The IT Law Wiki


RFID (an acronym for Radio Frequency IDentification) is an automatic identification technology, similar in concept to a bar code. It is

  • an analog-to-digital conversion technology that uses radio frequency waves to transfer data between a moveable subject and a radio frequency waves reader to identify, track or locate that subject.[1]
  • an automatic identification method that stores and remotely retrieves data via an RFID tag or transponder. An RFID programmer encodes information onto a tiny microchip within a thin RFID inlay. In supply chain applications, these inlays typically are embedded in a tag that looks similar to pressure sensitive labels. RFID inlays can be applied to a wide variety of NoTs. RFID technology offers security and reliability features that enhance trustworthiness in IoT ecosystems.[2]


"The RFID system can be used to identify objects, such as manufactured goods, animals, or people that have a RFID tag affixed to it. The tag has a unique identifier and may optionally hold additional information about the object."

RFID is one of a group of automatic identification and data capturing technologies which also includes bar codes, biometrics, magnetic stripes, optical character recognition, smart cards, voice recognition and similar technologies.[3]

How it works

RFID devices have three primary elements: a chip, an antenna, and an RFID reader. A fourth important part of any RFID system is the database where information about tagged objects is stored. An RFID system can be used to identify many types of objects, such as manufactured goods, animals, and people. Each object that needs to be identified has a small object known as an RFID tag affixed to it or embedded within it. The tag has a unique identifier and may optionally hold additional information about the object.

The chip

The chip, usually made of silicon, contains information about the item to which it is attached. Chips used by retailers and manufacturers to identify consumer goods may contain an Electronic Product Code (EPC). The EPC is the RFID equivalent of the familiar universal product code (UPC), or bar code, currently imprinted on many products. Bar codes must be optically scanned, and contain only generic product information. By contrast, each EPC chip is encoded with a unique product code that identifies the individual product to which it is attached, and can be read using radio frequency. These codes contain the type of data that product manufacturers and retailers will use to track the authenticity and location of goods throughout the supply chain.

An RFID chip may also contain information other than an EPC, such as biometric data (a digitized image of a fingerprint or photograph, for example). In addition, some chips may not be loaded with information uniquely identifying the tagged object at all; so-called "electronic article surveillance systems" (EAS) may utilize radio frequency communication to combat shoplifting, but not to uniquely identify individual items.

The antenna

The antenna attached to the chip is responsible for transmitting information from the chip to the RFID reader, using radio waves. Generally, the bigger the antenna, the longer the read range. The chip and antenna combination is referred to as a transponder or, more commonly, as a tag.

The reader

The RFID reader, or scanning device, also has its own antenna, which it uses to communicate with the tag. Readers vary in size, weight, and power, and may be mobile or stationary. Although anyone with access to the proper reader can scan an RFID tag, RFID systems can employ authentication and encryption to prevent unauthorized reading of data.

"Reading" tags refers to the communication between the tag and reader via radio waves operating at a certain frequency. In contrast to bar codes, one of RFID's principal distinctions is that tags and readers can communicate with each other without being in each other's line-of-sight. Therefore, a reader can scan a tag without physically "seeing" it. Further, RFID readers can process multiple items at one time, resulting in a much-increased (again as compared to UPC codes) "speed of read."

The database

The database, or other back-end logistics system, stores information about RFID-tagged objects. Access to both a reader and its corresponding database is necessary before information stored on an RFID tag can be obtained and understood. In order to interpret such data, RFID readers must be able to communicate with a database or other computer program.

Additional information

RFID technologies support a wide range of applications — everything from asset management and tracking to access control and automated payment.

Every RFID system includes a radio frequency (RF) subsystem, which is composed of tags and readers. In many RFID systems, the RF subsystem is supported by an enterprise subsystem that is composed of middleware, analytic systems, and networking services. RFID systems that share information across organizational boundaries, such as supply chain applications, also have an inter-enterprise subsystem.

Each RFID system has different components and customizations so that it can support a particular business process for an organization; as a result, the security risks for RFID systems and the controls available to address them are highly varied. The enterprise and inter-enterprise subsystems involve common IT components such as servers, databases, and networks and therefore can benefit from typical IT security controls for those components.

Early applications of RFID include automatic highway toll collection, supply-chain management (for large retailers), pharmaceuticals (for the prevention of counterfeiting) and e-health (for patient monitoring). More recent applications range from sports and leisure (ski passes) to personal security (tagging children at schools). RFID tags are even being implanted under human skin for medical purposes, but also for VIP access to bars like the Baja Beach Club in Barcelona. E-government applications such as RFID in drivers’ licences, passports or cash are under consideration. RFID readers are now being embedded in mobile phones.[4]

Privacy implications

RFID systems support a large variety of business processes, not all of which involve personal privacy. Examples of RFID systems that likely do not have privacy considerations include those supporting industrial processes, animal tracking, and asset management systems in which the assets are never associated with individuals during their life cycle.

However, RFID technologies involve the transmission of information through the open air. When these technologies are used to transfer PII or are associated in any way with individuals, they raise privacy issues regarding surveillance and involuntary identification. The broadcast nature of the transmission and the association of that data traffic with an individual raise privacy concerns as well.

Privacy considerations exist when the system uses, collects, stores, or discloses personal information. An RFID system might use or disclose personal information in one of several ways:

  • Personal information such as a name or account number may be stored on the tag or in a database in the enterprise subsystem.
  • A tag may be associated with a personal item such as a blood sample, a bottle of prescription medicine, or a folder of legal documents that might be outside of the individual’s possession.
  • A tag may be associated with an item that often travels with an individual, such as a tagged box or a vehicle part in an automobile or truck the individual often drives.

The RFID system does not have to store personal information to have privacy implications. For example, the tag on a bottle of prescription medicine may identify the drug in the bottle, but not the identity of the person for whom the prescription was written. Nonetheless, the individual taking the medicine may still perceive the possession of the drug as personal information if scanned and read by another, as it might reveal information about a medical condition that the individual considers private.

Similarly, the individual does not have to own a tagged item for the RFID system to have privacy implications. For example, if an employee carries an employer-tagged computer or tools, then RFID technology potentially could be used to track the employee’s whereabouts. The employee may agree to be on-call after business hours but could consider his or her location during those times as personal information.

While the concepts of privacy and PII are not new, RFID technology is an example of a technology that introduces new complexity to the landscape of privacy considerations for several reasons. For example, RFID technology increases the likelihood that someone can create PII through indirect means. RFID technology creates opportunities to record, store, and process item-specific information related to business transactions more easily than ever before. In addition, the breadth of items in everyday life that will be incorporated into RFID systems is expected to increase in the coming years. The increase in the coverage of information systems in our daily life combined with the increase of the level of detail of information in those systems will likely create new opportunities for combining data elements to generate PII. Advances in Internet search and data mining software also will facilitate the ability to capture PII from large volumes of what previously might have been considered uncorrelated data. All of these trends can occur even if PII is not recorded on tags themselves.

Several inherent features of RFID tags make enforcement of privacy controls more difficult than traditional information technology systems. Organizations may face challenges enforcing privacy policies when they cannot be coupled with effective security controls. RFID uses wireless communication, which is more vulnerable to eavesdropping and other attacks than the wired systems on which most traditional IT systems reside. In many applications, RFID tags will travel between organizations and often will be found in public areas, which means they cannot benefit from physical security commonly provided to most traditional IT systems. In general, RFID computing resources are limited and are not capable of implementing sophisticated technical controls. As this document describes, many techniques exist to mitigate these security and privacy risks, and these are expected to improve over time.

However, the economics of many RFID applications will require low cost tags with limited functionality, which has significant implications for privacy protections. Finally, in many applications, especially those involving passive tags, identifiers can live beyond the usefulness of the application for which they were intended, but still may store PII or be used to generate PII when combined with other data. While traditional IT systems have well-established policies and procedures for the retention and destruction of data, destroying or disabling tags may be infeasible once they are outside the control of the organization managing the RFID system.

RFID technology may introduce new privacy considerations that are not fully understood today. Privacy regulation and principles evolve to meet the demands of new IT systems. For instance, technical advances such as the Internet, electronic databases, and analytic system software have made the collection and sharing of PII easier than it was in a world of paper files. RFID technology further extends the reach of IT systems and the collection and sharing of information that might be considered personal. While today RFID readers typically are located in designated locations to support a particular business process, in the future readers may be ubiquitous and capable of supporting multiple objectives.

For example, today an RFID system might be implemented to provide access control to a facility using RFID-enabled badges. Badge holders are unlikely to possess other tagged items. In the future, badge holders may routinely carry a number of tagged items, and the badge reader may be used to scan them and create a profile as well as authenticate the badge. The data collected might be shared with third parties for justifiable business needs and with legitimate data sharing agreements. The systems might be implemented with disclosure and consent, but may not be effective because individuals and organizations cannot reasonably understand all the potential uses of the data or predict what type of transactions might create PII through indirect inference. For these reasons, new privacy tools and concepts may need to be developed to address the complexity introduced by RFID technology.
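The indirect creation of PII described above, and the badge-reader scenario in particular, can be measured in a privacy assessment of reader logs. The following is an added example, not part of the original article: the log format, tag names, function names and thresholds are all hypothetical, and the data is constructed. It flags item tags that become tied to a person purely through repeated co-occurrence with that person's badge, and shows that a reader which discards non-badge reads leaves nothing to link.

```python
from collections import defaultdict

# Constructed sample data. Only the badge table holds PII; item tags carry none.
BADGE_OWNER = {"B1": "employee-A", "B2": "employee-B"}
READS = [  # (unix_seconds, reader_id, tag_id)
    (0, "door-1", "B1"), (1, "door-1", "T-PALLET"),
    (2, "door-1", "T-LAPTOP"), (3, "door-1", "T-RX"),
    (3600, "lab-2", "B1"), (3601, "lab-2", "T-LAPTOP"), (3602, "lab-2", "T-RX"),
    (7200, "door-1", "B2"), (7201, "door-1", "T-PALLET"),
    (9000, "lab-2", "B2"), (9003, "lab-2", "T-TOOLKIT"),
]


def linkable_tags(reads, badge_owner, window_s=5, min_readers=2):
    """Return {person: [item tags]} for tags that travel with a person's badge.

    An item tag counts as linkable when it is read within window_s seconds of
    the same badge at min_readers or more distinct readers. A tag that merely
    sits next to one reader (a pallet by the door) stays below the threshold.
    """
    by_reader = defaultdict(list)
    for ts, reader, tag in reads:
        by_reader[reader].append((ts, tag))

    seen_at = defaultdict(set)  # (person, item tag) -> readers of co-occurrence
    for reader, events in by_reader.items():
        badges = [(ts, tag) for ts, tag in events if tag in badge_owner]
        items = [(ts, tag) for ts, tag in events if tag not in badge_owner]
        for b_ts, badge in badges:
            for i_ts, item in items:
                if abs(i_ts - b_ts) <= window_s:
                    seen_at[(badge_owner[badge], item)].add(reader)

    result = defaultdict(list)
    for (person, item), readers in seen_at.items():
        if len(readers) >= min_readers:
            result[person].append(item)
    return {person: sorted(tags) for person, tags in result.items()}


def badge_only(reads, badge_owner):
    """Data minimisation at the reader: keep badge reads, discard all others."""
    return [r for r in reads if r[2] in badge_owner]


if __name__ == "__main__":
    print("full log:  ", linkable_tags(READS, BADGE_OWNER))
    print("badge-only:", linkable_tags(badge_only(READS, BADGE_OWNER), BADGE_OWNER))
```
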


