FoeBuD e.V. // Marktstrasse 18 // D-33602 Bielefeld
Tel: 0521-175254 // Fax: +49-521-61172 // Mail: mail-aet-foebud.org
Web: www.foebud.org and www.bigbrotherawards.de and www.stoprfid.de
Our work is only possible thanks to your donations!
Konto: 2129799 // BLZ: 48050161 // Sparkasse Bielefeld

Comments by FoeBuD e.V. on the WP 105 “Data protection issues related to RFID technology”

Text: padeluun and Jan E. Hennig


Back to the German text.

FoeBuD e.V., based in Bielefeld, has made it its aim to accompany and assist people on their way towards a communication society. FoeBuD’s know-how is meant to serve the goal that technology is used sensibly and safely for people’s coexistence. FoeBuD has no particular interest of its own in the issue. Critical questioning of the technology, and of the way it is presented to the public, has made FoeBuD well known around the world. We would like to present our thoughts on working paper WP 105 to the working party. As a rule, we refer to the German translation of the paper.

FoeBuD is not made up of lawyers and is not a data protection association either. Therefore a number of our comments will not refer to data protection issues alone but also shed light on other aspects. This is important to note, since many consequences of the technology (also with respect to data protection) can almost only be understood in the light of interdisciplinary knowledge. RFID also touches the interests of human rights advocates, committed citizens, environmentalists and workers’ representatives.

We regard it as imperative that legal adjustments be made with respect to RFID. This is also to the advantage of the respectable industrial and trade corporations, since it protects them against (possibly irresponsible) competitors as well as against their own shareholders, who could otherwise force management to break the principles of ethical data handling as „efficiently“ as at all possible.

1.0 Survey of WP 105
We try to facilitate navigation within WP 105 by imitating its structure. For reasons of time it was not possible for us to structure our comments more clearly, nor to employ a more formalised style. We ask you to excuse this.

1.1 Chapter 1: Introduction
1.1.1 „The benefits of RFID technology are clearly visible“

Already here we would like to point out that these benefits are not clearly visible. Under closer scrutiny, many of the so-called benefits turn out to be mere marketing babble or even, looked at from another perspective, massive disadvantages.

From the point of view of data protection, RFID brings mostly disadvantages. Benefits will rather have to be searched for with a magnifying glass and then carefully picked up with a pair of tweezers.

1.2 Chapter 2: Radio Frequency Identification (RFID): Introduction to the technology and its employment
1.2.1 Basics of RFID technology

When describing RFID technology, it must not be described only as the combination of an electronic circuit for storing data and a reading device. Already at this stage it has to be pointed out that, thirdly, an information unit is involved from the point of production onwards: the unique serial number of the transponder.

Even a tag by itself, without any additional data stored on it, is potentially dangerous.

1.2.2 Is UID unnecessary?

Why aren’t RFID chips produced without a UID (unique serial number)? If only the EPC is to be stored on them, there is no need for a UID.

Legal adjustments may have to differ according to whether an RFID application works with chips that contain a UID or with chips that do not.

As for deactivation (overwriting the memory with zeros), up to now we only know of devices that leave the UID untouched. This means that the chip is not really deactivated: it still answers every reader with its unique number.

1.2.3 Analogy to the German Personalausweisgesetz
If RFID-enabled systems allow a person to be identified (e.g. the BahnCard), these systems must not be used for other identification purposes. For these cases there have to be regulations similar to those laid down in the German Personalausweisgesetz (ID card act).

1.2.4 „By request“ or „by force“
The retail business has „asked“ producers to tag their goods. This request amounts to an obligation, with which producers comply, more or less gnashing their teeth, because they do not want to be thrown out of the stores.

1.2.5 No RFID in the shop
We believe that customers should not come into contact with RFID in the actual shopping areas.

1.2.6 EPC code should not contain serial numbers
The serial number should be removed from the standard EPC. For dangerous goods a serial number may be appropriate, but not for everyday items such as medicines.

1.3 Chapter 3: Intrusion into data protection and personal rights
1.3.1 Linked personal data / linkable personal data

Everything that can be said about personal data is also true of data that can (potentially) be related to an individual. By way of explanation, data is
  • linked personal data when items such as name, address or date of birth are stored directly on the chip,
  • linkable personal data when only a number (e.g. the UID) is stored, which can be related or linked to personal data in an external database,
  • potentially linkable personal data when data are collected that cannot yet be related to an individual, but where the relation can be made at some later time (sometimes much later). An example: a person X is as yet unknown; what is known is that a person carrying the RFID tags A, B and C has bought or looked at the products G, H and I, and has also travelled the routes K-to-L and O-to-P. This person once pays with his or her credit card and is thus identified as person X. All items (A, B, C, G, H, I and the routes K-L and O-P) can then be traced back to person X (see also WP 105, 4.1: „identifiable natural person“).


Wherever WP 105 says „linked“, this should be changed to „(potentially) linkable“. On a side note: an anonymous person, i.e. one unknown to me, also has to enjoy protection against (mis)use of data.
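The two mechanisms described in 1.2.2 and 1.3.1 above, as an added illustration that is not part of the FoeBuD text: a tag that keeps answering with its factory UID after its user memory has been zeroed, and a reader log in which anonymous UID sightings turn into personal data the moment a single event (a card payment) ties a UID to a name. All UIDs, locations, times and the name „person X“ are constructed sample data, and the Tag/attribute API is this example’s own.

```python
"""Added illustration of 1.2.2 and 1.3.1 (not part of the FoeBuD text)."""
from collections import defaultdict


class Tag:
    """Minimal model of a transponder: a read-only UID plus writable user memory."""

    def __init__(self, uid: str, user_memory: bytes):
        self.uid = uid                  # programmed at the factory, not erasable
        self.user_memory = user_memory  # e.g. an EPC written by the retailer

    def deactivate(self) -> None:
        # The "deactivation" criticised in 1.2.2: overwrite user memory with zeros.
        self.user_memory = bytes(len(self.user_memory))

    def answer_inventory(self) -> str:
        # Any reader's inventory round gets the UID back, zeroed memory or not.
        return self.uid


# Constructed reader log: (time, reader location, UIDs that answered).
SIGHTINGS = [
    (1, "shelf G", {"A", "B", "C"}),
    (2, "shelf H", {"A", "B", "C"}),
    (3, "gate K",  {"A", "C"}),
    (4, "gate L",  {"A", "C"}),
    (5, "shelf I", {"Z"}),             # an unrelated visitor, never identified
    (6, "shelf I", {"A", "B", "C"}),
    (7, "till 3",  {"A", "B", "C"}),
    (8, "gate O",  {"B"}),
    (9, "gate P",  {"B"}),
]

# Constructed identification events: a card payment at a known time and till.
PAYMENTS = [(7, "till 3", "person X")]


def attribute(sightings, payments):
    """Return {person: sorted [(time, location), ...]} for every sighting that
    becomes attributable once a payment identifies who carried the tags.

    Step 1: every UID answering at the moment of the payment is assigned to
    the payer (the tags A, B, C in the text).  Step 2: every sighting of any
    of those UIDs, before or after the payment, is added to that person's trail.
    """
    present_at = {(t, loc): uids for t, loc, uids in sightings}
    owner = {}
    for t, loc, person in payments:
        for uid in present_at.get((t, loc), set()):
            owner[uid] = person
    trail = defaultdict(set)
    for t, loc, uids in sightings:
        for uid in uids:
            if uid in owner:
                trail[owner[uid]].add((t, loc))
    return {person: sorted(events) for person, events in trail.items()}


def uid_survives_deactivation(uid: str = "E0040150AB12CD34") -> bool:
    """True if a zeroed tag still answers with its UID (the 1.2.2 complaint)."""
    tag = Tag(uid, bytes.fromhex("3074257BF7194E4000001A85"))  # constructed EPC
    tag.deactivate()
    return tag.user_memory == bytes(12) and tag.answer_inventory() == uid


if __name__ == "__main__":
    for person, events in attribute(SIGHTINGS, PAYMENTS).items():
        print(person, "->", events)
    print("UID still readable after zeroing:", uid_survives_deactivation())
```

Note that the sighting at time 5 never becomes attributable because tag Z was never present at an identifying event, while every sighting of A, B or C, including those recorded before the payment, is assigned to person X retroactively; this is exactly why the text insists on „(potentially) linkable“.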

1.3.2 Cryptographic algorithms and authentication of the reader

Season tickets etc. must work with cryptographic algorithms and authentication. The reader needs to authenticate itself to the ticket (i.e. the chip). EC cash machines, for example, do not have to authenticate themselves to the EC card, with the result that many cards and PINs are stolen by fraudsters. Communication between reader and tag needs to be encrypted. (Note: communication between reader and tag can be eavesdropped on over long distances!)
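The exchange the paragraph above asks for, as an added example that is not part of the FoeBuD text: a ticket chip that releases its contents only to a reader that first proves knowledge of a shared key, and that encrypts and authenticates its reply so that an eavesdropper learns nothing usable and a recorded exchange cannot be replayed. The protocol, the „reader-auth“/„tag-auth“/„enc“ labels, the key handling and the „season ticket“ payload are this example’s own construction for illustration, not a standard RFID authentication scheme. Real passive tags have far less computing power than this Python model, and the UID (see 1.2.2) is still disclosed during anti-collision before any of this runs.

```python
"""Added illustration of 1.3.2 (not from the FoeBuD text): reader authentication
to the ticket, encrypted and authenticated reply, replay protection by nonce."""
import hashlib
import hmac
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """Keyed pseudo-random function: HMAC-SHA256 over the concatenated parts."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def keystream(key: bytes, reader_nonce: bytes, tag_nonce: bytes, length: int) -> bytes:
    """Nonce-bound keystream derived from the PRF, one 32-byte block per counter."""
    out = b""
    for counter in range((length + 31) // 32):
        out += prf(key, b"enc", reader_nonce, tag_nonce, counter.to_bytes(4, "big"))
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Ticket:
    """The chip side: holds the key and the ticket data and never emits the
    data unless the reader has answered the current challenge correctly."""

    def __init__(self, key: bytes, data: bytes):
        self._key, self._data, self._nonce = key, data, None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)   # fresh per session: defeats replay
        return self._nonce

    def respond(self, reader_nonce: bytes, reader_proof: bytes):
        tag_nonce, self._nonce = self._nonce, None   # a challenge is usable once
        if tag_nonce is None:
            return None
        expected = prf(self._key, b"reader-auth", tag_nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            return None                              # unknown reader: stay silent
        ct = xor(self._data, keystream(self._key, reader_nonce, tag_nonce, len(self._data)))
        tag_proof = prf(self._key, b"tag-auth", reader_nonce, tag_nonce, ct)
        return ct, tag_proof


class Reader:
    def __init__(self, key: bytes):
        self._key = key

    def read(self, ticket: Ticket):
        """Run the exchange; return the plaintext, or None if either side fails."""
        tag_nonce = ticket.challenge()
        reader_nonce = secrets.token_bytes(16)
        proof = prf(self._key, b"reader-auth", tag_nonce, reader_nonce)
        reply = ticket.respond(reader_nonce, proof)
        if reply is None:
            return None
        ct, tag_proof = reply
        if not hmac.compare_digest(tag_proof, prf(self._key, b"tag-auth", reader_nonce, tag_nonce, ct)):
            return None                              # cloned or tampered ticket
        return xor(ct, keystream(self._key, reader_nonce, tag_nonce, len(ct)))


def run_demo(key: bytes = bytes(range(32)), data: bytes = b"season ticket 4711, zones 1-3"):
    """Honest reader, rogue reader with the wrong key, and a replay of a recorded
    reader proof against a fresh challenge. Returns the three outcomes."""
    ticket = Ticket(key, data)
    honest = Reader(key).read(ticket)
    rogue = Reader(bytes(32)).read(ticket)
    # Eavesdropper: record one genuine exchange, then replay the reader's proof.
    recorded_tag_nonce = ticket.challenge()
    recorded_reader_nonce = secrets.token_bytes(16)
    recorded_proof = prf(key, b"reader-auth", recorded_tag_nonce, recorded_reader_nonce)
    ticket.respond(recorded_reader_nonce, recorded_proof)   # the genuine session
    ticket.challenge()                                       # new session, new nonce
    replayed = ticket.respond(recorded_reader_nonce, recorded_proof)
    return honest, rogue, replayed


if __name__ == "__main__":
    honest, rogue, replayed = run_demo()
    print("honest reader: ", honest)
    print("rogue reader:  ", rogue)
    print("replayed proof:", replayed)
```

The design point is the order of operations: the ticket speaks first only with a random challenge, and its data leave the chip only after the reader has bound that challenge to the key. A rogue reader with the wrong key and a replayed proof both get silence, and what an eavesdropper at long range records is two nonces, a ciphertext and two MACs, none of which can be reused.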

1.4 Chapter 4: Application of EU data protection laws to data collection by RFID
1.4.1 The principle of data thrift / avoidance of data accumulation


In WP 105, 4.2, three principles are listed. The second one is called „principle of data quality“. Shouldn’t that read „principle of data thrift“ (Article 6, paragraph 1, point c)? It should be obligatory not to deploy applications that collect data when a similar result could be achieved without the accumulation of data.

1.4.2 Objectives of data collection
The purposes of the respective data collections need to be made clearer. Data collected e.g. for the purpose of giving refunds must never be used for other purposes. Data on magazine subscribers must not be sold to institutions like the GEZ (the German „Gebühreneinzugszentrale“, which collects broadcasting licence fees).

1.4.3 Consent obtained by deception
Customers’ consent to the collection of data must not be obtained by deceptive means (e.g. in Germany „Payback“ cards are still called „customer cards“ instead of data collection cards).

1.4.4 Information requirements
It needs to be stated by whom and where the data is processed. An easily readable type size and colouring need to be obligatory.

1.4.5 Right of change

Those affected should not only have a right to the correction of data but, more generally, a right to have the information changed.

1.4.6 Possibilities of sanctioning
Violations of rules and laws need to be followed by severe sanctions.

1.4.7 Speed of data collection
We are dealing with entirely new qualities with respect to the speed of data collection. Data protection legislation and protective technology (privacy enhancing technologies, PET) need to be adjusted accordingly.

Whereas in former times data collection often benefited the customer (delivery of newspapers to the house -> subscriptions), nowadays each and every little titbit can be stored in databases (how long did the customer stand in front of a shelf?). Such data and its storage are exclusively to the benefit of the corporation. This needs to be taken into consideration in new data protection legislation.

1.4.8 Data processing in the context of employment
Chips in work-related devices need to be equipped with a switch so that they can be turned off away from the workplace. Here too the demand: no chips in work uniforms.

1.5 Chapter 5: Technical and organisational requirements to guarantee appropriate implementation of the data protection principles
The heading of this chapter should be changed to: „Technical, organisational and legal requirements to guarantee appropriate implementation of the data protection principles.“

1.5.1 RFID must be switchable off
RFIDs (e.g. in key cards, car keys, customer cards etc.) need to be designed in a way that allows the holder to switch off their radio emission. The status of the chip, whether enabled or switched off, must be optically (and for the blind, if at all possible, also haptically) recognisable. The enabled/disabled status can be shown by functions similar to those of electronic paper. Cards must be issued in the disabled state. The customer needs to switch it on himself or herself (and thus learns of the switch function contained in the chip).

1.5.2 Is RFID necessary?
There should always be a mandatory evaluation of whether a solution involving barcodes is not easier, better and less dangerous.

1.5.3 RFID warning symbol
A unique warning symbol needs to be developed which is easily recognisable as a warning symbol. Accompanying or explanatory texts must not use euphemistic language. The sign must be sufficiently big. If necessary, there should be further symbols or plain text giving further information about the RFID tag or reader in question (frequency, standard, perhaps grouped in classes, operator of the device, device number, where to find further information about operator and device on the internet).

1.5.4 Data protection needs to be the default
Removal of the RFID tag needs to be the standard procedure. The RFID chip may only remain switched on and attached to the object if the customer requests this.

On no account may safeguarding one’s right to privacy require more activity, expense or communication on the part of the customer than waiving data protection rights does.

1.5.5 Obligatory consent to the storing of data
Storing of data needs to be based on explicit consent of the customer.

1.5.6 Data extracts
Every transaction concerning stored data (new record, change, deletion) needs to be recorded in a kind of „bank statement“ and sent to the person affected. Receipt of such statements may be waived. But at the end of the year a statement containing all movements in the respective database over the year needs to be produced and conveyed to the customer in any case.

1.5.7 No compulsory RFID
A service must not be made dependent on the customer’s acceptance of an RFID chip. The customer must retain full warranty claims and the like if the product and the respective POS receipt can be produced.

1.5.8 Ban on price discrimination
Clandestine spying on customers, and the processing of the data gained this way, make it possible for (retail) prices to be adapted individually to each customer. This means e.g. that each customer will pay the highest price he or she is possibly willing to pay, as the underlying computer system may decide.

We quote from the „laudation“ at the 2003 Big Brother Awards in Germany: Start-up entrepreneur Lars H. is ill. He asks his neighbour Nina S. to do his shopping for him. When she presents him with the receipt, he is astonished that Nina S. paid twice the amount for certain products. They find out that toiletries are more expensive for her than for him. Comparing notes with a handful of friends, they find out that all women pay more for toiletries than men, that families pay more for videos than singles do, etc.

1.5.9 Deletion of data
There need to be fixed procedures for the physical deletion of the collected data. These need to include and define limits on the duration of storage (e.g. three months) etc.

Data from RFID-enabled bus or train tickets must be deleted immediately after completion of the respective individual journey.

Discounts must not be made dependent on the collection of data. Example: in the case of a season ticket there is no need to document each individual journey in order to grant a refund afterwards or to move the ticket to another price level. The total number of journeys in a given period would be sufficient.

1.5.10 Publication of data flow
There must be a notice on the shop premises and on the enterprise’s website giving a detailed description of how the data is used. This notice must name all other enterprises involved, the physical location of the computing centres, the data lines used, etc.

1.5.11 Decentralised data storage
Decentralised data storage must have priority. Centralised data collections/bases must be avoided.

1.5.12 Avoidance of monopolies
RFIDs are employed in B2B in order to find out which customers receive deliveries from the retailer. Once the corporation has these data, the retailer can be cut out of the selling chain. Thus information also gets centralised and can constitute a bigger threat to data protection.

1.5.13 Authorisation processes
It is conceivable that a formal authorisation process for RFID applications be established.

1.5.14 Designing data protection friendly technology
Not only producers and standardisation bodies are called upon to offer data protection friendly technology. Users and developers, too, have great influence on the actual implementation and its data protection friendly application.

1.5.15 Information at POS
Those affected should be entitled to demand printouts of their (potentially) person-related data at the point of sale.

With a PIN the person could then release the data (which the person at the till cannot otherwise access). On request, the PIN must be communicated to the customer by post, e.g. when he or she has lost or cannot remember it.

If abbreviations, symbols or the like are stored, they need to be given in clear text or at least explained in a legend.

1.5.16 No „Security by Obscurity“
Encryption processes and data structures must be laid open.

No undocumented codes may be used or laid down in keys hidden on the chip („chips with an even number of bits refer to men...“ etc.).

This will be part of the authorisation process, if necessary.

1.5.17 Right to dismantling of tags
Retailers must remove tags from products in the store, should they be on or in them. The chips may remain attached to the product only if the customer expressly wishes that.

1.5.18 Ownership
Ownership of an RFID tag passes to its purchaser/possessor. The possessor is allowed to change, destroy and falsify data contained on the chip, as well as to destroy the chip itself.

1.5.19 Difference between EPC and UPC
The difference between UPC and EPC should be represented in the text of WP 105 in such a way that the difference in quality is clearly recognisable and is not played down: „The difference between the two systems is that the EPC, unlike the UPC, now contains a unique serial number.“

1.5.20 EPCIS / ONS
There must not be standard access paths to the databases containing product-level tag information. Any possibility of accessing all databases from one single point must be prevented (avoidance of centralisation). Authorities etc., too, must only be allowed such access after passing certain thresholds such as court orders.

Access codes have to be changed at least every three months.

The right to request access must be proven and documented.

1.5.21 Log file on chip
Every write to the chip is recorded in a log (together with the location of the reader). This can be switched off if the person affected wishes. This person must also be able to delete the log data at any time.

1.5.22 Detection services
There must be a place in every community where I can take my things and have them inspected for RFID tags.

1.5.23 No tags in clothing
No tags in clothing, nor in working clothes, uniforms, shoes or anything else.

1.5.24 Further research and development efforts
Research efforts need to include and involve human and civil rights advocates as well as environmental and consumer protection groups. Sufficient funding has to be provided for this.

1.6 Chapter 6: Conclusion
No comment

1.7 Appendix
All necessary comments have been given.

(Translation: Harald Manninga)

2007-03-06 13:55