenarios, this paper shall explore the present issues that have not been unveiled, argued and debated openly in Malaysia. Three (3) reasons have been outlined. Firstly, the delay of data protection legislation, which in a way, contributes to the issue. Whilst the delay is being regarded as a ‘genuine’ and not a politically motivated one, however, it has taken quite some time for Malaysia to await its outcome and implementation. Secondly, the non-existence of such a regulatory and technical standard of RFID deployment has resulted to diversified approaches and techniques in mitigating data and privacy. This has led to many ICT and RFID middleware companies; being the service provider to deploy RFID with less pre-emptive assessment on data and privacy. Thirdly, the limited dissemination on RFID and data protection knowledge has also contributed to the issue. Whilst endless effort has taken place via the international foray, however, the dissemination reach is far beyond than the desired expectation. In outlining these reasons and issues pedantically, this paper has cross referred to the strategic position and consultation initiated by the European Union, being the general benchmark and balanced reasoning for Malaysia’s potential RFID roadmap.
Reason being; attended my graduation in Scotland. Nevertheless, I have done some general research and observation on RFID in Malaysia lately. I have some interesting development to share with (provided that the materials that I am awaiting would be acceptable for online dissemination). On another note, I am keen to participate and present in the coming BILETA 2008. I would be writing on RFID. The abstract sounds as follows:-
RFID; IS PRIVACY STILL A MAJOR ISSUE IN MALAYSIA?
Noriswadi Ismail LLM (Information Technology & Telecommunications Law) Strathclyde
Group General Counsel/Company Secretary
Vice President, Corporate Services
HeiTech Padu Berhad, Malaysia
Abstract:
Radio Frequency Identification Technology (RFID) is no more a hype. It is now being deployed and tested in various industries throughout the world. The absence of a specific data protection and privacy legislation has led to many unsolved issues. Even though the success of RFID deployment encourages the growth and maturity of an ubiquitous society, it is claimed however, inhibits privacy. This debate has been the major cornerstone of civil liberties. Limited dissemination on RFID is also another key issue. Due to these scenarios, this paper shall explore the present issues that have not been unveiled, argued and debated openly in Malaysia. Three (3) reasons have been outlined. Firstly, the delay of data protection legislation, which in a way, contributes to the issue. Whilst the delay is being regarded as a ‘genuine’ and not a politically motivated one, however, it has taken quite some time for Malaysia to await its outcome and implementation. Secondly, the non-existence of such a regulatory and technical standard of RFID deployment has resulted to diversified approaches and techniques in mitigating data and privacy. This has led to many ICT and RFID middleware companies; being the service provider to deploy RFID with less pre-emptive assessment on data and privacy. Thirdly, the limited dissemination on RFID and data protection knowledge has also contributed to the issue. Whilst endless effort has taken place via the international foray, however, the dissemination reach is far beyond than the desired expectation. In outlining these reasons and issues pedantically, this paper has cross referred to the strategic position and consultation initiated by the European Union, being the general benchmark and balanced reasoning for Malaysia’s potential RFID roadmap.
Saturday, 20 October 2007
RFID blood bank in Malaysia
Perhaps, it was quite an astonishment for certain countries that Malaysia is leading the pack in RFID growth, albeit, the data protection and privacy laws is pending. Public policy engagement in this area should be of a great concern. Indeed, it would not be materialised if there would be limited participation by the stakeholders. The recent development that was jointly developed by Intel and Siemens for an RFID blood bank is noble. Yet, it's generally unsure whether there have been certain pre-emptive risk controls, measures and privacy impact assessment. I believe, certain compliance checklist and best practices have been incorporated. The news are readable here.
Malaysian RFID towards 2020
Hi blog.
It has been a while I have not been updating this blog due to my one whole month of hibernation for the LLM dissertation and settling down at work with a new position (as the Group General Counsel/Company Secretary, Vice President, Corporate Services).
Now, the dissertation has been passed, marked and finally received its commendable praise. Though I have not secured distinction, the fact that the subject matter is truly challenging. I managed to secure a very good mark. Thanks to the people who have had inspired my RFID research for the past one (1) year.
I will, however, post the contents of the dissertation bit by bit (chapter by chapter) soon. In the meantime, bumped into this. Although it's quite not a new development (in 2004). It would give some general idea, how would Malaysia position her RFID's market growth and potential.
Welcome back Noris! Sorry for the long gap.
It has been a while I have not been updating this blog due to my one whole month of hibernation for the LLM dissertation and settling down at work with a new position (as the Group General Counsel/Company Secretary, Vice President, Corporate Services).
Now, the dissertation has been passed, marked and finally received its commendable praise. Though I have not secured distinction, the fact that the subject matter is truly challenging. I managed to secure a very good mark. Thanks to the people who have had inspired my RFID research for the past one (1) year.
I will, however, post the contents of the dissertation bit by bit (chapter by chapter) soon. In the meantime, bumped into this. Although it's quite not a new development (in 2004). It would give some general idea, how would Malaysia position her RFID's market growth and potential.
Welcome back Noris! Sorry for the long gap.
Sunday, 26 August 2007
RFID and healthcare setting
This presentation has briefed some privacy implications of RFID in a healthcare setting. I wonder has the follow up being disseminated to the stakeholders.
Saturday, 25 August 2007
RFID; a new world order?
Wow. This article is bravely written and sometimes, providing some shocking yet sensible points to laymen. Not many would be able to comprehend the words between the lines. However, it is a good to appraise the positive aspects of the author's findings.
Friday, 24 August 2007
RFID in the pharmaceutical industry
This is a good read up for those who are interested to discover the potential deployment, advantages and the foreseaable risk(s) of RFID in the pharmaceutical industry. Brief one and succintly written.
Thursday, 23 August 2007
Surveillance freight of RFID
Interestingly, even if this Article seems to have been published a year ago, it attracts my interest on the writer's udnerstanding. Sometimes, it's good to udnerstanding the technology and the contributions. But, sometimes, it's worthwhile to propose some balanced views on the same. An eye opener to the medical industry.
Tuesday, 21 August 2007
Call for papers; Internet of things conference - RFID perhaps?
I have selflessly and deeply read this. It will be held in 2008. I think, I may want to submit a paper on RFID, positioning the Malaysia's perspective or South East Asia (SEA). But, it does not have public policy sector. So much so, I have to abandon the intention.
Must or Should RFID-legislation be Technology Neutral?
As I am brainstorming and writing the dissertation, Christian Laux's views seem to open my mind. But then, as he said, there is no standard of pervasiveness of technology. A pretty much thin line to illustrate, distinguish and substantiate.
Sunday, 19 August 2007
RFID evolution networks by MIT Sloan
MIT Sloan School of Management initiated this co-joint research on RFID evolution (particularly on networks). Worthy to read and digest, albeit, sounds technical and business like.
Saturday, 18 August 2007
Tuesday, 14 August 2007
He/She said; RFID is a threat
Read Doug Mohney's write up on this. The bottom line is; RFID poses threats like the internet does, albeit, the only difference is the technology. It partially makes sense.
Friday, 10 August 2007
Draft version of European RFID Policy Outlook
This draft version of the European RFID Policy outlook is very, very, very interesting to read. The outlook was the preliminary consultation by the stakeholders (in various occasions and sessions) throughout Europe. It is hoped that some affirmative action would have taken place in months to come. As for Asia and Malaysia, we are unsure where we are heading to?...
Thursday, 9 August 2007
RFID Data Management
Mark Palmer has identified seven (7) principles or may I say, "best practices" of RFID Data Management. I wonder how it would be in practice. Also, another paper that may be considered as novel.
RFID in the automative industry
Even though it sounds very technical, I think, this paper is worthy to be read. Another progress of RFID. Interestingly, the summary and outlook has given some foregone points on RFID vis-a-vis' the automative industry. Besides, the joint authors of this paper (all of them are from Switzerland), has succintly concluded that the issue of 'standard' will be the 'subject matter of discussion' in years to come when adopting and difussing RFID in the automative industry.
Monday, 6 August 2007
More on RFID
It would be a superb technological application marrying both; WiFi and RFID. This talk, has briefly outlined the wonderness of it. However, privacy issues are left behind. Sometime in 2004, the Harvard Business School organized this talk, to explore the advantages and dangers of a "smart" barcodes. It's good when they regarded RFID as "the ecosystem of the internet". In another interesting view on the "rights chipped away"; do read this draft opinion by the American Civil Liberties Union of Northern California
Thursday, 2 August 2007
Nanaco: RFID emoney system in Japan
Shin'ichi Konomi has beautifully updated some of the technological progress of RFID in Japan here. Nanaco is the name of the technology - which has been widely deployed in selected Seven Eleven stores. I wonder, and still researching what is Japan's stance on the issue of privacy and data protection on this. Nevertheless, I believe the legislated data protection provisions of Japan, are less matured in terms of its application and implementation. Prove me wrong on this, if anyone wishes to debunk.
Friday, 13 July 2007
RFID conference and dissertation
My absence is due to many factors. Amongst others, summer break, research for my dissertation, consultancy and work. However, I will never ignore this dearly blog, never.
I missed this conference: EPC Global EPC/RFID Conference 2007, from 11 July to 12 July due to prior obligations. General details on the latter could also be retrieved here. I predict that the RFID growth is getting its momentum. Though sounds very industry focused, however, I would be more than happy to see some move on highlighting privacy issues within RFID.
On a more positive note, my LLM outline dissertation (on RFID) has been approved by the supervisor. It's pretty much challenging, yet refreshing to divulge into substantial legal issues instead of policy and technology growth. I will let you know the development soon.
I missed this conference: EPC Global EPC/RFID Conference 2007, from 11 July to 12 July due to prior obligations. General details on the latter could also be retrieved here. I predict that the RFID growth is getting its momentum. Though sounds very industry focused, however, I would be more than happy to see some move on highlighting privacy issues within RFID.
On a more positive note, my LLM outline dissertation (on RFID) has been approved by the supervisor. It's pretty much challenging, yet refreshing to divulge into substantial legal issues instead of policy and technology growth. I will let you know the development soon.
Wednesday, 6 June 2007
Active RFID 2006-2016
This summary analysis on RFID 2006-2016 has cursorily outlined the application of RFID on its growth and potential interfacing capabilities with:-
* WiFi
* WiMax
* Bluetooth
* GPS
* Cellphone
* Infrared
* GSM
* GPRS
* Passive RFID
* ZigBee
* NFC
* DSRC
Potential drammatic growth has also been predicted. Arguably, the question of privacy legitimacy will be a huge gap from the above interfacing technologies. Answers to this are needed.
* WiFi
* WiMax
* Bluetooth
* GPS
* Cellphone
* Infrared
* GSM
* GPRS
* Passive RFID
* ZigBee
* NFC
* DSRC
Potential drammatic growth has also been predicted. Arguably, the question of privacy legitimacy will be a huge gap from the above interfacing technologies. Answers to this are needed.
Sunday, 3 June 2007
RFID conference in Berlin
Unfortunately, I could not gain my presence in this conference due to pre-scheduled obligation in Malaysia. However. I am anticipating a very fruitful or at least, some 'small' moving forward outcome. As usual, Germany (Berlin) has been chosen as the central issue of RFID discussion as it is where the technology advancement and deployment matures. I hope to be able to extract this ongoing concerns:-
i) Whether the EU consultation will be extended again?;
ii) Whether the EU will need to consider a regulation on RFID, if yes, how feasible and vible it would be?;
iii) Whether the RFID stakeholders have agreed to plan for a global standard or regional standard like EPC?;
iv) Whether is there any specific test/guidance for countries which do not have privacy and data protection legislation, like Malaysia (in RFID context)?;
v) Whether the adversity faced by the EU, will be a useful guidance for other technology compliant and enabled countries like Australia and Singapore (Asia Pacific) and Japan, Taiwan, Korea and China (Asian Technology power)?; and
vii) Whether other international fora such as International Telecommunications Union, Privacy Commissioners and OECD will come into a global and shared understanding?
Those are just my skeletal points that I have had in mind. If I could make myself available in Berlin, I would have asked those issues pedantically.
i) Whether the EU consultation will be extended again?;
ii) Whether the EU will need to consider a regulation on RFID, if yes, how feasible and vible it would be?;
iii) Whether the RFID stakeholders have agreed to plan for a global standard or regional standard like EPC?;
iv) Whether is there any specific test/guidance for countries which do not have privacy and data protection legislation, like Malaysia (in RFID context)?;
v) Whether the adversity faced by the EU, will be a useful guidance for other technology compliant and enabled countries like Australia and Singapore (Asia Pacific) and Japan, Taiwan, Korea and China (Asian Technology power)?; and
vii) Whether other international fora such as International Telecommunications Union, Privacy Commissioners and OECD will come into a global and shared understanding?
Those are just my skeletal points that I have had in mind. If I could make myself available in Berlin, I would have asked those issues pedantically.
Thursday, 31 May 2007
Is RFID complicated as it is?
For the laymen, it may sounds complicated due to the technological jargon. For the computer scientists, it may be easy. For lawyers, it may be restricted in aspects of data protection and privacy. For civil liberties, it is all about rights and human rights. These are the clouding concerns RFID have posed. In this blog, the writer generally viewed that explaining RFID is not an easy task. I concurr. It takes many levels of attempt to reach the most adequate, comprehensive yet understandable explanation. But, not many will achieve the desired outcome of understanding.
Recently in the BBC, the complexity of RFID has been added with the WiFI RFID compliant and ability. It is believed the combination of both will make tracking more powerful as it is now. Siemen and Motorola are looking into the possibility of this potential product expansion. As many basic amenities in schools, universities, cafe' and hotels have deployed WiFI, it is, according to Siemen and Motorola wiseful to combine both technologies for maximum usage. A pry to privacy?
Recently in the BBC, the complexity of RFID has been added with the WiFI RFID compliant and ability. It is believed the combination of both will make tracking more powerful as it is now. Siemen and Motorola are looking into the possibility of this potential product expansion. As many basic amenities in schools, universities, cafe' and hotels have deployed WiFI, it is, according to Siemen and Motorola wiseful to combine both technologies for maximum usage. A pry to privacy?
Tuesday, 22 May 2007
UK National Consumer Council on RFID
Perhaps, it's late to mention this. I am wondering how "price discrimination" and "social exclusion" will have an impact to privacy enhancing technologies (PET)? The UK National Consumer Council has urged to develop a universally accepted principles on RFID,when desiging RFID applications.
Commentary:
* I think its the consumer awareness that will help to understand this technology generally
* RFID service provider and RFID enabler should disseminate to consumers whenever they deploy PETS in their premise or product
* Perhaps, a rethink should be made during the data protection principles and regulations were introduced 10 years back. On this note, examining the traditional role of "Data Controller" (which in this case, is the retailer) . This comparison will enable the Council to rethink.
* The outcome of the EU RFID consultation will provide some guidance and roadmap to the Council. But, the Council should clearly educate, disseminate and diffuse the advantages and disadvantges of this PETS on a balanced manner to the consumers
* I hope consumers are not being 'confused" or "exaggerated" by RFID
Commentary:
* I think its the consumer awareness that will help to understand this technology generally
* RFID service provider and RFID enabler should disseminate to consumers whenever they deploy PETS in their premise or product
* Perhaps, a rethink should be made during the data protection principles and regulations were introduced 10 years back. On this note, examining the traditional role of "Data Controller" (which in this case, is the retailer) . This comparison will enable the Council to rethink.
* The outcome of the EU RFID consultation will provide some guidance and roadmap to the Council. But, the Council should clearly educate, disseminate and diffuse the advantages and disadvantges of this PETS on a balanced manner to the consumers
* I hope consumers are not being 'confused" or "exaggerated" by RFID
Friday, 18 May 2007
Post RFID paper presentation; some feedbacks
It has been sometime, I have not updated this blog. One of the reasons is due to my conference engagement in Istanbul, Turkey.
My RFID paper presentation went well, despite of the limited time given. These are some feedbacks that I have received:-
i) That Malaysia should actually strategise it's localised RFID policy rather than looking into how the EU's RFID experience.
On this, I would partially agree and partially disagree. On one hand, I would say that Malaysia still needs to look into the EU's RFID market, development and maturity. It will be the basis for Malaysia to promulgate potential benchmark in it's RFID regulation or supervision. On the other hand, I would agree, IF, the personal data protection and privacy legislation would have been passed by the Malaysian parliament, in which, subsequently will attract considerable debate to the Malaysian RFID players.
ii) That Malaysia should consider opt for consumer protection laws' remedies instead of awaiting the personal data protection bill in its RFID initiative
I agree on that option. However, Malaysian consumer protection laws' remedies are not strong as in the UK. The consumer awareness on RFID tagging is still lacking. Thus, there should be a strategic avenue for the consumers in Malaysia to channeling their concerns on their privacy intrusion.
iii) That there should be more RFID technological readiness, awareness and exposure to the people.
I totally agree on this.
In an interesting development, I have had the opportunity to share some of my RFID perspectives with academics from Liverpool and Notre Damn. There might be an interesting trilateral research interest between Malaysia, UK and EU on RFID soon. Just await the outcome.
My RFID paper presentation went well, despite of the limited time given. These are some feedbacks that I have received:-
i) That Malaysia should actually strategise it's localised RFID policy rather than looking into how the EU's RFID experience.
On this, I would partially agree and partially disagree. On one hand, I would say that Malaysia still needs to look into the EU's RFID market, development and maturity. It will be the basis for Malaysia to promulgate potential benchmark in it's RFID regulation or supervision. On the other hand, I would agree, IF, the personal data protection and privacy legislation would have been passed by the Malaysian parliament, in which, subsequently will attract considerable debate to the Malaysian RFID players.
ii) That Malaysia should consider opt for consumer protection laws' remedies instead of awaiting the personal data protection bill in its RFID initiative
I agree on that option. However, Malaysian consumer protection laws' remedies are not strong as in the UK. The consumer awareness on RFID tagging is still lacking. Thus, there should be a strategic avenue for the consumers in Malaysia to channeling their concerns on their privacy intrusion.
iii) That there should be more RFID technological readiness, awareness and exposure to the people.
I totally agree on this.
In an interesting development, I have had the opportunity to share some of my RFID perspectives with academics from Liverpool and Notre Damn. There might be an interesting trilateral research interest between Malaysia, UK and EU on RFID soon. Just await the outcome.
Thursday, 3 May 2007
Some links to RFID boycott
Wednesday, 2 May 2007
Latest RFID paper: to be presented in Istanbul, Turkey
Radio Frequency Identification Technology: (RFID):
Is legal risk management relevant in consumer privacy?
Noriswadi Ismail[i]
British Chevening Scholar, University of Strathclyde
noriswadi.ismail@strath.ac.uk
Abstract. RFID is regarded as technological perfection in many global industries; retails, logistics, libraries, passports, surveillance, healthcare and banking. RFID proponents assert that the technology has been complementing global industries’ value chain and business continuity. Global market analysis has predicted that the Return of Investment from this technology will massively attract widespread deployment by 2010. Whilst the strength of this technology remains relevant for the proponents, there remain handful debates on the weaknesses of RFID’s data surveillance. Due to the latter, this paper will reveal the weaknesses and how it leads to privacy debates in consumer privacy. Regulatory and commercial developments from the United Kingdom and European Union will be painstakingly analysed. This paper will also comparatively analyse the developments in Malaysia and Singapore. It will endeavour to outline the respective Regulators’ position and selected industries’ feedbacks in RFID on cursory note. Significantly, this paper will attempt to argue the relevance of legal risk management in consumer privacy as the key question to be answered. It will explore a potential approach that could be balanced between RFID technology vis-Ã -vis consumer privacy.
1. Introduction
RFID has been generally cited as one of the most evolving technologies in the world. This powerful technology remains incompatible in these industries: retails, logistics, military, libraries, surveillance and banking, yet it endures endless debates in some legal regimes and contours. When the technology was first deployed by the military, the impact of the technology was never intended to be as sensitive as it is today. Besides, global RFID spending has increased by leaps and bounds and provides an ongoing deployment by these various industries to enjoy its value chain and business continuity. Many will view that RFID substitutes the role of barcode as means of tagging technology despite of the inhibiting level of protection towards the internal subject of the tagging - which is the data and most importantly - privacy. Due to the latter, it has prompted potential data protection and civil liberties debates across the globe. Whilst this concern is ongoing, this paper will attempt to look into how RFID technology leads to potential questions of privacy. The central attention will be on consumer privacy. Two substantive developments are discussed:
· Regulatory and commercial developments; and
· Legal risk management as a tool towards managing consumer privacy
2. RFID – an overview
RFID is a technology which illustrates any system of identification that uses radio frequency or magnetic field variations, wherein an electronic device which activates the variations is attached to an item.[ii] A tag and a reader are the components of an RFID. Tag is the identification device attached to the item for tracking whilst reader is a device that can recognise the presence of RFID tags and read the information stored on them. The reader can then inform another system about the presence of the tagged items. The system with which the reader communicates usually runs software that stands between readers and applications which are called as RFID middleware.[iii] Even if the historical trail of this technology remains ambivalent, but generally, it goes back to 1920s during the World War II.[iv]
2.1. RFID general functions
RFID could not function without frequency.[v] The operating frequency is the electromagnetic frequency that the tag uses to communicate or to secure power. Due to the nature of RFID which broadcast electromagnetic waves, they are regulated as radio devices. Thus, RFID systems must not interfere with other existing protected applications such as emergency service radios or television transmissions. In relation to the technical standard of ultra high frequencies (UHF), there are different ranges of applications in different parts of the world. Even if each country requires a different range of UHF, it is suggested that one possible global standard known as EPCglobal standard will be able to match varying local regulatory requirements.[vi]
As mentioned, the tag and the reader are two key components to operating an RFID system. The reader functions as transmitter of the system which contains electronics that use an external power source to generate the signal that drives the reader’s antenna. In effect, it creates the radio wave. The radio wave may be received by an RFID tag, which ‘reflects’ some of the energy it receives in a particular way, based on the identity of the tag.[vii] Whilst this reflection is going on, the RFID reader is also acting as a radio receiver so that it can detect and decode the reflected signal in order to identify the tag.
2.2. Types of categorisation
There are essentially three types of categorisation within an RFID system which is based on the power source used by the tag, as particularised:-
· Passive tag – This requires no power source at the tag. It does not require any batteries but utilises the energy of radio wave to effect its operation.[viii] In this category, it results to the lowest tag cost at the expense of the performance. Example that could be seen in practice is the usage of passive tag in individual product items for applications in supermarket checkouts and smart cards[ix];
· Semi-passive tag – This relies on the battery built into the tag in order to achieve a better performance within the operating range. In this category, the battery powers the internal circuitry during the communication; however it is not used to generate radio wave.[x] This tag is mostly fragile and expensive in the market[xi]; and
· Active tag – It utilises batteries for their entire operation which can generate radio wave actively in the absence of a reader.[xii] In this category, the tag is capable of a peer-to-peer communication. It has larger memory as compared to the passive tag, possesses higher processing capabilities and secure.[xiii]
Without any doubt, the semi-passive tag is the only category which does not require the involvement of a radio wave. It is also due to the costly price which compels the RFID provider to opt the first and second category.
3. Regulatory and commercial developments
Besides the United States of America, there are regimes which have been very serious to addressing RFID policy and regulation; the European Union and the United Kingdom. These regimes have undertaken a very smart move to advocate a possible RFID policy in the very near future. The European Commission is undertaking an open public consultation towards establishing an RFID policy for Europe. [xiv] The outcome will be disseminated and diffused to the member states once the European Commission would have duly substantiated the consultative deliberations. However, for the purpose of this paper, it shall restrict generally into the governing Directives of the European Union and the guidance by the United Kingdom.
3.1. The European Union (EU)
In the EU, Article 29 of the EU Working Party which is established under the auspices Article 29 of Directive 95/46/EC articulates existing privacy and data protection issues.[xv] On the data protection front, the Working Party has mooted the concerns on the effect of RFID technology which may lead to violation of human rights and data protections rights. The main concern exceedingly surrounds on the possibility of businesses and governments which have deployed RFID that is accruing and prying into the privacy sphere of individuals.[xvi] Cursorily, the published summary of responses by the RFID stakeholders has achieved a general satisfaction. In practice, however, it is asserted that the examples of RFID applications technically illustrated in the working document do not match the reality.[xvii] It is argued that societal benefits and realistic appreciation of technical possibilities should be painstakingly inferred whilst analysing RFID applications.
Two governing Directives are applicable within the EU; Directive 95/46/EC on the protection of personal data and Directive 2002/58/EC on the protection of personal data in the electronic communications sector. These Directives outline the pre-emptive mechanism of data processing that should be complied with, by the member states.[xviii] In Directive 95/46/EC, it could be asserted that not all RFID applications are governed under the provisions. This is due to the complexity nature of RFID technology itself via the tags, the reader and middleware. Technically, the tags possess the capability to exchange information and thus, the existing provision in the Directive have ignored and limited its scope of regulation, thus, fails to achieving technology neutrality approach. It also leads to a certain level of biasness towards existing RFID middleware and applications which are integrated with other component of technologies. In Directive 2002/58/EC, services must provide continually the possibility, of using a simple means and free of charge, of temporarily refusing the processing of certain personal data for each communication. It is asserted that a PC based system would fulfil the needs of the provision, but RFID may struggle to comply with the spirit due to the nature of its technical interface.
3.2 – Guidance in the United Kingdom (UK)
In the UK, the Data Protection Act 1998 regulates the processing of personal data. Supporting the provisions of the Act is The Data Protection Technical Guidance Radio Frequency Identification. It has outlined two scenarios in which personal data might be processed using RFID.[xix] First, personal data may be stored on the tags themselves, or linked to a database containing personal data. Second, if tags or individual items can be used to identify the individual associated with the item, they will be personal data.[xx] The Act also applies when the personal data is collected, generated or disclosed using RFID either directly or indirectly. RFID users should also adopt the data protection principles of fair processing, use limitation, data quality, data retention and security. The guidance has also mentioned extensively specific data protection concerns which involve security, monitoring, profiling and technical solutions.[xxi]
From these developments, the UK Information Commissioner has put a very high concern on the level of surveillance in the UK’s society. In a report on surveillance society, issued by the Surveillance Studies Network[xxii], RFID has been highlighted as one of the central issues and discussions. Even if the report does not critically analyse the technical aspects of RFID and its dangers to privacy and surveillance in detail, it has however outlined future directions to the data protection actors whenever potential RFID issues take place. Invariably, the report has analysed various social, technical, regulatory and economic perspectives which could be applied in today’s context in achieving a balanced surveillance society.
3.3. Development in Singapore[xxiii]
Singapore was one of earliest users of RFID technology in the world.[xxiv] Singapore Land Transport Authority has been deploying RFID since 1998 in what was the world's first Electronic Road Pricing system, an automated toll-collection system used to control and manage traffic volume in the city. Singapore's National Library Board was one of the first to harness RFID in a library environment back in late in 1998, when it embedded RFID tags on books to automate the borrowing and returning of library books as well as to expedite the process of sorting books and returning them to shelves.
As Asia's leading convention venue, Singapore has long used RFID technology to tracing delegates at large conferences and conventions in the city. Singapore became the first pilot port in Asia under the United States of America Container Security Initiative. The island-republic is now implementing the usage of RFID seals for all containers bound for the United States of America seaports. Selective local research institutions teamed up towards developing solutions to deploy RFID for tracing SARS contacts in local hospitals. At present, Singapore wants to leverage its existing expertise to undertake RFID research and development.[xxv]
It is evident that Singapore RFID deployment has positioned the republic as the leader in the Asia Pacific region. Whilst the commercial development looks positively encouraging, it is to note that data protection provisions in Singapore legal regime is rather sectorial and piecemeal.[xxvi] However, recent development in Singaporean parliament suggests that data protection and privacy should be the main priority for Singapore’s industries.[xxvii]
3.4. Development in Malaysia
Based on IDC’s forecast, the Malaysia’s RFID market is expected to hit RM77 million by 2010[xxviii] with a compound of annual growth rate of 45.84%. Significant developments have taken place in Malaysia’s RFID growth. On December 2006, the Malaysian Road Transport Department had initiated the usage of RFID license plates with the attempt to reduce the number of car thefts in the country. The plate will contain the information about the owner of the car and the vehicle. This will help the police official to know if the car has been stolen.[xxix]
On 24 February 2007, Malaysia had released the world’s smallest RFID microchip which measures between 0.4mm by 0.4mm with a built-in antenna, which can be embedded on paper.[xxx] The microchip, developed under the Malaysia Microchip Project, at a cost of US$50 million (RM180 million) based on Japanese technology, is the first with multi-band frequencies.[xxxi] These developments envisage promising RFID growth in the Malaysian market and if the IDC analysis remains prevalent, it is predicted Malaysia will be the central RFID investment within the South East Asian region.
In Malaysia, the effort to draft the PDP Bill started in 2000. However, the legislation is yet to be seen.[xxxii] Rumours claimed that the Bill was motivated by the European Union regulatory approach as compared to the self-regulation approach of safe harbour of the United States of America.[xxxiii] But now, the situation is otherwise and it has given quite a general setback to various industries in implementing possible data protection and privacy strategy within their organisations.
The issue of the PDP Bill delay was also mentioned in the parliament. One of the members of parliament lamented that the government was taking too long to pass laws on personal data protection, which existed in ninety countries. He further viewed that it is imperative that Malaysia hasten the enactment of the law and poignantly added that it could affect efforts to sustain Malaysia’s position as a competitive outsourcing country after India and China.[xxxiv]
The moans and groans are not only commonly shared by the Malaysian public but also multinational corporations and foreign investors. The next question to be asked is whether the RFID technology undermines privacy and data protection? There are two possible and skeletal answers. First, in the event the Bill has analysed thoroughly the application of emerging new technology and its convergence[xxxv] vis-Ã -vis’ the privacy and data protection provisions, it is believed it would not generally undermine due to its technology neutrality approach. Second, in the event the Bill has not achieved the same, a secondary review to the existing draft should be made pedantically. However, it should be noted that these answers may be duly substantiated once the Bill takes place in Malaysia.
4. RFID and consumer privacy
The regulatory and commercial developments in different legal regimes lead to different principles and approaches. Appropriately, these regimes are undertaking a multi-layered effort to ensuring that RFID remains relevant, yet there should be certain pre-emptive measures in protecting privacy. Civil liberties have also raised their eye brows questioning the legitimacy of RFID tracking technology. The technology reveals worried danger within the privacy sphere that needs to be defused.
In 2005, consumer privacy advocates had initiated a website boycotting TESCO which was aimed to encourage consumers’ participation and awareness on the danger of this “spy chip” technology.[xxxvi] Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) launched the campaign nationwide evidencing the level of protest on privacy fears. CASPIAN was particularly concerned about item-level RFID tagging, especially the potential for retailers to be able to track goods after they leave the store - which it views as invasion of consumer privacy.
The boycott against GILLETTE is also another profound example advocated by CASPIAN in 2003. It was claimed that the GILLETTE product had been embedded with an RFID chip that was able to “spy” on consumers. Subsequently, a website to boycotting GILLETTE product was established to educate consumers the danger of RFID.[xxxvii] On the similar stance, BENETTON was also the subject of boycott by CASPIAN. It was claimed that the clothing that was on sale within the BENETTON’s premises were embedded with an RFID chip which simultaneously prying on consumers’ data and privacy.[xxxviii]
CASPIAN’s intention to educate the consumer privacy is commendable. On one hand, the boycott websites suggested consumers to abandon their intention to purchase the products due to the danger of potential data intrusion via the RFID technology. But, on the other hand, CASPIAN has failed to address the recommended best practices to consumers towards risk mitigation whenever the consumers would have purchased the product. Realistically, the outcome of boycott consultation between CASPIAN and the relevant RFID users like TESCO should also be channelled to the consumers for an informed notification.[xxxix]
4.1. Legal Risk Management in consumer privacy
Business continuity has always been the life cycle of organisations and companies. The term ‘legal risk management’[xl] is neither a new nor a coined terminology. It is a hybrid approach or strategy assessing issues within the application of risk management module and legal principles.[xli] Due to the hybrid nature of the module, akin to the RFID technology, RFID users should be able to adopt a strong risk management culture. A strong risk management culture commences with these levels of risk processes: risk identification, risk analysis, risk profiling, risk mitigation, risk control and risk scorecard.[xlii]
The traditional approach of risk management is mostly centred upon internal auditing exercise and internal control of organisations and companies. However, as the global market matures, risk management has been extended to control or pre-empted specific problems and issues, in the absence of a clear legislation or technical standard. The ultimate aim of adopting a legal risk management strategy for RFID users is to complement the industries’ readiness in complying privacy and data protection provisions.[xliii] This will also enable data controllers to self-regulate consumer privacy and be able to avoid potential boycotting.
Legal risk management does not favour any organisations or companies but it complements these entities within their risk appetites. Generally, risk management requires a pre-emptive strategy that is realistic and achievable. For organisations, the essential strategy starts with the establishment of an RFID risk manual.[xliv] This manual will be able to outline brief technical illustration of the RFID usage, the sensitive technical areas that lead to privacy issues as well as how to mitigate and manage the RFID and privacy related risk perceptions. The manual should also provide the commitment to manage the risk and at the same time, eliminating the risk that would have been derived from RFID middleware, applications and deployment. It is submitted that the manual should take into various aspects which include, cost, technical, legal, research & development, liability, operations, third party and reputation. Appropriately, RFID risk manual should also incorporate the privacy risk checklist[xlv] that could serve as useful guidance and tool for the users. It is emphasized that the checklist should be based on the risk appetites of organisations and companies.
A strong RFID risk manual should be supplemented with ongoing training, dissemination, careful review and control. This is deemed to be essential to companies and organisations. In the context of consumer privacy, a strong risk management processes would be able to cover potential liabilities of the RFID service provider, retailers, data controllers and any third parties who are involved with the deployment. This will boost strong confidence to existing consumers and potential consumers who intend to purchase any products or items without privacy fear and danger.
4.2 Potential arguments against legal risk management
The option to adopt this legal risk management strategy is an open option to preserve consumer privacy. It is not meant to compel organisations and companies to adopt the same in the absence of a clear privacy and data protection provisions. Apropos, this option should also be taken into consideration as a means of internal control and thus, complementing privacy and data protection terms of other countries and regimes. This option also helps retailers, hyper markets, RFID technology service providers and any data controllers to disclaim their privacy liabilities. There may be two potential arguments that underpin the adoption of legal risk management strategy, besides the typical cost and resources arguments.
First, one may argue that there are also other technical standards that could mitigate such RFID related privacy risks. However, to counter argue, it should be borne in mind that such existing standards are restricted on specific technology adoption and the risk assessment which is featured within any existing standards do not, in most cases, carry the levels of risk management in a whole package.
Second, one may also argue that relying on data protection terms are sufficient to overcome privacy issues and there is no need to extend such existing standards or models to examine the level of privacy and data protection within RFID technology. To the contrary, the purpose of legal risk management model is to add the value to privacy and data protection provisions. It does not, however, lead to duplication and interface other existing standards or models and legal risk management is deemed to be pragmatic in mitigating the issues between RFID and privacy. Besides being the added value tool towards privacy and data protection, this model adopts the commendable practice is corporate governance.
5. Privacy impact assessment
It is undeniable that RFID deployment involves multi layered of relationship ranging from the service providers, third parties’ applications, third parties’ middleware and to the users. In the event RFID technology has been deployed, it carries different levels of liabilities. It is very essential for these parties to conduct a privacy impact assessment as to ascertain the sustainability of the technology in the long run. Arguably, there are no specific models that could be developed for specific industries. However, it is asserted that this assessment will be able to carry a balanced weight which complements the legal risk management approach.
Appropriately, such assessment should involve four layers: technical, legal, economic and social.[xlvi] The assessment could be designed through detailed checklists corresponding to the structure of the RFID technology, based on specific industries’ demands and needs. For consumer privacy, retailers should be able to ascertain the sustainability of their RFID-related policy so that an informed notification has been channelled and disseminated to the consumers. It is also indispensable for retailers to model a tailor made RFID privacy policy for consumers’ attention so that the choice and option of consumers to purchase a specific product shall not be abandoned. Strategic privacy impact assessment between CASPIAN, the retailers and consumers should also take place in the very near future. The rationale is to establish a dynamic co-existence between these focused groups which will equalise a unique level of cooperation towards pre-empting privacy fears derived from RFID technology.
6. Conclusion
From the foregoing developments, caution steps should be taken by all parties who are involved directly and indirectly by RFID deployment. Whilst the European Union and the United Kingdom have provided a general model of RFID guidance, Malaysia and Singapore should expedite the lobbying to pass the motherhood of privacy and data protection legislation at the first instance. With that, it will enable to bridge the gap between RFID technology development vis-Ã -vis regulations. Even if the legislation would have been in place, it shall take some considerable time for both countries to reach the tested maturity stage alike of the European Union and the United Kingdom.
With regards to consumer privacy, CASPIAN, being the leader of civil liberties and consumer advocate should play a more effective cum strategic role in RFID. Whilst the boycotting and lobbying the consumers to abandon such purchases tend to be a brave move, it is however, needs effective yet resourceful dissemination and diffusion for consumers. As suggested, a trilateral consultative process between CASPIAN, retailers and consumers shall lead the headway towards a privacy compliant RFID environment.
It is very interesting to awaiting the outcome of the European Commission RFID EU Policy consultation. The impact shall change the current RFID landscape and, consumers should be able to monitor its developments tenaciously. Whilst the outcome remains to be speculative, it is timely for RFID players and actors to embark on with the best and strategic option which may fit their companies and organisations. As the notion of there is ‘no one size fits all’ deemed to be applicable in RFID technology context, it is however needful for the industries to consider the best and practical options from various perspectives; technically, economically, legally and socially. By this, it is believed that privacy will not be a nightmare and over exaggerated by unqualified justifications and assertions. RFID remains relevant and indeed it is.
1 Head, Company Secretary, Compliance & Risk Management of HeiTech Padu Berhad. See http://www.heitech.com.my. For detailed RFID research blog: http://the-rfid-nexus.blogspot.com. See also his paper presented in the British Irish Legal Education Technology Association 2007, hosted by University of Hertfordshire on 16-17 April 2007 titled “RFID: Malaysia’s privacy at the crossroads?”, readable at the RFID research blog.
[ii] Bill Glover & Himanshu Bhatt, “RFID Essentials” (2006, O’Reilly) pp 1-19.
[iii] Glover & Bhatt en above at p.1.
[iv] See generally Matt Ward, Rob van Kranenburg and Gaynor Backhouse “RFID: frequency, standards and innovation”, JISC Technology and Standards Watch, May 2006 at p. 4-5. Retrievable online: http://www.jisc.ac.uk/uploaded_documents/TSW0602.pdf, accessed 20 February, 2007.
[v] RFID typically operates within a low frequency (LF), high frequency (HF), ultra high frequency (UHF) and microwave. In practice, the actual frequencies available to RFID are limited to those frequencies set aside as Industrial Scientific Medical (ISM). Frequencies lower than 135 kHz are not ISM frequencies, but in this range RFID systems are usually using powerful magnetic fields and operating over short ranges, so much so, interference is less of an issue than it might be otherwise.
[v] Battle for different applications of UHF is also still taking place amongst RFID users in specific industry such as pharmacy. See generally: http://www.unisys.com/commercial/news_a_events/all__news/04048642.htm, accessed 20 February 2007.
[vi] It is argued that this standard shall lead to possible RFID technological convergence towards pre-emptive technical regulation. It is hoped that governments and standard bodies should make a genuine effort to cooperate producing a global standard; see also EPC Global, “Communications Commission sets the stage for the EU to realise benefits of applications based on EPCglobal standards” Retrievable online: http://www.epcglobalinc.org/about/media_centre/press_rel/Press_Release_Commission_Communication_on_RFID_070314.pdf, accessed 20 February 2007; see generally: http://en.wikipedia.org/wiki/EPCglobal, accessed 20 February 2007.
[vii] Steve Hodges & Mark Horrison, “WHITE PAPER – Demystifying RFID: Principles and Practicalities”, Auto-ID Centre, Institute for Manufacturing, University of Cambridge, Published 1 October 2003 at p. 8-9; see also http://www.ifm.eng.cam.ac.uk/automation/publications/documents/CAM-AUTOID-WH024.pdf, accessed 20 February 2007.
[viii] Ibid., at p.9.
[ix] See JISC Technology and Standards Watch, May 2006 at p. 4-5.
[x] Ibid., at p.9.
[xi] See en 16 above, at p. 4-5.
[xii] Ibid., at p.9.
[xiii] See en 18 above, at p.4-5.
[xiv] See generally http://ec.europa.eu/information_society/policy/rfid/index_en.htm, accessed 2 May 2007.
[xv] See generally http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm; see also http://www.edri.org/edrigram/number3.3/consultation, and http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp105_en.pdf respectively, accessed 22 March 2007.
[xvi] See Olli Pitkanen and Marketta Niemela, “Privacy and data protection in emerging RFID-applications”, Helsinki Institute for Information Technology HIIT, Helsinki University of Technology and University of Helsinki, VTT Technical Research Centre of Finland. This paper was presented in the EU RFID Forum 2007, retrievable at: http://www.rfidconvocation.eu/Papers%20presented/Business/Privacy%20and%20Data%20Protection%20in%20Emerging%20RFID-Applications.pdf, accessed 22 March 2007.
[xvii] Ibid., see en 17 above, at p.1-2.
[xviii] The data should be processed fairly and lawfully; collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; adequate, relevant and not excessive in relation to the purposes; accurate and, where necessary, kept up to date. For restrictions, see http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf, accessed 22 March 2007.
[xix] See http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/radio_frequency_indentification_tech_guidance.pdf; see also http://www.ico.gov.uk/global/search_results.aspx?search=RFID, accessed 22 March 2007.
[xx] Ibid., see en 18 above at p 3-4.
[xxi] The concerns include “skimming”, “hacking”, “rogue RFID tag readers”, “skimmers” “cloned EFID chip”, “blocker tags” and “clipped tags”. For more detailed explanation, see the guidance at p. 5-7; see also http://www.ico.gov.uk/upload/documents/library/data_protection/introductory/radio_frequency_identification_tags.pdf, accessed 23 March 2007.
[xxii] As the bulk report remains an authoritative and guidance to data controller, it is suggested however that the substance of the report should be inferred within the context of data protection strategy and management of the data controller. See http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_full_report_2006.pdf, accessed 23 March 2007; see also the appendices of the report: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_appendices_06.pdf, accessed 23 March 2007; see the summary of the report: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_summary_06.pdf, accessed 23 March 2007.
[xxiii] See generally http://www.itu.int/osg/spu/ni/ubiquitous/Presentations/4_poon_RFID.pdf, accessed 2 May 2007; see also http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN018240.pdf, accessed 2 May 2007.
[xxiv] See generally http://www.rfidjournal.com/article/articleview/1024/1/1/, accessed 2 May 2007.
[xxv] With government help, RFID technology provider Tunity Technologies is developing EPC-compliant multifrequency RFID tags that operate in three different RF bands.
[xxvi] See generally http://www.american.edu/carmel/ag0466a/Doc13.htm, accessed 2 May 2007.
[xxvii] See generally http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN012665.pdf, accessed 2 May 2007; see also http://www.infowar-monitor.net/modules.php?op=modload&name=News&file=article&sid=1319, accessed 2 May 2007.
[xxviii] See http://www.theedgedaily.com/cms/content.jsp?id=com.tms.cms.article.Article_d2cc4b98-cb73c03a-29d65b00-cd5c3a50, accessed 20 February 2007 see also http://morerfid.com/details.php?subdetail=Report&action=details&report_id=1032&display=RFID, accessed 20 February 2007. In the Malaysia RFID 2006-2010 Forecast and Analysis, it predicted the state of the market for RFID solutions implementation in Malaysia, historical development, and prediction for the future. It also presents an end user's RFID case study and write-up on key players that offer RFID solutions in Malaysia. Based on the study, hardware comprises largest portion of the total commercial RFID spending in 2005 at 60%, driven primarily by the purchases of readers and tags, followed by software and services which take up the remaining 40% of the RFID spending. "Based on the IDC's definitions, software revenue captured in this forecast is limited to RFID middleware, reader firmware, and additional enterprise middleware directly related to integrating data from the RFID layer with the enterprise application layer. It does not incorporate spending on enterprise applications and upgrades beyond middleware to accommodate and take advantage of the influx of data from RFID tags. Services included in this forecast are business process consulting, installation, systems integration, and ongoing support services. Software and services would pose more growth potential, with CAGR of 48% and 51% respectively.
[xxix] The owner of the car should be nearby if the police officials want to check the driver's identity. The system will be implemented next year. The new cars would have such plates followed by the older ones. The risk what I see is that in case the RFID system of your car breaks down then you might be pulled from your car by the cops thinking that you are a thief. See generally http://www.iht.com/articles/ap/2006/12/09/asia/AS_GEN_Malaysia_Car_Thefts.php, accessed 22 February 2007.
[xxx] See http://www.hitachi.co.jp/Prod/mu-chip/index.html, accessed 22 February 2007.
[xxxi] The Prime Minister, Datuk Seri Abdullah Ahmad Badawi, who launched the microchip yesterday, said the chip with its identification serial number, could help to counter the forgery of government documents; currency notes; halal certificates; medical products and compact discs, among others. Besides, some applications currently being developed would further assist to improve the public service delivery system. See http://www.mida.gov.my/beta/view.php?cat=14&scat=1552, accessed 22 February 2007; see also http://en.qschina.com/html/tradeinfo/html/2007/3/13/9088.html, accessed 22 February 2007.
[xxxii] See Ida Madieha Azmi, “E-commerce and privacy issues: an analysis of the personal data protection bill”, International Review of Computer Laws & Technology, Volume 16, No. 3, pp 317-330, 2002.
[xxxiii] See Ida Madieha Azmi, “Why has data protection law been delayed in Malaysia? Nothing to do with Islam and who needs it anyway?” BILETA 2006, Malta 6th – 7th April 2006. See generally: http://events.um.edu.mt/bileta2006/29DP&I%20v1%20Ida%20madieha%20Aziz.pdf, accessed 22 February 2007; see also Hurriyah El Islamy, “Privacy and Technology”, BILETA 2005, Belfast retrievable at: http://www.bileta.ac.uk/Document%20Library/1/Privacy%20and%20Technology.pdf, accessed 22 February 2007.
[xxxiv] Jane Ritikos, Florence A. Samy and Elizabeth Looi, “Same law apply for bloggers, say BN rep”, The Star Online, Thursday March 22 2007; see also: http://star-techcentral.com/tech/story.asp?file=/2007/3/22/technology/20070322114048&sec=technology, accessed 22 March 2007.
[xxxv] See generally http://en.wikipedia.org/wiki/Technological_convergence, accessed 22 March 2007.
[xxxvi] See generally http://www.boycotttesco.com./, accessed 2 May 2007; see also http://news.bbc.co.uk/1/hi/business/4209545.stm, accessed 2 May 2007.
[xxxvii] See http://www.out-law.com/page-3812, accessed 2 May 2007 see also http://www.boycottgillette.com/, accessed 2 May 2007.
[xxxviii] Se http://www.boycottbenetton.com/ accessed 2 May 2007; see also http://www.rfidjournal.com/article/articleview/344/1/1/, accessed 2 May 2007 see generally http://www.out-law.com/page-3465, accessed 2 May 2007.
[xxxix] See generally http://www.ipc.on.ca/images/Resources/up-rfidtips.pdf, accessed 3 May 2007.
[xl] See generally http://en.wikipedia.org/wiki/Enterprise_Risk_Management, accessed 24 March 2007.
[xli] Globally, the preferred risk management module is enterprise risk management. See generally http://en.wikipedia.org/wiki/Enterprise_Risk_Management, accessed 24 March 2007.
[xlii] See generally http://www.admin.ox.ac.uk/riskmgt/overview.shtml, accessed 24 March 2007.
[xliii] Frederic Thiesse, “Managing risk perceptions of RFID” Auto-ID Labs White Paper WP-BIZAPP-031, pp 11-17; see Atkinson, W. (2004), “Tagged: the risks and rewards of RFID technology” Risk Management Journal 51 (7) at pp. 12-19; see also Cavoukian, A. (2004), “Tag, You’re it: privacy implications of Radio Frequency identification Technology, Information and Privacy Commissioner Ontario, Toronto; see also an interesting Australian perspective: http://www.privacy.gov.au/news/04_07.html, accessed 24 March 2007.
[xliv] RFID risk manual can only be established once organisations or companies have undergone the levels of risk management exercise. See also an example of risk management checklist: http://www.lms.ca/@pdf/Risk_Management_Checklist.pdf, accessed 24 March 2007.
[xlv] See generally http://cyber.law.harvard.edu/ecommerce/privacyaudit.html, accessed 24 March 2007; see also http://www.itcinstitute.com/display.aspx?id=2499, accessed 24 March 2007.
[xlvi] See http://csrc.lse.ac.uk/asp/aspecis/20050060.pdf, accessed 3 May 2007.
Is legal risk management relevant in consumer privacy?
Noriswadi Ismail[i]
British Chevening Scholar, University of Strathclyde
noriswadi.ismail@strath.ac.uk
Abstract. RFID is regarded as technological perfection in many global industries; retails, logistics, libraries, passports, surveillance, healthcare and banking. RFID proponents assert that the technology has been complementing global industries’ value chain and business continuity. Global market analysis has predicted that the Return of Investment from this technology will massively attract widespread deployment by 2010. Whilst the strength of this technology remains relevant for the proponents, there remain handful debates on the weaknesses of RFID’s data surveillance. Due to the latter, this paper will reveal the weaknesses and how it leads to privacy debates in consumer privacy. Regulatory and commercial developments from the United Kingdom and European Union will be painstakingly analysed. This paper will also comparatively analyse the developments in Malaysia and Singapore. It will endeavour to outline the respective Regulators’ position and selected industries’ feedbacks in RFID on cursory note. Significantly, this paper will attempt to argue the relevance of legal risk management in consumer privacy as the key question to be answered. It will explore a potential approach that could be balanced between RFID technology vis-Ã -vis consumer privacy.
1. Introduction
RFID has been generally cited as one of the most evolving technologies in the world. This powerful technology remains incompatible in these industries: retails, logistics, military, libraries, surveillance and banking, yet it endures endless debates in some legal regimes and contours. When the technology was first deployed by the military, the impact of the technology was never intended to be as sensitive as it is today. Besides, global RFID spending has increased by leaps and bounds and provides an ongoing deployment by these various industries to enjoy its value chain and business continuity. Many will view that RFID substitutes the role of barcode as means of tagging technology despite of the inhibiting level of protection towards the internal subject of the tagging - which is the data and most importantly - privacy. Due to the latter, it has prompted potential data protection and civil liberties debates across the globe. Whilst this concern is ongoing, this paper will attempt to look into how RFID technology leads to potential questions of privacy. The central attention will be on consumer privacy. Two substantive developments are discussed:
· Regulatory and commercial developments; and
· Legal risk management as a tool towards managing consumer privacy
2. RFID – an overview
RFID is a technology which illustrates any system of identification that uses radio frequency or magnetic field variations, wherein an electronic device which activates the variations is attached to an item.[ii] A tag and a reader are the components of an RFID. Tag is the identification device attached to the item for tracking whilst reader is a device that can recognise the presence of RFID tags and read the information stored on them. The reader can then inform another system about the presence of the tagged items. The system with which the reader communicates usually runs software that stands between readers and applications which are called as RFID middleware.[iii] Even if the historical trail of this technology remains ambivalent, but generally, it goes back to 1920s during the World War II.[iv]
2.1. RFID general functions
RFID could not function without frequency.[v] The operating frequency is the electromagnetic frequency that the tag uses to communicate or to secure power. Due to the nature of RFID which broadcast electromagnetic waves, they are regulated as radio devices. Thus, RFID systems must not interfere with other existing protected applications such as emergency service radios or television transmissions. In relation to the technical standard of ultra high frequencies (UHF), there are different ranges of applications in different parts of the world. Even if each country requires a different range of UHF, it is suggested that one possible global standard known as EPCglobal standard will be able to match varying local regulatory requirements.[vi]
As mentioned, the tag and the reader are two key components to operating an RFID system. The reader functions as transmitter of the system which contains electronics that use an external power source to generate the signal that drives the reader’s antenna. In effect, it creates the radio wave. The radio wave may be received by an RFID tag, which ‘reflects’ some of the energy it receives in a particular way, based on the identity of the tag.[vii] Whilst this reflection is going on, the RFID reader is also acting as a radio receiver so that it can detect and decode the reflected signal in order to identify the tag.
2.2. Types of categorisation
There are essentially three types of categorisation within an RFID system which is based on the power source used by the tag, as particularised:-
· Passive tag – This requires no power source at the tag. It does not require any batteries but utilises the energy of radio wave to effect its operation.[viii] In this category, it results to the lowest tag cost at the expense of the performance. Example that could be seen in practice is the usage of passive tag in individual product items for applications in supermarket checkouts and smart cards[ix];
· Semi-passive tag – This relies on the battery built into the tag in order to achieve a better performance within the operating range. In this category, the battery powers the internal circuitry during the communication; however it is not used to generate radio wave.[x] This tag is mostly fragile and expensive in the market[xi]; and
· Active tag – It utilises batteries for their entire operation which can generate radio wave actively in the absence of a reader.[xii] In this category, the tag is capable of a peer-to-peer communication. It has larger memory as compared to the passive tag, possesses higher processing capabilities and secure.[xiii]
Without any doubt, the semi-passive tag is the only category which does not require the involvement of a radio wave. It is also due to the costly price which compels the RFID provider to opt the first and second category.
3. Regulatory and commercial developments
Besides the United States of America, there are regimes which have been very serious to addressing RFID policy and regulation; the European Union and the United Kingdom. These regimes have undertaken a very smart move to advocate a possible RFID policy in the very near future. The European Commission is undertaking an open public consultation towards establishing an RFID policy for Europe. [xiv] The outcome will be disseminated and diffused to the member states once the European Commission would have duly substantiated the consultative deliberations. However, for the purpose of this paper, it shall restrict generally into the governing Directives of the European Union and the guidance by the United Kingdom.
3.1. The European Union (EU)
In the EU, Article 29 of the EU Working Party which is established under the auspices Article 29 of Directive 95/46/EC articulates existing privacy and data protection issues.[xv] On the data protection front, the Working Party has mooted the concerns on the effect of RFID technology which may lead to violation of human rights and data protections rights. The main concern exceedingly surrounds on the possibility of businesses and governments which have deployed RFID that is accruing and prying into the privacy sphere of individuals.[xvi] Cursorily, the published summary of responses by the RFID stakeholders has achieved a general satisfaction. In practice, however, it is asserted that the examples of RFID applications technically illustrated in the working document do not match the reality.[xvii] It is argued that societal benefits and realistic appreciation of technical possibilities should be painstakingly inferred whilst analysing RFID applications.
Two governing Directives are applicable within the EU; Directive 95/46/EC on the protection of personal data and Directive 2002/58/EC on the protection of personal data in the electronic communications sector. These Directives outline the pre-emptive mechanism of data processing that should be complied with, by the member states.[xviii] In Directive 95/46/EC, it could be asserted that not all RFID applications are governed under the provisions. This is due to the complexity nature of RFID technology itself via the tags, the reader and middleware. Technically, the tags possess the capability to exchange information and thus, the existing provision in the Directive have ignored and limited its scope of regulation, thus, fails to achieving technology neutrality approach. It also leads to a certain level of biasness towards existing RFID middleware and applications which are integrated with other component of technologies. In Directive 2002/58/EC, services must provide continually the possibility, of using a simple means and free of charge, of temporarily refusing the processing of certain personal data for each communication. It is asserted that a PC based system would fulfil the needs of the provision, but RFID may struggle to comply with the spirit due to the nature of its technical interface.
3.2 – Guidance in the United Kingdom (UK)
In the UK, the Data Protection Act 1998 regulates the processing of personal data. Supporting the provisions of the Act is The Data Protection Technical Guidance Radio Frequency Identification. It has outlined two scenarios in which personal data might be processed using RFID.[xix] First, personal data may be stored on the tags themselves, or linked to a database containing personal data. Second, if tags or individual items can be used to identify the individual associated with the item, they will be personal data.[xx] The Act also applies when the personal data is collected, generated or disclosed using RFID either directly or indirectly. RFID users should also adopt the data protection principles of fair processing, use limitation, data quality, data retention and security. The guidance has also mentioned extensively specific data protection concerns which involve security, monitoring, profiling and technical solutions.[xxi]
From these developments, the UK Information Commissioner has put a very high concern on the level of surveillance in the UK’s society. In a report on surveillance society, issued by the Surveillance Studies Network[xxii], RFID has been highlighted as one of the central issues and discussions. Even if the report does not critically analyse the technical aspects of RFID and its dangers to privacy and surveillance in detail, it has however outlined future directions to the data protection actors whenever potential RFID issues take place. Invariably, the report has analysed various social, technical, regulatory and economic perspectives which could be applied in today’s context in achieving a balanced surveillance society.
3.3. Development in Singapore[xxiii]
Singapore was one of earliest users of RFID technology in the world.[xxiv] Singapore Land Transport Authority has been deploying RFID since 1998 in what was the world's first Electronic Road Pricing system, an automated toll-collection system used to control and manage traffic volume in the city. Singapore's National Library Board was one of the first to harness RFID in a library environment back in late in 1998, when it embedded RFID tags on books to automate the borrowing and returning of library books as well as to expedite the process of sorting books and returning them to shelves.
As Asia's leading convention venue, Singapore has long used RFID technology to tracing delegates at large conferences and conventions in the city. Singapore became the first pilot port in Asia under the United States of America Container Security Initiative. The island-republic is now implementing the usage of RFID seals for all containers bound for the United States of America seaports. Selective local research institutions teamed up towards developing solutions to deploy RFID for tracing SARS contacts in local hospitals. At present, Singapore wants to leverage its existing expertise to undertake RFID research and development.[xxv]
It is evident that Singapore RFID deployment has positioned the republic as the leader in the Asia Pacific region. Whilst the commercial development looks positively encouraging, it is to note that data protection provisions in Singapore legal regime is rather sectorial and piecemeal.[xxvi] However, recent development in Singaporean parliament suggests that data protection and privacy should be the main priority for Singapore’s industries.[xxvii]
3.4. Development in Malaysia
Based on IDC’s forecast, the Malaysia’s RFID market is expected to hit RM77 million by 2010[xxviii] with a compound of annual growth rate of 45.84%. Significant developments have taken place in Malaysia’s RFID growth. On December 2006, the Malaysian Road Transport Department had initiated the usage of RFID license plates with the attempt to reduce the number of car thefts in the country. The plate will contain the information about the owner of the car and the vehicle. This will help the police official to know if the car has been stolen.[xxix]
On 24 February 2007, Malaysia had released the world’s smallest RFID microchip which measures between 0.4mm by 0.4mm with a built-in antenna, which can be embedded on paper.[xxx] The microchip, developed under the Malaysia Microchip Project, at a cost of US$50 million (RM180 million) based on Japanese technology, is the first with multi-band frequencies.[xxxi] These developments envisage promising RFID growth in the Malaysian market and if the IDC analysis remains prevalent, it is predicted Malaysia will be the central RFID investment within the South East Asian region.
In Malaysia, the effort to draft the PDP Bill started in 2000. However, the legislation is yet to be seen.[xxxii] Rumours claimed that the Bill was motivated by the European Union regulatory approach as compared to the self-regulation approach of safe harbour of the United States of America.[xxxiii] But now, the situation is otherwise and it has given quite a general setback to various industries in implementing possible data protection and privacy strategy within their organisations.
The issue of the PDP Bill delay was also mentioned in the parliament. One of the members of parliament lamented that the government was taking too long to pass laws on personal data protection, which existed in ninety countries. He further viewed that it is imperative that Malaysia hasten the enactment of the law and poignantly added that it could affect efforts to sustain Malaysia’s position as a competitive outsourcing country after India and China.[xxxiv]
The moans and groans are not only commonly shared by the Malaysian public but also multinational corporations and foreign investors. The next question to be asked is whether the RFID technology undermines privacy and data protection? There are two possible and skeletal answers. First, in the event the Bill has analysed thoroughly the application of emerging new technology and its convergence[xxxv] vis-Ã -vis’ the privacy and data protection provisions, it is believed it would not generally undermine due to its technology neutrality approach. Second, in the event the Bill has not achieved the same, a secondary review to the existing draft should be made pedantically. However, it should be noted that these answers may be duly substantiated once the Bill takes place in Malaysia.
4. RFID and consumer privacy
The regulatory and commercial developments in different legal regimes lead to different principles and approaches. Appropriately, these regimes are undertaking a multi-layered effort to ensuring that RFID remains relevant, yet there should be certain pre-emptive measures in protecting privacy. Civil liberties have also raised their eye brows questioning the legitimacy of RFID tracking technology. The technology reveals worried danger within the privacy sphere that needs to be defused.
In 2005, consumer privacy advocates had initiated a website boycotting TESCO which was aimed to encourage consumers’ participation and awareness on the danger of this “spy chip” technology.[xxxvi] Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) launched the campaign nationwide evidencing the level of protest on privacy fears. CASPIAN was particularly concerned about item-level RFID tagging, especially the potential for retailers to be able to track goods after they leave the store - which it views as invasion of consumer privacy.
The boycott against GILLETTE is also another profound example advocated by CASPIAN in 2003. It was claimed that the GILLETTE product had been embedded with an RFID chip that was able to “spy” on consumers. Subsequently, a website to boycotting GILLETTE product was established to educate consumers the danger of RFID.[xxxvii] On the similar stance, BENETTON was also the subject of boycott by CASPIAN. It was claimed that the clothing that was on sale within the BENETTON’s premises were embedded with an RFID chip which simultaneously prying on consumers’ data and privacy.[xxxviii]
CASPIAN’s intention to educate the consumer privacy is commendable. On one hand, the boycott websites suggested consumers to abandon their intention to purchase the products due to the danger of potential data intrusion via the RFID technology. But, on the other hand, CASPIAN has failed to address the recommended best practices to consumers towards risk mitigation whenever the consumers would have purchased the product. Realistically, the outcome of boycott consultation between CASPIAN and the relevant RFID users like TESCO should also be channelled to the consumers for an informed notification.[xxxix]
4.1. Legal Risk Management in consumer privacy
Business continuity has always been the life cycle of organisations and companies. The term ‘legal risk management’[xl] is neither a new nor a coined terminology. It is a hybrid approach or strategy assessing issues within the application of risk management module and legal principles.[xli] Due to the hybrid nature of the module, akin to the RFID technology, RFID users should be able to adopt a strong risk management culture. A strong risk management culture commences with these levels of risk processes: risk identification, risk analysis, risk profiling, risk mitigation, risk control and risk scorecard.[xlii]
The traditional approach of risk management is mostly centred upon internal auditing exercise and internal control of organisations and companies. However, as the global market matures, risk management has been extended to control or pre-empted specific problems and issues, in the absence of a clear legislation or technical standard. The ultimate aim of adopting a legal risk management strategy for RFID users is to complement the industries’ readiness in complying privacy and data protection provisions.[xliii] This will also enable data controllers to self-regulate consumer privacy and be able to avoid potential boycotting.
Legal risk management does not favour any organisations or companies but it complements these entities within their risk appetites. Generally, risk management requires a pre-emptive strategy that is realistic and achievable. For organisations, the essential strategy starts with the establishment of an RFID risk manual.[xliv] This manual will be able to outline brief technical illustration of the RFID usage, the sensitive technical areas that lead to privacy issues as well as how to mitigate and manage the RFID and privacy related risk perceptions. The manual should also provide the commitment to manage the risk and at the same time, eliminating the risk that would have been derived from RFID middleware, applications and deployment. It is submitted that the manual should take into various aspects which include, cost, technical, legal, research & development, liability, operations, third party and reputation. Appropriately, RFID risk manual should also incorporate the privacy risk checklist[xlv] that could serve as useful guidance and tool for the users. It is emphasized that the checklist should be based on the risk appetites of organisations and companies.
A strong RFID risk manual should be supplemented with ongoing training, dissemination, careful review and control. This is deemed to be essential to companies and organisations. In the context of consumer privacy, a strong risk management processes would be able to cover potential liabilities of the RFID service provider, retailers, data controllers and any third parties who are involved with the deployment. This will boost strong confidence to existing consumers and potential consumers who intend to purchase any products or items without privacy fear and danger.
4.2 Potential arguments against legal risk management
The option to adopt this legal risk management strategy is an open option to preserve consumer privacy. It is not meant to compel organisations and companies to adopt the same in the absence of a clear privacy and data protection provisions. Apropos, this option should also be taken into consideration as a means of internal control and thus, complementing privacy and data protection terms of other countries and regimes. This option also helps retailers, hyper markets, RFID technology service providers and any data controllers to disclaim their privacy liabilities. There may be two potential arguments that underpin the adoption of legal risk management strategy, besides the typical cost and resources arguments.
First, one may argue that there are also other technical standards that could mitigate such RFID related privacy risks. However, to counter argue, it should be borne in mind that such existing standards are restricted on specific technology adoption and the risk assessment which is featured within any existing standards do not, in most cases, carry the levels of risk management in a whole package.
Second, one may also argue that relying on data protection terms are sufficient to overcome privacy issues and there is no need to extend such existing standards or models to examine the level of privacy and data protection within RFID technology. To the contrary, the purpose of legal risk management model is to add the value to privacy and data protection provisions. It does not, however, lead to duplication and interface other existing standards or models and legal risk management is deemed to be pragmatic in mitigating the issues between RFID and privacy. Besides being the added value tool towards privacy and data protection, this model adopts the commendable practice is corporate governance.
5. Privacy impact assessment
It is undeniable that RFID deployment involves multi layered of relationship ranging from the service providers, third parties’ applications, third parties’ middleware and to the users. In the event RFID technology has been deployed, it carries different levels of liabilities. It is very essential for these parties to conduct a privacy impact assessment as to ascertain the sustainability of the technology in the long run. Arguably, there are no specific models that could be developed for specific industries. However, it is asserted that this assessment will be able to carry a balanced weight which complements the legal risk management approach.
Appropriately, such assessment should involve four layers: technical, legal, economic and social.[xlvi] The assessment could be designed through detailed checklists corresponding to the structure of the RFID technology, based on specific industries’ demands and needs. For consumer privacy, retailers should be able to ascertain the sustainability of their RFID-related policy so that an informed notification has been channelled and disseminated to the consumers. It is also indispensable for retailers to model a tailor made RFID privacy policy for consumers’ attention so that the choice and option of consumers to purchase a specific product shall not be abandoned. Strategic privacy impact assessment between CASPIAN, the retailers and consumers should also take place in the very near future. The rationale is to establish a dynamic co-existence between these focused groups which will equalise a unique level of cooperation towards pre-empting privacy fears derived from RFID technology.
6. Conclusion
From the foregoing developments, caution steps should be taken by all parties who are involved directly and indirectly by RFID deployment. Whilst the European Union and the United Kingdom have provided a general model of RFID guidance, Malaysia and Singapore should expedite the lobbying to pass the motherhood of privacy and data protection legislation at the first instance. With that, it will enable to bridge the gap between RFID technology development vis-Ã -vis regulations. Even if the legislation would have been in place, it shall take some considerable time for both countries to reach the tested maturity stage alike of the European Union and the United Kingdom.
With regards to consumer privacy, CASPIAN, being the leader of civil liberties and consumer advocate should play a more effective cum strategic role in RFID. Whilst the boycotting and lobbying the consumers to abandon such purchases tend to be a brave move, it is however, needs effective yet resourceful dissemination and diffusion for consumers. As suggested, a trilateral consultative process between CASPIAN, retailers and consumers shall lead the headway towards a privacy compliant RFID environment.
It is very interesting to awaiting the outcome of the European Commission RFID EU Policy consultation. The impact shall change the current RFID landscape and, consumers should be able to monitor its developments tenaciously. Whilst the outcome remains to be speculative, it is timely for RFID players and actors to embark on with the best and strategic option which may fit their companies and organisations. As the notion of there is ‘no one size fits all’ deemed to be applicable in RFID technology context, it is however needful for the industries to consider the best and practical options from various perspectives; technically, economically, legally and socially. By this, it is believed that privacy will not be a nightmare and over exaggerated by unqualified justifications and assertions. RFID remains relevant and indeed it is.
1 Head, Company Secretary, Compliance & Risk Management of HeiTech Padu Berhad. See http://www.heitech.com.my. For detailed RFID research blog: http://the-rfid-nexus.blogspot.com. See also his paper presented in the British Irish Legal Education Technology Association 2007, hosted by University of Hertfordshire on 16-17 April 2007 titled “RFID: Malaysia’s privacy at the crossroads?”, readable at the RFID research blog.
[ii] Bill Glover & Himanshu Bhatt, “RFID Essentials” (2006, O’Reilly) pp 1-19.
[iii] Glover & Bhatt en above at p.1.
[iv] See generally Matt Ward, Rob van Kranenburg and Gaynor Backhouse “RFID: frequency, standards and innovation”, JISC Technology and Standards Watch, May 2006 at p. 4-5. Retrievable online: http://www.jisc.ac.uk/uploaded_documents/TSW0602.pdf, accessed 20 February, 2007.
[v] RFID typically operates within a low frequency (LF), high frequency (HF), ultra high frequency (UHF) and microwave. In practice, the actual frequencies available to RFID are limited to those frequencies set aside as Industrial Scientific Medical (ISM). Frequencies lower than 135 kHz are not ISM frequencies, but in this range RFID systems are usually using powerful magnetic fields and operating over short ranges, so much so, interference is less of an issue than it might be otherwise.
[v] Battle for different applications of UHF is also still taking place amongst RFID users in specific industry such as pharmacy. See generally: http://www.unisys.com/commercial/news_a_events/all__news/04048642.htm, accessed 20 February 2007.
[vi] It is argued that this standard shall lead to possible RFID technological convergence towards pre-emptive technical regulation. It is hoped that governments and standard bodies should make a genuine effort to cooperate producing a global standard; see also EPC Global, “Communications Commission sets the stage for the EU to realise benefits of applications based on EPCglobal standards” Retrievable online: http://www.epcglobalinc.org/about/media_centre/press_rel/Press_Release_Commission_Communication_on_RFID_070314.pdf, accessed 20 February 2007; see generally: http://en.wikipedia.org/wiki/EPCglobal, accessed 20 February 2007.
[vii] Steve Hodges & Mark Horrison, “WHITE PAPER – Demystifying RFID: Principles and Practicalities”, Auto-ID Centre, Institute for Manufacturing, University of Cambridge, Published 1 October 2003 at p. 8-9; see also http://www.ifm.eng.cam.ac.uk/automation/publications/documents/CAM-AUTOID-WH024.pdf, accessed 20 February 2007.
[viii] Ibid., at p.9.
[ix] See JISC Technology and Standards Watch, May 2006 at p. 4-5.
[x] Ibid., at p.9.
[xi] See en 16 above, at p. 4-5.
[xii] Ibid., at p.9.
[xiii] See en 18 above, at p.4-5.
[xiv] See generally http://ec.europa.eu/information_society/policy/rfid/index_en.htm, accessed 2 May 2007.
[xv] See generally http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm; see also http://www.edri.org/edrigram/number3.3/consultation, and http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp105_en.pdf respectively, accessed 22 March 2007.
[xvi] See Olli Pitkanen and Marketta Niemela, “Privacy and data protection in emerging RFID-applications”, Helsinki Institute for Information Technology HIIT, Helsinki University of Technology and University of Helsinki, VTT Technical Research Centre of Finland. This paper was presented in the EU RFID Forum 2007, retrievable at: http://www.rfidconvocation.eu/Papers%20presented/Business/Privacy%20and%20Data%20Protection%20in%20Emerging%20RFID-Applications.pdf, accessed 22 March 2007.
[xvii] Ibid., see en 17 above, at p.1-2.
[xviii] The data should be processed fairly and lawfully; collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; adequate, relevant and not excessive in relation to the purposes; accurate and, where necessary, kept up to date. For restrictions, see http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf, accessed 22 March 2007.
[xix] See http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/radio_frequency_indentification_tech_guidance.pdf; see also http://www.ico.gov.uk/global/search_results.aspx?search=RFID, accessed 22 March 2007.
[xx] Ibid., see en 18 above at p 3-4.
[xxi] The concerns include “skimming”, “hacking”, “rogue RFID tag readers”, “skimmers” “cloned EFID chip”, “blocker tags” and “clipped tags”. For more detailed explanation, see the guidance at p. 5-7; see also http://www.ico.gov.uk/upload/documents/library/data_protection/introductory/radio_frequency_identification_tags.pdf, accessed 23 March 2007.
[xxii] As the bulk report remains an authoritative and guidance to data controller, it is suggested however that the substance of the report should be inferred within the context of data protection strategy and management of the data controller. See http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_full_report_2006.pdf, accessed 23 March 2007; see also the appendices of the report: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_appendices_06.pdf, accessed 23 March 2007; see the summary of the report: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_summary_06.pdf, accessed 23 March 2007.
[xxiii] See generally http://www.itu.int/osg/spu/ni/ubiquitous/Presentations/4_poon_RFID.pdf, accessed 2 May 2007; see also http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN018240.pdf, accessed 2 May 2007.
[xxiv] See generally http://www.rfidjournal.com/article/articleview/1024/1/1/, accessed 2 May 2007.
[xxv] With government help, RFID technology provider Tunity Technologies is developing EPC-compliant multifrequency RFID tags that operate in three different RF bands.
[xxvi] See generally http://www.american.edu/carmel/ag0466a/Doc13.htm, accessed 2 May 2007.
[xxvii] See generally http://unpan1.un.org/intradoc/groups/public/documents/APCITY/UNPAN012665.pdf, accessed 2 May 2007; see also http://www.infowar-monitor.net/modules.php?op=modload&name=News&file=article&sid=1319, accessed 2 May 2007.
[xxviii] See http://www.theedgedaily.com/cms/content.jsp?id=com.tms.cms.article.Article_d2cc4b98-cb73c03a-29d65b00-cd5c3a50, accessed 20 February 2007 see also http://morerfid.com/details.php?subdetail=Report&action=details&report_id=1032&display=RFID, accessed 20 February 2007. In the Malaysia RFID 2006-2010 Forecast and Analysis, it predicted the state of the market for RFID solutions implementation in Malaysia, historical development, and prediction for the future. It also presents an end user's RFID case study and write-up on key players that offer RFID solutions in Malaysia. Based on the study, hardware comprises largest portion of the total commercial RFID spending in 2005 at 60%, driven primarily by the purchases of readers and tags, followed by software and services which take up the remaining 40% of the RFID spending. "Based on the IDC's definitions, software revenue captured in this forecast is limited to RFID middleware, reader firmware, and additional enterprise middleware directly related to integrating data from the RFID layer with the enterprise application layer. It does not incorporate spending on enterprise applications and upgrades beyond middleware to accommodate and take advantage of the influx of data from RFID tags. Services included in this forecast are business process consulting, installation, systems integration, and ongoing support services. Software and services would pose more growth potential, with CAGR of 48% and 51% respectively.
[xxix] The owner of the car should be nearby if the police officials want to check the driver's identity. The system will be implemented next year. The new cars would have such plates followed by the older ones. The risk what I see is that in case the RFID system of your car breaks down then you might be pulled from your car by the cops thinking that you are a thief. See generally http://www.iht.com/articles/ap/2006/12/09/asia/AS_GEN_Malaysia_Car_Thefts.php, accessed 22 February 2007.
[xxx] See http://www.hitachi.co.jp/Prod/mu-chip/index.html, accessed 22 February 2007.
[xxxi] The Prime Minister, Datuk Seri Abdullah Ahmad Badawi, who launched the microchip yesterday, said the chip with its identification serial number, could help to counter the forgery of government documents; currency notes; halal certificates; medical products and compact discs, among others. Besides, some applications currently being developed would further assist to improve the public service delivery system. See http://www.mida.gov.my/beta/view.php?cat=14&scat=1552, accessed 22 February 2007; see also http://en.qschina.com/html/tradeinfo/html/2007/3/13/9088.html, accessed 22 February 2007.
[xxxii] See Ida Madieha Azmi, “E-commerce and privacy issues: an analysis of the personal data protection bill”, International Review of Computer Laws & Technology, Volume 16, No. 3, pp 317-330, 2002.
[xxxiii] See Ida Madieha Azmi, “Why has data protection law been delayed in Malaysia? Nothing to do with Islam and who needs it anyway?” BILETA 2006, Malta 6th – 7th April 2006. See generally: http://events.um.edu.mt/bileta2006/29DP&I%20v1%20Ida%20madieha%20Aziz.pdf, accessed 22 February 2007; see also Hurriyah El Islamy, “Privacy and Technology”, BILETA 2005, Belfast retrievable at: http://www.bileta.ac.uk/Document%20Library/1/Privacy%20and%20Technology.pdf, accessed 22 February 2007.
[xxxiv] Jane Ritikos, Florence A. Samy and Elizabeth Looi, “Same law apply for bloggers, say BN rep”, The Star Online, Thursday March 22 2007; see also: http://star-techcentral.com/tech/story.asp?file=/2007/3/22/technology/20070322114048&sec=technology, accessed 22 March 2007.
[xxxv] See generally http://en.wikipedia.org/wiki/Technological_convergence, accessed 22 March 2007.
[xxxvi] See generally http://www.boycotttesco.com./, accessed 2 May 2007; see also http://news.bbc.co.uk/1/hi/business/4209545.stm, accessed 2 May 2007.
[xxxvii] See http://www.out-law.com/page-3812, accessed 2 May 2007 see also http://www.boycottgillette.com/, accessed 2 May 2007.
[xxxviii] Se http://www.boycottbenetton.com/ accessed 2 May 2007; see also http://www.rfidjournal.com/article/articleview/344/1/1/, accessed 2 May 2007 see generally http://www.out-law.com/page-3465, accessed 2 May 2007.
[xxxix] See generally http://www.ipc.on.ca/images/Resources/up-rfidtips.pdf, accessed 3 May 2007.
[xl] See generally http://en.wikipedia.org/wiki/Enterprise_Risk_Management, accessed 24 March 2007.
[xli] Globally, the preferred risk management module is enterprise risk management. See generally http://en.wikipedia.org/wiki/Enterprise_Risk_Management, accessed 24 March 2007.
[xlii] See generally http://www.admin.ox.ac.uk/riskmgt/overview.shtml, accessed 24 March 2007.
[xliii] Frederic Thiesse, “Managing risk perceptions of RFID” Auto-ID Labs White Paper WP-BIZAPP-031, pp 11-17; see Atkinson, W. (2004), “Tagged: the risks and rewards of RFID technology” Risk Management Journal 51 (7) at pp. 12-19; see also Cavoukian, A. (2004), “Tag, You’re it: privacy implications of Radio Frequency identification Technology, Information and Privacy Commissioner Ontario, Toronto; see also an interesting Australian perspective: http://www.privacy.gov.au/news/04_07.html, accessed 24 March 2007.
[xliv] RFID risk manual can only be established once organisations or companies have undergone the levels of risk management exercise. See also an example of risk management checklist: http://www.lms.ca/@pdf/Risk_Management_Checklist.pdf, accessed 24 March 2007.
[xlv] See generally http://cyber.law.harvard.edu/ecommerce/privacyaudit.html, accessed 24 March 2007; see also http://www.itcinstitute.com/display.aspx?id=2499, accessed 24 March 2007.
[xlvi] See http://csrc.lse.ac.uk/asp/aspecis/20050060.pdf, accessed 3 May 2007.
Subscribe to:
Posts (Atom)