MIT helps security industry explore the privacy implications of RFID
20 April, 2006
category: Contactless, Library, RFID
By Andy Williams, Contributing Editor, AVISIAN Publications
A company specializing in contactless cards and readers and a university that’s synonymous with technology advances are meeting the privacy and security fears surrounding RFID head-on.
HID Corp. started with a forum last December on RFID legislation pending in California, then joined up with the Massachusetts Institute of Technology (MIT) to create a public forum to discuss RFID and public policy. Additionally, they will jointly explore new uses of RFID for personal identification that can enhance privacy and security. They will also produce a web site to inform industry, government, and the general public about RFID.
“There is a lot of misinformation, a lot of misperceptions out there about RFID,” said Kathleen Carroll, HID’s new government relations director. “HID would like to take a proactive approach in this area.”
One of the reasons for her hiring, she said, was that “HID realized very quickly that it needed someone dedicated to following this legislation and educating (legislators and others) on the technology. I was drawn to the position because Steve Wagner (HID CEO) is passionate about the fact the company does care about the privacy of individuals. Your ultimate customer is the person using that card and if they don’t trust it, it hurts your business. You have to be trustworthy.”
Collaborating with MIT lends legitimacy to what might otherwise be construed as an attempt by industry to promote a profitable enterprise. MIT is the ideal impartial ground for this collaboration, said Dan Greenwood, an attorney and lecturer at MIT’s Media Lab. “As government and private industry expand their use of RFID, privacy concerns have emerged that deserve a neutral forum for dialogue that includes stakeholders from government, private industry and the public. We at MIT will provide that forum with support from HID, by inviting stakeholders to our campus and hosting a relevant Web site on our servers,” he added.
Creating a proactive plan …
“We’re bringing people together and leveraging academia where we have the scope to go much deeper on the issues,” said Mr. Greenwood. “That doesn’t depend on quarterly profits, it’s an important role as a partnership. We’re also looking at developing a white paper with a much deeper treatment of the privacy questions and balancing those with the economics.”
The December forum in California was HID’s initial attempt to bring together federal policy makers, industry representatives, end users, and government agencies to begin the RFID/privacy discussion. Of immediate concern was pending RFID legislation proposed by California Senator Joe Simitian, a forum participant.
Senator Simitian called his SB 768 “look before you leap” legislation; it would require a three-year moratorium on any use of RFID on certain state-issued ID cards, including driver licenses. The senator, after consulting with industry, revised the bill from the original, harder-line intent that would have barred RFID technology from a wide range of government-issued ID documents.
Mr. Greenwood, who spoke at the December forum, explained that one of the “sub-texts of the event was the getting together of stakeholders to have a broad-based dialog on the deeper balances that have to happen to widely deploy this new technology. We can consider it social digestion. Part of what was significant about this forum is that it reflected the coming of age of RFID technology. No one has the final answer in this. The tone was one of contributing our opinions, a dialog as opposed to a one-sided monolog. The other aspect was we came away with the intent to not have this be the last public forum. There was a desire by all the stakeholders to have this be the beginning.”
For now, the industry will be focusing on privacy concerns. “People are worried that their information stored on RFID-enabled (or contactless) cards can be stolen,” said Ms. Carroll. “What HID is doing is getting the facts out there that the industry cares about privacy too. No one is going to use our products if they don’t trust our products. If legislators start to ban the technology, it will throw a blanket over creative solutions to the privacy issue and we’ll also lose the benefits of the technology.”
She adds, “(An RFID-enabled ID card) doesn’t contain any personal information, just a unique ID number. When you listen to some of the rhetoric out there, people think you have this card in your pocket telling everyone you’re Jane Doe and you live on XYZ Street. That’s not true. Even if someone has a reader, even if they get the ID number off your card, they would then have to figure out where to go to connect that number with any information about you.”
On the web …
MIT and HID are also creating an online resource for industry, government and the general public, where they can learn more about RFID and privacy-related topics.
According to Ms. Carroll, “We have a section that will describe the technology in layman’s terms. It’s not a complicated process, but we tried to put it in language the average person will understand. There will also be a section on legislation pending in various states and the status of it. A section will give people the opportunity to learn more and the web site will be linked to various white papers about RFID technology, its many uses.”
“It’s a model we’ve used before,” added Mr. Greenwood. “We successfully held an online forum on the Real ID Act and we were able to create a neutral forum and facilitate it.”
A Steering Committee, composed of MIT researchers and faculty and an industry Advisory Board, has been created since the collaboration was announced. Advisory Board membership includes: Richard Varn, Senior Fellow, Center for Digital Government and Center for Digital Education; Daniel Combs, President, Global Identity Solutions; Jeff Staples, Managing Partner, Avisian Inc.; and Bill Newill, Acting Executive Director, International Association for Identification Technologies.
In addition to its proactive efforts involving RFID, HID says it has established an “industry-first” set of corporate privacy policy principles governing the use of RFID. These privacy principles can be found on HID’s Web site at www.hidcorp.com./page.php?page_id=83.
The web site address for the new RFID and Privacy site is http://rfidprivacy.mit.edu/access/.