The study, titled "RFID and Identity Management in Every Day Life," reaches a compelling but not surprising conclusion: There is a precarious balance between the benefits of RFID technology and the potential for misuse of the data generated. But, warns the report, there is not yet enough maturity with the systems—nor do citizens know enough about the technology—to accurately predict its impact.
"Once RFID systems work exclusively with RFID, it will become easier to aggregate and analyze the data on the level of the whole user population. Further, once different RFID systems might become connected to each other, or other technologies and the Internet, a much richer image of its users will appear," according to STOA researchers. "This opens up many opportunities for the maintainers of the RFID settings to gain control over their users and governments to use RFID data for police investigation. Meanwhile, for the users it will become much less clear who is actually managing their identity in which setting, upsetting the power balance in the digital public space."
The report concludes that the upset of power balance is not just an issue of protecting privacy or personal data, but more about securing personal freedom through the right balance between "choice, convenience and control."
The June report points out that until recently RFID technology was used mainly for logistical purposes to identify cargo. "Now it has entered the public space on a massive scale: public transport cards, the biometric passport, micro-payment systems, office ID tokens, customer loyalty cards, et cetera."
The authors of the study reviewed 24 separate use cases, conducted meetings with experts and reviewed literature regarding a variety of RFID systems. The goal: provide insight into "real-life experiences with RFID, draw a future scenario and formulate challenges for this rapidly emerging technology," according to the studys preface.
In the course of its research, STOA found that very few Europeans have ever even heard of RFID, and of those who did a detailed explanation of the technology was required to elicit an opinion, according to a Cap Gemini study. A separate effort to obtain the publics view on RFID undertaken by the European Commission last summer was able to solicit feedback from a total of 2,190 citizens—hardly a representative sample of the European population, according to the report.
"The results of the consultation draw a mixed picture. Some would agree RFID offers great potential for users (42 percent), while some not (44 percent) and a slight majority states the public is not sufficiently aware of RFID (61 percent)," reads the report. "Although the consultation also covered technical issues such as standardization of the frequency spectrum, privacy turned out to the respondents biggest concern. They consider the solution to these problems to be more awareness raising and privacy embracing technologies."
STOA determined that while RFID is in fact being used by many citizens, "users generally perceive RFID as no more than an electronic key or wallet."
The report suggests that citizens are at risk of being caught between two emerging camps: pressure groups, journalists and members of the public predicting a "Big Brother scenario" unfolding with the growing use of RFID. "Their keywords are: spy chips, privacy and surveillance." On the other side are business promoters painting a bright future in which everything is smart, same and automated. "Their keywords: solutions, innovation, efficiency, return on investment and usability," reads the report.
To impart a more balanced approach, the study coins a new phrase: Identity Management, defined as how a person, interacting with an information system, defines what is known and not known about him or her to others using the system—and how this relates to the information known to the persons maintaining the system.
"Identities start to emerge on users as the system registers movements, spending, productivity, preferences, habits and so forth," reads the report. "This gives the maintainers a means of providing feedback according to these identities and control over their users."
Among many examples, the report cites the FIFA World Cup ticketing program that placed RFID chips in citizen tickets. On applying for a ticket, a citizen had to provide personal information that included name, address, nationality, sex, date of birth, passport number, e-mail (optional) and club affiliation. The information was stored in a database and linked to the ID number on the chip. "The chips were only scanned at the entrance of the stadium. The data, however, were shared with third parties such as security agencies, stadium operators and shipping providers," according to researchers. "This led to some privacy groups to accuse Germans football authorities of Big Brother tactics."
The report also criticized a European Commission mandate that all passports issued by European Union countries include an RFID chip that could, in the future, include a biometric indicator such as a fingerprint or face scan. The European Commission is joining a number of countries, including the United States, in mandating electronic passports.
The fear, according to the report, is that the passport information held in databases could be mined improperly for information.
Based on its research, the study indicates five key challenges that lie ahead—and what users and maintainers can do to ease them.
First, RFID users need to know what maintainers can and are allowed to do with RFID data. They should also play a role in developing new RFID environments.
If personal data from different RFID settings are merged, the report suggests it should remain clear who is responsible for handling the data. At the same time, the Privacy Guidelines issued by the European Commission and the concepts of personal data and information self determination need to be reconsidered in light of an increasingly interactive environment. Finally, the report suggests governments should take a clear stance on whether RFID bulk data will be mined for investigation purposes.