Imminent EC RFID Recommendation Could Prove Helpful for Vexing Privacy Issues
BRUSSELS -- The Internet of Things won’t fly without consumer confidence, said European Consumers’ Organization Legal Officer Emilie Barrau Friday at the IoT Europe 2009 conference. The only way networks that connect objects -- such as radio frequency identification tags and sensors -- and services to the Internet will become a reality is for it to become the “Internet of People,” she said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Some speakers echoed Barrau’s privacy concerns. Ilias Chantzos, Symantec government relations director for parts of Europe, the Middle East and Asia, warned that RFID systems will be breached. Whether privacy on the IoT will be ensured by more regulation, compliance with existing EU legislation or simply consumer demand is unclear, speakers said. Some tentative answers may emerge in a European Commission recommendation due Monday.
Privacy and security top consumers’ list, Barrau said. The name “Internet of Things” is misleading to the average person because it’s about people as much as about objects, she said. Consumers need to know how the IoT works and what the information it collects is used for, she said. They need to be able to control who has access to the data, Barrau said. But user control is only one aspect of the IoT, she said.
Society is dealing with increased pervasiveness of information technology and depends more heavily on those infrastructures working well, said European Data Protection Supervisor Peter Hustinx. These systems carry risks, he said: What if the infrastructure doesn’t do the right thing? How can we organize a society based on the rule of law and human rights that has so many aspects of Big Brother? As data protection becomes more relevant, it must be more effective and empowering and subject to better “data governance.”
Concerns about the IoT range from how personal data in RFID tags is collected, stored and mined to questions of whether, if everything is online, people should worry about eavesdropping and interception, Hustinx said. Some fear the IoT will be an infrastructure for tracking users without their knowledge, he said. Others worry about profiling and influencing user behavior, he said.
Europe already has a technology-neutral framework of privacy and data protection laws which will be important to the IoT, Hustinx said. It’s unclear who the laws apply to in the context of the IoT and who bears ultimate responsibility for privacy consequences, he said. Hustinx urged companies seeking to use the IoT to perform privacy impact assessments beforehand, and to make it very clear to individuals that they're being observed and why. Businesses usually need explicit consumer consent to leave RFID tags in place after the point of sale, and that should be true for the IoT as well, he said. IoT systems must also be secure to prevent data loss, he said. New regulations are not necessarily the answer, Hustinx said. Existing law needs more guidance and interpretation, and self-regulation is also an option, he said.
Information security is “going very mobile,” Chantzos said. Over 90 percent of all malware allows remote access, he said. The IoT will be a huge infrastructure and every device attached to it will be vulnerable, he said. It’s not just a question of how many holes the system has, but how many people are shooting at it, he said.
RFID will lead to a more mobile, connected world that will rely on front- and back-end systems, basic software and interoperability with consumer devices, Chantzos said. RFID will be present in everything from retail to national security applications, and will affect individual privacy, he said. The systems “will be attacked and successfully compromised,” he warned.
European Retail Round Table Director Paul Skehan dismissed RFID privacy fears. From all the talk, one would think RFID tags are everywhere, but they're barely in the sights of major European retailers, he said, though they're used frequently for tracking pallets. Debate on the tags should be grounded on what’s happening now, not what may come in the future, he said. Retailers aren’t using RFID because they're afraid of what the EC will recommend, he said. They also worry governments will take the recommendation and “run in 27 different directions,” he said.
Discussion of the IoT is taking place in a vacuum, Skehan said. No one disputes the need for data protection, privacy and security, but businesses are already data-mining and profiling, so it’s unclear why RFID is a concern. Retailers “kill each other” to win more customers and if one chain advertises deactivation of RFID tags at point of sale, and consumers flock to those stores, other companies will soon follow, he said.
Retailers aren’t paying much attention to the IoT because they don’t consider it important now, Skehan said. Debate should focus on the values society wants to protect, on the principles needed to safeguard them, on what guidance will be needed and on what information to give customers, he said. Bad behavior should be penalized. But the last thing anyone wants to do is drive innovation out of Europe, a possible consequence of the RFID/IoT debate, he said. -- Dugie Standeford
IoT Europe Notebook…
The Internet of Things isn’t fundamentally new but is moving along an evolutionary path, said Ruprecht Niepold, European Commission advisor to the Director General on radio spectrum policy. The IoT means computers will become things with sensing functions, he said at the final session of the IoT 2009 conference in Brussels Friday. They'll have knowledge of their own status and history and be capable of sensing their environment and executing processes beyond data processing, he said. It’s unclear at what stage the evolutionary process will induce important changes, Niepold said. The Internet as linking structure will remain in the center, but there will be ubiquity of linking things. Objects and their controllers -- sensors that shift in space and time -- will be on the move. The key question is where the information will reside, he said. It probably won’t be on central servers but on distributed servers. Some intelligent objects may monitor themselves and transmit only critical information, managing themselves as sub-networks. Possible free applications could include temperature monitoring and other public services such as car-to-car communications financed by publicly-funded infrastructure, Niepold said. There will also be global services offered for payment, many closed business services such as retail RFID or metering solutions, and many more individual applications such as home automation, he said. The business case for the IoT will likely require a reliable “common core” around whose edges innovations can develop, he said. The IoT will create a need for many more addresses, meaning the world must move quickly to Internet Protocol version 6, Niepold said. Whether the IoT needs domain name system-style management or new top-level domains such as .things or .objects is unclear, he said. The IoT might or might not spur significantly more communications traffic, but having many items in always-on mode could prove a strain, Niepold said. Niepold said he’s not convinced more spectrum will be needed because some IoT traffic will move on mobile networks. There’s ample spectrum for mobile applications but Europe must coordinate it at the pan-EU level, he said. Much of the traffic between things and the Internet could travel over short-range device frequencies. In that case, it will be impossible to license spectrum use for every object, Niepold said. So it will boost the idea of unlicensed spectrum, something the EC is pushing for in its reform of e-communications regulations, he said.