Government Report Outlines RFID Privacy Risks

Radio frequency identification (RFID) technology, also called "smart tags," potentially can improve corporate logistics, change cost structures and improve current levels of product safety and authenticity for many industries; however, it also has the potential to threaten customers' privacy.

Retailers, manufacturers, hospitals, federal agencies, and other organizations planning to use the technology to improve their operations should also systematically evaluate their possible security and privacy risks and use best practices to mitigate them, according to a new report from the U.S. Department of Commerce's National Institute of Standards and Technology (NIST).

RFID tags send and/or receive radio signals to transmit identifying information such as product model or serial numbers. They come in a wide variety of types and sizes, from the size of a grain of rice to much larger devices with built-in batteries.

For Sophisticated Applications 

Unlike barcoding systems, RFID devices can communicate without requiring a line of sight and over longer distances for faster batch processing of inventory, and they can be outfitted with sensors to collect data on temperature changes, sudden shocks, humidity or other factors affecting products.

RFID tags also are being used in more sophisticated applications, from matching hospital patients with laboratory test results to tracking systems for dangerous materials, and concerns have been raised about preventing eavesdropping and unauthorized uses.

The goal of the report, according to lead author Tom Karygiannis of NIST, is to give organizations practical ways to address potential RFID security risks. The NIST report focuses on RFID applications for asset management, tracking, matching, and process and supply chain control.

Recommended Practices 

Its list of recommended practices for ensuring the security and privacy of RFID systems includes:

• Firewalls that separate RFID databases from an organization's other databases and information technology systems;
• encrypting radio signals when feasible;
• authenticating approved users of RFID systems;
• shielding RFID tags or tag-reading areas with metal screens or films to prevent unauthorized access;
• audit procedures, logging and time-stamping to help detect security breaches;
• and tag disposal and recycling procedures that permanently disable or destroy sensitive data.

Source: rfidglobal