
RFID: a Systematic Analysis of Privacy Threats and A 7-point Plan to Address Them




Journal of Information Systems Security
Volume 1, Number 3 (2005)
Pages 217
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Sarah Spiekermann — Humboldt-University of Berlin, Germany
Holger Ziekow — Humboldt-University of Berlin, Germany
Information Institute Publishing, Washington DC, USA




This paper gives an overview of consumer fears associated with the introduction of RFID technology. It analyses the motivation and technical viability of these fears and derives suggestions for privacy-friendly technology design. The analysis shows that all consumer fears currently debated are essentially justified, because from a technical perspective they can all be implemented in the short- or mid-term. A 7-point plan of technological measures is presented that should be taken into consideration and developed further by standardization bodies, researchers and governments in order to confine potential abuses of the technology in the long term.




Keywords: RFID, Privacy, Security



