SUMMARY OF STF396 PROGRESS Autumn M436 CG meeting

Upload: jayson-heath

Post on 16-Jan-2016


Page 1: SUMMARY OF STF396 PROGRESS Autumn M436 CG meeting (title slide)

Page 2: Overview

Summary of the comments received
• General = 111 of 659 (17%)
• Editorial = 233 of 659 (35%)
• Technical = 315 of 659 (48%)
• This relative mix has been maintained even as new comments creep through (figures change but mix doesn’t)

Overview of response
• Accept all “Editorial” without detailed review
  • Confirm all are addressed in final edit
• Many duplications across the comments
  • Not necessarily the same text, but the same concern has been expressed
• Document structure requires change
  • Analysis moved to annex
  • Findings made more “hard” (less verbosity)

Page 3: Where are the comments

Clause by clause
• Overall (i.e. purpose, scope and structure of document) = 28
• Clause 1 = 0 (zero)
• Clause 2 = 13
• Clause 3 = 18
• Clause 4 = 36
• Clause 5 = 22
• Clause 6 = 46
• Clause 7 = 143
• Clause 8 = 101
• Clause 9 = 120
• Clause 10 = 42
• Clause 11 = 5
• Clause 12 = 69
• Annexes = the rest

Page 4: Problems we’ve got to defuse

Mandate 436 responds to an observed concern
• RFID appears to be becoming close to ubiquity without public debate on the privacy issues it raises
• RFID, whilst becoming ubiquitous, is not becoming more visible
• RFID is a misleading and abused term and has a wide range of associations across industry and society

The document from the ESOs addresses the concern
• Sometimes without appearing to be terribly sensitive to the industry
  • Has led to a number of calls that the STF/M436 is aiming to damage the industry
    • By highlighting the issues and the contribution of RFID technology to the issues
  • The industry indicated they consider themselves unfairly singled out with regard to privacy issues
• With an aim to identify the minimum set of standards to address the concerns
  • Not finalized at the time when the document was sent to consultation

Page 5: Regulatory data protection definitions

Personal data
• shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity

Processing of personal data
• shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction

“Data subject’s” consent
• shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

Page 6: Some major opinions we’ve got to acknowledge

The Article 29 working group
• The unique identity on tags amounts to personal data
  • This is not strongly stated in the document (opinion was expressed after the TR was released to consultation)
• PETs in this area need further examination
• The PIA has to include a risk analysis
  • This is clearly stated in the objectives and requirements of PIA in the TR

The EU Data Protection landscape
• The existing provisions need to be reinforced
  • The ontology begins to address this
• Anticipate and allow for changes in current DP legislation expected after the revision of the current Data Protection Directive
  • Expect RFID-specific provisions in the revised Data Protection Directive

Linkability is a major threat
• Covers the entire system and is shown by the ontology

There is RFID technology available to address many of the concerns
• But not a lot of guidance in selecting it

Page 7: A couple of concessions

RFID is not the root cause of all privacy problems
• They existed before RFID existed
• Other technologies and applications have privacy problems

The RFID industry has the potential to offer considerable societal benefit
• Within the constraints of existing laws

However …
• The RFID industry has to show it is addressing the concerns
• The RFID industry has to acknowledge its role in the privacy debate
  • As a source of concern
  • As a root of trust

Steps needed in the industry …
• Adoption of PETs
• Development of PETs where there aren’t any
• Development and application of PIAs (as an essential step to address privacy issues)

Page 8: Some of the achievements

We’ve worked through an ontology and that work is being acknowledged and adopted in privacy work in parts of ETSI and in other areas
• But we’ve softened our promotion of ontology as the terminology does not sit happily on the shoulders of the industry partners

We’ve begun to develop a useful taxonomy for RFID, Privacy and Risk
• Also being adopted by other groups in ETSI and outside

We’ve brought RFID issues to light
• Mainly showing RFID is not just an RF technology but exists within a system
• We’ve shown that privacy, data protection and ITSec are systems issues
• We’ve tried to prime the future standards work to recognise that the systems boundaries will get more and more blurred, so all the problems we’ve identified can only get bigger

Page 9: Aims of document re-structuring

Move analysis to annexes
• The analysis is proof or verification supporting the recommendations

Need to be more exact about what is needed in phase 2
• EN for common European Emblem
• EN to specify on the signs the supplementary information to be displayed in areas where RFID interrogators are deployed
• EN for the PIA Process
• EN to specify the method of “Privacy by Design”
• EN defining a checklist for application of “Privacy by Design” method
• EN to specify the method of “Design for Assurance”
• EN defining a checklist for application of “Design for Assurance” method
• …

Page 10: Original structure of response

• RFID system architecture
  – Taxonomy of terms
  – Ontology of RFID
    • With respect to security
    • With respect to privacy protection
• Consumer, DPP and Security objectives
• Environmental aspects of RFID tags and components
  • RFID hardware end of life considerations
  – Data end of life considerations
• Privacy Impact Assessment outline
  – Role of PIAs
  – Generic versus industry specific PIAs
  – Recommendations for RFID industry specific PIAs
• RFID logos and signage
  – For consumer awareness
  – For device marking
• Derived requirements from analysis
  – RFID Logos and signage recommendations
• Standards roadmap
  – Available standards
  – Gap analysis and recommendations

[Slide annotation: the sections are bracketed into two groups labelled “Analysis” and “Requirements”]

Page 11: Revision of contents in restructuring

4 Summary of findings and recommendations
5 Consumer aspects including interaction
6 The RFID ecosystem
7 Analysis
8 Data Protection, Privacy and Security Objectives and Requirements
9 Privacy Impact and Data Protection Assessment (PIA) outline
10 RFID Penetration (PEN) Testing Outline
11 Common European RFID Emblem/Sign
12 Environmental aspects of RFID tags and components
13 Standardization Gaps Analysis and Summary
Annex A: Summary of status of RFID standardization
Annex B: Summary of tag capabilities
Annex C: Summary of risk assessment of RFID systems
Annex D: RFID Penetration Testing
Annex E: Gap analysis in standardisation

Page 12: Structure of TR 187 020 – proposal

Recommendations – not exhaustive (that’s in the document and in development based on the analysis)
• EN for common European Emblem
• EN to specify the supplementary information to be displayed in areas where RFID interrogators are deployed
• EN for the PIA Process – RFID specific aspects
  • Should be part of a PIA framework
  • PIA framework needs an agreed taxonomy, ontology and conformance/validation regime
• EN to specify the method of “Privacy by Design”
• EN defining a checklist for application of “Privacy by Design” method
• EN to specify the method of “Design for Assurance”
• EN defining a checklist for application of “Design for Assurance” method

Page 13: Privacy standards requirements

Privacy by design needs to be formalised
• Not just an RFID issue, but has to consider RFID too

Tag privacy performance specification
• Requires a checklist of tag capability against PETs

Interrogator privacy performance specification
• Requires a checklist of interrogator capability against PETs

RFID Air Interface (radio protocol) privacy performance specification
• Requires a checklist of AI capability against PETs

PIA standards
• Method, conformance and application guidance

Page 14: Structure of TR 187 020 – proposal

[Diagram: three blocks labelled Recommendations, Existing standards and their gaps, Analysis]

Get the core document much smaller
• But that may mean the annexes get expanded

Page 15: Attempting to model privacy

[Diagram: entities Person and Behaviour, linked by the relationships “Exhibits” and “Determines”]

The simplest expression of the definition of personal data and the attempt to express it for both the direct and indirect cases.

Page 16: Wider concept

[Diagram: entities Person, Behaviour, Location, Action and Time; relationship labels “Exhibits”, “Determines”, “Takes place at”, “Consists of” and “Happens at”]

Page 17: For the wider picture

Examination of behaviour by itself may reveal personal data without needing to carry explicit “personal” data

Behaviour is visible in many parts of the telecommunications environment:
• Protocol stack offers data
  • Time, location (on the network)
• Application offers data
  • Action (may also give time and location (geographic))

Page 18: Structure of ESO/STF response

1 technical report
• ETSI TISPAN Work item DTR-07044
• Analysis and justification for recommendations
• Recommendations for phase 2 – new standards and gap closure

Open consultation with stakeholders
• Other impacted standards groups
• User and consumer groups
• Privacy interest groups

Coordination by group formed from the 3 ESOs

Page 19: Privacy protection by security (PETs)

Common Criteria approach
• Pseudonymity
  • ensures that a user may use a resource or service without disclosing its user identity, but can still be accountable for that use
• Unlinkability
  • a user may make multiple uses of resources or services without others being able to link these uses together
• Unobservability
  • a user may use a resource or service without others, especially third parties, being able to observe that the resource or service is being used
• Anonymity
  • ensures that a user may use a resource or service without disclosing the user's identity

Misses a number of key items
• Misses a “Consent framework”
• Misses the deletion requirement of legislation
  • When collected personal data is no longer needed, for the purpose it was collected for, it shall be deleted
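The point made on the slides above (a constant tag identity lets behaviour, i.e. time and location, be linked back to a person; a pseudonymity PET breaks that linkage for an outside observer while keeping the back end accountable) is shown here as an added example, not code from the TR or the STF. It assumes a constructed set of interrogator reads and a hypothetical keyed, per-read pseudonym scheme; the identifiers and the key are invented.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample: reads of two tagged items at three interrogator sites.
# Each read is (tag_uid, read_counter, time, location). The constant uid is
# the identity that, per the Article 29 opinion, amounts to personal data.
READS = [
    ("E200-0001", 1, "08:02", "station-A"),
    ("E200-0002", 1, "08:05", "station-A"),
    ("E200-0001", 2, "08:41", "office-lobby"),
    ("E200-0001", 3, "12:30", "canteen"),
    ("E200-0002", 2, "12:31", "canteen"),
]
BACKEND_KEY = b"constructed-demo-key"  # hypothetical key held only by the back end


def plain_identifier(uid, counter):
    """No PET: the tag emits the same identifier on every read."""
    return uid


def pseudonym(uid, counter, key=BACKEND_KEY):
    """Hypothetical PET: a keyed, per-read pseudonym. An observer without the
    key cannot link two reads of the same tag; the back end still can."""
    msg = f"{uid}:{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def behaviour_trails(reads, emit):
    """What a passive observer of the radio interface can link together:
    emitted identifier -> [(time, location)], i.e. the behaviour that the
    ontology on the earlier slides attaches to a person."""
    trails = defaultdict(list)
    for uid, counter, when, where in reads:
        trails[emit(uid, counter)].append((when, where))
    return dict(trails)


def longest_trail(trails):
    """Linkability measure: the most reads an observer can tie to one identifier."""
    return max(len(t) for t in trails.values())


def resolve(pseud, known_uids, key=BACKEND_KEY, max_counter=1000):
    """Back-end side of pseudonymity: recompute candidates to recover the uid,
    so accountability (and e.g. honouring a deletion request) remains possible."""
    for uid in known_uids:
        for c in range(1, max_counter + 1):
            if pseudonym(uid, c, key) == pseud:
                return uid
    return None
```

With plain identifiers the observer reconstructs a three-stop movement trail for one tag; with the pseudonym scheme every read stands alone, yet the key holder still resolves each pseudonym to its tag.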


Page 20: Signs and emblems - Restructuring

Formerly clause 10 – Signs and emblems
• Only one conclusion
  • The ISO Emblem with modification to be adopted as European Common emblem to be associated to tagged items and signage
• Two recommendations for phase 2
  • Development of an EN derived from the ISO Emblem defining the European Common Emblem to be carried out by CEN
  • Development of an EN defining the supplementary information on signs to be displayed in areas where RFID interrogators are deployed
    • To be consistent with data protection directives
    • To be developed in consultation with ANEC
    • Development to be led by CEN with due diligence of result to include ETSI HF and USER as well as ANEC
• Some exceptions to be noted
  • Government issued identity tokens with RFID do not need to carry the RFID emblem (e.g. passports, identity cards)
• All of the analysis to be moved to an annex

Page 21: Gaps that are not RFID specific

Adoption and formalisation of key approaches
• Design for Assurance
  • How can the industry show compliance to this?
• Privacy by Design
  • How can the industry show compliance to this?

Development of privacy controls
• Privacy controls in technology
  • Across the RFID system (tag, radio interface, interrogator, back end system)
• Privacy controls in management processes

The challenge
• The need for privacy control is racing against the growing use and development of applications that will introduce new privacy risk.