Distinguishing Between Security and Privacy Issues

Shahram Moradpour

Q: Why are security and privacy important in RFID applications, and how do they relate to one another?

A: In many ways, the concerns for security and privacy with the use of RFID applications mirror those that were created with the introduction of the Internet.

In the pre-Internet world, data was kept either on paper, on stand-alone computers, or on private computer networks not easily accessible to hackers and intruders. Since the mid-1990s, the widespread use of the Internet has created large amounts of data that is exposed on what is essentially a public network of computers.

The dramatic increase of easily accessible data into our everyday lives brings with it a set of new security and privacy concerns.

For example, part of the Internet's popularity centers on electronic commerce. In this case, the Internet is used as a convenient way to shop and perform a variety of financial transactions. E-commerce requires that consumers reveal and transmit confidential or private data, such as detailed identity and financial information, over a conceivably insecure medium to potentially untrustworthy parties. To help keep data secure, technology solutions — such as encryption, identity management, firewalls, and intrusion detection — are routinely employed.

Similarly, RFID tags, essentially tiny computers, represent a network of computers where potentially confidential and personal data can be stored or exchanged. RFID tags store information about items or people and transmit data about them by radio frequency through the air around us. If left unprotected, this data becomes exposed to malicious or unauthorized access, use, and distribution.

As RFID technology and its applications become ubiquitous, nearly every item imaginable — a car tire, a box of cereal, a door handle, and even a beloved pet — will carry an RFID tag whose data could be compromised.

Meanwhile, consumer privacy groups contend that RFID tag data could conceivably be used by commercial or governmental agencies to track and trace people's actions and belongings in ways that might violate individual rights to privacy.

Although the terms "security" and "privacy" often are used interchangeably, it is important to understand the distinction between the two.

Security concerns revolve around vulnerabilities and solutions for protecting confidential data from unauthorized access and manipulation. Data about people and items that have been deemed confidential should be subject to protection and safekeeping. Deliberate security breaches involve the theft and use of such data by a third party for profit, mischief, or malice. Security solutions, such as encryption or intrusion detection, can be implemented to protect RFID data.

However, depending on the particular application of RFID, such solutions may be cost prohibitive. For example, implementing encryption technology with RFID tags often requires more sophisticated, therefore costlier, tags that can sometimes cost more than the individual items to which the tags are to be applied.

On the other hand, although privacy violations can happen because of security breaches, a good portion of the focus on privacy issues is about the potential misuse of data by authorized users.

This scenario is, of course, what leads to violation and invasion of individual privacy rights. Today, RFID technology is used in a number of applications, from granting people access to cars, buildings, night clubs, bridges, and highways, to tracking items going from manufacturing plants to distributors, shippers, retail warehouses, and sometimes even checkout stands. In such applications, hotly contested topics around privacy do not always relate to security, per se. Instead, they primarily relate to the authorized collection of data that could potentially be misused or abused by authorities.

The popular Orwellian expression "Big Brother is watching you" reflects concern that the same entities responsible for collecting and managing data — for providing valuable services — may be using that data for activities such as surveillance, monitoring, tracking, and profiling of citizens.

Finally, note that although individual privacy concerns are more often discussed and debated publicly, business enterprises should also be concerned with breaches of security that result in unauthorized access and possible manipulation of private, or confidential, corporate data.

For example, in a supply chain RFID application where RFID tags are used to track inventory and movement of products, a business partner who accesses confidential inventory data or tracks the movement of inventory by accessing the tag data, with or without authorization, can potentially compromise certain corporate data (e.g. product availability), which can lead to hampering a company's ability to negotiate better prices with its suppliers or customers.

Shahram Moradpour is chief executive of Cleritec Systems Corporation, San Jose, Calif. Cleritec provides RFID solutions for manufacturing, retail, and healthcare companies as well as logistics providers to improve the efficiency and accuracy of their operations. Moradpour also is co-author of "RFID Field Guide: Deploying Radio Frequency Identification Systems" (see Business Reply Card in this issue, or visit www.rfidfieldguide.com and mention RFID Product News).