Thursday 29 March 2007
Will RFID be absolete?
I have been thinking whether RFID will be absolete? or to be substituted with an advanced technology. Research & Development (R&D) will tell as to whether the technology will harmonise privacy and data protection. Perhaps, Privacy Impact Assessment will be widely adopted. Time will tell.
Wednesday 28 March 2007
We should appreciate RFID
Yes. We should appreciate RFID as it is. It assists tracking, processing and applications. There are many advantages that RFID give us. We should look at the bright and positive side.
Tuesday 27 March 2007
BILETA 2007: My RFID paper
Finally, I have completed my BILETA 2007 paper. Have a good reading:-
(C) Noriswadi Ismail
__________________________________________________________
Radio Frequency Identification Technology (RFID):
Malaysia’s privacy at the crossroads?
Noriswadi Ismail[1]
British Chevening Scholar, University of Strathclyde
1 Introduction
Back 1998, the Kuala Lumpur International Airport[2] had deployed the Malaysian ePassport autogate system. The technology requires Malaysian travellers to place their ePassport document on the autogate slot, followed by verification of their fingerprints on a biometric scanner. The time to scan and verify the passport owner takes less than ten second to complete. The system also does a check against a watch-list on the server to detect any criminal suspects trying to enter Malaysia. The government had also initiated the usage of RFID passports – claimed to be the first in South East Asian region and the world.[3] RFID chips which are embedded in these Malaysian passports possess strong capability to expose personal information and trail the historical data of a traveller’s journey.[4] Invariably, the motivation implementing these ePassport and RFID passports initiatives are meant for surveillance. It also evidences the government’s level of seriousness to combating potential terrorism and crimes.
Alas, after eleven years of technology deployment, there have been mixed reactions by the Malaysian citizens. On one hand, technology proponents viewed that these developments have moulded the growth of Malaysia’s Multimedia Super Corridor[5], and thus, charting the progress towards Vision 2020 or locally translated to “Wawasan 2020.”[6] On the other hand, privacy proponents viewed that much could be done to addressing privacy concerns in Malaysia despite of the RFID technology.[7] Due to these divided views, this paper proposes to outline a cursory RFID technological explanation and explore the approaches adopted by the United Kingdom and the European Union. The central focus will be on the predictions to Malaysia’s RFID players once the Personal Data Protection (PDP) Bill would have been passed by the parliament. Primarily, three (3) predictions are discussed:
· Readiness towards complying privacy and data protection regulations;
· Legal risk management strategy; and
· Pre-empted compliance cost strategy.
2 What is RFID?
RFID connotes Radio Frequency Identification Technology, a terminology which illustrates any system of identification wherein an electronic device that uses radio frequency or magnetic field variations to communicate is attached to an item.[8] There are two (2) most-talked-about components of an RFID; Tag and reader respectively. Tag is an identification device attached to the item for tracking whilst reader is a device that can recognise the presence of RFID tags and read the information stored on them. The reader can then inform another system about the presence of the tagged items. The system with which the reader communicates usually runs software that stands between readers and applications. This software is called RFID middleware.[9]
The exact technology deployment date of RFID is relatively unknown. But, generally it goes back to 1920s during the World War II.[10] As the technology suggested, at that point of time, the all Identity Friend or Foe (IFF) system was used in British aircrafts. The IFF system comprised important components of interrogator and transponder. The interrogator was the radar system and the transponder was an unwieldy box of tubes with dials and switches. The term interrogator provides the guidance as to how the system worked: the ground station sent out a radar signal, and the transponder receiving this signal reflected it back, causing the radar antenna to receive a stronger return than it otherwise would have. The transponder also ‘swept’ the frequency of its return back and forth over a small range as it responded, causing the radar return to pulsate according to a specific rhythm. [11]
2.1 RFID functions and operations
RFID could not operate and function without frequency.[12] The operating frequency is the electromagnetic frequency the tag uses to communicate or to secure power. Due to the nature of RFID which broadcast electromagnetic waves, they are regulated as radio devices. Thus, RFID systems must not interfere with other existing protected applications such as emergency service radios or television transmissions. Throughout the world, regulatory bodies have chosen different ranges for ultra high frequencies (UHF) in different parts of the world. [13] Even if each country requires a different range of UHF, it is suggested that one possible global standard known as EPCglobal standard will be able to match varying local regulatory requirements.[14]
The tag and reader are the two (2) key components to operate an RFID system. The reader functions as transmitter of the system which contains electronics that use an external power source to generate the signal that drives the reader’s antenna. In turn, it creates the appropriate radio wave. The radio wave may be received by an RFID tag, which in turn ‘reflects’ some of the energy it receives in a particular way (based on the identity of the tag).[15] Whilst this reflection is going on, the RFID reader is also acting as a radio receiver, so that it can detect and decode the reflected signal in order to identify the tag.[16]
2.2 RFID types of categorisation
There are essentially three (3) types of categorisation within an RFID system which is based on the power source used by the tag, as particularised:-
· Passive tag – This requires no power source at the tag. It does not require any batteries but utilises the energy of radio wave to effect its operation.[17] In this category, it results to the lowest tag cost at the expense of the performance. Example that could be seen in practice is the usage of passive tag in individual product items for applications in supermarket checkouts and smart cards[18];
· Semi-passive tag – This relies on the battery built into the tag in order to achieve a better performance within the operating range. In this category, the battery powers the internal circuitry during the communication; however it is not used to generate radio wave.[19] This tag is mostly fragile and expensive in the market[20]; and
· Active tag – It utilises batteries for their entire operation which can generate radio wave actively in the absence of a reader.[21] In this category, the tag is capable of a peer-to-peer communication. It has larger memory as compared to the passive tag, possesses higher processing capabilities and secure.[22]
Without any doubt, the semi-passive tag is the only category which does not require the involvement of a radio wave. It is also due to the costly price which compels the RFID provider to opt the first (1st) and second (2nd) category.
3. RFID in Malaysia - a brief overview
Based on IDC’s forecast, the Malaysia’s RFID market is expected to hit RM77 million by 2010[23] with a compound of annual growth rate of 45.84%. Significant developments have taken place in Malaysia’s RFID growth. On December 2006, the Malaysian Road Transport Department had initiated the usage of RFID license plates with the attempt to reduce the number of car thefts in the country. The plate will contain the information about the owner of the car and the vehicle. This will help the police official to know if the car has been stolen.[24] On 24 Februray 2007, Malaysia had released the world’s smallest RFID microchip which measures between 0.4mm by 0.4mm with a built-in antenna, which can be embedded on paper.[25] The microchip, developed under the Malaysia Microchip Project, at a cost of US$50 million (RM180million) based on Japanese technology, is the first with multi-band frequencies.[26] These developments envisage promising RFID growth in the Malaysian market and if the IDC analysis remains prevalent, it is predicted Malaysia will be the central RFID investment within the South East Asian region.
4. Does RFID undermine privacy and data protection?
4.1 Malaysia’s cursory development
Arguably, many of these developments have posed significant privacy and data protection concerns not only in Malaysia but also throughout other jurisdictions.[27] In Malaysia, the effort to draft the PDP Bill started in 2000. However, until today, the legislation is yet to be seen.[28] Rumours claimed that the Bill that was introduced in 2000 was motivated by the European Union (EU) regulatory approach as compared to the self-regulation approach of safe harbour of the United States.[29] But now, the situation is otherwise and it has given quite a general setback to various industries in implementing possible data protection and privacy strategy within their organisations.
Recently, the issue of the PDP Bill delay has been mentioned in the parliament. One of the members of parliament lamented that the government was taking too long to pass laws on personal data protection, which existed in ninety countries. He further viewed that it is imperative that Malaysia hasten the enactment of the law and poignantly added that it could affect efforts to sustain Malaysia’s position as a competitive outsourcing country after India and China.[30] The moans and groans are not only commonly shared by the Malaysian public but also multinational corporations and foreign investors. The next question to be asked is whether the RFID technology undermines privacy and data protection? There are two possible and skeletal answers. First, in the event the Bill has analysed thoroughly the application of emerging new technology and its convergence[31] vis-à-vis’ the privacy and data protection provisions, it is believed it would not generally undermine due to its technology neutrality approach. Second, in the event the Bill has not achieved the same, a secondary review to the existing draft should be made pedantically. However, it should be noted that these answers may be duly substantiated once the Bill takes place in Malaysia.
4.2 The EU reaction – a brief overview
Within the EU, the Article 29 Working Party which has been established under Article 29 of Directive 95/46/EC articulates existing privacy and data protection issues.[32] On the data protection front, the Working Party has mooted its concerns on the effect of RFID technology which may lead to violation of human dignity and data protection rights. The focus of the concern surrounds on the possibility of businesses and governments which have deployed RFID and thus, leads to prying into the privacy sphere of individuals. [33] Based on the published summary of the responses, RFID stakeholders deemed to be satisfied with the working document. In practice, many may assert that the examples of RFID applications illustrated in the working document do not reflect the reality.[34] It is argued that societal benefits and realistic appreciation of technical possibilities should be inferred whilst analysing RFID applications.
Primarily, two (2) governing Directives apply within the EU; Directive 95/46/EC on the protection of personal data and Directive 2002/58/EC on the protection of personal data in the electronic communications sector. These directives provide the mechanism of data processing to be adhered by the member states with some restrictions. [35] Upon reading the provisions under the Directive 95/46/EC, it could be generally summarised that not all RFID applications are governed under the provisions. This is due to the nature of RFID technology itself, i.e. via RFID tags and the complex technicality involved. The tags possess the capability to exchange information and thus, the provisions fail to achieve its technology neutrality approach, leading to a level of biasness towards existing RFID technical solutions and also other related technology. i.e., Ambient Intelligence (Aml).[36]In Directive 2002/58/EC, services must provide continually the possibility, of using a simple means and free of charge, of temporarily refusing the processing of certain personal data for each communication. It is argued however, a PC based system would fulfil the needs of the provision, but RFID and Aml will fail to comply with the spirit due to the nature of its technical interface.[37]
4.3. The UK reaction – a brief overview
In the UK, the Data Protection Act 1998 concerns the processing of personal data. The Data Protection Technical Guidance Radio Frequency Identification has outlined two (2) scenarios in which personal data might be processed using RFID.[38] First, personal data may be stored on the tags themselves, or linked to a database containing personal data. Second, if tags on individual items can be used to identify the individual associated with the item, they will be personal data.[39] Alike of the EC Directives’ provisions, the guidance mentioned that where personal data is collected, generated or disclosed using RFID either directly or indirectly, the Act will apply. In addition, RFID users should apply the data protection principles of fair processing, use limitation, data quality, data retention and security.[40] The guidance has also mentioned extensively specific data protection concerns which involve security, monitoring, profiling and technical solutions.[41]
Besides the guidance, it could be seen that the UK Information Commissioner has put a very high concern on the level of the UK’s surveillance society. In a report on surveillance society, by the Surveillance Studies Network[42], RFID has been cited as one of the central issues and discussions. Even if the report does not critically analyse the technical aspects of RFID and its dangers to privacy and surveillance in detail, it has however outlined future directions to the data protection actors whenever potential RFID issues take place. It is also noteworthy to mention that the report has painstakingly analysed various social, technical, regulatory and economic perspectives which could be applied in today’s context in achieving a balanced surveillance society. It is convinced the substantive analysis of the report should be able to guide Malaysia’s roadmap in the event potential surveillance and privacy concerns will be raised subsequent to the passing of PDP Bill.
5. Predictions for Malaysia
On 28 January 2007, Council of Europe had historically celebrated the first ever Data Protection Day.[43] It was the occasion for European citizens to become more aware of personal data protection and of what their rights and responsibilities are in that regard. That initiative is considered as a considerable breakthrough platform to disseminate the significance of data protection not only to European citizens, but also providing a model to the rest of the world to adopt the similar approach and strategy. After years of legislative measures and harmonisation within the EU, it could be generally said that the level of regulatory harmonisation between the member states has been quite effective and fruitful.
To the contrary, Malaysia is facing potential challenges to co-exist the issue of privacy, data protection and RFID simultaneously, notwithstanding the PDP Bill delay. [44] As to move forward, it is submitted that Malaysia needs potential predictions to accelerate the already existing problems, challenges and directions that privacy and data protection have posed to RFID. There are three (3) predictions that could be mapped and guided in the near future; readiness to complying with the privacy and data protection regulations, legal risk management strategy and pre-empted compliance cost and strategy. These predictions are hypothesised from the EU and the UK data protection historical legislative and consultation experience, literature, industries’ approaches, technical and security approaches as well as the ongoing EU RFID public consultation.[45]
5.2 Readiness to comply
Issue of readiness is the main concern whenever a specific legislation takes place. In the context of RFID and privacy, it could be seen that the readiness is a shared responsibility by the RFID players.[46] Leading solution providers in the UK and EU[47] had taken the necessary steps to ensure technology would be able to be a reasonable preventive measure especially when dealing with privacy and data protection issues.[48] RFID evaluation is considered as the best practice to instil the readiness. The evaluation will cover an extensive assessment on RFID technology and affiliating the assessment with privacy and data protection provisions. The RFID evaluation will be able to provide the roadmap to the players towards complying with privacy and data protection provisions. As RFID evaluation needs involvement within a particular organisation or company which is deemed to be multi departmental. In this regard, a proposed RFID privacy and data protection team should be established to ensure that the deployment of RFID technology is technically compliant, with the privacy and data protection provisions and there should be a continuous assessment and self regulation effort to ensuring effectiveness in implementation.
It is argued that the establishment of such a team would lead to issues of cost and resources. However, to debunk that, the readiness should be embarked on by the organisation via clear terms of reference for a particular organisation or company. For example, a Director in semi medium enterprises could outline brief and understandable privacy and data protection terms and conditions, being part and parcel of the company’s privacy policy. This policy should be able to explain certain emerging new technology deployment such as RFID and how it would be privacy friendly within the context of data protection provisions. Dynamically, dissemination through peer-to-peer knowledge management sharing session shall be an added value in a long run. Further, for companies which are directly and indirectly deploying the RFID technology, middleware and applications, it is essential for these companies to conduct effective road show and continuous compliance briefing within their companies and to the Malaysian public in ensuring business continuity.[49] These companies may admit that such effort of dissemination and diffusion requires a dedicated timeline. Besides, these companies’ substantial investment may also add towards their marketing and branding initiative by taking into account their commitment of compliance. Thus, it is submitted that having a dedicated compliance team to manage RFID and privacy related issues are exceedingly desirable.
It is also argued that the readiness to comply with the terms involve bilateral diffusion between Malaysian proposed regulator; Data Protection Commissioner/Privacy Commissioners/Information Commissioners and the RFID industry. The proposed regulator should be able to gauge and balance the industry’s understanding, growth and challenges besides imposing compliance mechanism to uphold privacy and data protection. In order to avoid over excessive compliance and regulatory mechanism, such technology neutrality approach should be adopted by collating the industry’s feedback and analysing the expected maturity and growth of RFID related privacy issues. For example, one of the key steps that have been taken by the Office of Communications (Ofcom), UK is the deregulation of RFID. Ofcom has allowed the use of RFID technology without the need for a licence. The rationale of deregulation is influenced by the need to remove unnecessary regulatory obligations upon industry.[50] The step taken has balanced the RFID growth which encourages RFID market maturity. Besides Ofcom, as reiterated, the UK Information Commissioner technical guidance is a leading example to display that the regulator could do more instead of excessive regulatory compliance.[51]
5.3 Legal risk management strategy
Business continuity has always been the life cycle of organisations and companies. The term ‘legal risk management’[52] is neither a new nor a coined terminology. It is however, a hybrid approach or strategy assessing issues within the application of risk management module and legal principles.[53] Due to the hybrid nature of the module, similar to the RFID technology, RFID players should be able to preach a strong risk management culture clearly and understandably. A strong risk management culture starts with these levels of risks’ process: risk identification, risk analysis, risk profiling, risk mitigation, risk control and risk scorecard.[54] The traditional approach of risk management is mostly centred upon internal auditing exercise and internal control of organisations and companies. However, as the global market matures, risk management has been extended to control or pre-empted specific problems and issues, in the absence of a clear legislation and standard. Ultimately, the aim of having a legal risk management strategy for RFID players is to complement the players’ readiness in complying privacy and data protection provisions.[55]
Legal risk management does not favourite any organisations or companies but it complements these entities within their risk appetites. There is an indispensable strategy that Malaysian RFID players can strategise whilst awaiting the PDP Bill to be passed by the Parliament. The strategy relies on the need to establish RFID risk manual.[56] This manual will be able to outline brief technical illustration of the RFID usage, the sensitivity areas that lead to privacy issues as well as how to mitigate and manage the RFID and privacy related risk perceptions. The manual should also provide the commitment to manage the risk and at the same time, eliminating the risk that would have been derived from RFID middleware, applications and deployment. It is submitted that the manual should take into various aspects which include, cost, technical, legal, research & development, liability, operations, third (3rd) party and reputation. Appropriately, RFID risk manual should also incorporate the privacy risk checklist[57] that could serve as useful guidance and tool for the players. It is emphasized that the checklist should be based on the risk appetites of organisations and companies.
The option to adopt this legal risk management strategy is an open option. It is not meant to compel organisations and companies to adopt the same in the absence of a clear privacy and data protection provisions in Malaysia. Apropos, this option should also be taken into consideration as a means of internal control and thus, complementing privacy and data protection terms of other countries. There may be two (2) potential arguments that underpin the adoption of legal risk management strategy, besides the typical cost and resources arguments. First, one may argue that there are also other technical standards that could mitigate such RFID related privacy risks. However, to counter argue that, it should be borne in mind that such existing standards are restricted on specific technology adoption and the risk assessment which is featured within any existing standards do not, in most cases, carry the levels of risk management in a whole package. Second, one may also argue that relying on data protection terms are sufficient to overcome privacy issues and there is no need to extend such existing standards or models to examine the level of privacy and data protection within RFID technology. To the contrary, the purpose of legal risk management model is to add the value to privacy and data protection provisions. It does not, however, lead to duplication and interface other existing standards or models and legal risk management is deemed to be pragmatic in mitigating the issues between RFID and privacy. Besides being the added value tool towards privacy and data protection, this model adopts the commendable practice is corporate governance.
5.4 Pre-empted compliance cost strategy
For RFID players, budgeting and spending towards regulatory compliance requires strategic planning. It should be pre-determined at an early stage to ensure the level of execution and implementation will take place without hindrance. A successful compliance cost strategy should involve dynamic participation of a team comprising of financial manager, human resource manager, risk manager, legal manager, internal auditor, project manager and corporate communications manager. The latter’s composition only suits companies and organisations which have the required resources and control. However, for semi medium sized industries, the role could be managed by the director of the company or their supporting resources. It is undeniable that implementing a new legislation requires cost and thus, strategic budget planning should be effectively analysed and planned. This is to ensure that the players, organisations and companies are aware of the significant impact with the PDP Bill compliance cost requirements. The next step to ponder is the ability of RFID players to adopt a defensible and solid compliance cost strategy. This is deemed to be the challenging aspect in Malaysian contour. It is generally argued that such compliance cost which is resulted by new legislation in Malaysia does not tend to be friendly to small companies. However, it is submitted that due to the embryonic growth of Malaysia’s privacy and data protection regime, these companies should be able to pre-empt and predict an informed analysis and decision to ensuring that cost shall not be the main hindrance towards their business continuity.
6. Conclusion
Whilst this paper is being finalised, the EU has just celebrated its 50th Anniversary.[58] The key speech on “A stronger Europe for a successful globalisation”[59] has further affirmed the EU’s presence in legal and technology harmonisation. As reiterated, the PDP Bill should not be delayed as Malaysia’s multilateral trade arrangements and investment with her EU partners looks promising and encouraging.[60] Whilst the EU has realised that the need to pass the PDP Bill is about time, it is submitted that emerging technology like RFID should not be anyway inhibit privacy and Malaysia’s business growth if selected strategies by the RFID players are in place. For the proposed regulator, it is submitted that the drafting process of privacy and data protection provisions should also consider the market and regulatory trends that rely on technology neutrality and balanced harmonisation. On that note, it will be interesting and useful for the proposed regulator to ascertain the outcome of the EU RFID policy consultation[61] in the very near future.
(C) Noriswadi Ismail
__________________________________________________________
Radio Frequency Identification Technology (RFID):
Malaysia’s privacy at the crossroads?
Noriswadi Ismail[1]
British Chevening Scholar, University of Strathclyde
1 Introduction
Back 1998, the Kuala Lumpur International Airport[2] had deployed the Malaysian ePassport autogate system. The technology requires Malaysian travellers to place their ePassport document on the autogate slot, followed by verification of their fingerprints on a biometric scanner. The time to scan and verify the passport owner takes less than ten second to complete. The system also does a check against a watch-list on the server to detect any criminal suspects trying to enter Malaysia. The government had also initiated the usage of RFID passports – claimed to be the first in South East Asian region and the world.[3] RFID chips which are embedded in these Malaysian passports possess strong capability to expose personal information and trail the historical data of a traveller’s journey.[4] Invariably, the motivation implementing these ePassport and RFID passports initiatives are meant for surveillance. It also evidences the government’s level of seriousness to combating potential terrorism and crimes.
Alas, after eleven years of technology deployment, there have been mixed reactions by the Malaysian citizens. On one hand, technology proponents viewed that these developments have moulded the growth of Malaysia’s Multimedia Super Corridor[5], and thus, charting the progress towards Vision 2020 or locally translated to “Wawasan 2020.”[6] On the other hand, privacy proponents viewed that much could be done to addressing privacy concerns in Malaysia despite of the RFID technology.[7] Due to these divided views, this paper proposes to outline a cursory RFID technological explanation and explore the approaches adopted by the United Kingdom and the European Union. The central focus will be on the predictions to Malaysia’s RFID players once the Personal Data Protection (PDP) Bill would have been passed by the parliament. Primarily, three (3) predictions are discussed:
· Readiness towards complying privacy and data protection regulations;
· Legal risk management strategy; and
· Pre-empted compliance cost strategy.
2 What is RFID?
RFID connotes Radio Frequency Identification Technology, a terminology which illustrates any system of identification wherein an electronic device that uses radio frequency or magnetic field variations to communicate is attached to an item.[8] There are two (2) most-talked-about components of an RFID; Tag and reader respectively. Tag is an identification device attached to the item for tracking whilst reader is a device that can recognise the presence of RFID tags and read the information stored on them. The reader can then inform another system about the presence of the tagged items. The system with which the reader communicates usually runs software that stands between readers and applications. This software is called RFID middleware.[9]
The exact technology deployment date of RFID is relatively unknown. But, generally it goes back to 1920s during the World War II.[10] As the technology suggested, at that point of time, the all Identity Friend or Foe (IFF) system was used in British aircrafts. The IFF system comprised important components of interrogator and transponder. The interrogator was the radar system and the transponder was an unwieldy box of tubes with dials and switches. The term interrogator provides the guidance as to how the system worked: the ground station sent out a radar signal, and the transponder receiving this signal reflected it back, causing the radar antenna to receive a stronger return than it otherwise would have. The transponder also ‘swept’ the frequency of its return back and forth over a small range as it responded, causing the radar return to pulsate according to a specific rhythm. [11]
2.1 RFID functions and operations
RFID could not operate and function without frequency.[12] The operating frequency is the electromagnetic frequency the tag uses to communicate or to secure power. Due to the nature of RFID which broadcast electromagnetic waves, they are regulated as radio devices. Thus, RFID systems must not interfere with other existing protected applications such as emergency service radios or television transmissions. Throughout the world, regulatory bodies have chosen different ranges for ultra high frequencies (UHF) in different parts of the world. [13] Even if each country requires a different range of UHF, it is suggested that one possible global standard known as EPCglobal standard will be able to match varying local regulatory requirements.[14]
The tag and reader are the two (2) key components to operate an RFID system. The reader functions as transmitter of the system which contains electronics that use an external power source to generate the signal that drives the reader’s antenna. In turn, it creates the appropriate radio wave. The radio wave may be received by an RFID tag, which in turn ‘reflects’ some of the energy it receives in a particular way (based on the identity of the tag).[15] Whilst this reflection is going on, the RFID reader is also acting as a radio receiver, so that it can detect and decode the reflected signal in order to identify the tag.[16]
2.2 RFID types of categorisation
There are essentially three (3) types of categorisation within an RFID system which is based on the power source used by the tag, as particularised:-
· Passive tag – This requires no power source at the tag. It does not require any batteries but utilises the energy of radio wave to effect its operation.[17] In this category, it results to the lowest tag cost at the expense of the performance. Example that could be seen in practice is the usage of passive tag in individual product items for applications in supermarket checkouts and smart cards[18];
· Semi-passive tag – This relies on the battery built into the tag in order to achieve a better performance within the operating range. In this category, the battery powers the internal circuitry during the communication; however it is not used to generate radio wave.[19] This tag is mostly fragile and expensive in the market[20]; and
· Active tag – It utilises batteries for their entire operation which can generate radio wave actively in the absence of a reader.[21] In this category, the tag is capable of a peer-to-peer communication. It has larger memory as compared to the passive tag, possesses higher processing capabilities and secure.[22]
Without any doubt, the semi-passive tag is the only category which does not require the involvement of a radio wave. It is also due to the costly price which compels the RFID provider to opt the first (1st) and second (2nd) category.
3. RFID in Malaysia - a brief overview
Based on IDC’s forecast, the Malaysia’s RFID market is expected to hit RM77 million by 2010[23] with a compound of annual growth rate of 45.84%. Significant developments have taken place in Malaysia’s RFID growth. On December 2006, the Malaysian Road Transport Department had initiated the usage of RFID license plates with the attempt to reduce the number of car thefts in the country. The plate will contain the information about the owner of the car and the vehicle. This will help the police official to know if the car has been stolen.[24] On 24 Februray 2007, Malaysia had released the world’s smallest RFID microchip which measures between 0.4mm by 0.4mm with a built-in antenna, which can be embedded on paper.[25] The microchip, developed under the Malaysia Microchip Project, at a cost of US$50 million (RM180million) based on Japanese technology, is the first with multi-band frequencies.[26] These developments envisage promising RFID growth in the Malaysian market and if the IDC analysis remains prevalent, it is predicted Malaysia will be the central RFID investment within the South East Asian region.
4. Does RFID undermine privacy and data protection?
4.1 Malaysia’s cursory development
Arguably, many of these developments have posed significant privacy and data protection concerns not only in Malaysia but also throughout other jurisdictions.[27] In Malaysia, the effort to draft the PDP Bill started in 2000. However, until today, the legislation is yet to be seen.[28] Rumours claimed that the Bill that was introduced in 2000 was motivated by the European Union (EU) regulatory approach as compared to the self-regulation approach of safe harbour of the United States.[29] But now, the situation is otherwise and it has given quite a general setback to various industries in implementing possible data protection and privacy strategy within their organisations.
Recently, the issue of the PDP Bill delay has been mentioned in the parliament. One of the members of parliament lamented that the government was taking too long to pass laws on personal data protection, which existed in ninety countries. He further viewed that it is imperative that Malaysia hasten the enactment of the law and poignantly added that it could affect efforts to sustain Malaysia’s position as a competitive outsourcing country after India and China.[30] The moans and groans are not only commonly shared by the Malaysian public but also multinational corporations and foreign investors. The next question to be asked is whether the RFID technology undermines privacy and data protection? There are two possible and skeletal answers. First, in the event the Bill has analysed thoroughly the application of emerging new technology and its convergence[31] vis-à-vis’ the privacy and data protection provisions, it is believed it would not generally undermine due to its technology neutrality approach. Second, in the event the Bill has not achieved the same, a secondary review to the existing draft should be made pedantically. However, it should be noted that these answers may be duly substantiated once the Bill takes place in Malaysia.
4.2 The EU reaction – a brief overview
Within the EU, the Article 29 Working Party which has been established under Article 29 of Directive 95/46/EC articulates existing privacy and data protection issues.[32] On the data protection front, the Working Party has mooted its concerns on the effect of RFID technology which may lead to violation of human dignity and data protection rights. The focus of the concern surrounds on the possibility of businesses and governments which have deployed RFID and thus, leads to prying into the privacy sphere of individuals. [33] Based on the published summary of the responses, RFID stakeholders deemed to be satisfied with the working document. In practice, many may assert that the examples of RFID applications illustrated in the working document do not reflect the reality.[34] It is argued that societal benefits and realistic appreciation of technical possibilities should be inferred whilst analysing RFID applications.
Primarily, two (2) governing Directives apply within the EU; Directive 95/46/EC on the protection of personal data and Directive 2002/58/EC on the protection of personal data in the electronic communications sector. These directives provide the mechanism of data processing to be adhered by the member states with some restrictions. [35] Upon reading the provisions under the Directive 95/46/EC, it could be generally summarised that not all RFID applications are governed under the provisions. This is due to the nature of RFID technology itself, i.e. via RFID tags and the complex technicality involved. The tags possess the capability to exchange information and thus, the provisions fail to achieve its technology neutrality approach, leading to a level of biasness towards existing RFID technical solutions and also other related technology. i.e., Ambient Intelligence (Aml).[36]In Directive 2002/58/EC, services must provide continually the possibility, of using a simple means and free of charge, of temporarily refusing the processing of certain personal data for each communication. It is argued however, a PC based system would fulfil the needs of the provision, but RFID and Aml will fail to comply with the spirit due to the nature of its technical interface.[37]
4.3. The UK reaction – a brief overview
In the UK, the Data Protection Act 1998 concerns the processing of personal data. The Data Protection Technical Guidance Radio Frequency Identification has outlined two (2) scenarios in which personal data might be processed using RFID.[38] First, personal data may be stored on the tags themselves, or linked to a database containing personal data. Second, if tags on individual items can be used to identify the individual associated with the item, they will be personal data.[39] Alike of the EC Directives’ provisions, the guidance mentioned that where personal data is collected, generated or disclosed using RFID either directly or indirectly, the Act will apply. In addition, RFID users should apply the data protection principles of fair processing, use limitation, data quality, data retention and security.[40] The guidance has also mentioned extensively specific data protection concerns which involve security, monitoring, profiling and technical solutions.[41]
Besides the guidance, it could be seen that the UK Information Commissioner has put a very high concern on the level of the UK’s surveillance society. In a report on surveillance society, by the Surveillance Studies Network[42], RFID has been cited as one of the central issues and discussions. Even if the report does not critically analyse the technical aspects of RFID and its dangers to privacy and surveillance in detail, it has however outlined future directions to the data protection actors whenever potential RFID issues take place. It is also noteworthy to mention that the report has painstakingly analysed various social, technical, regulatory and economic perspectives which could be applied in today’s context in achieving a balanced surveillance society. It is convinced the substantive analysis of the report should be able to guide Malaysia’s roadmap in the event potential surveillance and privacy concerns will be raised subsequent to the passing of PDP Bill.
5. Predictions for Malaysia
On 28 January 2007, Council of Europe had historically celebrated the first ever Data Protection Day.[43] It was the occasion for European citizens to become more aware of personal data protection and of what their rights and responsibilities are in that regard. That initiative is considered as a considerable breakthrough platform to disseminate the significance of data protection not only to European citizens, but also providing a model to the rest of the world to adopt the similar approach and strategy. After years of legislative measures and harmonisation within the EU, it could be generally said that the level of regulatory harmonisation between the member states has been quite effective and fruitful.
To the contrary, Malaysia is facing potential challenges to co-exist the issue of privacy, data protection and RFID simultaneously, notwithstanding the PDP Bill delay. [44] As to move forward, it is submitted that Malaysia needs potential predictions to accelerate the already existing problems, challenges and directions that privacy and data protection have posed to RFID. There are three (3) predictions that could be mapped and guided in the near future; readiness to complying with the privacy and data protection regulations, legal risk management strategy and pre-empted compliance cost and strategy. These predictions are hypothesised from the EU and the UK data protection historical legislative and consultation experience, literature, industries’ approaches, technical and security approaches as well as the ongoing EU RFID public consultation.[45]
5.2 Readiness to comply
Issue of readiness is the main concern whenever a specific legislation takes place. In the context of RFID and privacy, it could be seen that the readiness is a shared responsibility by the RFID players.[46] Leading solution providers in the UK and EU[47] had taken the necessary steps to ensure technology would be able to be a reasonable preventive measure especially when dealing with privacy and data protection issues.[48] RFID evaluation is considered as the best practice to instil the readiness. The evaluation will cover an extensive assessment on RFID technology and affiliating the assessment with privacy and data protection provisions. The RFID evaluation will be able to provide the roadmap to the players towards complying with privacy and data protection provisions. As RFID evaluation needs involvement within a particular organisation or company which is deemed to be multi departmental. In this regard, a proposed RFID privacy and data protection team should be established to ensure that the deployment of RFID technology is technically compliant, with the privacy and data protection provisions and there should be a continuous assessment and self regulation effort to ensuring effectiveness in implementation.
It is argued that the establishment of such a team would lead to issues of cost and resources. However, to debunk that, the readiness should be embarked on by the organisation via clear terms of reference for a particular organisation or company. For example, a Director in semi medium enterprises could outline brief and understandable privacy and data protection terms and conditions, being part and parcel of the company’s privacy policy. This policy should be able to explain certain emerging new technology deployment such as RFID and how it would be privacy friendly within the context of data protection provisions. Dynamically, dissemination through peer-to-peer knowledge management sharing session shall be an added value in a long run. Further, for companies which are directly and indirectly deploying the RFID technology, middleware and applications, it is essential for these companies to conduct effective road show and continuous compliance briefing within their companies and to the Malaysian public in ensuring business continuity.[49] These companies may admit that such effort of dissemination and diffusion requires a dedicated timeline. Besides, these companies’ substantial investment may also add towards their marketing and branding initiative by taking into account their commitment of compliance. Thus, it is submitted that having a dedicated compliance team to manage RFID and privacy related issues are exceedingly desirable.
It is also argued that the readiness to comply with the terms involve bilateral diffusion between Malaysian proposed regulator; Data Protection Commissioner/Privacy Commissioners/Information Commissioners and the RFID industry. The proposed regulator should be able to gauge and balance the industry’s understanding, growth and challenges besides imposing compliance mechanism to uphold privacy and data protection. In order to avoid over excessive compliance and regulatory mechanism, such technology neutrality approach should be adopted by collating the industry’s feedback and analysing the expected maturity and growth of RFID related privacy issues. For example, one of the key steps that have been taken by the Office of Communications (Ofcom), UK is the deregulation of RFID. Ofcom has allowed the use of RFID technology without the need for a licence. The rationale of deregulation is influenced by the need to remove unnecessary regulatory obligations upon industry.[50] The step taken has balanced the RFID growth which encourages RFID market maturity. Besides Ofcom, as reiterated, the UK Information Commissioner technical guidance is a leading example to display that the regulator could do more instead of excessive regulatory compliance.[51]
5.3 Legal risk management strategy
Business continuity has always been the life cycle of organisations and companies. The term ‘legal risk management’[52] is neither a new nor a coined terminology. It is however, a hybrid approach or strategy assessing issues within the application of risk management module and legal principles.[53] Due to the hybrid nature of the module, similar to the RFID technology, RFID players should be able to preach a strong risk management culture clearly and understandably. A strong risk management culture starts with these levels of risks’ process: risk identification, risk analysis, risk profiling, risk mitigation, risk control and risk scorecard.[54] The traditional approach of risk management is mostly centred upon internal auditing exercise and internal control of organisations and companies. However, as the global market matures, risk management has been extended to control or pre-empted specific problems and issues, in the absence of a clear legislation and standard. Ultimately, the aim of having a legal risk management strategy for RFID players is to complement the players’ readiness in complying privacy and data protection provisions.[55]
Legal risk management does not favourite any organisations or companies but it complements these entities within their risk appetites. There is an indispensable strategy that Malaysian RFID players can strategise whilst awaiting the PDP Bill to be passed by the Parliament. The strategy relies on the need to establish RFID risk manual.[56] This manual will be able to outline brief technical illustration of the RFID usage, the sensitivity areas that lead to privacy issues as well as how to mitigate and manage the RFID and privacy related risk perceptions. The manual should also provide the commitment to manage the risk and at the same time, eliminating the risk that would have been derived from RFID middleware, applications and deployment. It is submitted that the manual should take into various aspects which include, cost, technical, legal, research & development, liability, operations, third (3rd) party and reputation. Appropriately, RFID risk manual should also incorporate the privacy risk checklist[57] that could serve as useful guidance and tool for the players. It is emphasized that the checklist should be based on the risk appetites of organisations and companies.
The option to adopt this legal risk management strategy is an open option. It is not meant to compel organisations and companies to adopt the same in the absence of a clear privacy and data protection provisions in Malaysia. Apropos, this option should also be taken into consideration as a means of internal control and thus, complementing privacy and data protection terms of other countries. There may be two (2) potential arguments that underpin the adoption of legal risk management strategy, besides the typical cost and resources arguments. First, one may argue that there are also other technical standards that could mitigate such RFID related privacy risks. However, to counter argue that, it should be borne in mind that such existing standards are restricted on specific technology adoption and the risk assessment which is featured within any existing standards do not, in most cases, carry the levels of risk management in a whole package. Second, one may also argue that relying on data protection terms are sufficient to overcome privacy issues and there is no need to extend such existing standards or models to examine the level of privacy and data protection within RFID technology. To the contrary, the purpose of legal risk management model is to add the value to privacy and data protection provisions. It does not, however, lead to duplication and interface other existing standards or models and legal risk management is deemed to be pragmatic in mitigating the issues between RFID and privacy. Besides being the added value tool towards privacy and data protection, this model adopts the commendable practice is corporate governance.
5.4 Pre-empted compliance cost strategy
For RFID players, budgeting and spending towards regulatory compliance requires strategic planning. It should be pre-determined at an early stage to ensure the level of execution and implementation will take place without hindrance. A successful compliance cost strategy should involve dynamic participation of a team comprising of financial manager, human resource manager, risk manager, legal manager, internal auditor, project manager and corporate communications manager. The latter’s composition only suits companies and organisations which have the required resources and control. However, for semi medium sized industries, the role could be managed by the director of the company or their supporting resources. It is undeniable that implementing a new legislation requires cost and thus, strategic budget planning should be effectively analysed and planned. This is to ensure that the players, organisations and companies are aware of the significant impact with the PDP Bill compliance cost requirements. The next step to ponder is the ability of RFID players to adopt a defensible and solid compliance cost strategy. This is deemed to be the challenging aspect in Malaysian contour. It is generally argued that such compliance cost which is resulted by new legislation in Malaysia does not tend to be friendly to small companies. However, it is submitted that due to the embryonic growth of Malaysia’s privacy and data protection regime, these companies should be able to pre-empt and predict an informed analysis and decision to ensuring that cost shall not be the main hindrance towards their business continuity.
6. Conclusion
Whilst this paper is being finalised, the EU has just celebrated its 50th Anniversary.[58] The key speech on “A stronger Europe for a successful globalisation”[59] has further affirmed the EU’s presence in legal and technology harmonisation. As reiterated, the PDP Bill should not be delayed as Malaysia’s multilateral trade arrangements and investment with her EU partners looks promising and encouraging.[60] Whilst the EU has realised that the need to pass the PDP Bill is about time, it is submitted that emerging technology like RFID should not be anyway inhibit privacy and Malaysia’s business growth if selected strategies by the RFID players are in place. For the proposed regulator, it is submitted that the drafting process of privacy and data protection provisions should also consider the market and regulatory trends that rely on technology neutrality and balanced harmonisation. On that note, it will be interesting and useful for the proposed regulator to ascertain the outcome of the EU RFID policy consultation[61] in the very near future.
[1] HeiTech Padu Berhad, http://www.heitech.com.my; see also his RFID blog at http://the-rfid-nexus.blogspot.com.
[2] See generally http://www.klia.com.my/; see also http://en.wikipedia.org/wiki/Kuala_Lumpur_International_Airport, accessed 18 February 2007 and http://www.mida.gov.my/beta/view.php?cat=14&scat=1573, accessed 18 February 2007.
[3] See http://en.wikipedia.org/wiki/Malaysian_passport, accessed 18 February 2007.
[4] See generally http://www.ftc.gov/bcp/workshops/rfid/tien1.pdf, accessed 18 February 2007.
[5] See http://www.msc.com.my/, accessed 18 February 2007.
[6] See an interesting speech by the former Prime Minister, Tun Mahathir Mohammed, Malaysia’s foremost Vision 2020 architect: http://unpan1.un.org/intradoc/groups/public/documents/apcity/unpan003222.pdf., accessed 18 February 2007; see Malaysian Dream: http://www.themalaysiandream.net/documents/12/vision-2020
accessed 20 February 2007; see also an analytical review by Gavin Stamp, BBC Reporter, BBC News, Malaysia “Malaysia focused on 2020 Vision”, Thursday, 1 June 2006: http://news.bbc.co.uk/2/hi/business/5020794.stm, accessed 18 February 2007.
[7] See http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-545269, accessed 20 February 2007.
[8] Bill Glover & Himanshu Bhatt, “RFID Essentials” (2006, O’Reilly) pp 1-19; see also http://en.wikipedia.org/wiki/RFID, accessed 20 February 2007.
[9] Ibid., Glover & Bhatt fn 6 above at p. 1.
[10] Ibid., Glover & Bhatt fn 6 above at p. 59; see generally Matt Ward, Rob van Kranenburg and Gaynor Backhouse, “RFID: frequency, standards and innovation”, JISC Technology and Standards Watch, May 2006 at p. 4-5. Retrievable online: http://www.jisc.ac.uk/uploaded_documents/TSW0602.pdf, accessed 20 February 2007.
[11] Ibid., Glover & Bhatt, fn 8 above at p. 59.
[12] RFID typically operates within a low frequency (LF), high frequency (HF), ultra high frequency (UHF) and microwave. In practice, the actual frequencies available to RFID are limited to those frequencies se aside as Industrial Scientific Medical (ISM). Frequencies lower than 135 kHz are not ISM frequencies, but in this range RFID systems are usually using powerful magnetic fields and operating over short ranges, so much so, interference is less of an issue than it might be otherwise.
[13] Battle for different applications of UHF is also still taking place amongst RFID users in specific industry such as pharmacy. See generally: http://www.unisys.com/commercial/news_a_events/all__news/04048642.htm, accessed 20 February 2007.
[14] It is argued that this standard shall lead to convergence and it is hoped that governments and standard bodies should make a genuine effort to cooperate producing a global standard; see also EPC Global, “Communications Commission sets the stage for the EU to realise benefits of applications based on EPCglobal standards” Retrievable online: http://www.epcglobalinc.org/about/media_centre/press_rel/Press_Release_Commission_Communication_on_RFID_070314.pdf, accessed 20 February 2007; see generally: http://en.wikipedia.org/wiki/EPCglobal, accessed 20 February 2007.
[15] Steve Hodges & Mark Horrison, “WHITE PAPER – Demystifying RFID: Principles and Practicalities”, Auto-ID Centre, Institute for Manufacturing, University of Cambridge, Published 1 October 2003 at p. 8-9; see also http://www.ifm.eng.cam.ac.uk/automation/publications/documents/CAM-AUTOID-WH024.pdf, accessed 20 February 2007.
[16] Ibid., at p. 9.
[17] Ibid., at p.9.
[18] See JISC Technology and Standards Watch, May 2006 at p. 4-5.
[19] Ibid., at p.9.
[20] See fn 16 above, at p. 4-5.
[21] Ibid., at p.9.
[22] See fn 18 above, at p.4-5.
[23] See http://www.theedgedaily.com/cms/content.jsp?id=com.tms.cms.article.Article_d2cc4b98-cb73c03a-29d65b00-cd5c3a50, accessed 20 February 2007 see also http://morerfid.com/details.php?subdetail=Report&action=details&report_id=1032&display=RFID, accessed 20 February 2007. In the Malaysia RFID 2006-2010 Forecast and Analysis, it predicted the state of the market for RFID solutions implementation in Malaysia, historical development, and prediction for the future. It also presents an end user's RFID case study and write-up on key players that offer RFID solutions in Malaysia. Based on the study, hardware comprises largest portion of the total commercial RFID spending in 2005 at 60%, driven primarily by the purchases of readers and tags, followed by software and services which take up the remaining 40% of the RFID spending. "Based on the IDC's definitions, software revenue captured in this forecast is limited to RFID middleware, reader firmware, and additional enterprise middleware directly related to integrating data from the RFID layer with the enterprise application layer. It does not incorporate spending on enterprise applications and upgrades beyond middleware to accommodate and take advantage of the influx of data from RFID tags. Services included in this forecast are business process consulting, installation, systems integration, and ongoing support services. Software and services would pose more growth potential, with CAGR of 48% and 51% respectively.
[24] The owner of the car should be nearby if the police officials want to check the driver's identity. The system will be implemented next year. The new cars would have such plates followed by the older ones. The risk what I see is that in case the RFID system of your car breaks down then you might be pulled from your car by the cops thinking that you are a thief. See generally http://www.iht.com/articles/ap/2006/12/09/asia/AS_GEN_Malaysia_Car_Thefts.php, accessed 22 February 2007.
[25] See http://www.hitachi.co.jp/Prod/mu-chip/index.html, accessed 22 February 2007.
[26] The Prime Minister, Datuk Seri Abdullah Ahmad Badawi, who launched the microchip yesterday, said the chip with its identification serial number, could help to counter the forgery of government documents; currency notes; halal certificates; medical products and compact discs, among others. Besides, some applications currently being developed would further assist to improve the public service delivery system. See http://www.mida.gov.my/beta/view.php?cat=14&scat=1552, accessed 22 February 2007; see also http://en.qschina.com/html/tradeinfo/html/2007/3/13/9088.html, accessed 22 February 2007.
[27] See the ongoing consultation effort by the European Union: http://www.rfidconsultation.eu/, accessed 22 March 2007.
[28] See Ida Madieha Azmi, “E-commerce and privacy issues: an analysis of the personal data protection bill”, International Review of Computer Laws & Technology, Volume 16, No. 3, pp 317-330, 2002; see also
[29] See Ida Madieha Azmi, “Why has data protection law been delayed in Malaysia? Nothing to do with Islam and who needs it anyway?” BILETA 2006, Malta 6th – 7th April 2006. See generally: http://events.um.edu.mt/bileta2006/29DP&I%20v1%20Ida%20madieha%20Aziz.pdf, accessed 22 February 2007; see also Hurriyah El Islamy, “Privacy and Technology”, BILETA 2005, Belfast retrievable at: http://www.bileta.ac.uk/Document%20Library/1/Privacy%20and%20Technology.pdf, accessed 22 February 2007.
[30] Jane Ritikos, Florence A. Samy and Elizabeth Looi, “Same law apply for bloggers, say BN rep”, The Star Online, Thursday March 22 2007; see also: http://star-techcentral.com/tech/story.asp?file=/2007/3/22/technology/20070322114048&sec=technology, accessed 22 March 2007.
[31] See generally http://en.wikipedia.org/wiki/Technological_convergence, accessed 22 March 2007.
[32] See generally http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm; see also http://www.edri.org/edrigram/number3.3/consultation, and http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp105_en.pdf respectively, accessed 22 March 2007.
[33] See Olli Pitkanen and Marketta Niemela, “Privacy and data protection in emerging RFID-applications”, Helsinki Institute for Information Technology HIIT, Helsinki University of Technology and University of Helsinki, VTT Technical Research Centre of Finland. This paper was presented in the EU RFID Forum 2007, retrievable at: http://www.rfidconvocation.eu/Papers%20presented/Business/Privacy%20and%20Data%20Protection%20in%20Emerging%20RFID-Applications.pdf, accessed 22 March 2007.
[34] Ibid., see fn 31 above, at p.1-2.
[35] The data should be processed fairly and lawfully; collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; adequate, relevant and not excessive in relation to the purposes; accurate and, where necessary, kept up to date. For restrictions, see http://ec.europa.eu/justice_home/fsj/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf, accessed 22 March 2007.
[36] Concept of Ambient Intelligence (AmI) is described as a vision where humans are surrounded by computing and networking technology unobtrusively embedded in their surroundings. AmI puts the emphasis on user-friendliness, efficient and distributed services support, user empowerment, and support for human interactions. This vision assumes a shift away from PCs to a variety of devices which are unobtrusively embedded in our environment and which are accessed via intelligent interfaces using RFID, PDA, wearables and robots.
[37] Ibid., see fn 31 above, at p.2-4.
[38] See http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/radio_frequency_indentification_tech_guidance.pdf, see also http://www.ico.gov.uk/global/search_results.aspx?search=RFID, accessed 22 March 2007.
[39] Ibid., see fn 36 above at p 3-4.
[40] Ibid., see fn 36 above, at p.4.
[41] The concerns include “skimming”, “hacking”, “rogue RFID tag readers”, “skimmers” “cloned EFID chip”, “blocker tags” and “clipped tags”. For more detailed explanation, see the guidance at p. 5-7; see also http://www.ico.gov.uk/upload/documents/library/data_protection/introductory/radio_frequency_identification_tags.pdf, accessed 23 March 2007.
[42] As the bulk report remains an authoritative and guidance to data controller, it is suggested however that the substance of the report should be inferred within the context of data protection strategy and management of the data controller. See http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_full_report_2006.pdf, accessed 23 March 2007; see also the appendices of the report: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_appendices_06.pdf, accessed 23 March 2007; see the summary of the report:
http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/surveillance_society_summary_06.pdf, accessed 23 March 2007.
[43] See http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/Data_Protection_Day_default.asp#TopOfPage, accessed 23 March 2007; see generally http://ec.europa.eu/idabc/en/document/6526/194, accessed 23 March 2007.
[44] See fn 28 above.
[45] See fn 25 above.
[46] For the purpose of this paper, RFID player means the service provider, the regulator, the customers who are deploying RFID and the general public who have direct and indirect affiliation with RFID technology, applications and middleware.
[47] See generally the position paper: http://www.rfid-in-action.eu/public/papers-and-documents/guidelines.pdf, accessed 24 March 2007.
[48] One of the examples is SAP, see generally SAP approach: http://www.sap.com/netherlands/industries/healthcare/pdf/SAP_RFID_for_healthcare_readiness_check.pdf, accessed 24 March 2007.
[49] Business continuity is a standard which is applied globally in managing continuous business process. Further details could be read here: http://www.thebci.org/gpg.htm, accessed 24 March 2007; se also a guide for business continuity guide: http://www.axa4business.co.uk/resources/files/BizContinuityGuideT1404.pdf, accessed 24 March 2007.
[50] See Ofcom CEO report: http://www.ofcom.org.uk/about/accoun/reports_plans/annrep0506/ceo_rpt/, accessed 24 March 2007; see also http://www.out-law.com/page-5995, accessed 24 March 2007.
[51] Ibid., see fn 37.
[52] See generally http://en.wikipedia.org/wiki/Enterprise_Risk_Management, accessed 24 March 2007.
[53] Globally, the preferred risk management module is enterprise risk management. See generally http://en.wikipedia.org/wiki/Enterprise_Risk_Management, accessed 24 March 2007.
[54] See generally http://www.admin.ox.ac.uk/riskmgt/overview.shtml, accessed 24 March 2007.
[55] Frederic Thiesse, “Managing risk perceptions of RFID” Auto-ID Labs White Paper WP-BIZAPP-031, pp 11-17; see Atkinson, W. (2004), “Tagged: the risks and rewards of RFID technology” Risk Management Journal 51 (7) at pp. 12-19; see also Cavoukian, A. (2004), “Tag, You’re it: privacy implications of Radio Frequency identification Technology, Information and Privacy Commissioner Ontario, Toronto; see also an interesting Australian perspective: http://www.privacy.gov.au/news/04_07.html, accessed 24 March 2007.
[56] RFID risk manual can only be established once organisations or companies have undergone the levels of risk management exercise. See also an example of risk management checklist: http://www.lms.ca/@pdf/Risk_Management_Checklist.pdf, accessed 24 March 2007.
[57] See generally http://cyber.law.harvard.edu/ecommerce/privacyaudit.html, accessed 24 March 2007; see also http://www.itcinstitute.com/display.aspx?id=2499, accessed 24 March 2007.
[58] See http://news.bbc.co.uk/1/hi/world/europe/6490437.stm, accessed 26 March 2007; see also http://ec.europa.eu/commission_barroso/president/focus/50th_en.htm, accessed 26 March 2007.
[59] See http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/07/185&format=HTML&aged=0&language=EN&guiLanguage=en, accessed 26 March 2007.
[60] See generally http://ec.europa.eu/comm/external_relations/malaysia/intro/index.htm, accessed 26 March 2007.
[61] Ibid., see fn 26.
Saturday 24 March 2007
RFID as a tool combating terrorism
This post has analysed both sides of the coin as to whether RFID could stop terrorism: http://www.rfidfactfile.com/rfidfactfile/rfidfactfile.php/2006/4/6/can_rfid_stop_terrorism. I think, the argument should look into four (4) angles. First, on the surveillance point. Second, on technical point. Third, on societal impact point and lastly, on privacy point. If all of these have been addressed, the intention deploying RFID to combat terrorism will seem to achieve its objective.
Friday 23 March 2007
Interesting insights on RFID and post in Finland
This slide presentation, presented by the CTO of Finland Post explains: http://akseli.tekes.fi/opencms/opencms/OhjelmaPortaali/ohjelmat/Ubicom/fi/Dokumenttiarkisto/Viestinta_ja_aktivointi/Seminaarit/Yhteisseminaari_030506/Pienimaki.pdf
The interesting part was the RFID Roadmap for Finland Post from 2006-2010. In my opinion, it's realistic and achievable.
The interesting part was the RFID Roadmap for Finland Post from 2006-2010. In my opinion, it's realistic and achievable.
Thursday 22 March 2007
Data protection guidance on RFID
I am happy to have read this guideline: http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/radio_frequency_indentification_tech_guidance.pdf.
It has cursorily explained the scenarios on how RFID tags are deemed classified under the provisions of the Act. However, there is some lacking of technology neutrality, I think.
It has cursorily explained the scenarios on how RFID tags are deemed classified under the provisions of the Act. However, there is some lacking of technology neutrality, I think.
Wednesday 21 March 2007
RFID ticket
This RFID provider has marketed quite an interesting RFID ticket: http://rfid.bemrosebooth.com/benefits_of_rfid_tickets.php. But, as I have browsed through the details, I'm afraid there are some privacy issues to be addressed. I do hope that the Chief Security Officer/ Chief Information Officer or the Legal Counsel has conducted some privacy impact assessment on this product. No doubt, it's interesting to be introduced to potential markets like theme parks, bus station operators, tour operators, car parking operators and those who need to use the tickets. I am yet to research the level of success and achieveability by the usage of RFID ticket. Hope something will pop out within few months time.
EPC global standard as option to RFID frequency?
EPC Global has been lobbying the EU to adopt their standard, despite of the varying Ultra High Frequency (UHF) of RFID spectrum. The lobbying could be analysed here: http://www.epcglobalinc.org/about/media_centre/press_rel/Press_Release_Commission_Communication_on_RFID_070314.pdf
I would say, the proposed standards sounds more tailor-made instead of restrictive
I would say, the proposed standards sounds more tailor-made instead of restrictive
Tuesday 20 March 2007
Extending liability to RFID provider?
Whether fair or unfair, it is still unsettled. The notion of extending liability to RFID provider has always attracted unclear stand. In the US, based on the RFID Law Blog's posting said: http://rfidlawblog.mckennalong.com/archives/drug-chain-security-liability-issues-with-rfid-for-drug-security.html, extending the contractual liability to RFID provider would be the option to control such movement of counterfeited drugs. The blog quoted:-
..."The FDA has indicated that they want drug companies to provide an electronic chain of custody that shows where drugs have traveled from manufacturer to patient, to reduce the risk of counterfeiting. RFID has been identified as the FDA's preferred technology for achieving that, although their rule does not specifically require RFID"...
Inquisitive question: What would be the position in the UK, EU, China, Singapore and Japan? It is hoped the EU consultation paper on RFID policy would be able to address this concern, to say the least.
..."The FDA has indicated that they want drug companies to provide an electronic chain of custody that shows where drugs have traveled from manufacturer to patient, to reduce the risk of counterfeiting. RFID has been identified as the FDA's preferred technology for achieving that, although their rule does not specifically require RFID"...
Inquisitive question: What would be the position in the UK, EU, China, Singapore and Japan? It is hoped the EU consultation paper on RFID policy would be able to address this concern, to say the least.
RFID readings
It will take some time for me to read all of the materials here: http://www.rfidsolutionsonline.com/Downloads/Browse.aspx. However, I believe, some of the RFID issues written by the writer would contribute towards RFID policy making.
Monday 19 March 2007
Is Government bad enough on RFID?
I have discovered this blog: http://hasbrouck.org/blog/archives/001138.html. It has advocated certain government's initiatives to embed RFID chip in travelling documents. Again, there were mixed reactions and arguments. Most concerns of the latter were brought by consumer advocates. I think, it is also important for consumers to listen painstakingly what would be the motivation behind the government's initiatives and propose an effective workable policy. The interesting part on this issue is also the existence of diparity between the developed, developing and less developed nations. A time to rethink and restrategise, I hope.
Saturday 17 March 2007
CEBIT will also talk on RFID
The latest CEBIT will also highlight on RFID, like last year. This time around, towards an effort of policy making. The details are readable here: http://www.cebit.de/homepage_e and here: http://ec.europa.eu/information_society/events/cebit_07/rfid/index_en.htm. I hope, the time around, the outcome of discussion will benefit all, to say the least.
Friday 16 March 2007
RFID development from the European Commission
In a smart move, European Commission has initiated a group to formulate policy on usage of RFID tags. Read this latest news here: http://www.rfidconsultation.eu/ and here: http://news.bbc.co.uk/1/hi/technology/6453931.stm. Some critics argued that RFID should not be over regulated. I think, RFID policy making should learn the lessons from the data protection policy making and regulations. Nice on paper but yet, ugly in implementation.
Data mining in RFID?
I have been wondering what would be the status of data transmitted from RFID spectrum. That is considered as data mining too. Such data mining research should also take into consideration the unclear position in RFID. Especially, the legality of data that has been transmitted via the spectrum. I have stumbled across quite an interesting data mining research group here: http://dm1.cs.uiuc.edu/. Am awaiting whether such research effort is being done to ascertain the legality of RFID in data mining - whether it's purely illegal or whether it involves levels of intermediaries' consent.
Thursday 15 March 2007
RFID's implanter interview
This is regarded as a 'creepy cool human RFID project'. Details could be read here: http://www.makezine.com/blog/archive/2005/04/interview_with_2.html This project was also highlighted in the RFID implant forum here: http://tagged.kaos.gen.nz/. In my opinion, the readiness to accepting such implants are not matured enough. However, worth to observe and predict the acceptance in years to come.
Tuesday 13 March 2007
RFID for the elderly?
I wonder whether this technology has been kick off in the market? however, the authors' analysis seem to be refreshing: http://www.cs.mtu.edu/~wallace/research/papers/Pastel-Heines-Wallace-HCII2007.pdf
Sunday 11 March 2007
RFID in library - security, technology architecture and privacy
David Molnar and David Wagner of Bekerley have appraised the security aspects, as well as the relationship with privacy via this article: http://www.cs.berkeley.edu/~dmolnar/library.pdf. It's a very technical literature which contributes to RFID usage in libraries. Perhaps, it will take some of my time to extract it. Both writers have attempted to mention that they could not answer to this question: "Is the cost of privacy and security worth it?" and again, I am attracted with their views: that libraries should make an informed decision as well as technical option to further improve RFID systems. A good article.
Saturday 10 March 2007
RFID implant and RFID ink product
The news was reported sometime on January in North America. It is claimed that the canadian coins were transmitted with a tiny RFID chip. Yet, that report remains questionable. Full details could be read here: http://www.cbc.ca/technology/story/2007/01/10/rfid-defence.html
On another development, another report said that RFID ink product could track humans and animal. The latter invention was meant to mitigate such trade loss, the report further said: http://www.computerweekly.com/Articles/2007/01/11/221122/rfid-ink-product-could-track-humans.htm.
My opinion: these two different applications were quitely exaggerated unless real cases have proven it otherwise.
On another development, another report said that RFID ink product could track humans and animal. The latter invention was meant to mitigate such trade loss, the report further said: http://www.computerweekly.com/Articles/2007/01/11/221122/rfid-ink-product-could-track-humans.htm.
My opinion: these two different applications were quitely exaggerated unless real cases have proven it otherwise.
Friday 9 March 2007
RFID in logistics
Added value, that's the word RFID gives to logistics business. This presentation tells why: http://www.critt-tti.net/html/fr/global/agenda/2004-05-25-mt-rfid/champ_cargo_systems.pdf
It's nice to requote John Johnston's quotation: "RFID is not a NICE TO HAVE, but RFID is a MUST". That summarises the whole thing.
It's nice to requote John Johnston's quotation: "RFID is not a NICE TO HAVE, but RFID is a MUST". That summarises the whole thing.
Thursday 8 March 2007
RFID debate by Berkeley students (2005)
Whilst researching some areas on RFID, I bumped into this well-written and articulate debate by Berkeley students. The document was jointly authored by Professors Hal Varian and Michael Franklin. The debate touched the issue on RFID and privacy. The points have been carefully divided into these positive and negative point of arguments. The positive carries: security check, counterfeiting, accuracy, innovation/business opportunity, homeland security, item/personal retrieval, privacy protection and general efficiency. The negative carries: privacy, anonymity, misusing RFID (a.k.a a false sense security), big brother, technology advancement, readiness of technology and cost. The document is readable here: http://www.ischool.berkeley.edu/~hal/Courses/StratTech07/Debates/Debates05/F-outline.doc
Wednesday 7 March 2007
Public policy thought on RFID
I am attracted by these words of American Electronics Association: "Good Public Policy Bans Bad Behaviour, Not Technology". It could be found at page three (3) here: http://www.aeanet.org/Publications/AeA_CS_RFID_grad.asp
This newsletter attempts to educate people that RFID is something manageable, what more in the context of privacy. Whilst the points deemed to be general, it gives the idea to people that a good public policy should not ban the technology. In other words, the technology should not be inhibited and stifled. I expected detailed explanation on the lack of control part. However, it is quite general. One of the key points that I would love to mention here is the issue of database security and control which is interlinked indirectly by the radio wave. To date, not many literature has argued on its legitimacy. Perhaps, the world today should look at Japan, on how they embrace technology: as Robert Akinson, Director, Technology & New Economy Project of Progressive Policy Institute said.
This newsletter attempts to educate people that RFID is something manageable, what more in the context of privacy. Whilst the points deemed to be general, it gives the idea to people that a good public policy should not ban the technology. In other words, the technology should not be inhibited and stifled. I expected detailed explanation on the lack of control part. However, it is quite general. One of the key points that I would love to mention here is the issue of database security and control which is interlinked indirectly by the radio wave. To date, not many literature has argued on its legitimacy. Perhaps, the world today should look at Japan, on how they embrace technology: as Robert Akinson, Director, Technology & New Economy Project of Progressive Policy Institute said.
Subscribe to:
Posts (Atom)