European Study Probes RFID's Impact on Privacy

By Mary Catherine O'Connor

July 11, 2007—The European Parliament's Scientific Technology Options Assessment (STOA) committee, comprised of 15 Parliament members, provides the governmental body with information about new applications and innovations in technology. The committee recently released an 86-page report entitled "RFID and Identity Management in Everyday Life," exploring the perceptions, benefits and concerns surrounding the use of RFID technology among consumer end users in Europe, as well as among vendors and implementers of the technology.

The report was researched and written by members of an independent Dutch organization called the Rathenau Institute. Founded and funded by the Dutch Ministry of Education, Culture and Science, and administered by the Royal Netherlands Academy of Arts and Sciences, this organization carries out research into the development of science and technology.

The Rathenau Institute conducted the study as part of the European Technology Assessment Group (ETAG), which provides the European Parliament—by reporting to the STOA committee—with research regarding the social, environmental and economic aspects of new technological and scientific developments. The body of research used for the report consists of 24 case studies conducted by the institute on a variety of RFID deployments. In addition, it features interviews with RFID technology experts and end users, as well as reviews of existing reports and other documentation.

The study's mission is to provide the European Parliament with insight into how RFID has been used to date, as well as create scenarios for how its uses and capabilities will expand in the coming years, and discuss possible implications on personal privacy and other issues linked to the technology's growth.

Based on the case-study results and interviews, the report concludes that the use of RFID thus far has not had significantly negative impacts on the privacy of people carrying tags on their person in Europe—whether voluntarily, unknowingly or through an employer or government mandate. However, it does make the case that technology could be misused in ways that have negative implications on privacy.

One example the document cites involves an office building in The Hague, where employees are issued RFID cards used to grant access to the main entrances and other sections of the building (not all workers have equal access). The report notes that the access-control system saves a log of the card ID numbers read by the HID 125 kHz readers mounted at secure doorways, and could use this information to track the times at which employees arrive at work. It also indicates that while office administrators do not access this data to track employees' arrival times, employees are not informed that this data is being collected (most think the cards only allow access, anonymously). This creates a scenario in which workers' movements could be tracked without their knowledge.