Privacy and Security implications of using RFID technology

Most of us would think that RFID is a newly established or complex technology, however, little do we know that it is actually a tool that we use everyday, and, without which even the simplest tasks would be a hassle. Have you ever wondered how many times you intuitively tap your credit card to make payments, how effortlessly you sign in your office building by tapping your card or your oyster card for your daily travel?

This is all thanks to RFID or ‘Radio Frequency Identification’ Tag technology which allows for distance tracking through low-grade radio frequency. The use of RFID technology can often go unnoticed albeit its wide application in various industries calls for a closer look given its potential privacy and security implications.

What is Radio Frequency Identification Tag technology?

RFID was created back in 1948 by Harry Stockman and was initially utilized for military applications. In today’s world, RFID is used in many sectors for various purposes. RFID tags are a type of tracking system that use radio frequency to search, identify, track, and communicate with items or individuals.

Essentially, RFID tags, like barcodes, are smart labels that can store a range of information from serial numbers to a short description, and even pages of data. This means that is does leave trace and, when attached to the identification of a certain person and thus it can be considered personal data.

RFID is a wireless technology made up of two main parts; i.e. tags and readers. The reader is a device which has one or more antennas that send and receive electromagnetic signals back from RFID tags. These tags, which store a serial number or cluster of information, use radio waves to send their data to nearby readers. RFID belongs to a group of technologies called Automatic Identification and Data Capture (AIDC). You can use AIDC tools to identify items, collect data about them, and send that data to a computer system with little to no human interaction and with a wider reach in terms of physical proximity. 

When are RFID tags most commonly used?

The most common RFID application is in retail and large service providers such as post or hospitals for inventory tracking, control access, staff, patient or equipment tracking etc. It is also commonly used for improving customer experience, microchipping animals and even for searching for hazardous items in airports.

Amazon contact-less shops

Amazon Go has leveraged the use of RFID tags at its Amazon Go stores where customers can freely enter, browse and checkout without human intervention save with the help of AI robots and RFID. All you have to do is enter in the Amazon store using the Amazon Go app, take your item of choice and just walk out and as the tagline of Amazon Go suggests…“just walk out”! Products are strapped with an RFID tag which interacts with your Amazon Go app and items get automatically once they reach a close proximity to your phone and the amount is the deducted from your Amazon account.

Customer traffic flow in retail

By aggregating and plotting RFID item movement throughout a store, retailers can begin to draw conclusions about how people and products navigate the physical confines of the space. Benefits could include: monetizing high-traffic endcaps, tracking in-store cart or product abandonment, removing physical pinch points, understanding how certain product categories or items correlate to different paths in the store at different times of day, days of the week, etc.

Magic mirror

Retailers like Ralph Lauren have taken the leap to introduce smart mirrors to enhance in-store user experience. Imagine a fitting room that uses touch screen monitors in place of mirrors. By geo-locating specific RFID tags, this fitting room tracks the item that is being tried on, shows other available colors and what those might look like on you, shows available complementary clothes, and could provide relevant product information such as the fabric technology. 

RFID tags and the General Data Protection Regulation - personal data or not?

RFID tags can be considered, under the General Data Protection Regulation 2018 (GDPR), an online identifier similar to cookies.

While it is not explicitly considered as personal data under the Regulation’s definition, the EDBP has issued specific guidance on RFID, which strongly suggests that the use of such technology falls under the remit of data protection legislation. The issue is that in practice, RFID may not be considered in scope of the GDPR, since the use of RFID tags is sometimes omitted in commercial contracts or not explicitly mentioned in data processing agreements. 

To understand how RFID may be used in detriment to one’s privacy rights, consider the following example

In 2016, UK animal shelter Battersea Dogs and Cats, launched a campaign called #LookingForYou. Over the course of two weeks, representatives from the animal shelter handed out brochures to potential pet parents in a London mall. Unbeknownst to passersby, the brochures were tagged with RFID chips. As they carried on with their day, seven closely located digital billboards were activated as they passed, showing video images of an adorable dog that seemed to be following them home. If the person approached the screen, the dog moved toward them. It follows, that to comply with GDPR requirements appropriate notice should be given to the data subjects whose data is being processed for this purpose either through a privacy notice or visible physical tag.

Privacy & security risks as highlighted by the European Data Protection Board and GS1 guidelines

Mitigating privacy risks under the GDPR via ‘privacy by design’

RFID can present an untapped potential to businesses as it allows access to a completely unexplored data pool to get insights from. Thanks to RFID technology businesses can prevent fraud, optimise their stock and internal operations by automating certain processes. Also, businesses can draw insights about their customers’ behavior, identify trends and enhance their customers experience and find new ways to market their products.

If RFID is embedded into products itself, complications with user privacy could emerge, and must be considered during the product design and throughout the development and execution phase. 

Aside from the well-known ‘privacy by design and by default’ principle dictated by Article 25 of the General Data Protection Regulation 2018, RFID tags are regulated by the GS1. The GS1 is the international organization responsible for regulating the use of barcodes and similar tracking technologies in various industries.  It is interesting that the GS1 has published various tools and resources which recommending to business that embed RFID technology to perform a PIA and comply with the EU Commission’s RFID recommendations. The recommendation suggests very precise steps that should be taken with the ultimate goal to raise consumer acceptance of RFID technology.

Security issues

The main security issue associated with the use of RFID systems is that they are susceptible to attacks or viruses from hackers and fraudsters. However, there is comfort in knowing that attacks on RFID systems aren’t easy to penetrate. Most modern technology has built-in encryption to prevent hackers from eavesdropping on the sales and customer data being passed through the platform. It’s also difficult for most RFID tags to be infected with a virus since they have low storage capacity. However, as RFID systems do not have a lot of compute power in some cases they are unable to accommodate encryption, such as might be used in a challenge-response authentication system

Another concern lies in that RFID tag data can be read by anyone with a compatible reader. Tags can often be read after an item leaves a store or supply chain. They can also be read without a user's knowledge via unauthorized readers.

Conclusion

Whilst RFID tags provide a wide basis of opportunity for organisations, it seems that the application of the GDPR cannot be neglected. User consent and transparency becomes crucial when a tag has a unique serial number and can be associated to a consumer. It is recommended for RFID users to take steps to secure their data by locking memory banks. Middleware should also be used to prevent man-in-the-middle attacks—where fraudsters place a device between the RFID tag and the reader to intercept the data being transmitted.

If you have any questions about the use of RFID tags or want to chat through any data protection compliance issues generally, then please do not hesitate to get in touch!

Article by Anthi Pesmazoglou @ Gerrish Legal

Previous
Previous

The A to Z of General Counsel Roles

Next
Next

B2B: Battle of the Forms in France