DESIGNING PRIVACY AND SECURITY PROTECTION IN RFID-ENABLED SUPPLY CHAIN

Timon C. Du (1), Waiman Cheung (2), and Sung-Chi Chu (3)
(1) Department of Decision Sciences and Managerial Economics, The Chinese University of Hong Kong, Hong Kong

The 9th International Conference on Electronic Business, Macau, November 30 - December 4, 2009

Abstract

RFID is an automatic identification system that uses radio frequency technology in product tags. The technology greatly enhances the synchronization of the logistics flow and the information flow. Unfortunately, it also raises serious concerns about privacy and security protection, not only for individual use but also for supply chain collaboration. This study proposes an on-demand access control to protect the information flow in an RFID-enabled supply chain. The design considers the role in a supply chain as well as the medium carrying the information. A case study in the garment industry is provided for validation.

Keywords: RFID, EPC, Privacy and Security, Access Control, Supply Chain

Introduction

Radio Frequency Identification (RFID) can be applied to many areas, such as inventory management, theft prevention, asset tracking (people, animals, tools, and vehicles), express checkouts (highway and tunnel payment or luggage checking), location-based information (travel guides or horse racing), and others. The advantages of RFID tags are that, unlike printed barcodes, they do not need a direct "line of sight," and multiple tags can be identified in a short time (from tens to hundreds per second). Moreover, the tags are resistant to dirt, have a large number of unique identifiers, and can be read (and written) by readers without being visible. The disadvantages are that the signals transmitted from the tags can be read by other equipment within range, and interference can occur when more than one reader is transmitting or more than one tag is responding. Possible consumer privacy issues are also a concern.

The growth in the use of RFID, which enables the unique identification of objects and invisible tracking, has given rise to increased concern about the invasion of privacy [1] [2] [3]. As a result, two notable privacy threats to end consumers are the leaking of information pertaining to personal property, and the tracking of the consumer's spending history and patterns and physical whereabouts [4] [5]. Therefore, how can the adoption of RFID technology to improve supply chain management be balanced with privacy protection? The provision of guidelines (discussed in the next section) such as those published by the Ontario Privacy Commissioner [6] and the Japanese Ministry of Public Management, Home Affairs, Post and Telecommunications [7] to protect privacy is a possible, but passive, solution.

The aforementioned guidelines work as instructions about the extent to which privacy should be protected. However, security tools are needed to achieve true data protection. A privacy coin shows the relationship between privacy protection, security boundaries, and security requirements. The security tools should achieve protection from improper access, protection from interference, the integrity of the data, the operational integrity of the data, the semantic integrity of the data, accountability and auditing, user authentication, the management and protection of sensitive data, multi-level protection, and confinement to avoid undesired information transfer between system programs [8]. These tools ensure that information does not flow over the boundary and invade privacy, either explicitly (through placing queries) or implicitly (through inference from related data). The other side of the coin indicates that privacy protection cannot be achieved by security measures alone, but must also feature authentication and non-repudiation, which ensure that data are correctly provided and received.

This study explores the privacy and security issues raised by RFID adoption in the supply chain. There are many new challenges, and our intention is to address the potential privacy and security concerns and to propose a scheme for articulating preferences in the sharing of RFID-based data; such a scheme is the basis for the design and development of a new technology: on-demand access control. Access control is a common term in database security, where it is mainly divided into discretionary security mechanisms and mandatory security mechanisms [9]. Discretionary control specifies the access privileges of users explicitly, while mandatory security mechanisms identify the security levels of both subjects and objects. However, neither model provides a mechanism to prevent information from flowing from authorized to unauthorized users [10]. To support flow control, a model such as the lattice model [11] or the RBAC model can be adopted. In the lattice, the flow relationships are organized into classes, and the data flowing from one class to another are constrained explicitly or implicitly. Role-based access control (RBAC), on the other hand, applies a permission policy based solely on the role of a user at the time of accessing a data source [12] [13]. A role is a function involved in executing a job with certain authority and responsibilities, and is thus suitable for workflow management [14] [15]. Roles are pre-determined for a data source.

For RFID-based data and information sharing between supply chain partners, the access policy is applied based on their relationship, of which the role of the requesting side is only one of many attributes. The access policy is further determined by other relationship attributes, such as long-term vs. one-time and dominant vs. casual, as well as the parties' dual willingness to share. The relationship needs to be determined at the time of sharing, as it changes over time even when the data requestor's role remains unchanged. Hence, one-party, pre-determined, role-based access control is not applicable to the two-party, derived-on-demand, "relationship-based" access control requirement for sharing RFID-based data. We validate the model using a garment supply chain. Interviews with three RFID users were also conducted to verify the model.

RFID Tags and Privacy Protection

In late 1999, a research group, the Auto-ID Center, was set up at the Massachusetts Institute of Technology with sponsors from both the technology sector and industrial giants such as Wal-Mart and P&G. The Center proposed a uniquely identifiable Electronic Product Code (EPC) stored in a medium that follows the new Radio Frequency Identification (RFID) standards. These technologies were then transferred to and commercialized by the non-profit organization EPCglobal Inc. in October 2003.

RFID is an automatic identification technology that uses radio frequencies. An RFID system consists of tags (or labels), readers/antennas, and a backend system or host. There are two kinds of tags: active and passive. Active tags have a built-in battery and can therefore transmit a signal over a longer distance (a 100-meter range), whereas passive tags have no power source of their own but derive power from the incoming electromagnetic waves through their antennae by reflecting the reader's power.

An RFID tag is a good medium to carry and collect data that needs to be shared among supply chain partners. A typical tag contains an EPC, which has four segments (labeled as 'E' in the ensuing sections), and in many cases additional or user memory (labeled as 'A'). Here, we consider RFID tags that are re-writable (e.g., a passive Gen-2 tag). The proposed schemes are intended to guide partners in establishing preferences when sharing data with other partners and external parties, ensuring that privacy is protected and security is guaranteed. The preference of the willing sharing party is derived from the nature of the data in three dimensions: data sensitivity, data location, and data ownership.

The coding scheme of the EPC includes four segments: a header, a general manager number, an object class, and a serial number. The header specifies the structure of the encoding on the tag, allowing encapsulation of other common coding schemes, such as the General Identifier (GID), a serialized version of the EAN.UCC Global Trade Item Number (GTIN), and the EAN.UCC Serial Shipping Container Code (SSCC). The general manager number identifies the company or organization that is responsible for maintaining the next two segments: object class (O) and serial number (S). In general, the combination of the O and S segments can be used to identify a unique item of a product of a company. The EPCglobal Gen2 standard covers UHF RFID tags that are reusable. User memory is also available on some tags (based on designs from TI and NXP) to allow additional data to be stored other than the EPC. The EPCglobal Architecture Framework [16] defines an architectural view of core services, such as ONS, for subscribers of the EPCglobal Network. EPCIS [17], or EPC Information Services, is proposed as the "primary vehicle" for subscribers such as a supply chain partner to exchange data with others (within the EPCglobal Network).

"Privacy is the ability of a person to control the availability of information about, and exposure of, him- or herself." To observe the right to privacy, countries or regions define their own guidelines according to their cultures. A comprehensive guideline comprising eight privacy protection principles, endorsed by 30 countries, was issued by the Organization for Economic Co-operation and Development (OECD) [18]. These guidelines were adapted to protect privacy and the trans-border flow of personal data following the evolution of the Internet. RFID is a new medium that facilitates the flow and subsequent sharing of data via international data repositories. Concerns about the collection, processing, and dissemination of data through this new medium must be considered. The eight basic principles are discussed in the context of RFID adoption next.

(1) Collection Limitation. Data that allows identification should be collected through lawful and fair means with the consent of the data subject. RFID tags should not provide information without the consent of the data subject, and highly sensitive data should be neither carried by nor associated with the EPC on tags. Therefore, an appropriate design of access control and data encryption is crucial to the use of such tags. Similarly, EPCglobal should not provide information to outside parties without the consent of the data subject.

(2) Data Quality. The collected data should be accurate, complete, and kept up to date. Accordingly, only legitimate data should be written to RFID tags, and the data stored in the EPCglobal Network (or Internet EPC-IS) that are associated with the on-tag EPC should be maintained in good quality.

(3) Purpose Specification. Data subjects should be informed of the purpose of the data collection no later than the time of data collection. Since the data in an RFID tag can be collected whenever the tag is read, the data subject(s) must be told of and consent to the purpose of collection as well as the situations in which such collection would occur. That is, even when the encrypted data in the tag can be accessed, the associated data in both the RFID tag and the EPCglobal Network should still be protected if the purpose of use has not been consented to.

(4) Use Limitation. The use of the collected data should conform to the purpose that has been specified. Accordingly, the access control mechanism in the EPCglobal Network should prevent the disclosure of data to parties that do not satisfy the purpose of use, except when the data subject consents to such disclosure.

(5) Security Safeguards. Data should be protected from unauthorized access, destruction, use, modification, or disclosure. As RFID tags are subject to damage as they move across the supply chain, both the owner of the data (on the tag) and the owner of the tag must take precautionary steps to protect the data from unauthorized use, especially overwriting of the data in the tag, which either destroys the data integrity or renders the tag useless. Similarly, the data in the EPCglobal Network should only be accessible to those with special privileges.

(6) Openness. The development, practices, and policies surrounding data should be open to individuals who voluntarily provide personal data. This means that personal or organizational data collected through RFID technology should be accessible in or via the EPCglobal Network to the data owner, whether the owner is an individual or an organization.

(7) Individual Participation. Individuals or organizations should have the right to obtain and communicate with the data collectors, and to challenge and rectify the data. The EPCglobal Network should provide a due process for individuals or organizations to do so.

(8) Accountability. The data collector should be accountable for compliance with these privacy protection principles. The EPCglobal Network should be accountable to both the data collector and individuals (organizations).

Conclusions

Whenever new technology is invented to expedite operations, the issue of invading privacy is always raised, as occurred with the introduction of e-commerce [19] and market research [20]. However, the benefits of new technology can only be enjoyed when a balance between the protection of privacy and operational efficiency is achieved, and this is no less the case with the introduction of RFID.

The objective of this study is to design an appropriate access control scheme that uses security tools to ease concerns about privacy invasion while allowing some degree of information sharing to expedite supply chain collaboration. Companies in a garment supply chain were interviewed to verify the design. A data sensitivity checklist, developed according to the willingness of supply chain partners to share data [21], is used to determine in which of the five locations data should be placed. An access control scheme is then completed and becomes a guideline for a partner to determine and develop preferences for data sharing based on sensitivity, location, partners, and partnership. Each partner can have individual, and likely different, preferences with respect to the same data, owing to its own perception of data sensitivity and willingness to share. Some degree of modification would be needed for different industries.

This study serves as a starting point for privacy- and security-assured RFID-based data sharing, and many issues are not addressed. The proposed privacy and security scheme is a step towards a general solution to RFID privacy issues. Data sharing among supply chain partners is relationship-based, which is multilateral and often involves conflicting sensitivity requirements. Data sensitivity, data locations, and the roles of partners are the major dimensions of the scheme. Future research should develop on-demand "relationship-based" access control, which ensures that multilateral sharing preferences can be satisfied. The scheme helps partners to place RFID-related data in locations such that their privacy and security preferences can be articulated. Tools, such as preference templates and/or a preference specification language, can then be developed for partners to specify their preferences by filling in the scheme. Preference specification by individual partners is an important step towards relationship-based access control. Multilateral data sharing can then be established by on-demand reconciliation of the preferences.

Acknowledgement. This research is partially supported by the Li & Fung Institute of Supply Chain Management & Logistics, The Chinese University of Hong Kong.

References

[1] Bacon, J., Moody, K., and Yao, W. "A Model of OASIS Role-Based Access Control and Its Support for Active Security," ACM Transactions on Information and System Security, 5(4), November 2002, pp. 492-540.
[2] Gunther, O. and Spiekermann, S. "RFID and the perception of control: the consumer's view," Communications of the ACM, 48(9), September 2005, pp. 73-76.
[3] McGinity, M. "RFID: is this game of tag fair play?" Communications of the ACM, 47(1), January 2004, pp. 15-18.
[4] Ohkubo, M., Suzuki, K., and Kinoshita, S. "RFID privacy issues and technical challenges," Communications of the ACM, 48(9), September 2005, pp. 66-71.
[5] Eckfeldt, B. "What does RFID do for the consumer?" Communications of the ACM, 48(9), September 2005, pp. 77-79.
[6] Ontario Privacy Commissioner.
[7] Japanese Ministry of Public Management, Home Affairs, Post and Telecommunications ( news/2004/040608_4.html).
[8] Castano, S., Fugini, M., Martella, G., and Samarati, P. Database Security, ACM Press and Addison-Wesley, Harlow, England, 1995.
[9] Elmasri, R. and Navathe, S. Fundamentals of Database Systems, 3rd ed., Addison-Wesley, Reading, MA, 2000.
[10] Du, T., Lee, E., and Wong, J. "Document access control in organisational workflows," Int. J. Information and Computer Security, 1(4), 2007, pp. 437-454.
[11] Denning, D.E. "A lattice model of secure information flow," Communications of the ACM, 19(5), 1976, pp. 236-243.
[12] Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., and Chandramouli, R. "Proposed NIST Standard for Role-Based Access Control," ACM Transactions on Information and System Security, 4(3), August 2001, pp. 224-274.
[13] Damiani, M.L., Bertino, E., Catania, B., and Perlasca, P. "GEO-RBAC: Spatially Aware RBAC," ACM Transactions on Information and System Security (TISSEC), 10(1), February 2007, pp. 1-42.
[14] Sandhu, R.S. "Lattice-based access control models," IEEE Computer, 26, 1993, pp. 9-19.
[15] Sandhu, R.S., Coyne, E.J., Feinstein, H.L., and Youman, C.E. "Role-based access control models," IEEE Computer, 29, 1996, pp. 38-47.
[16] EPCglobal, "EPCglobal Architecture Framework," Final Version, 1 July 2005 ( ecture/architecture_1_0-standard-20050701.pdf; visited August 28, 2007).
[17] EPCglobal, "EPC Information Services (EPCIS) Version 1.0 Specification," ratified standard, April 12, 2007 ( /epcis_1_0-standard-20070412.pdf; visited August 28, 2007).
[18] OECD, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Organization for Economic Co-operation and Development, 2002.
[19] Volokh, E. "Personalization and privacy," Communications of the ACM, 43(8), August 2000, pp. 84-88.
[20] Laudon, K. "Markets and privacy," Communications of the ACM, 39(9), September 1996, pp. 92-104.
[21] Du, T., Wong, M., Cheung, W., and Chu, S.C. "A Privacy and Security Framework for the EPC Network Infrastructure," BA Working Paper Series, WP-06-02, The Chinese University of Hong Kong, 2006.
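Worked example for the four-segment EPC layout described in the section "RFID Tags and Privacy Protection" (an added example written for this page; it is not code from the paper or from EPCglobal). It implements the GID-96 binary encoding of the EPC Tag Data Standard, in which an 8-bit header of 0x35 is followed by a 28-bit General Manager Number, a 24-bit Object Class and a 36-bit Serial Number; the sample field values are constructed. The last function makes the privacy point of principle (1) concrete: every segment of the 'E' memory is recoverable by any reader in range, which is why sensitive data must not be carried by or keyed to the EPC.

```python
"""GID-96 EPC encode/decode (added example; layout per the EPC Tag Data
Standard: 8-bit header 0x35, then 28-bit General Manager Number, 24-bit
Object Class and 36-bit Serial Number). Sample values are constructed."""
from dataclasses import dataclass
from typing import Dict

GID96_HEADER = 0x35
GID96_BITS = 96
# Fields after the header, most significant first: (name, width in bits)
GID96_FIELDS = (("manager", 28), ("object_class", 24), ("serial", 36))


@dataclass(frozen=True)
class Gid96:
    manager: int        # general manager number: the organization owning O and S
    object_class: int   # O segment: the product / object class
    serial: int         # S segment: the unique item within that class

    def uri(self) -> str:
        """Pure-identity URI form, urn:epc:id:gid:M.C.S."""
        return f"urn:epc:id:gid:{self.manager}.{self.object_class}.{self.serial}"


def encode_gid96(epc: Gid96) -> bytes:
    """Pack header and the three segments into the 12-byte EPC bank value."""
    value = GID96_HEADER
    for name, width in GID96_FIELDS:
        field = getattr(epc, name)
        if not 0 <= field < (1 << width):
            raise ValueError(f"{name}={field} does not fit in {width} bits")
        value = (value << width) | field
    return value.to_bytes(GID96_BITS // 8, "big")


def decode_gid96(raw: bytes) -> Gid96:
    """Unpack a 12-byte EPC bank value; reject anything that is not GID-96."""
    if len(raw) != GID96_BITS // 8:
        raise ValueError("GID-96 is exactly 12 bytes")
    value = int.from_bytes(raw, "big")
    header = value >> (GID96_BITS - 8)
    if header != GID96_HEADER:
        raise ValueError(f"header 0x{header:02x} is not GID-96")
    fields: Dict[str, int] = {}
    shift = GID96_BITS - 8
    for name, width in GID96_FIELDS:
        shift -= width
        fields[name] = (value >> shift) & ((1 << width) - 1)
    return Gid96(**fields)


def what_a_bystander_learns(raw: bytes) -> Dict[str, int]:
    """Everything an unauthenticated reader in range recovers from the 'E'
    segment alone: who issued the tag, what kind of object it is, and a serial
    that lets the same item be recognised again on every later read."""
    epc = decode_gid96(raw)
    return {"issuer": epc.manager, "object_class": epc.object_class,
            "serial": epc.serial}


if __name__ == "__main__":
    # Constructed sample: manager 1, object class 2, serial 3
    tag = encode_gid96(Gid96(manager=1, object_class=2, serial=3))
    print(tag.hex(), decode_gid96(tag).uri(), what_a_bystander_learns(tag))
```

The field widths are fixed by the header, so the decoder can reject a tag whose header byte says it is some other scheme (SGTIN-96, SSCC-96) rather than misread its bits as a GID; a reader that accepts any 96-bit value as a GID would attribute items to the wrong manager.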
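Worked example for the relationship-based, on-demand access control argued for in the Introduction (role is only one attribute; long-term vs. one-time, dominant vs. casual, and dual willingness decide the rest) and for the on-demand reconciliation of partner preferences described in the Conclusions. It is an added example for this page, not the authors' scheme or code: the partner names, the garment data items, the preference values, and the reconciliation rule (the more restrictive of the two parties' caps wins, and only the data owner may release an item) are constructed assumptions. The locations are the 'E' and 'A' tag segments and EPCIS named in the paper; the paper mentions five locations without listing them, so only these three are modelled.

```python
"""Relationship-based, on-demand sharing decision for RFID-based data,
contrasted with a static role-based grant (added example; partners, items,
roles, preference values and the reconciliation rule are constructed)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Tuple


class Sensitivity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Location(Enum):
    TAG_EPC = "E"      # EPC segment on the tag
    TAG_USER = "A"     # additional / user memory on the tag
    EPCIS = "EPCIS"    # the owner's EPC Information Services


RelKind = Tuple[bool, bool]  # (long_term, dominant)


@dataclass(frozen=True)
class DataItem:
    name: str
    owner: str                # partner whose general manager number issued it
    sensitivity: Sensitivity
    location: Location


@dataclass(frozen=True)
class Relationship:
    requester: str
    provider: str
    long_term: bool           # long-term vs one-time
    dominant: bool            # dominant vs casual partnership

    @property
    def kind(self) -> RelKind:
        return (self.long_term, self.dominant)


@dataclass
class Preference:
    """One partner's preference for one item: the highest sensitivity it will
    share (as provider) or accept (as requester) per relationship kind, and the
    locations it is willing to serve or read the item from."""
    caps: Dict[RelKind, Sensitivity]
    locations: FrozenSet[Location]

    def cap(self, kind: RelKind) -> Sensitivity:
        return self.caps.get(kind, Sensitivity.LOW)  # unknown kind: share least


Prefs = Dict[Tuple[str, str], Preference]  # (partner, item name) -> preference


def rbac_allowed(grants: FrozenSet[Tuple[str, str]], role: str, item: DataItem) -> bool:
    """Static RBAC: the answer depends only on the requester's pre-determined role."""
    return (role, item.name) in grants


def relationship_allowed(item: DataItem, rel: Relationship, prefs: Prefs) -> Tuple[bool, str]:
    """On-demand decision: both parties' preferences are reconciled at request time."""
    # Ownership: only the owner releases an item, so a partner that was allowed
    # to read it cannot pass it on (the authorized-to-unauthorized flow).
    if rel.provider != item.owner:
        return False, "provider is not the data owner"
    key_p, key_r = (rel.provider, item.name), (rel.requester, item.name)
    if key_p not in prefs or key_r not in prefs:
        return False, "a party has no preference on file for this item"
    p, r = prefs[key_p], prefs[key_r]
    # Dual willingness: the more restrictive of the two caps wins.
    cap = min(p.cap(rel.kind), r.cap(rel.kind), key=lambda s: s.value)
    if item.sensitivity.value > cap.value:
        return False, f"{item.sensitivity.name} exceeds reconciled cap {cap.name}"
    if item.location not in (p.locations & r.locations):
        return False, f"no agreement to share via location {item.location.value}"
    return True, "allowed"


def cap_table(long_dominant, long_casual, once_dominant, once_casual) -> Dict[RelKind, Sensitivity]:
    return {(True, True): long_dominant, (True, False): long_casual,
            (False, True): once_dominant, (False, False): once_casual}


# Constructed garment-chain sample: a garment maker, a retailer and a fabric mill.
S, L = Sensitivity, Location
STYLE_CODE = DataItem("style_code", "Garment", S.MEDIUM, L.TAG_USER)
UNIT_COST = DataItem("unit_cost", "Garment", S.HIGH, L.EPCIS)
PREFS: Prefs = {
    ("Garment", "style_code"): Preference(cap_table(S.HIGH, S.MEDIUM, S.MEDIUM, S.LOW), frozenset({L.TAG_USER, L.EPCIS})),
    ("Retailer", "style_code"): Preference(cap_table(S.HIGH, S.HIGH, S.MEDIUM, S.MEDIUM), frozenset({L.TAG_USER, L.EPCIS})),
    ("Garment", "unit_cost"): Preference(cap_table(S.MEDIUM, S.MEDIUM, S.LOW, S.LOW), frozenset({L.EPCIS})),
    ("Retailer", "unit_cost"): Preference(cap_table(S.HIGH, S.HIGH, S.HIGH, S.HIGH), frozenset({L.EPCIS})),
}
RBAC_GRANTS = frozenset({("retailer", "style_code")})


def demo() -> Dict[str, bool]:
    """Same requester role, different relationship: RBAC cannot tell them apart."""
    long_term = Relationship("Retailer", "Garment", long_term=True, dominant=True)
    one_time = Relationship("Retailer", "Garment", long_term=False, dominant=False)
    reshare = Relationship("Mill", "Retailer", long_term=True, dominant=True)
    return {
        "rbac_long_term": rbac_allowed(RBAC_GRANTS, "retailer", STYLE_CODE),
        "rbac_one_time": rbac_allowed(RBAC_GRANTS, "retailer", STYLE_CODE),
        "rel_long_term": relationship_allowed(STYLE_CODE, long_term, PREFS)[0],
        "rel_one_time": relationship_allowed(STYLE_CODE, one_time, PREFS)[0],
        "rel_reshare_to_mill": relationship_allowed(STYLE_CODE, reshare, PREFS)[0],
        "rel_unit_cost": relationship_allowed(UNIT_COST, long_term, PREFS)[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22s} {'allow' if verdict else 'deny'}")
```

The decision is recomputed on every request from both parties' current preferences, so when the retailer's relationship with the garment maker changes from long-term to one-time the same role gets a different answer, and the ownership check keeps the retailer from relaying the maker's data to the mill even though the retailer was itself allowed to read it.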