European Commission Draws Up RFID Privacy Guidelines

The European Commission has signed a voluntary agreement with industry, civil society and data protection groups that establishes privacy guidelines for RFID use.

Under the new framework, every European company will have to address all privacy implications before putting smart tags on the market.

RFIDs (Radio Frequency Identification Devices) can have a wide range of applications. They can hold unique identifiers for use in access cards, credit amounts for public transportation cards or personal information, like in the case of biometric passports.

Experts have long warned about the security and privacy implications of smart tags, some pointing out serious vulnerabilities in current implementations.

In October 2008, researchers from the University of Washington and experts from the RSA Laboratories published a report about RFIDs embedded into passport cards and enhanced drivers' licenses (EDL).

The report concluded that data stored on these devices can be read from a distance and can be written back onto empty RFID tags to create fake documents. The unique codes can also be used to track individuals in some circumstances.

Some months later, renowned hardware security researcher Chris Paget demonstrated how smart tags can be read from a moving car with the help $250-worth of equipment bought from eBay.

In Europe, Dutch researchers from the Radboud University in Nijmegen, showed that the highly popular MIFARE Classic RFID chips produced by NXP Semiconductors can be hacked in a matter of minutes.

"I warmly welcome today's milestone agreement to put consumers' privacy at the centre of smart tag technology and to make sure privacy concerns are addressed before products are placed on the market," said Neelie Kroes, European Commission Vice-President for the Digital Agenda.

"I'm pleased that industry is working with consumers, privacy watchdogs and others to address legitimate concerns over data privacy and security related to the use of these smart tags. This sets a good example for other industries and technologies to address privacy concerns in Europe in a practical way," she added.