
EU Internet of Things White Paper

Coordination And Support Action for Global RFID-related Activities and Standardisation

EU Project Number 216803

CASAGRAS will provide a framework of foundation studies to assist the European Commission and the global community in defining and accommodating international issues and developments concerning radio frequency identification (RFID) with particular reference to the emerging ‘Internet of Things’.

WP7: Socio-economic components of RFID usage in the Internet of Things

White Paper, v4a (Issued 6 April 2009)

DRAFT White Paper WP7 Issued May 2009

Contents

1 Introduction
1.1 The Social Connection with the Internet of Things
1.1 Awareness, Public Perception and Social Change
2 Technology enablers of things ubiquitous and Internet of Things
2.1 The Privacy Imperative
2.2 Outline Methodology for Designing Privacy into RFID Applications
2.3 A Standard for Design for Privacy and Security
3 Safety Issues concerning RFID and Radio-based Systems
4 Structure and Governance for the Internet of Things

1 Introduction

In principle the Internet of Things (IoT), based upon popular perceptions, may be considered as a structure in which human intervention is minimised, but in which activities are directed at serving human-kind either directly or indirectly and at various levels of human enterprise, domestic, corporate, public, national and international.

A paradigm shift in nature and scale is envisaged within the Internet of Things which will inevitably have a profound impact upon society, in much the same way as the Internet and the world-wide-web have impacted upon everyday life and the commercial world. While the level of impact is likely to be different, the nature of the impact is likely to be as far reaching and as radical and revolutionary as the Internet itself.
In considering the socio-economic issues arising from the developments in RFID and the Internet of Things it is both relevant and important to reflect upon the opinion expressed by the European Economic and Social Committee (EESC) in its published statement of the 18th September 2008. This was in response to a consultation request from the European Commission, under Article 262 of the Treaty establishing the European Community, on the subject of The Internet of Things (exploratory opinion). The conclusions and recommendations presented in this opinion were as follows:

“The EESC encourages the EU Commission to:

2.4 Invest in research, to support dissemination (such as the past presidency events) and standard setting activities because they consider the Internet of Things (IOT) domain important.

2.5 Take measures to remove barriers that would hamper the taking-up of the technology.

2.6 Assess whether centralised systems will be able to handle the amount of traffic that can be expected of IOT applications and if local governance (of names and services) are a better approach to manage mass deployment.

2.7 Investigate whether the current existing directives handle the data protection and security requirements adequately or if new legislative measures are needed.

2.8 Consider the need for some laboratories in Europe with combined funding from universities and private companies, in order to ensure that research results are taken up in Europe and to counter a brain-drain of researchers to research facilities and enterprises in other parts of the world (US).

2.9 On the issue of eventual electromagnetic risks - the principle of precaution should apply for these new environments with a high density of wave readers, in particular for the workers in such environments. They should be informed about any potential risks and methods of protection should be put in place. All the same, the question should be seriously assessed, through scientific studies.

2.10 Remember that technology development should be done for the people and that there is a need to evaluate the related ethical risks.

2.11 For trans-European services, the European Commission or the independent administrative authority that may regulate the spectrum in the future, should consider the spectrum needs of the Internet of Things.

2.12 Research will be crucial to win the race to deliver computing capacity to handle future real time Internet of Things applications.”

Within this opinion statement there is clear support for RFID and the concept being developed for the Internet of Things. Removing barriers to take-up and for research to advance the realisation of the Internet of Things are also explicit in the statement. From a clearly social perspective data protection, privacy, security, ethical risk assessment and safety of systems constitute particularly important issues. Governance is a further issue that is likely to have impact from a social perspective but only features in a closing paragraph, pointing to the notion that the new network poses problems of governance in view of its scale, content and universal standards requirements. There is insufficient reference to international ISO/IEC standards for RFID suggesting that RFID is “currently regulated through private standards and commercial relations with global EPC”. In addressing these issues as part of this communication a more inclusive approach will be adopted.

1.1 The Social Connection with the Internet of Things

The word social is indicative of issues of a human nature. It is therefore important to establish how the Internet of Things, and developments towards the Internet of Things, are likely to have the profound social implications suggested above.
As expressed in the CASAGRAS white paper on Applications for the Internet of Things, integration with the existing and evolving Internet is, at the very least, a migratory feature of achieving the Internet of Things, in which various categories of application or service may be distinguished:

1. Object-to-Internet-to-human (e.g. object initiated service that results in an email to a human respondent)
2. Human-to-Internet-to-object (e.g. human communicates via Internet to activate a control device in the home)
3. Object-to-Internet-to-object (e.g. object activated control service via the Internet that results in an object or systems activation, control event or information update, possibly with a human interface to allow monitoring of events)
4. Object-to-dedicated IoT infrastructure-to-object (e.g. similar to 3, but exploiting a dedicated infrastructure and domain features to support a new range of object-oriented applications and services, possibly with human interfaces as appropriate for interactive functions)

While the categories indicating explicit human intervention could, depending upon the application, have implications with respect to privacy and security, it should be recognised that the object-to-object category may also have privacy implications if linked to personal information and/or activities.

In drawing upon this categorisation of applications and the issues raised in the EESC opinion statement the following socio-economic factors can be recognised:

- Awareness, Public Perception and Social Change
- Privacy, Security and Risk Assessment
- Safety Issues concerning RFID and Radio-based Systems
- Structure, Revenue Streams and Governance

While governance is included in this list the other issues clearly come into the considerations and aspects of governance. Adding to this list of issues for which governance assumes a role are issues concerning business models and aspects of application and service.
Governance will also need to cover aspects of network functionality and protection.

1.2 Awareness, Public Perception and Social Change

One of the principal barriers to take-up of RFID resides in the lack of awareness of RFID and its capabilities. Unfortunately, a decade or so characterised by hype, misunderstanding and misconceptions has suppressed awareness and willingness on the part of non-users to recognise the potential that RFID has to offer. As there are many applications, such as those in retail, travel and leisure, that may be seen to involve personal data or potential access to personal data, the need may also be seen for privacy protection along with public awareness and measures to gain public acceptance.

A European Commission consultation process on RFID, conducted in 2006, revealed that 61% of the 2190 respondents were of the view that the public in general were not sufficiently informed about or aware of RFID. It also revealed privacy to be their biggest concern. While awareness-raising was seen as a necessary expedient in addressing this situation, the need was also seen for awareness accompanied by confidence-building directives that demonstrate that privacy is appropriately supported.

While public consultation has already been exercised within Europe on RFID and privacy it remains a substantive objective to raise awareness and promote the take-up of RFID. A thematic network is about to be established within the European member states to realise this objective.

2 Privacy, Security and Risk assessment - A design Approach

Privacy and associated security with respect to radio frequency identification (RFID) has been the focus for a great deal of media and campaign attention over recent years, with a lot of emphasis upon the potential infringement of privacy and infringement scenarios. A legislative framework is emerging that helps to distinguish the various facets of privacy and what constitutes violation of privacy. Such developments have been influenced by consumer or campaign concerns.

While these and others rightly seek to protect privacy and human rights in respect of technology usage, media hype, exaggerated claims, misconceptions and misinformation often arise that confuse and present difficulties in deriving coherent and effective measures for handling privacy and satisfying consumer and campaign group concerns. It becomes increasingly difficult to exploit technological developments, such as RFID, where multiple factors, including some that are application-specific, impact upon privacy. The situation is exacerbated when technological developments and concepts such as the ‘Internet of Things’ are not sufficiently explained and insufficient attempts are made to seek public acceptance.

A seemingly open-ended flow of problems can be seen to arise with respect to RFID and people-related applications where privacy is an important consideration. The solutions derived can be considered robust if techniques for accommodating privacy and associated security issues are clearly identified and effectively applied. When viewed as part of a design methodology these techniques constitute part of a framework or ‘tool-box’ to be used in selecting techniques and technologies to meet particular application needs. Viewed in isolation, privacy protection techniques may yield a degree of confidence on the part of consumers and campaign groups, but to have more impact in this respect they need to be viewed in context of overall application requirements.

Core to these considerations, particularly within Europe, are the EU directives, and corresponding member state enactments in law, that govern the protection of individuals with regard to processing of personal data and freedom of movement for such data.
Similar directives, albeit concerned with RFID in particular or data protection in general, may be found in other nations around the world that are likely to have bearing upon privacy and security in relation to the Internet of Things. With respect to RFID in Europe the EC Directive 95/46/EC can be seen to be key. However, as identified in the European Parliament Scientific Technology Options Assessment (STOA) report, RFID and Identity Management in Everyday Life, the directive may not be adequate to accommodate fully the requirements in respect of governance.

In view of such limitations it is important from a design perspective to consider national guidelines and supporting principles with respect to privacy and data protection. An example of such guidelines is the OECD “Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data” and basic principles of data protection used in formulating data protection legislation. The concept of Identity Management introduced through the European Parliament Scientific Technology Options Assessment (STOA) report is also significant in this respect and is covered in more illustrative terms in the booklet “RFID & Identity Management in Everyday Life”.

In Japan, a set of Guidelines for Privacy Protection, with particular reference to RFID, was issued in 2004 by the Ministry of Internal Affairs and Communications (MIC) and the Ministry of Economy, Trade and Industry (METI). Ten Articles comprise these Guidelines:

1. Purpose
2. Scope
3. Indication etc. of the fact that products are tagged with RFID tags
4. Reservation of the right of final choice of consumers with respect to reading of RFID tags
5. Information offerings concerning social benefits of RFID tags
6. Handling of RFID tags in cases where information is used by linking personal information, databases etc. stored in computers with RFID information
7. Limitations on information collection and use in cases where recording personal information in RFID tags
8. Ensuring of information accuracy where recording personal information in RFID tags
9. Establishment of information administrator
10. Explanation and information offerings to consumers

The guidelines draw attention to the view that the problem of privacy protection is due to characteristics peculiar to RFID tags. For example, if RFID tags were removed at the point when a retail store hands a product to a consumer, there would not be a question of risk. However, in the future it is likely that RFID tags will be required to ensure some kind of consumer benefit or satisfy some social and/or societal need. Such developments raise the question of risk and the need for appropriate protective measures.

There are a number of useful policy and solution guidance documents to be found that can assist in addressing privacy issues and in designing protection systems. An example of such a document is the AIM Global RFID Expert Group “RFID – Guidelines on Data Access Security”, AIM working document REG 352. The document looks at systemic solutions that prevent unauthorised or inadvertent access to data on an RFID tag and in an RFID system. It is intended to provide guidance to users and systems designers on potential threats to data security and countermeasures available to provide RFID data security.
Design methodology for systems where privacy requirements are indicated also demands attention to risk identification and assessment and appropriate consideration of a range of factors that impact on privacy and associated security, including:

- Directives and legislation on protection of personal data
- Privacy guidelines and standards
- Attack and system failure modes and risk assessment
- Technologies and techniques

From the standpoint of privacy-attack an RFID, or comparable, technological system may be considered as an identification and data transfer facility with vulnerabilities that potential attackers, individual or corporate, might exploit with intent to track, gather personal information or otherwise compromise privacy. Understanding attack modes, the effects and criticality of effects is a necessary requirement in seeking effective application-specific solutions. Such an approach is analogous to failure modes and effects analysis (FMEA) used effectively in engineering design. Correspondingly, failure is a further aspect for consideration since in practice systems cannot be expected to be immune from technical failure that can lead to personal data being lost or stolen. However, analysis and contingency can assist in alleviating or minimising such problems.

With these considerations in mind a framework may be identified as a basis for developing appropriate risk assessment and application design methodology.

2.1 The Privacy Imperative

The privacy imperative is not simply a consequence of RFID; it clearly arises from a broader base of technological concerns. A recent UK study [1], undertaken by the Royal Academy of Engineering, has drawn attention to these broader issues and provides a contribution to the public debate on information technology in general and its possible impact on privacy. Although its recommendations are focused upon the UK it stresses the importance of influencing policy on an international basis.
The broader considerations extend to all aspects of data collection, storage, transmission and processing of data, how they are monitored and managed so that effects are effectively understood and controlled in the interests of privacy. In considering the privacy imperative for RFID it is important to consider it in context of broader information technology issues, particularly where RFID systems are linked to wider communication, storage and processing systems. It is also expedient to consider the legal framework to which RFID relates and the broader information systems’ considerations that relate. Moreover, with expanding usage of RFID and prospectively applications with global dimensions, including those relating to the proposed ‘Internet of Things’, considerations should where appropriate extend to global privacy policy [2].

[1] The Royal Academy of Engineering (2007), Dilemmas of Privacy and Surveillance – Challenges of Technological Change, ISBN 1-903496-32-2
[2] Perrin, S (2006) RFID and Global Privacy Policy, RFID Applications, Security and Privacy (Edited: Garfinkel, S & Rosenberg, B) Addison Wesley. ISBN 0-321-29096-8

In presenting an inclusive framework for considering technologies the Royal Academy of Engineering study distinguishes a roadmap or feature space in which three layers of technologies are defined with components identified on a time line for existing or mass market, early adopter and horizon technologies. The three layers comprise:

- Connection technologies: technologies that affect how organisations move data around, including how they deliver information and services to customers. Included in this category are personal related technologies which in turn include RFID, WiFi, Bluetooth, ZigBee and near field communication (NFC) technologies.
- Disconnection technologies: technologies that provide access control to services and resources, to maintain security of data. Included in this category are passwords, PINs, SIM cards, and cryptographic technologies and thus have relevance with RFID.
- Processing technologies: technologies that affect how data are handled internally within organisations, embracing both hardware and software technologies.

While such classification can help position RFID as one of a range of technologies that present privacy issues when used in people-based applications it does not indicate the relative significance of these technologies. Unfortunately, much of the attention has been without due consideration of a number of significant associated factors that impact upon the nature and extent to which RFID poses a problem. These factors include:

- Insufficient attention to the positioning of RFID with respect to other technologies and practices that impact upon privacy.
- Insufficient attention to the distinction between privacy and security functions.
- Insufficient understanding of the practicalities of RFID in relation to the scenarios that are presented as examples of privacy and security violation.
- Insuffic