OECD Urged to Study RFID

Forum attendees expressed hope that the organization will work to establish privacy and security guidelines for using the technology.
Published: October 6, 2005

Governments, businesses and societies worldwide need to start a coordinated effort to develop security, privacy and technical frameworks for emerging RFID applications, according to attendees at this week’s RFID Foresight Forum, held at the Paris headquarters of the Organization for Economic Co-operation and Development (OECD). Representatives from more than 20 governments attended the daylong event, discussing RFID technology and the OECD’s potential role in its development, alongside numerous industry executives, leading academics and union representatives.

The OECD brings together 30 member countries and has active relationships with some 70 other nations and various non-governmental organizations (NGOs). Best known for its publications, and as a source of demographic, economic and social data, the OECD has provided key work in developing internationally agreed policies and recommendations regarding economic and social issues. These have ranged from macroeconomics and trade to education, development, science and innovation.

“Privacy and security are two sides of the same coin, and they have to be baked in from the start,” says Dan Caprio, the U.S. Department of Commerce‘s deputy assistant secretary for technology policy and its chief privacy officer. He believes the OECD could provide a key forum for that work.

Other attendees emphasized that the OECD provides a multinational forum in which business, governments and civil society come together in a neutral setting. “The OECD offers the opportunity, not present in most places, for dialogue about issues raised in a constructive way, and if it is as successful [regarding RFID] as it has been in security and privacy guidelines, it will help us move toward a set of guidelines as the technology and practices evolve,” says Elliot Maxwell, a fellow with the communications program at The John Hopkins University.

The OECD already has a proven track record in developing security and privacy guiding principles for balancing work with business, government and individual rights. The results of these efforts include the OECD’s Guidelines on Protection of Privacy and Transborder Flows of Personal Data.

“We are hoping the OECD can work out some kind of guidance for RFID,” says Hugo Parr, director general of the Ministry of Modernization in Norway, as well as chair of the OECD Committee for Information, Computer and Communications Policy (ICCP). Parr told attendees the conference’s timing—merely a day before the annual ICCP meeting to determine its work program for the next few years—may have lent weight to any potential OECD efforts coming.

Concerned about the potential impact on individual privacy of current RFID implementations, many conference attendees supported the OECD’s involvement. “Work on RFID has, to date, been done almost entirely by manufacturers and a very small group of users with very little awareness of individual liberties, privacy and security issues,” says Simson Garfinkel, postdoctoral fellow at the Center for Research on Computation and Society at Harvard University. “[The] OECD could change the boundaries of that and bring the issues of privacy, personal liberty and security for RFID users to the forefront.”

EPCglobal representatives also welcomed the organization’s input. “I hope the OECD will do something and follow through with recommendations and guidelines,” says Henri Barthel, EPCglobal’s technical director.

RFID vendors and services suppliers also welcomed the neutral ground of the OECD to develop policy relating to RFID, but expressed caution about how that regulation should be applied. “Do not legislate against the technology, but [against] the applications,” says Jeroen Terstegge, corporate privacy officer and legal counsel at semiconductor manufacturer Royal Philips Electronics. “Most concerns are connected to the back-end systems, not the chip itself.”