SUMMARY OF STF396 PROGRESS
Autumn M436 CG meeting
Overview
Summary of the comments received
• General = 111 of 659 (17%)
• Editorial = 233 of 659 (35%)
• Technical = 315 of 659 (48%)
• This relative mix has been maintained even as new comments creep through (figures change but mix doesn’t)
Overview of response
• Accept all “Editorial” without detailed review
  • Confirm all are addressed in final edit
• Many duplications across the comments
  • Not necessarily the same text, but the same concern has been expressed
• Document structure requires change
  • Analysis moved to annex
  • Findings made more “hard” (less verbosity)
Where are the comments
Clause by clause
• Overall (i.e. purpose, scope and structure of document) = 28
• Clause 1 = 0 (zero)
• Clause 2 = 13
• Clause 3 = 18
• Clause 4 = 36
• Clause 5 = 22
• Clause 6 = 46
• Clause 7 = 143
• Clause 8 = 101
• Clause 9 = 120
• Clause 10 = 42
• Clause 11 = 5
• Clause 12 = 69
• Annexes = the rest
Problems we’ve got to defuse
Mandate 436 responds to an observed concern
• RFID appears to be becoming close to ubiquity without public debate on the privacy issues it raises
• RFID, whilst becoming ubiquitous, is not becoming more visible
• RFID is a misleading and abused term and has a wide range of associations across industry and society
The document from the ESOs addresses the concern
• Sometimes without appearing to be terribly sensitive to the industry
  • Has led to a number of calls that the STF/M436 is aiming to damage the industry
  • By highlighting the issues and the contribution of RFID technology to the issues
  • The industry indicated they consider themselves unfairly singled out with regard to privacy issues
• With an aim to identify the minimum set of standards to address the concerns
  • Not finalized at the time when the document was sent to consultation
Regulatory data protection definitions
Personal data
• shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
Processing of personal data
• shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
“Data subject’s” consent
• shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed
Some major opinions we’ve got to acknowledge
The Article 29 working group
• The unique identity on tags amounts to personal data
  • This is not strongly stated in the document (the opinion was expressed after the TR was released to consultation)
• PETs in this area need further examination
• The PIA has to include a risk analysis
  • This is clearly stated in the objectives and requirements of PIA in the TR
The EU Data Protection landscape
• The existing provisions need to be reinforced
  • The ontology begins to address this
• Anticipate and allow for changes in current DP legislation expected after the revision of the current Data Protection Directive
  • Expect RFID-specific provisions in the revised Data Protection Directive
Linkability is a major threat
• Covers the entire system and is shown by the ontology
There is RFID technology available to address many of the concerns
• But not a lot of guidance in selecting it
A couple of concessions
RFID is not the root cause of all privacy problems
• They existed before RFID existed
• Other technologies and applications have privacy problems
The RFID industry has the potential to offer considerable societal benefit
• Within the constraints of existing laws
However …
• The RFID industry has to show it is addressing the concerns
• The RFID industry has to acknowledge its role in the privacy debate
  • As a source of concern
  • As a root of trust
Steps needed in the industry …
• Adoption of PETs
• Development of PETs where there aren’t any
• Development and application of PIAs (as an essential step to address privacy issues)
Some of the achievements
We’ve worked through an ontology and that work is being acknowledged and adopted in privacy work in parts of ETSI and in other areas
• But we’ve softened our promotion of the ontology, as the terminology does not sit happily on the shoulders of the industry partners
We’ve begun to develop a useful taxonomy for RFID, Privacy and Risk
• Also being adopted by other groups in ETSI and outside
We’ve brought RFID issues to light
• Mainly showing RFID is not just an RF technology but exists within a system
• We’ve shown that privacy, data protection and ITSec are systems issues
• We’ve tried to prime the future standards work to recognise that the system boundaries will get more and more blurred, so all the problems we’ve identified can only get bigger
Aims of document re-structuring
Move analysis to annexes
• The analysis is proof or verification supporting the recommendations
Need to be more exact about what is needed in phase 2
• EN for common European Emblem
• EN to specify, on the signs, the supplementary information to be displayed in areas where RFID interrogators are deployed
• EN for the PIA Process
• EN to specify the method of “Privacy by Design”
• EN defining a checklist for application of the “Privacy by Design” method
• EN to specify the method of “Design for Assurance”
• EN defining a checklist for application of the “Design for Assurance” method
• …
Original structure of response
• RFID system architecture
  – Taxonomy of terms
  – Ontology of RFID
    • With respect to security
    • With respect to privacy protection
• Consumer, DPP and Security objectives
• Environmental aspects of RFID tags and components
  – RFID hardware end of life considerations
  – Data end of life considerations
• Privacy Impact Assessment outline
  – Role of PIAs
  – Generic versus industry specific PIAs
  – Recommendations for RFID industry specific PIAs
• RFID logos and signage
  – For consumer awareness
  – For device marking
• Derived requirements from analysis
  – RFID Logos and signage recommendations
• Standards roadmap
  – Available standards
  – Gap analysis and recommendations
Revision of contents in restructuring
[Slide diagram labels: Analysis; Requirements]
4 Summary of findings and recommendations
5 Consumer aspects including interaction
6 The RFID ecosystem
7 Analysis
8 Data Protection, Privacy and Security Objectives and Requirements
9 Privacy Impact and Data Protection Assessment (PIA) outline
10 RFID Penetration (PEN) Testing Outline
11 Common European RFID Emblem/Sign
12 Environmental aspects of RFID tags and components
13 Standardization Gaps Analysis and Summary
Annex A: Summary of status of RFID standardization
Annex B: Summary of tag capabilities
Annex C: Summary of risk assessment of RFID systems
Annex D: RFID Penetration Testing
Annex E: Gap analysis in standardisation
Structure of TR 187 020 – proposal
Recommendations – not exhaustive (that’s in the document and in development based on the analysis)
• EN for common European Emblem
• EN to specify the supplementary information to be displayed in areas where RFID interrogators are deployed
• EN for the PIA Process – RFID specific aspects
  • Should be part of a PIA framework
  • The PIA framework needs an agreed taxonomy, ontology and conformance/validation regime
• EN to specify the method of “Privacy by Design”
• EN defining a checklist for application of the “Privacy by Design” method
• EN to specify the method of “Design for Assurance”
• EN defining a checklist for application of the “Design for Assurance” method
Privacy standards requirements
Privacy by design needs to be formalised
• Not just an RFID issue, but has to consider RFID too
Tag privacy performance specification
• Requires a checklist of tag capability against PETs
Interrogator privacy performance specification
• Requires a checklist of interrogator capability against PETs
RFID Air Interface (radio protocol) privacy performance specification
• Requires a checklist of air interface capability against PETs
PIA standards
• Method, conformance and application guidance
Structure of TR 187 020 – proposal
[Slide diagram labels: Recommendations; Existing standards and their gaps; Analysis]
Get the core document much smaller
• But that may mean the annexes get expanded
Attempting to model privacy
[Slide diagram: Person –exhibits→ Behaviour; Behaviour –determines→ Person]
The simplest expression of the definition of personal data, and the attempt to express it for both the direct and indirect cases.
Wider concept
[Slide diagram: Person –exhibits→ Behaviour; Behaviour –determines→ Person; Behaviour –takes place at→ Location; Behaviour –consists of→ Action; Behaviour –happens at→ Time]
For the wider picture
Examination of behaviour by itself may reveal personal data without needing to carry explicit “personal” data.
Behaviour is visible in many parts of the telecommunications environment:
• Protocol stack offers data
  • Time, location (on the network)
• Application offers data
  • Action (may also give time and location (geographic))
Structure of ESO/STF response
1 technical report
• ETSI TISPAN Work item DTR-07044
• Analysis and justification for recommendations
• Recommendations for phase 2 – new standards and gap closure
Open consultation with stakeholders
• Other impacted standards groups
• User and consumer groups
• Privacy interest groups
Coordination by a group formed from the 3 ESOs
Privacy protection by security (PETs)
Common Criteria approach
• Pseudonymity
  • ensures that a user may use a resource or service without disclosing its user identity, but can still be accountable for that use
• Unlinkability
  • a user may make multiple uses of resources or services without others being able to link these uses together
• Unobservability
  • a user may use a resource or service without others, especially third parties, being able to observe that the resource or service is being used
• Anonymity
  • ensures that a user may use a resource or service without disclosing the user's identity
Misses a number of key items
• Misses a “Consent framework”
• Misses the deletion requirement of legislation
  • When collected personal data is no longer needed for the purpose it was collected for, it shall be deleted
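As an added illustration (not code from the STF396 deck or from TR 187 020), the following Python sketch models the ontology of the “Attempting to model privacy” slides (a Person exhibits a Behaviour, which consists of an Action, happens at a Time and takes place at a Location) and checks the Common Criteria unlinkability property over a set of tag reads: with a static unique tag ID every read links into one behaviour trail, which is the reason the Article 29 group treats that ID as personal data, whereas with a per-read pseudonym the reads do not link. Tag IDs, pseudonyms, times and interrogator locations are constructed values.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class Behaviour:
    """One observed behaviour in the deck's ontology: a Person exhibits a Behaviour,
    which consists of an Action, happens at a Time and takes place at a Location."""
    tag_id: str     # identifier the tag answers with on the air interface
    action: str     # application-layer action
    time: int       # protocol-layer time of the read (constructed, seconds)
    location: str   # protocol-layer location: which interrogator saw the tag

def link_by_identifier(reads):
    """Group reads by the identifier they expose. A group with more than one read is
    a set of behaviours an observer can tie to one (still unnamed) person: indirect
    identification without any explicit personal data being carried."""
    groups = defaultdict(list)
    for r in reads:
        groups[r.tag_id].append(r)
    return {tid: rs for tid, rs in groups.items() if len(rs) > 1}

def is_unlinkable(reads):
    """Common Criteria unlinkability: no observer can link multiple uses together."""
    return not link_by_identifier(reads)

def profile(reads):
    """Time-ordered (time, location, action) trail an observer can build per linked id."""
    return {tid: [(r.time, r.location, r.action) for r in sorted(rs, key=lambda r: r.time)]
            for tid, rs in link_by_identifier(reads).items()}

# Constructed sample: one tag with a static unique ID read at three interrogators,
# plus a second tag seen once. IDs and places are made up for this example.
STATIC_READS = [
    Behaviour("TAG-0001", "enter", 900, "gate-A"),
    Behaviour("TAG-0001", "pay",   930, "till-3"),
    Behaviour("TAG-0001", "exit",  945, "gate-B"),
    Behaviour("TAG-0002", "enter", 905, "gate-A"),
]

# The same four behaviours where each tag answers with a fresh pseudonym per read
# (a PET applied on the air interface); the pseudonyms are constructed values.
PSEUDONYM_READS = [
    Behaviour("p-7f3a", "enter", 900, "gate-A"),
    Behaviour("p-c118", "pay",   930, "till-3"),
    Behaviour("p-02be", "exit",  945, "gate-B"),
    Behaviour("p-99d0", "enter", 905, "gate-A"),
]
```

Note that the per-read pseudonym only restores unlinkability on the air interface; the back-end system that resolves pseudonyms still holds the linkable record, which is why the deck treats linkability as a whole-system property.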
Signs and emblems - Restructuring
Formerly clause 10 – Signs and emblems
• Only one conclusion
  • The ISO Emblem, with modification, to be adopted as the European Common Emblem to be associated with tagged items and signage
• Two recommendations for phase 2
  • Development of an EN derived from the ISO Emblem defining the European Common Emblem, to be carried out by CEN
  • Development of an EN defining the supplementary information on signs to be displayed in areas where RFID interrogators are deployed
    • To be consistent with data protection directives
    • To be developed in consultation with ANEC
    • Development to be led by CEN, with due diligence of the result to include ETSI HF and USER as well as ANEC
• Some exceptions to be noted
  • Government issued identity tokens with RFID do not need to carry the RFID emblem (e.g. passports, identity cards)
• All of the analysis to be moved to an annex
Gaps that are not RFID specific
Adoption and formalisation of key approaches
• Design for Assurance
  • How can the industry show compliance to this?
• Privacy by Design
  • How can the industry show compliance to this?
Development of privacy controls
• Privacy controls in technology
  • Across the RFID system (tag, radio interface, interrogator, back end system)
• Privacy controls in management processes
The challenge
• The need for privacy control is racing against the growing use and development of applications that will introduce new privacy risk.