RFID Technologies: Emerging Issues, Challenges and Policy OptionsAuthors: Marc van Lieshout, Luigi Grossi, Graziella Spinelli, Sandra Helmus, Linda Kool, Leo Pennings, Roel Stap, Thijs Veugen, Bram van der Waaij, Claudio Borean. Editors: Ioannis Maghiros, Pawel Rotter, Marc van Lieshout EUR 22770 EN - 2007
RFID Technologies:Emerging Issues,Challenges andPolicy OptionsInstitute for Prospective Technological Studies2007EUR 22770 EN
RFID technologies AcknowledgementsEditors: Ioannis Maghiros, European Commission – DG JRC – IPTS Pawel Rotter, European Commission – DG JRC – IPTS Marc van Lieshout, TNOAuthors: Marc van Lieshout, TNO Luigi Grossi, Telecom Italia Graziella Spinelli, Telecom Italia Sandra Helmus, TNO Linda Kool, TNO Leo Pennings, TNO Roel Stap, TNO Thijs Veugen, TNO Bram van der Waaij, TNO Claudio Borean, Telecom ItaliaOther Contributors: Other experts participating in the validation workshop which took place on 3 October 2006 in Ams-terdam: Gaynor Backhouse, Intelligent Content, UK Ruud Beugelsdijk, College Bescherming Persoonsgegevens, The Netherlands Massimo Bolchini, INDICOD, Italy Paula Bruening, Center for Democracy and Technology, USA Lew Claiborne, RF SAW Inc., USA Bruno Crispo, Free University Amsterdam, The Netherlands Florent Frederix, European Commission Richard Foggie, Department of Trade and Industry, UK Jeroen van den Hove, Technical University of Delft, The Netherlands Britta Oertel, Institut for Zukunftstudien und Technologiebewertung, Germany Technical Report Series Bart Schermer, ECP.nl and RFID Platform, The Netherlands Jeroen Terstegge, Royal Philips BV, The Netherlands Daniel Tijink, Department of Economic Affairs, The Netherlands 3
RFID technologies Table of contentsList of figures.................................................................................................................................. 9List of tables ................................................................................................................................... 11List of boxes ................................................................................................................................... 13Executive summary ........................................................................................................................ 15Preface ........................................................................................................................................... 21Structure of the report ................................................................................................................... 23Part one: RFID technologies........................................................................................................... 271. RFID technologies: system features and future technologies...................................................... 29 1.1. Introduction........................................................................................................................ 29 1.2. RFID system features .......................................................................................................... 30 1.3. RFID Infrastructure elements............................................................................................... 34 1.4. RFID middleware ............................................................................................................... 35 1.5. Organizations developing international standards............................................................... 36 1.6. Future tagging technologies ................................................................................................ 37 1.7. Potential challenges of RFID implementation ..................................................................... 402. Spectrum Allocation................................................................................................................... 41 2.1. Regulatory status for using RFID ......................................................................................... 42 2.2. Efficient use of spectrum allocation (RFID, WiFi, ZigBee).................................................... 433. RFID Standards .......................................................................................................................... 45 3.1. EPCglobal ........................................................................................................................... 45 3.2. International Organization for Standardization (ISO)........................................................... 47 3.3. ISO/IEC 14443.................................................................................................................... 50 3.4. European Telecommunications Standardization Institute – ETSI .......................................... 50 3.5. Conformance testing........................................................................................................... 52 Technical Report Series 3.6. Interoperability Issues ......................................................................................................... 524. RFID technologies: RFID system features ................................................................................... 53 4.1. The RFID systems perspective............................................................................................. 53 4.2. RFID system perspective ..................................................................................................... 54 4.3. RFID lifecycle description................................................................................................... 61 4.4. Typology of RFID usages..................................................................................................... 64 5 4.5. RFID usage in business domains ......................................................................................... 70 4.6. Summary and conclusions .................................................................................................. 71
Table of contents Part two: Market perspectives and socio-economic issues ............................................................. 73 5. RFID market perspectives .......................................................................................................... 75 5.1. Actors and stakeholders ...................................................................................................... 75 5.2. Market key drivers .............................................................................................................. 85 5.3. Strengths, weaknesses, opportunities, threats ...................................................................... 88 5.4. Market forecasts and trends ................................................................................................ 89 5.5. RFID patents ....................................................................................................................... 92 5.6. RFID and SMEs ................................................................................................................... 94 6. Socio-economic aspects of RFID ................................................................................................ 95 6.1. Framework of the study ...................................................................................................... 95 6.2. Methodology and reading guide ......................................................................................... 95 6.3. Theoretical framework on adoption and diffusion of technology ........................................ 96 6.4. Trust and acceptance of RFID technology ........................................................................... 99 6.5. Diffusion and adoption of RFID .......................................................................................... 104 6.6. RFID: Employment, training and education ........................................................................ 112 6.7. Conclusions and recommendations .................................................................................... 115 7. Privacy aspects of RFID.............................................................................................................. 119 7.1. Introduction........................................................................................................................ 119 7.2. The sensitivity of RFID towards privacy infringements ........................................................ 119 7.3. Privacy in RFID systems...................................................................................................... 121 7.4. Privacy threats within the tag-reader system ....................................................................... 123 7.5. Privacy threats at the backend of the RFID system .............................................................. 124 7.6. Open and closed RFID systems .......................................................................................... 125 7.7. Strategies to cope with the privacy threats .......................................................................... 126 7.8. Privacy laws ....................................................................................................................... 126 7.9. Self–regulation.................................................................................................................... 128 7.10. Technical solutions ........................................................................................................... 130 7.11. Conclusions ...................................................................................................................... 132 8. Security aspects of RFID ............................................................................................................ 133 8.1. General overview of RFID security threats .......................................................................... 133 Technical Report Series 8.2. Security threats for the tag .................................................................................................. 133 8.3. Security threats for the air interface..................................................................................... 133 8.4. Security threats for the reader ............................................................................................. 134 8.5. Security measures for the tag .............................................................................................. 135 8.6. Security measures for the air interface ................................................................................ 136 8.7. Security measures for the reader ......................................................................................... 1366 8.8. Security measures for other parts of RFID systems............................................................... 137 8.9. General security evaluation of RFID ................................................................................... 137 8.10. RFID security challenges in a broader perspective ............................................................ 139
RFID technologies 8.11. Security aspects of RFID in EU-research projects............................................................... 142 8.12. Conclusion ....................................................................................................................... 146Part three: RFID case studies.......................................................................................................... 1499. Searching the dynamics of RFID-practices ................................................................................. 151 9.1. Selecting the appropriate cases ........................................................................................... 152 9.2. Main conclusions from the case-studies.............................................................................. 15410RFID in animal tagging .............................................................................................................. 159 10.1. Overview RFID in animal tagging ..................................................................................... 160 10.2. Illustrative examples ......................................................................................................... 163 10.3. EU activities in animal tracking ........................................................................................ 163 10.4. European legislation ......................................................................................................... 168 10.5. Discussion of EU approach............................................................................................... 170 10.6. US approach to electronic identification........................................................................... 170 10.7. Discussion ........................................................................................................................ 17211. RFID in healthcare ................................................................................................................... 175 11.1. Description of cases.......................................................................................................... 176 11.2. RFID applied to objects: medication and equipment traceability....................................... 176 11.3. RFID applied to objects: services operation support .......................................................... 178 11.4. RFID for people identification and localization in healthcare............................................ 179 11.5. Lessons to learn ................................................................................................................ 181 11.6. Recommendations for European policy............................................................................. 18212. RFID in the ICT-sector.............................................................................................................. 183 12.1. Description of cases ......................................................................................................... 183 12.2. Drivers and barriers: lessons to learn for Europe ............................................................... 18713. RFID in identity cards .............................................................................................................. 189 13.1. Overview of RFID in identity cards ................................................................................... 189 13.2. RFID in e-passports........................................................................................................... 191 13.3. RFID and identity cards in EU........................................................................................... 197 Technical Report Series 13.4. Financial institutions cards ............................................................................................... 199 13.5. Discussion ........................................................................................................................ 20114. RFID in Public transport........................................................................................................... 205 14.1. RFID in public transport ................................................................................................... 206 14.2. Case 1: the Netherlands.................................................................................................... 208 7 14.3. Case 2: London ................................................................................................................ 213 14.4. Case 3: Venice.................................................................................................................. 217 14.5. Discussion ........................................................................................................................ 218
Table of contents Part four: Policy analysis and recommendations ............................................................................ 223 15. Policy analysis and recommendations ...................................................................................... 225 15.1. European RFID stakeholders and markets ......................................................................... 225 15.2. EU-wide benefit of RFID ................................................................................................... 227 15.3. Issues for public policy intervention ................................................................................. 229 15.4. Policy options to further research needs............................................................................ 235 15.5. Policy recommendations .................................................................................................. 237 Annex 1: References....................................................................................................................... 243 Annex 2: Acronyms ........................................................................................................................ 249 Annex 3: Regulatory status RFID in the UHF spectrum.................................................................. 251 Annex 4: Self regulation: guidelines and code of practices............................................................. 255 Annex 5: European activities in E-passports ................................................................................... 259 Annex 6: Overview on ID documents in Europe ............................................................................ 261 Annex 7: RFID in European public transport projects .................................................................... 263 Annex 8: RFID pilots and trials within the EU and the US.............................................................. 265 Annex 9: Full contents.................................................................................................................... 267 Technical Report Series8
RFID technologies List of figuresFigure 1-1 Diagram describing operation of the RFID system. .................................................... 30Figure 1-2 Passive and active RFID tags packages ...................................................................... 31Figure 1-3 Frequency used by RFID systems............................................................................... 32Figure 1-4 RFID middleware – ALE layer as defined by EPCGlobal ............................................ 35Figure 1-5 Surface Acoustic Wave (SAW) Tags............................................................................ 38Figure 3-1 RFID frequencies and relevant standards ................................................................... 45Figure 4-1 Positioning of RFID-system........................................................................................ 53Figure 4-2 Classification of technologies around RFID ............................................................... 55Figure 4-3 NFC architecture ....................................................................................................... 59Figure 4-4 RFID lifecycle........................................................................................................... 62Figure 4-5 3-tier reference model ............................................................................................... 64Figure 4-6 Application usage model........................................................................................... 67Figure 5-1 RFID value chain....................................................................................................... 76Figure 5-2 Map of RFID offering actors....................................................................................... 77Figure 5-3 RFID applications evolution ...................................................................................... 86Figure 5-4 Average TAG price per application 2006-2016.......................................................... 87Figure 5-5 Technologies appropriate to the different level of TAG cost and volume.................... 87Figure 5-6 RFID hype cycle........................................................................................................ 89Figure 5-7 RFID, worldwide size and growth, 2004-2010 .......................................................... 90Figure 5-8 Total RFID market projections 2006-2016 ................................................................. 91Figure 5-9 RFID tag market forecast ........................................................................................... 91Figure 5-10 IDTechEx (elaboration) and Gartner forecasts comparison ......................................... 92Figure 5-11 Total spend on RFID systems, service and tags by territory......................................... 92Figure 6-1 Innovation diffusion process theory ........................................................................... 97Figure 6-2 Revised innovation diffusion model........................................................................... 98 Technical Report SeriesFigure 6-3 Technology acceptance model .................................................................................. 98Figure 6-4 Unified theory of acceptance and use of technology ................................................. 99Figure 7-1 Abstract view on privacy risks in EPC network .......................................................... 122Figure 8-1 A general RFID architecture....................................................................................... 134Figure 8-2 Relationship of RFID research projects to policy issues.............................................. 143Figure 8-3 RFID projects by application area.............................................................................. 143 9Figure 8-4 Roadmap: towards a RFID policy in Europe .............................................................. 145Figure 9-1 Expected diffusion of RFID tags, 2006-2016. ............................................................. 151Figure 9-2 Expected value of RFID tags in different application domains.................................... 153
List of figures Figure 11-1 Functionality of the Assetrac system .......................................................................... 177 Figure 11-2 Attitude of patients towards monitoring vital functions .............................................. 180 Figure 12-1 CocaCola RIFD equipped automate, ready for NFC use ............................................ 185 Figure 12-2 Functionalities of JTON mobile wallet ....................................................................... 186 Figure 14-1 Actors involved in RFID in Dutch public transport .................................................... 209 Figure 14-2 Various service levels as distinguished by TLS (PoS: Point of Sale) ............................. 211 Figure 14-3 Actors in the London oyster transport ticketing project .............................................. 215 Figure 14-4 Venice public transport boat...................................................................................... 217 Figure 15-1 Position of EU countries in adopting RFID................................................................. 226 Figure 15-2 SWOT analysis of EU-wide implementation of RFID ................................................. 228 Figure 15-3 RFID systems approach ............................................................................................. 229 Technical Report Series10
RFID technologies List of tablesTable 1-1 Frequency bands and applications ............................................................................ 31Table 2-1 RFID frequency bands and applications .................................................................... 41Table 2-2 EU27 UHF spectrum allocation................................................................................. 42Table 2-3 UHF spectrum allocation in other Europe countries .................................................. 43Table 3-1 EPCglobal protocol.................................................................................................... 46Table 4-1 RFID tag types versus identification, location and state.............................................. 62Table 5-1 SWOT analysis of RFID market perspectives ............................................................. 88Table 5-2 Patent ownership summary (RFID Journal Live) ......................................................... 93Table 6-1 Phases in the development of innovation diffusion processes .................................... 97Table 6-2 Factors contributing to trust ....................................................................................... 101Table 6-3 Factors contributing to perceived risk ........................................................................ 102Table 6-4 Overview of retailer advantages and disadvantages................................................... 106Table 6-5 Overview consumer benefits and drawbacks............................................................. 108Table 6-6 Potential benefits of RFID-applications in various application areas .......................... 110Table 7-1 Consumer concerns related to RFID. ......................................................................... 120Table 7-2 The impact on privacy from RFID vs other technologies – Europe ............................. 121Table 7-3 Direct and indirect privacy threats, originating from RFID-systems ............................ 123Table 8-1 Summary of security evaluation................................................................................. 138Table 8-2 Security risks per application area ............................................................................. 140Table 9-1 Distribution of cases over societal domains ............................................................... 151Table 9-2 Characteristics of RFID application domains ............................................................. 152Table 9-3 Summary of findings from the case-studies ................................................................ 154Table 10-1 Distribution of cases in animals and farming over worldwide regions........................ 160Table 10-2 Distribution of cases in animals and farming within countries of Europe ................... 161Table 10-3 European cases animal identification and tracking. .................................................. 162Table 10-4 Overview of electronic identification devices used in IDEA project ........................... 164 Technical Report SeriesTable 10-5 European regulations and directives on (electronic) identification ............................. 168Table 11-1 Evolution of RFID use in healthcare........................................................................... 175Table 11-2 Distribution of cases of RFID in healthcare................................................................ 176Table 12-1 Distribution of RFID cases over worldwide region..................................................... 184Table 13-1 Applications domains for RFID in identity cards. ....................................................... 190Table 14-1 Distribution of Sony FeliCa card in public transport in Asia....................................... 206 11Table 15-1 Overview of issues for public policy intervention ...................................................... 230Table 15-2 Overview of actor related policy issues .................................................................... 234Table 15-3 Overview of research issues ...................................................................................... 236
RFID technologies List of boxesBox 7-1 1980 OECD guidelines on the protection of privacy and transborder flows of personal data. ..................................................................... 126Box 7-2 Privacy guidelines by centre for democracy and technology working group on RFID. ................................................................... 129Box 7-3 Enforcement of compliance of RFID with fair information principles ......................... 131 Technical Report Series 13
RFID technologies Executive summary Radio Frequency Identification (RFID) technology, an enabling technology for automatic identificationbased on radio waves, will impact the daily lives of European citizens in many different ways. Minusculedevices, called RFID tags are attached to objects and emit information which aptly positioned readers maycapture wirelessly. Such tags and readers come in various shapes and forms, have technological capabili-ties that can open up new application areas and are already in use to improve efficiency and reliability. Theyalso facilitate the coupling of the physical reality to the virtual world, infusing it with digital functionalityand triggering the move towards the so called Knowledge Society. The technology is complex but mature enough for immediate deployment. However, due to its en-abling character, it is still under constant evolution – as is evidenced by the increasing number of RFID re-lated patents (65% increase in 2004). The RFID market is still in its infancy with most applications not beinglarge-scale and the forecasted economic benefits (Return-on-Investment) still unclear. However, the tech-nology providers’ market for RFID is global and Europe houses a few of the world’s strongest RFID suppli-ers. At the same time the end-user market is specialised in diverse application areas, mainly local andusually dependent on emerging opportunities in the public sector domain. Technology Consultants IDTechExpredict that in 2007 a total of 1.7 billion tags will be sold and that the global RFID market value (includingall hardware, systems, integration etc) will be 3.8 billion Euros, rising to 21,3 billion Euros by 20171. Many Europeans already use RFID-equipped cards to access, for instance, their work premises or payfor their public transport fare. The technology is also successfully used for animal tagging, in order to pro-tect the consumers from a host of animal diseases or help them trace their lost pets, and as anti-fraud pro-tection in luxury items. RFID technology is forecasted to spread rapidly over the next decade as soon as tagcosts fall enough to allow item-level-tagging. In addition to private sector activities, there are ongoing ini-tiatives both at European and Member State level which demonstrate, on the one hand, an overall compa-rable activity to that of the US but on the other considerable differences (in magnitude and speed of uptake)among EU countries. Early adopters are expecting to gain considerable experience on which they antici-pate commercial profits, while laggards hope to be able to avoid ‘teething problems’. However, the massive adoption of RFID introduces challenges such as concerns over possible eaves-dropping over the air interface or over the potential danger of privacy abuses as a result of the ubiquitous,silent and invisible character of the technology. The European Consultation process (over 2000 participants)highlighted the fact that inadequate privacy safeguards will impact acceptance of RFID negatively; trust isthus a major issue. There are also other issues to be addressed at European level: those related to raisingconsensus on standards, achieving cross-border and cross-sector interoperability and adequate spectrum al-location in order to increase the agility of the market. It is very important for Europe to be prepared forrapid deployment in RFID and also to implement initiatives which will allow European citizens to benefit Technical Report Seriesfrom this new technology while avoiding the risks it carries.Objective and scope of the RFID study A study on “RFID-Technologies: Emerging issues, Challenges and Policy options” was commissionedby the European Commission’s DG Joint Research Centre, Institute for Prospective Technological Studies(DG JRC-IPTS) to further investigate RFID technologies and their socio-economic implications. The studylooked at technological, market, societal and legal issues so as to identify and analyse barriers and oppor- 151 Data published at: http://www.the-infoshop.com/study/ix49177-rfid.html
Executive summary tunities for Europe, in order to propose policy options focussing on European citizens’ needs. The summary that follows presents the major policy options proposed, a European SWOT analysis, the main issues analysed and the structure of the report that follows. European SWOT for RFID deployment The study has identified, mainly through the analysis of the specific application areas, related strengths, weaknesses, threats and opportunities for Europe. Although, it is unlikely that all EU countries will be able to equally benefit from item-level-tagging applications due to the diversity in the structure of their manu- facturing sectors, it is expected that they will all be able to profit from human-centred applications. In health, public transport and animal tracking areas, RFID enable the alignment of information processes that allow considerable efficiency gains and improved end-user convenience (e.g. increased safety in the sensitive health area, more efficient supply and use of public transport means, locating animals). Law enforcement is driving RFID take up in animal tracking and more secure travel documents and RFID is expected to have a positive impact on national security and the fight against terrorism. The table below summarises the find- ings: Strengths Weaknesses - Europe houses part of the big RFID suppliers; - Many European countries with only marginal attention - High market potential; for RFID; - Leading EU countries with RFID focused attention (UK, - No level-playing field for RFID across countries; France, Germany, The Netherlands, Italy); - No harmonised frequency policy in the EU; - Focus of attention comparable to USA. - Vulnerable image of RFID - Trust issue. Opportunities Threats - Increasing efficiency of production, trade and services; - High initial and high transition costs; - Creation of new services, new workplaces; - Rapid technological evolution may help displace a - Spur for economic development technology before it is widely adopted; - Increased convenience in citizens’ everyday life; - High hidden costs (societal and organisational such as for training and education); - Increased security, reliability and trust; - Possible job losses due to wide deployment; - Stimulation of research and development of related technologies (enabling, enhancing and concurrent). - If not implemented properly, RFID may bring a num- ber of threats to privacy and security (Function creep, surveillance capacity). On the other hand, market integration seems to be the first challenge for Europe to tackle while bal- ancing the efficiency gains for businesses with the perceived benefits for citizens emerges as the next chal- lenge. However, Europe’s responsibility goes beyond achieving very low cost tags which would enable a future where item-level-tagging is possible; the opportunity comes from developing high-end, added-value market applications promising accurate and actual data-based quality, improved personal safety and secu- Technical Report Series rity and extensive convenience. The biggest opportunity for Europe in embracing this technology seems to be the realisation of the vision of an integrated physical and virtual world life where RFID technology is the ubiquitous, always-on, seamless bridge to and from both worlds. Emerging issues and challenges With RFID out of the laboratory and into the mainstream of business and society, a debate as to the likely and desired implications of the technology on the socio-economic fabric should take place. The study16 identified a lot of opportunities but also challenges that need to be openly debated. To begin with, the study identified many technical challenges (e.g. in developing advanced RFID tags, linking to wireless networks, merging with sensor devices, improving reliability, setting standards, and testing and certification) and some market ones (e.g. high initial investment costs, uncertainty as to which standards or which technologies
RFID technologieswill persist, adoption issues as a result of low trust, etc…). Nevertheless, the study would like to draw at-tention to a number of issues for which consensus will be needed before decisions on the scope and thefocus of future initiatives may be taken. Some of them are described below: 1. Currently, a major drawback to wide-spread deployment of RFID systems is the overall attitude of people towards them. In general today, social acceptance and trust of RFID is quite low – as a re- sult of insufficient privacy and security safeguards and also the lack of awareness – and may impede take up of RFID technology. However, it is not sufficient to make the technology secure and reliable. The perception of security depends on the individual’s reaction to both the risks and the countermea- sures adopted. Individuals will need to be appropriately educated if their perceptions are to closely match deployed RFID security reality. 2. Ethical issues are also at stake (e.g. over the use of RFID implants) and the development of European good ethical practice is a first step towards addressing them. Due to the complexity of advanced RFID systems, a process needs to be defined which will identify and counter emerging security and pri- vacy threats, prior to the deployment of RFID systems. 3. The foreseen wide-spread use of RFID applications and its enabling capacity raise various security and privacy concerns. Most of them are being dealt with through improved technological design, taking into account security and privacy throughout the value chain and also by judging the sensi- tivity of the case to security and privacy issues. Various initiatives, at EU level, to tackle RFID pri- vacy and security concerns already exist; for example, the Article 29 Working Party has expressed its views on minimising data collection and preventing unauthorised forms of processing through im- proved use of the technology. However, it is the appropriate mix of self-regulation, through the cre- ation of codes of conduct and of legislation that would need to be enforced that is at the heart of the debate on further initiatives required. 4. The impact on employment is not clear and should be monitored. Pessimistic forecasts say that de- ployment of RFID technology may result in about 4 million job losses (over a 10 year period in the US). However, no major disruption of the labour market is expected, apart from the forecasted short- age of skilled professionals which will impact rapid deployment. Moreover, RFID will create new jobs, related to data processing and service-related jobs and the overall resulting economic growth may also contribute to the creation of additional workplaces. It is clear that training activities will be needed as new kinds of skills will be required both for professional workers (development) and end-users (customisation). 5. High initial costs for setting-up RFID systems, uncertainty on the future of the most promising tech- nologies of today, the lack of well established standards and finally hidden societal, and organiza- tional costs (e.g. training) are well-known barriers for smaller companies which are reluctant to adopt the technology. 6. Dependability of RFID information systems, especially in sensitive application areas such as health, Technical Report Series signals the need to design appropriate fallback procedures in case there are system failures. This ob- viously adds to the costs of deployment and represents yet another barrier. 7. There is a clear gap between leaders and followers in RFID adoption in Europe. This may limit the foreseen benefits of a larger European market and constrain the development of high-end applica- tions which promise to enable a new generation of services for citizens. Moreover, closing the gap has positive growth implications as ‘local’ European firms will play an important role in the challeng- ing ICT transformation processes that RFID brings. 17 8. The direction a European harmonized frequency policy should take is still under debate. However, the question as to whether reserved spectrum bandwidth in the EU will be sufficiently large for fu- ture applications is already important. For comparison purposes, the US administration has reserved bandwidth that is 10 times larger.
Executive summary 9. As a result of the wireless and invisible nature of RFID information exchange enhanced testing and certification procedures are needed in order to ensure that, for example, requirements concerning privacy and security are fulfilled (e.g. kill command works according to specification). A vendor-neu- tral solution to the establishment of certification of providers, approved system integrators, RFID consultants and trainers is needed. 10. Although there are many available technical standards (ISO, EPCGlobal), semantic interoperability is also needed so as to allow the structured exchange of information in RFID-based systems as in- formation is application specific. This type of standard would increase usability of information stored on tags and produced by sensor networks. Insufficient semantic interoperability of RFID systems may restrict benefits from their deployment, especially for globally operating systems. 11. RFID systems produce a lot of data locally and collision avoidance is a practical requirement that needs to be addressed. Advanced RFID systems, serving geographically distributed needs, generate huge amounts of data which are difficult to manage in real time and which are expected to create a new burden on the global network infrastructure; especially when the system architecture foresees centralised data storage. Moreover, in today’s complex business processes where the value chain is composed of different companies, issues related to data ownership, control and liability will need to be addressed. Proposed policy options The study looked at a number of RFID issues in general and also focused on the analysis of five selected application areas (animal tagging, healthcare, public transport, identity documents and the ICT sector) where implementation in Europe is well advanced, in order to draw conclusions as to what is at stake for Europe. As technological evolution is continuous, achieving a balance between reaping the benefits and avoiding the pitfalls associated with its implementation is inevitably a moving target. Given the enormous socio-economic potential of this particular technology, a debate on what role Europe should play in this areas has been launched. Whatever the result of this debate, Europe ought to tread a fine line between is- sues that are considered to be of vital importance for the market players, and the interests of the citizens. Moreover, the EU should take up this opportunity to drive the realisation of the vision of a European Infor- mation Society where services integrating the real and the virtual worlds are on offer. Bearing in mind that there are various intervention instruments (technological, legal, or through stim- ulation of self-regulation) at the disposal of the policy maker, the study presents the following policy options: 1. Europe will benefit from stimulating cross-border take up of RFID applications primarily through setting-up a harmonised frequency policy and then through stimulating consensus on standards and interoperability issues. Moreover, promotion of best practice, financial support of cross-border pilot and trial programmes, and fostering SME participation in the area will contribute to helping fight mar- ket fragmentation and bringing all EU Member States closer to the European Information Society vi- Technical Report Series sion. 2. The Internet of Things (the billions of tagged objects that will enable access to back-end information systems) will require a service for registering and naming identities, the Object Name Service (ONS), which should be interoperable, open and neutral to particular interests. Europe should position it- self in the appropriate international fora to exercise its responsibilities in this area. The report has also identified the need to establish a debate on RFID in Europe as well as the need for18 further technological and legal research as primary recommendations for action. 1. European society needs an information campaign on RFID systems to raise awareness as to the likely benefits and possible risks of the wide-spread application of this technology. A debate should also be launched with a view to making the preferred and ethical use of the technology more explicit to all.
RFID technologies2. A closer look at the existing legal framework is deemed essential. Further study is also needed to de- velop a process for establishing guidelines and best practices which aim to build safeguards against emerging RFID risks.3. As a result of the enabling character of the technology and its multi-sensor data integrating capabil- ities, there is a clear need for further technological research to improve efficiency, robustness and security. More research will be needed into: a) advanced tag-reader systems; b) the enhancing of security and ‘privacy by design’ for complex applications; c) the impacts of almost permanent exposure to very low intensity radio waves produced by ubiq- uitous always-on RFID devices; d) the re-skilling of the professional population to foster market expansion; e) how to foster creativity and innovation spirit to help create additional and more advanced links between the physical and the virtual worlds. Technical Report Series 19
RFID technologies Preface This report is the result of a study on RFID, commissioned by the Institute of Prospective TechnologyStudies (IPTS), of the Directorate General Joint Research Centre (DG JRC) of the European Commission.The objective of the study is to inform the policy process within the European Union on the socio-eco-nomic and technological developments taking place with respect to RFID, analysing prospects and barri-ers to RFID technologies, and the broader technological, economic, social and legal challenges, to cometo a well-founded set of research and policy recommendations. The scope and detailed specification of re-search has been prepared by IPTS. The study has been performed by two research organisations: TNO (TheNetherlands) and Telecom Italia (Italy) in cooperation with IPTS, between December 2005 and January2007. During this period, the European Commission has organised an open public consultation process onRFID and issued a communication on the subject. The study has been clustered around a number of research challenges: • the presentation of a state of the art overview regarding RFID technologies, the relation of RFID technologies with a broader set of ICTs (existing and emerging networks), the analysis of the state- of-the-art concerning frequency allocation and standards, and an analysis of usage typologies of RFID; • the analysis of market perspectives and socio-economic aspects; the latter were narrowed down to aspects concerning users and trust relations, privacy and security; • the analysis of the introduction of RFID in a number of application areas; the application areas cho- sen were: the use of RFID for animal tagging, the use of RFID in the health sector, the use of RFID within the ICT-sector itself, the use of RFID in identity cards, and the use of RFID within public transport systems; this was a deliberate choice, given the surplus of attention for and information about RFID within logistic processes; • the analysis of the results of the previous steps in terms of policy relevance and the formulation of policy recommendations. To validate the findings of the project team, a validation workshop has been held on October 2006.The results of the validation workshop have been used to enrich and complement the report. Many authors have contributed to make this report possible. Marc van Lieshout was overall projectleader of the project. More in detail: Marc van Lieshout has written chapters 8, 10, 11 and 16 and togetherwith Sandra Helmus chapter 15; Luigi Grossi has written chapters 4 and 6 and together with Claudio Boreanchapters 2 and 3; Graziella Spinelli has written chapters 12 and 13; Leo Pennings has written chapter 14and together with Linda Kool chapter 7; Thijs Veugen has written chapter 9; and finally chapter 5 was writ-ten by Roel Stap and Bram van der Waay. Technical Report Series 21
RFID technologies Structure of the report The report that follows is composed of four parts. The first part details the technological dimension ofRFID systems including the situation on standards and spectrum allocation. The second part presents RFIDmarket parameters and raises socio-economic issues. The third part presents five case studies from differ-ent application sectors and draws conclusions as to the specific areas of development as well as for thewhole RFID market in Europe. The last part analyses the situation and presents recommendations for fur-ther initiatives in Europe. The contents of the first four parts are presented in more detail below:Part 1: RFID technologies The state-of-the-art in RFID technology is presented as well as other technologies which: (i) enableRFID usage (e.g. Ethernet or Bluetooth); (ii) enhance it by adding further functionality to basic RFID capa-bilities (like Near-Field-Communication (NFC) or functionalities offered by middleware); (iii) are compet-ing with it (such technologies are divided into those which enable identification, location or informationon state). The report provides a prospective analysis of alternative tagging technologies, which may replace RFIDin the future, like Surface Acoustic Waves, optical tags or DNA tags. It also describes technological limita-tions of RFID (for example, those resulting from the physical properties of radio waves) and possible solu-tions to these problems. The currently available spectrum allocation and frequency regulatory status for using RFID in the EUand world-wide is presented, as well as a description of the most common standards on the market (EPCGlobal, ISO and ETSI). The first part ends with a proposal for a typology of RFID applications, which considers business usecriteria as well as the sensitivity of application areas in terms of privacy protection. It uses this typology todraw conclusions about the drivers for further development of intelligent applications facilitating globalcollaboration and automation.Part 2: Market perspectives and socio-economic issues The main forces driving the RFID market evolution are presented in an inventory which provides in-formation about the main actors on the global RFID market, such as tag manufacturers, system integrators,software providers and consultants. It also provides web links to their sites. This is followed by an analysisof the RFID market showing that the change of application profile is largely driven by the tag price. Appli-cation areas where a relatively high tag price is acceptable (e.g. e-documents, e-payment, access control) Technical Report Serieshave already been developed, and in the next few years the rapid development of applications demandinglow-cost tags, (e.g. asset management, supply chain and retail logistics) should be expected. The pros and cons of RFID usage are analysed from both the retailer’s and the user’s perspective. Lackof regulation for spectrum allocation in some countries, limitations of technology (e.g. interference of radiosignal with metals and water), possible carriers for SMEs (e.g. high initial investment) and forecasts of im-pact of RFID on employment and likely implications are also presented. Finally, an exhaustive analysis of privacy and security challenges are also included. Privacy threats, like 23‘sniffing’ the tag information, using tags to track a person, function creep and strategies to counter them areanalysed. Threats to security and countermeasures are also discussed as is a methodology of security eval-uation, based on the relation between the costs of attack and the cost of countermeasures.
Structure of the report Part 3: Case Studies of RFID implementation Five application areas were selected to describe state-of-the-art deployment in Europe of RFID tech- nology: animal tagging, healthcare, public transport, identity cards and the ICT sector itself. Analysis in the respective areas is organised around key criteria such as: drivers/barriers, threats/opportunities, role of stake- holders including Member State governments, the technology involved and the likely role for Europe as a whole. The in-depth analysis of such criteria helped determine the drivers and barriers for future RFID usage, the stakeholders’ perspectives on the identified drivers and barriers and the perceived European mar- ket potential and length of time to adoption. The main issues shaping the policy evaluation include the di- versity in stakeholder strategies due to variations in Member State markets and structure of the economy, the perceived EU-wide benefit and the role of the public sector in helping to achieve these benefits. For each of these application areas conclusions as to future developments of RFID systems are drawn and presented briefly below: • Animal tracking is potentially a huge market segment. The overarching incentive for the introduction of animal ID is that it would enable quick response in animal disease crises (e.g. Foot and Mouth Dis- ease, or Avian influenza). Barriers and opportunities for further development are presented. • In healthcare, RFID may be used to track medicines, prevent patients from taking the wrong drugs or track hospital assets. This would prevent theft and allow optimal usage of equipment. RFID may also be used for patient identification and localisation (e.g. in a crowded environment). In general, RFID can considerably improve performance and reduce costs of healthcare but it also creates new challenges. • RFID is already used in the area of public transport. RFID-based tickets and public transport cards increase efficiency and convenience and are well received by the users. Main barriers are the mas- sive financial investments and the high complexity of such systems leading to costly down-times. • In the area of identity cards, the main driver for RFID use was the need for increased security (e- passport) in the fight against terrorism. Today, both security and privacy concerns drive further tech- nology improvements. Perhaps, the more positive reaction of consumers towards contactless credit cards is a hopeful message indicating future acceptance likelyhood. • In the ICT sector, many companies have started to explore ways to manage and track assets in the ICT department in order to optimize professional personnel work. NFC technology is forecasted to spread widely with its incorporation in mobile devices to be used in contactless payments or con- tact-less ticketing. No significant barriers to RFID deployment in this sector are foreseen. Part 4: Policy analysis and recommendations Finally, the report presents an analysis of all data presented. This leads into conclusions and recommen- dations which aim to address a number of overarching questions and thus set the basis for a debate in Eu- Technical Report Series rope on RFID applications. The impact on EU market integration and what role the public sector plays in stimulating and supporting the realisation of EU-wide benefits is discussed. Research initiatives are also dis- cussed and proposed in this section. In essence, the report proposes a way through which Europe may stim- ulate initiatives to address the issues presented and thus reap the foreseen benefits of the wide-spread deployment of RFID technology.24
RFID technologiesAnnexes The report has a number of annexes which present: 1. List of references 2. List of acronyms 3. A word-wide inventory of regulatory status of RFID in the UHF spectrum; 4. A description of selected guidelines and code of practices regarding the implementation and use of RFID technologies; 5. An overview of European activities in e-passports 6. An overview of European activities in other type of e-documents (national ID cards, electronic signature cards, healthcare identity cards, electronic documents for social insurance) 7. RFID in European projects related to public transport 8. Statistics of RFID pilots and trials within the EU and the US divided by application areas. 9. Full table of contents to facilitate reading and procedural and organisational details of this fairly complex process. Technical Report Series 25
RFID technologiesPart one
RFID technologies 1. RFID technologies: system features and future technologies1.1. Introduction ing, factory automation, and animal tagging. The most common application of RFID technology RFID stands for Radio Frequency Identifica- today is for tracking goods in the supply chain,tion. The main goal of an RFID system is to carry tracking assets, and tracking parts from a manufac-data on a transponder (tag) that can be retrieved turing production line. Other application areas in-with a transceiver through a wireless connection. clude the control of access to buildings, networkThe ability to access information through a non- security, and also payment systems that let cus-line-of-sight storage in a tag can be utilized for the tomers pay for items without using cash.identification of goods, locations, animals, andeven people. Discerning specific information from Nevertheless some technology related issuesthese tags will have profound impacts on how in- still condition the possible applications. As an ex-dividuals in commerce and industry keep track of ample, liquids, water especially, absorb radiationstheir goods and each other. Early use of this tech- while metals reflect it. This means that passive tagsnology concerned the evolution of barcode appli- applied to bottles of water or to aluminium canscations, changing the application scenario can be hardly read though placed very carefullyperspective (the main differences with barcodes with respect to the reader antenna and with dielec-will be investigated in Section 1.2.4). tric support. This is due to the properties of the ra- diations in relation to their wavelength It is true for The acronym RFID, Radio Frequency IDenti- HF tags but even more relevant for UHF tags.fication, encompasses a number of technologiesusable to identify objects by means of radio waves. The three basic components of a typical RFIDThe origin of the technique is the “Identification system are an antenna or coil, a transceiverFriend or Foe” IFF system used in World War II by (reader with decoder), and a transponder (RFIDthe Royal Air Force, that was able to get a code tag) with electronically programmed information.back only from “friendly” aircrafts identified with In an RFID system, an antenna continuously emitsRADAR. Under this very wide umbrella the term is radio signals at a given frequency. When atoday mainly referring to systems where electronic transponder (that is set to detect that specific fre-equipment can “read” information from a multi- quency) comes into contact with these signals, thetude of “tags” by means of radio waves. The RFID badge is activated and communicates wirelesslytag can come in various shapes e.g. as a paper with the reader through the modulation of trans-sticker, just as barcode tags are, as a plastic Credit mittance frequencies. Through the use of an an-Card, or even as a rugged, chemicals and heat re- tenna, the information that is stored on thesistant, plastic capsule. The tag might be even transponder can be read or written from thepowered by a very small battery to support local transponder. Typically, the antenna is packagedfunctions such as storing temperature readings or with the transceiver into a larger structure called Technical Report Seriesenhancing the reach of the radio communication. a reader (interrogator) that is in charge of the sys- Although RFID is a mature technology, it took tem’s data communication and acquisition. Theseveral years for a large scale implementation to data that is obtained and analyzed by the readeroccur. The first ones were in the United States. The can then be transported to a computer. The gen-implementation eventually included supply chain, eral design of a simple RFID system is displayedfreeway toll booths, parking areas, vehicle track- through the following figure: 29
1. RFID technologies: system features and future technologies Figure 1-1: Diagram describing operation of the RFID system. A very important feature of the reader is the light, compact, and have unlimited life spans. capacity to avoid collisions among the RFID tags The contactless smartcards, plastic with a using specific methods. By using collision avoid- ance a reader can perform multiple readings ac- credit card size that can be accessed through a celerating the overall reading process in radio reader device, are often confused with pas- comparison with barcode systems. The perform- sive RFID. Although the communication method ance of collision avoidance systems are evaluated is quite the same, the contactless smartcards have in number of readings per seconds. The typical on-chip processing and memory capability that is collision avoidance systems are based on Aloha not needed on RFID. RFID just holds an identifier and slotted Aloha process,2 well known in litera- while contactless smartcards might hold personal ture. The use of an efficient collision avoidance identification data, complex encryption capabili- system is essential to calculate the data transmis- ties, or application specific logic. sion rate of the reading process. The active tags are typically powered by an internal battery (that lasts several years but whose duration strictly depends upon the application) 1.2. RFID system features and are utilized for long read-range applications up to 100 m. Active badges can continuously emit 1.2.1. Passive, semi-passive, active a detectable signal and are typically read/write with a higher total memory. Due to these in- RFID tags can be characterized as either ac- creased capabilities, active tags are heavier, more tive or passive. Traditional passive tags are typi- expensive, and have limited life spans. cally in “sleep” state until awakened by the reader’s emitted field. In passive tags, the reader’s Another category of tags is commonly referred field acts to charge the capacitor that powers the to as semi-passive (also called semi-active and/or badge. Due to the strength of the signal that is re- battery assisted RFID). These tags communicate quired, passive tags are most often used for short with the reader as if they were passive tags but read-range applications (<1.5 m) and require a have a battery on board in order to support spe- Technical Report Series high-powered reader with antenna capable of cific functions, e.g. to store periodic temperature reading the information. Passive tags are often very information from an onboard temperature sensor.30 2 Aloha, developed in the 1970s for a packet radio network by Hawaii University: sender finds out if there is a collision with transmitted data and retransmits data after some time in case there is collision. In case of Slotted Aloha, time is slotted and data can be transmitted at the beginning of one slot so reducing the collision duration.
RFID technologies Figure 1-2: Passive and active RFID tags packages1.2.2. Frequency results in a number of frequency bands in use around the world for RFID application. A com- The capabilities of the RFID system are also monly accepted scheme categorizes these fre-very dependent on the carrier frequency at which quencies in four ranges that are summarized in theinformation is transported. Due to government table hereafter including also typical system char-regulation, different parts of the electromagnetic acteristics and areas of application.spectrum are assigned for different purposes. This Table 1-1: Frequency bands and applications LF HF UHF Microwave Frequency Range < 135 KHz 10 ... 13.56 MHz 860 … 960 MHz 2.4 … 5.8 GHz Read Range ~10 cm ~1 m 2~5m ~100 m Coupling Magnetic, Electric Magnetic, Electric Electromagnetic Electromagnetic Frequency bands used by RFID systems are be used to increase the penetration into materialsassociated to different part of ISO 18000 standard and water, but give shorter range (inductive cou-as described in Section 3.2.1. Different frequen- pling). Higher frequencies can increase the range Technical Report Seriescies have to be used for different applications: a (so called UHF backscattering RFID tags) but be-rule of thumb for this is that lower frequencies can come very sensitive to environmental conditions. 31
1. RFID technologies: system features and future technologies Figure 1-3: Frequency used by RFID systems 1.2.3. Factors affecting reading capability circuitry. It can be shown that the intensity of the magnetic field decreases in intensity It has to be made clear that though the tech- with distance through a factor that can be nology promises a number of fancy characteris- approximated to one over the cube of the tics, its real application is not straightforward. The distance 1/d.3 This means that doubling the possibility of reading RFID tags is conditioned by distance, the capability of reading the tag critical and sometimes rather non-deterministic with the same reader is decreased to 1/8. In factors. It is intuitive that if the tag is “too far” other words to read a tag at a distance twice from the reader then no reading can take place. the original distance the reader should yield On the contrary it might be extremely useful to a magnetic field with power eight times the exactly know how to increase the reading dis- original power used. tance up to what is needed by a specific applica- UHF passive tag systems use the so called tion. Another myth is that anything might be backscattering: once the tag is activated by tagged with an RFID, but the truth is that certain the reception of a radio wave, it activates materials have characteristics affecting the read- and “sends” back a radio wave with the an- ing capability. swer message. In this case the factor that in- Trying to put some order in these factors they dicates the relation between the power of Technical Report Series can be summarized in: the reader and the reading distance is one over the square of the distance 1/d.2 This is • Radio technology and reading distance why UHF is used where the reading of pas- LF and HF passive tag systems use electric sive tags is needed at greater distances. and magnetic3 coupling; this means that the Active tags are powered by an internal en- reader yields a magnetic field and the tag is ergy source and thus they do not need to capable of modifying it in a way that the extract power from a magnetic or electro-32 reader can sense. The magnetic field should magnetic field. They are capable of over- have enough “intensity” to power the tag coming the passive tags distance limitations 3 In the following reference will be made always to magnetic coupling as electric coupling is far less applied.
RFID technologies and support applications with a reading dis- hard to predict what would be the behav- tance of 100 m or even more. iour of a RFID system in such rugged situa- tions. Radio waves are reflected, absorbed• Radio frequency and tagged materials and mixed with other radio waves. One Radio waves, as well as light, are absorbed RFID technology might work better than by some materials, notably water, and re- the other and this can only be identified flected by others, namely metals, in differ- through field trials. ent ways depending on their frequency. The described factors are the reason for This means that a passive RFID applied on which in most cases prime contractors sug- a bottle of water or, worst case, on a beer gest that after the business case has been can, might be hardly read. HF tags might stated and the application process has been be used to tag bottles of water better than engineered to benefit most from the RFID UHF. They can also be used on metal ob- application, a limited experiment is imple- jects by separating them from the metal by mented in the actual place in order to bet- some millimetres thick dielectric that al- ter identify the technologies to be used. lows the magnetic field to transit through the coils of the antenna (not being diverted by the metal of the tagged object). 1.2.4. RFID and barcodes UHF passive tags applied to bottles of water Although it is often thought that RFID and bar- can be read only if they are applied on the codes are competitive technologies, they are in fact side of the bottle turned towards the an- complementary in some aspects. The primary ele- tenna of the reader: if the tag is on the other ment of differentiation between the two is that RFID side then the radio waves are weakened by does not require line-of-sight technology. Barcodes transiting through the water and the read- must be scanned at specific orientations to estab- ing is compromised. In the case of metals, lish line-of-sight, such as an item in a grocery store, appropriate packaging is needed in order to and RFID tags need only be within range of a reader avoid interference of the answer message to be read or ‘scanned.’ Although RFID and barcode with the waves reflected by the metal sub- technologies offer similar solutions, there are signif- strate. icant advantages to using RFID:• Reading geometry • Tags can be read rapidly in bulk to provide a nearly simultaneous reading of contents, The magnetic (or electromagnetic) field such as items in a stockroom or in a con- generated by the reader is somehow ori- tainer. ented by the reader antenna and power is induced in the tag only if the orientation of • Tags can be read in no-line-of-sight condi- the tag antenna is appropriate. A tag placed tions (e.g. inside packaging or pallet). orthogonal to the reader yield field will not be read. This is the reason that guided man- • Tags are more durable than barcodes and ufacturers to build circular polarized an- can withstand chemical and heat environ- Technical Report Series tenna capable of propagating a field that is ments that would destroy traditional bar- alternatively polarized on all planes pass- code labels. Barcode technology does not ing on the diffusion axis. Linear antennas work if the label is damaged. need a more accurate positioning of the tag • Tags can potentially contain a greater but can operate at longer distances. amount of data compared to barcodes,• Environmental factors which commonly contain only static infor- mation such as the manufacturer and prod- The sites where usually RFID are needed uct identification. Therefore tags can be 33 are never empty spaces: they are filled up used to uniquely identify an object. with metal shelves, heating water pipes, moisture, fork lifts moving around, and • Tags do not require any human intervention communication radio equipment. It is very for data transmission.
1. RFID technologies: system features and future technologies • Changing the data is possible on some RFID 1.3. RFID infrastructure elements tags Once a tag is placed, the basic components It is easy to see how RFID has become indis- needed to collect the tag information and pass it to pensable for a wide range of automated data col- the proper application are the readers and the lection and identification applications. The distinct RFID middleware. The readers are the devices ca- advantages of RFID technology, however, intro- pable of activating the tags and having them pro- duce an inevitably higher cost. RFID and barcode vide their data. RFID middleware is the software technologies will continue to coexist in response system needed to perform a “sensible” reading, i.e. to diverse market needs. RFID, however, will con- whenever a contemporary reading of multiple tags tinue to expand in markets for which barcode or is needed it discards duplicates and selects the similar optical technologies are not as efficient. only data relevant to the application. 1.2.5. Security 1.3.1. RFID readers Security encryption methods can be embed- Though manufacturers pursue the possibility ded onto the tag to ensure that the information on of a universal reader capable of reading any kind it can only be read or written by authorized users. of tag, the current situation is that each type of tag The creation of encryption specifications for RFID can by read by dedicated equipment. This means tags by the standards organizations, now in that an HF Reader is needed to read an HF tag and progress, is a vital step for ensuring widespread a different reader is needed to read a UHF one. protection. Security encryption algorithms have al- ready been established for the 13.56 MHz-based A characterization of readers for passive and ISO/IEC 14443 standard used for automatic fare active tags is presented below: collection in public transit applications. • Readers of Passive RFID tags: In order to create high security RFID systems - High power emitted (max 4W) in order to a defence against the following individual attacks activate passive RFID tags would be needed (see also Chapter 8): - High power consumption (rank of Watts) • Unauthorised reading of a data carrier in - Operating ranges of some meters order to duplicate and/or modify data. - Passive Readers can read simultaneously • The placing of a foreign data carrier within a number n of RFID tag with a reading the interrogation zone of a reader with the speed of some seconds (n>100) intention of gaining unauthorised access to - Reader comprises the antenna, anti-colli- a building or receiving services without sion systems (microprocessor + software + payment. memory), RF transceiver, network inter- faces (Ethernet, Wi-Fi, GSM, etc.) • Eavesdropping into radio communications and replaying the data, in order to imitate a • Readers of Active RFID tags: genuine data carrier (‘replay and fraud’). Technical Report Series - Low power emissions (10-20 mW) When selecting a suitable RFID system, con- - Reduced power consumption (rank of sideration should be given to crypto-logical func- mWatts) that allows integration in hand- tions. Applications that do not require a security held devices function (e.g. industrial automation, tool recogni- - Long ranges (20-100 m) tion) would be made unnecessarily expensive by the incorporation of cryptological procedures. On - Active readers can read simultaneously the other hand, in high security applications (e.g. different RFID tags (hundreds of RFID tags)34 with high reading speed (milliseconds) ticketing, payment systems) the omission of cryp- tological procedures can be a very expensive mis- - Readers include an antenna that can be in- take if manipulated transponders are used to gain tegrated, an anti-collision system (micro- access to services without authorisation. processor + software + memory), a RF
RFID technologies transceiver, network interfaces (Ethernet, 1. Filtering: thinking of a stream of tag-read Wi-Fi, GSM, etc.) events generated by the readers, the filter- ing functions chooses, on the basis of proper criteria, which ones deserve to be1.4. RFID middleware processed by the application layer; as an example, in some cases, when a tag is read The RFID Middleware is referred to, by soft- twice by the same reader within a few sec-ware manufacturers (Forrester, 2005) and by EPC- onds, only one event might have to be re-global (EPCglobal, 2004), as the set of functions in ported;between the pure RFID technology components,in first place the readers, and the business applica- 2. Routing: once the tag-read event has beentions capable of exploiting the value of the tech- accepted for forwarding by the filtering function, the Routing Function, on the basisnology. of proper criteria, is capable of delivering it These functions can be summarized in: to the correct application; Figure 1-4: RFID middleware – ALE layer as defined by EPCGlobal 3. Data Management: the accepted events are readers be controlled by the other Middle- as well recorded on some storage in order ware functions; to allow for queries on e.g. the history and performance monitoring; 6. Application Adaptors: as in point 5 the Ap- plication Adaptors allow business applica- Technical Report Series 4. Device Management includes the control tions to interoperate with the RFID and management functions of the readers: Middleware. collects and handles alarms, allows for soft- ware download, configuration of frequen- On the Middleware subject, a specification cies and power emissions, etc. activity is being carried out by EPCglobal in order to define the capabilities that have to be supported 5. Device Adaptors; at the moment there is no agreement upon the protocol interface (nei- by the ALE Layer (Application Level Events Layer) in order to allow for the EPCglobal Information and 35 ther official nor industry standard) to make readers work with other systems; the De- Discovery Services (see Section 3.1). Figure 1-4 de- vice Adaptors refer to the software code picts the RFID Middleware also with reference to that has to be provided in order to allow ALE Layer and Interface.
1. RFID technologies: system features and future technologies 1.5. Organizations developing The purpose of EPCglobal is to provide the international standards technology to increase efficiency and reduce er- rors in the supply chain, achieved by the use of As RFID technology continues to expand, the low cost RFID tags and a framework for global in- need for establishing global standards is increas- formation exchange (see Section 3.1 for the EPC ing. Many retailers have completed RFID trials standards). EPCglobal is a joint venture of GS1 (for- within their supplier communities, adding pressure merlyEAN International) and GS1 US™ (formerly on manufacturers and suppliers to tag products be- Uniform Code Council, UCC). fore they are introduced into the supply chain. However, manufacturers cannot cost-effectively 1.5.2. Global data synchronization manage RFID tagging mandates from disparate re- tailers until global standards are established. This Global Data Synchronization (GDS) is an process requires the creation and acceptance of emerging market in Supply Chain Management. It data standards that apply to all countries, and it re- is the foundation for next-generation applications quires scanners to operate at compatible frequen- such as RFID-based tracking, and more. GDS is cies. designed to keep supply chain operations synchro- nized by ensuring that basic product data, such as the description and category stored by one com- 1.5.1. EPCglobal pany, matches the data stored by its trading part- In 1998, researchers at the Massachusetts In- ners. Organizations submit product data in a stitute of Technology (MIT) Auto-ID Center began specific format to data pools around the globe, and global research on RFID. The Auto-ID Center fo- the data is then validated against a global data reg- cused on: istry. • Reducing the cost of manufacturing RFID Standards for GDS are guided by the Global tags. Commerce Initiative (GCI), a collective group of • Optimizing data networks for storing and retailers and manufacturers. The standards are being developed by the European Article Number- delivering large amounts of data. ing Association International and The Uniform • Developing open standards for RFID. Code Council (EAN and UCC). These standards as- sign attributes to product data that enables manu- The work of the Auto-ID Center has helped facturers, suppliers, retailers, and other participants make RFID technology economically viable for in the supply chain to share product-related data pallet and carton-level tagging. The Auto-ID Cen- across the globe. For example, manufacturers ter closed in October 2003, transferring all its RFID could have their product catalogue accessible technology and information to the EPCglobal or- worldwide, and retailers could search for any type ganization. of product and take advantage of unlimited global EPCglobal is a member-driven organization of access. leading firms and industries focused on developing global standards for the electronic product code 1.5.3. International Organization for Technical Report Series (EPC) Network to support RFID. The EPC is at- Standardization (ISO) tached to the RFID tag, and identifies specific events related to the product as it travels between The International Organization for Standard- locations. By providing global standards on how ization (ISO) is a network of national standards in- to attach information to products, EPC enables or- stitutes of 148 countries working in partnership ganizations share information more effectively. with international organizations, governments, in- The vision of EPCglobal is to facilitate a world- dustries, and business and consumer representa- wide, multi-sector industry adoption of these stan- tives. The ISO asserts jurisdiction over the Air36 dards that will achieve increased efficiencies Interface (the frequency spectra used for RFID throughout the supply chain—enabling companies transmission) through standards-in-development to have real-time visibility of their products from ISO 18000-1 through ISO 18000-7. These are rep- anywhere in the world. resented in the United States by the American Na-
RFID technologiestional Standards Institute (ANSI) and the Federal As the leader in developing internationalCommunications Commission (FCC). RFID standards, AIM Global strives to educate the community. The company is participating as the The International Organisation for Standardi- RFID Association Sponsor for a series of sympo-sation (ISO) in collaboration with the International siums worldwide to build consensus about stan-Electrotechnical Committee (IEC) has produced a dards for using RFID technology on commercialset of standards for the interface between reader airplanes. Aircraft manufacturers Boeing and Air-and tag, operating at various radio frequencies. As bus plan to collaborate; both companies are mov-mentioned, these standards are numbered in the ing toward RFID adoption based on the Airseries ISO/IEC 18000-n. Transport Association (ATA) automated identifica- There is strong interest currently in the UHF tion and data capture guidelines.frequency band between 860 MHz and 960 MHz.The ISO standard, currently being published, is 1.5.5. Ubiquitous ID CenterISO/IEC 18000-6, with options for two differingcommunications protocols, type A and type B. It The Ubiquitous ID Center was created to de-is likely that the recently agreed EPCglobal Gener- velop technologies such as RFID and others thatation 2 standard will be incorporated into ISO will enable the automatic recognition of items with18000-6 as type C. the ultimate objective of creating a ubiquitous computing environment. In April 2004, China, Previously, only a relatively small amount of Japan, and Korea agreed to participate in Ubiqui-bandwidth at restrictively low power was availablein Europe in the newly exploited band around 900 tous ID-related events, each signing agreements toMHz. This is because the frequency range be- conduct joint research with the goal of establishingtween 902 MHz and 928 MHz as used in North Ubiquitous ID Centers and T-Engine DevelopmentAmerica is assigned to the Global System for Mo- centres in each country. T-Engine is the develop-bile (GSM) services in Europe. The situation has ment platform for ubiquitous computing technolo-improved immensely following the recent ap- gies.proval by European standards bodies of the use often channels at 2 Watts Effective Radiated Power(ERP) in the band from 865.6 MHz to 867.6 MHz, 1.6. Future tagging technologiestogether with five additional lower powered chan-nels. The European Telecommunications Standards Though radio technology for identificationInstitute (ETSI) has recently produced and ap- purposes has been a revolution with respect to theproved technical standards to meet these parame- proven laser based barcode, future identificationters. While the available bandwidth may prove to technologies will not necessarily be using radiobe a restriction in the long term, the increase of waves. In the following an overview is given ofradio frequency (RF) power to 80% of that allowed some of the more promising automatic identifica-in North America means that the performance in tion technologies currently under study or in veryterms of range will be quite similar in both regions. early industrial phase based on radio waves as well as laser readers. Technical Report Series1.5.4. AIM Global 1.6.1. Surface Acoustic Waves (SAW) 4 AIM Global is the global trade association forthe Automatic Identification and Mobility industry The promise of the SAW technology is to bethat manages the collection and integration of data able to provide very low cost radio readable tags.for information management systems. Serving The SAW tags are classified as “chipless” tags be-more than 900 members in 43 countries, AIM cause there is no need for a real processing chip toGlobal is dedicated to accelerating the use of au- operate them. Once the SAW tag receives thetomatic identification data collection (AIDC) tech- radio signal from the reader, a simple transducer 37nologies around the world. translates it into acoustic waves on the surface of4 http://www.rfsaw.com
1. RFID technologies: system features and future technologies the tag. Metallic structures precisely built on the perform very well both on metals and water thus tag reflect, according to a definable scheme, the overcoming the constraints of HF and UHF RFID. acoustic wave back to the transducer that converts The drawback is that the tag code is hard-coded it again into a radio signal. The overall effect is by the tag manufacturer and is not modifiable. very similar to a conventional RFID but, having no Moreover effective ways to avoid collisions have need of a processing chip, the cost is dramatically yet to be identified. reduced. From experiments it seems that SAW tags Figure 1-5: Surface Acoustic Wave (SAW) Tags 1.6.2. Embedded tags to have a unique electronic signature of the per- son that can be used through a cross referencing Tagging will move from being something at- database in a number of ways. tached to an object to become a standard part of the object “fabric”. RFID are technologies that Other identification techniques are at the can substitute the barcode as soon as 2007 in the horizon, based on cellular tagging. The problem mass market. They are already replacing barcode here is that cells die and are shed so the tags on pallets and in certain market sectors. Their would need to be replaced continuously. This value in the production and distribution chain is kind of tagging is likely to be used extensively very big since they facilitate reading at a dis- for medical treatment. It may provide tagging for tance. There are several flavours of RFID tags, the duration of the cure. Tags are already used in passive, active, rewriteable, etc. For application medical treatment to identify cancerous cells, or within the area of person identification the ones as a marker for guiding robots during surgical op- that fit better are the passive RFID. Being passive erations. Some leading edge technologies have there is no need for a battery and the chips can already demonstrated the possibility of associat- stay “dormant” for tens of years till an appropri- ing nano-antennas to the cell DNA. Nano mark- ate electromagnetic field activates them and read ers are also under consideration for medical the values stored. Although there are already a number of people who have chosen to be tagged diagnoses and they may be used for identifica- tion. However the possibility offered by RFID Technical Report Series it is still an open question whether it will be a mass-market identification or be restricted to tags, their low cost, easy implantation and read- some niches. Pets and livestock in many coun- ing are shifting the question to the social accept- tries are already tagged (in livestock, tags are re- ability rather than on finding alternative placing the branding). It is surely technologically technologies. Research in this area is both in and economically feasible to inject any newborn basic science and in cross disciplinary ap- baby with a RFID tag and from that moment on proach.538 5 Examples of advanced research areas: a) Underskin Implant of RFID for personal identification, Amal Graafstra, http://www.bmezine.com/news/presenttense/20050330.html b) RFID embedded in cardboard boxes by Beamfetch, http://www.rfidjour- nal.com/article/articleview/1588/1/72 c) RFID embedded in tires by Michelin, http://www.rfidjournal.com/article/articleview/269/1/1/
RFID technologies1.6.3. UWB tags6 The prototypes (Massachusetts Institute of Technology) are currently built on an Eurocent UWB (Ultra Wide Band) RFID tags transmit sized piece of plastic that has a number of ran-signals over multiple bands of frequencies simulta- domly positioned glass micro spheres. When theneously and transmit for a much shorter duration system is lighted by means of a laser beam it re-than those used in conventional RFID. This type of flects light with a very specific scattering pattern.tags consumes less power than conventional RF The pattern is analysed by a system that can pre-tags and can operate across a broad area of the cisely identify the single tag instance. The tag canradio spectrum. UWB tags can be used in close be hardly reverse-engineered: it is practically im-proximity to other RF signals without causing or possible to build a tag with those micro spheres onsuffering from interference because of the differ- the basis of its scattering pattern. Moreover differ-ences in signal types and radio spectrum used. ent readers might get different results thus allowing Parco Wireless company has prepared a for a robust certification of the identity of the tag.demo area to show UWB tag advantages. The The costs are expected to be comparable to thosedemo area recreates a hospital environment. By of the barcode tags when mass produced.using UWB tag patients can be localised as wellas medical and paramedical instruments. 1.6.5. DNA tags8 With respect to passive tags, UWB tags do not In order to develop anti-counterfeit systems ainterfere with electronic equipment used in hospi- new technology is being explored: tags which usetals. The actual transfer speed (100 kbps) is going DNA fragments. There are already companiesto be 24 Mbps within 2 years according to Parco (such as the American Applied DNA Science)Wireless. Each tag emits its ID signal every secondand can be localised by a system of receivers with which are developing systems to embed botanic5 cm precision. Four antennas are enough to cover DNA fragments into tags; DNA is among the mostan area up to 2000 square meters depending on resistant code structures: Applied DNA Sciencethe building structures in the area. guarantees that this type of tagging can be read- able for as long as 100 years. It is likely that most Today an UWB tag costs about 40 euros. benefit will be realised when using this type of tag- ging directly in passports, bank checks, etc…1.6.4. Optical tags7 1.6.6. Software tags9 Optical tags fall in the Physical One WayFunction (POWF) class. They have the drawback Software tags are also very promising. Theof needing fairly complex arrangements to be read, technology of software tags differs considerablynamely the extremely precise positioning of the tag from other tags but software tags show great over-with respect to the laser beam of the reader. This lap in functionality with other hardware basedmakes them not practical for most applications tags. Software tags will for instance be used in tag-with respect to passive and active tags. A promis- ging on-line information.ing characteristic is in the capability to provide dif-ferent codes to different angled readers thus An example of software tags is given by Sema- Technical Report Serieseffectively partitioning information. This might pedia.org.10 Through a Semapedia application it isprove useful in several business applications with possible to create a specific picture (resembling asupport for high security. large square filled with little black squares) able to6 http://www.rfidjournal.com/article/articleview/1285/1/1/7 http://www.sciencedaily.com/releases/2003/11/031113070248.htm http://web.media.mit.edu/~brecht/papers/02.PapEA.powf.pdf http://www.trnmag.com/Stories/2002/100202/Plastic_tag_makes_foolproof_ID_100202.html 39 http://web.media.mit.edu/%7Epappu/htm/res/resPOWF.htm8 http://www.csmonitor.com/2004/0318/p14s02-stct.html, http://www.dnatechnologies.com/process/9 http://www2.districtadministration.com/viewArticle.aspx?articleid=12610 http://www.semapedia.org/
1. RFID technologies: system features and future technologies represent, and being associated to, an Internet link a central product catalogue database – a (Semapedia links to Wikipedia information). Once process that results in challenges for large- the picture is created it must be printed out and scale implementations. placed on a physical object whose internet link is • Configuration and management of readers an address. The information about the physical and devices – When a large number of tagged object is then obtained by just taking a pic- readers and related hardware devices are ture with a cellular phone and processing it deployed across multiple facilities, configu- through simple software. By this technique it is ration and management can be challenging. possible to place a simple small paper picture The implementation of automated devices close to every monument and then reach the asso- for these processes is essential. ciated information on the Internet by taking a pic- ture of the tag and processing it. • Data integration across multiple facilities – In an enterprise with multiple facilities that are geographically distributed, it is increas- ingly difficult to manage data in real time 1.7. Potential challenges of RFID while at the same time aggregating it into implementation the central IT facility—a process that can In addition, to choosing the appropriate place a significant burden on the network tag/reader technology in a specific application infrastructure. area, the following list represents potential chal- • Data ownership and partner data integra- lenges to consider when implementing an RFID tion – When there are different companies solution: involved in business processes, such as • Large volumes of data–Readers scan each commonly found in the Retail supply chain, RFID tag several times per second, which it can create issues pertaining to the owner- generates a high volume of raw data. Al- ship and integration of the data, thereby though the data is redundant and discarded compromising the integrity of the solution at the reader level, processing large vol- architecture. umes of data can be difficult. • Data security and privacy – Depending on • Product information maintenance – When the nature of the business application and a high volume of RFID tags are processed the solution scenario, security and privacy by the reader, the attributes of each tagged challenges could have a significant impact product must be continually retrieved from on the architecture. Technical Report Series40
RFID technologies 2. Spectrum allocation The capabilities of the RFID system are very higher for UHF and microwave RFID system, de-dependent on the carrier frequency at which in- pending on propagation conditions as well as onformation is transported. The use of lower fre- regulatory limits.quencies provides larger wavelength and acoupling effect between RFID tag and reader Due to government regulation, different partsmore similar to primary and secondary coupling of the electromagnetic spectrum are assigned toinside inductors (see also Section 1.2). This causes different use purposes. The three frequency rangesthe range to be shorter in LF (~125 kHz) and HF that typically distinguish RFID systems are low, in-(~13.56 MHz) bands than in UHF (~900 MHz) termediate, and high. There are currently four fre-and microwave bands (>2.45 GHz): for UHF and quency bands in use around the world for RFIDmicrowave as a matter of fact, the coupling be- applications. Within these bands a number of fre-tween tag and reader is performed by backscat- quencies are addressed by RFID standards andtering (the electromagnetic wave is propagated used by manufacturers in proprietary applications.from the reader and reflected by the RFID and These frequency ranges and associated informa-modulated according to the specific information tion describing typical system characteristics andof RFID tag). The range that can be achieved using areas of application are presented through thethe same radiated power as in case of LF is much Table 2-1. Table 2-1: RFID frequency bands and applications Frequency Band Characteristics Typical Applications Typical Range Low Frequency 125-135 kHz Access control Few centimetres 30-300 kHz Short to medium read range Animal Identification ITU Band 5 Inexpensive Inventory control Low reading speed Car immobilizer High Frequency 13.56 MHz Access control Few centimetres (could 3-30 MHz Short to medium read range Smart Cards be slightly enhanced using ITU Band 7 Potentially inexpensive particular antennas) Medium reading speed Ultra High 433 MHz Railroad car monitoring Under 10 meters Frequency 860-960 MHz Toll collection systems 300-3000 MHz 2.45 GHz ITU Band 9 Long read range High reading speed Line of sight required for micro-wave backscattering systems Expensive Technical Report Series Super High 5.8 GHz Toll collection systems 100 m and over Frequency Line of sight required for UWB Localization 3-30 GHz micro-wave backscattering ITU Band 10 systems Expensive Frequency bands used by RFID systems are associated to different parts of ISO 18000 standard as de-scribed in Section 3.2.1. Different frequencies have to be used for different applications: a rule of thumbfor this can be associated to the fact that lower frequencies can be used to increase the penetration into ma-terials and water, but give shorter range (inductive coupling). Higher frequencies can increase the range (so 41called UHF backscattering RFID tags) but become very sensitive to environmental conditions.
2. Spectrum allocation 2.1. Regulatory status for using RFID making the frequencies available for RFID appli- cations. This process is well underway worldwide. Frequency bands are defined through national regulation: any RF equipment is allowed to be Table 2-2 presents UHF spectrum allocation powered only if complying with these regulations. characteristics concerning the 27 EU Member This applies also to RFID applications in various States of the European Community and Table 2-3 ways. LF band is basically unregulated and thus presents the spectrum allocation characteristics of LF RFID are freely used (e.g. electronic car key, au- selected remaining countries in Europe. The status tomatic coffee machines, etc.).The 13.56 MHz, code “IP” means that no regulations are available 433 MHz, 2.45 GHz frequencies were originally at the moment but work is in progress, while the allocated globally for Industrial, Scientific and code “NA” stands for no information available. In Medical (ISM) non-commercial applications and, the EU25 area it can be seen that issues in most not considering possible local regulations, are li- countries should be solved during the year 2006, cense-free.11 except in Italy and Hungary where some decisions still have to be taken. It should be noted that the The UHF frequency range needed for EPC- unavailability of UHF frequencies in some coun- global compliance (860-960 MHz) that is not a li- tries might heavily undermine their capacity in the cense-free band has a different status. In this case future to keep the pace with international com- each country has taken up the responsibility of merce. Table 2-2: EU27 UHF spectrum allocation Country Status Frequency Power Protocol Comments Austria OK 865.6-867.6 MHz 2 W erp LBT New regulations in place since 2 February 2006 Belgium IP 865.6-867.6 MHz 2 W erp LBT New regulations should be in place in 2006 Bulgaria IP 865.6-867.6 MHz 2 W erp LBT New regulations should be in place in 2006 Cyprus IP 865.6-867.6 MHz 2 W erp LBT New regulations should be in place in 2006 Czech Republic OK 865.6-867.6 MHz 2 W erp LBT Denmark OK 865.6-867.6 MHz 2 W erp LBT New regulations in place since January 2005 Estonia IP 865.6-867.6 MHz 2 W erp LBT New regulations should be in place in 2006. License possible. Finland OK 865.6-867.6 MHz 2 W erp LBT New regulations in place since 3 February 2005 France IP 865.6-867.6 MHz 2 W erp LBT New regulations should be implemented in July 2006 Germany OK 865.6-867.6 MHz 2 W erp LBT New regulations in place since 22 December 2004 Greece IP 865.6-867.6 MHz 2 W erp LBT New regulations should be in place in 2006 Hungary IP 865.6-867.6 MHz 2 W erp LBT Implementation is in progress Ireland IP 865.6-867.6 MHz 2 W erp LBT New regulations should be in place in 2006 Technical Report Series Italy IP 865.6-867.6 MHz 2 W erp LBT Conflict with band allocated to tactical relays military application. Temporary licenses available. Latvia IP 865.6-867.6 MHz 2 W erp LBT New regulations should be in place in 2006 Lithuania IP 865.6-867.6 MHz 2 W erp LBT Individual license required. New regulations should be in place in 2006 Luxembourg IP 865.6-867.6 MHz 2 W erp LBT New regulations should be in place in 2006 Malta IP 865.6-867.6 MHz 2 W erp LBT Individual license required. New42 regulations should be in place in 2006 11 To check the ISM Bands reference can be made to “European Radiocommunications Committee (ERC) within the European Conference of Postal and Telecommunications Administrations (CEPT)” at http://www.ero.dk/eca-change .
RFID technologies Country Status Frequency Power Protocol Comments Netherlands OK 865.6-867.6 MHz 2 W erp LBT New regulations will be in place since 27 February 2006 Poland OK 865.6-867.6 MHz 2 W erp LBT New regulations in place since October 24th 2005 Portugal IP 865.6-867.6 MHz 2 W erp LBT New regulations should be in place in 2006 Romania OK 865.6-867.6 MHz 2 W erp LBT New regulations in place since April 7, 2006 Slovak Republic OK 865.6-867.6 MHz 2 W erp LBT New regulations in place Slovenia IP 865.6-867.6 MHz 2 W erp LBT New regulations should be in place in 2006 Spain OK 865.6-867.6 MHz 2 W erp LBT New regulations will be in place by January 2007 Temporary licenses available. Sweden OK 865.6-867.6 MHz 2 W erp LBT New regulations approved 13 Dec 2005. In the law since 1 Jan 2006 United Kingdom OK 865.6-867.6 MHz 2 W erp LBT New regulations in place as of 31 January 2006 Table 2-3: UHF spectrum allocation in other European countries Country Status Frequency Power Protocol Comments Bosnia Herzegovina NA Croatia IP 865.6-867.6 MHz 2 W erp LBT New regulations should be in place in 2006 Iceland OK 865.6-867.6 MHz 2 W erp LBT Macedonia, FYR NA Norway IP 865.6-867.6 MHz 2 W erp LBT New regulations will be in place in 2006 Serbia NA Montenegro NA Switzerland OK 865.6-867.6 MHz 2 W erp LBT Turkey IP 865.6-867.6 MHz 2 W erp LBT Conflict with band allocated to tactical relays military applications2.2. Efficient use of spectrum sive RFID). Considering this, it can be assumed allocation (RFID, WiFi, ZigBee) that the emitted power of active RFID systems (tags and readers) is significantly lower than the emit- The selection of the technology to be used ac- ted power related to passive RFID systems. The Technical Report Seriescording to the application scenario is a hard issue disadvantages connected to spectrum occupancyto solve because it has to take care of several fac- are related to the use of passive RFID for bandstors that rely upon the application requirements that can be used by other wireless system becausebut also upon the availability of spectrum re- a passive reader may occupy a significant portionsources. By using passive RFID systems (tags and of the spectrum not allowing other systems to workreaders) the tags do not need batteries but the over- properly.all power emission radiating from the reader has tobe much higher than battery operated active RFID An example of this is the 2.45 GHz ISM band 43systems (where the power source of the tags itself where technologies like WiFi, Bluetooth and Zig-can be used to send a response from an interroga- Bee coexist (see Section 4.2 for information abouttion without waiting for an electromagnetic field these technologies). If active RFID tag technologycoming from the reader in order to enable the pas- is used, the effect can be considered similar to hav-
2. Spectrum allocation ing multiple ZigBee networks situated in a limited - Types of material of the tagged objects area: in that case the spectrum can be crowded but (problems with fluids) the power level can be maintained low enough to - Operational environment (propagation guarantee the correct functionality of the networks. environment can significantly change its If a 2.45 GHz passive RFID system is placed inside a WiFi network, it can seriously affect the WiFi effect according to the frequency range) performance. So attention has be paid into the • Cost: combined use of active and passive RFID tech- nologies and the frequency band choice because - Referred to the RFID tags; the application behaviour can be affected by it. - Referred to the RFID readers; In general the choice of the frequency band - Referred to the RFID system (middleware has to take into account the following points that and network infrastructure). are strictly connected to application requirements and cost of the final solution: Therefore, in order to guarantee multiple radio solutions in a limited area, attention has to • Application requirements: be paid to the choice among the passive RFID tag - Range of readings; solutions; the trade-off with active tags can be - Number of simultaneous readings per sec- found considering the cost of the active RFID tags ond; and the fact that battery operated systems could - Frequency of readings (it can discourage require replacement (it strictly depends upon ap- the use of active RFID tags); plication requirements and frequency of readings). Technical Report Series44
RFID technologies 3. RFID standards As RFID technology continues to expand, the special reference to EPCglobal standards. It has toneed for establishing global standards is increasing. be noted that the electromagnetic power that is ra-Many retailers have completed RFID trials within diated by the reader in order to read the tags has atheir supplier communities, adding pressure on relevant impact on the maximum distance be-manufacturers and suppliers to tag products before tween the reader and the tag: increasing power en-they are introduced into the supply chain. However, ables increasing the read distance and themanufacturers cannot cost-effectively manage RFID technology exploitation potential. The radiatedtagging mandates from disparate retailers until power can be measured in different ways. As anglobal standards are established. This process re- example US standards allows a maximum radiatedquires the creation and acceptance of data stan- power of 4W EIRP (Equivalent Isotropic Radiateddards that apply to all countries, and it requires Power) while European standards allow for 2Wscanners to operate at compatible frequencies. ERP (Effective Radiated Power). If the power radi- ation characteristics have to be compared then it Figure 3-1 provides an overview of the rele- should be noted that 2W ERP is equivalent tovant RFID standards and their relationships with 3.28W EIRP thus comparable to the US 4W. Figure 3-1: RFID frequencies and relevant standards Technical Report Series3.1. EPCglobal12 standards on how to attach information to prod- ucts, EPC enables organizations to share informa- EPCglobal is a member-driven organization of tion more effectively. The vision of EPCglobal is toleading firms and industries focused on developing facilitate a worldwide, multi-sector industry adop-global standards for the electronic product code(EPC) Network to support RFID (see also Section tion of these standards that will achieve increased1.5.1) The EPC is attached to the RFID tag, and efficiencies throughout the supply chain—en-identifies specific events related to the product as abling companies to have real-time visibility of 45it travels between locations. By providing global their products from anywhere in the world.12 EPCglobal ratified Standards can be downloaded at: http://www.epcglobalinc.org/standards_technology/ratifiedStandards.html
3. RFID standards The Board Of Governors of EPCglobal is com- inant position with respect to Asia or Europe: sup- posed by the following enterprises: P&G, GS1, ply chain requirements are the same all over the Sony, Lockheed Martin, Wal*Mart, DHL, HP, world. On the other hand, probably in virtue of the Metro, Cisco, Novartis, Johnson&Johnson, OAT nationwide availability of UHF frequencies, the Systems, USA DoD. It is composed by leader com- US appears to be in front of the others in terms of panies (20% user and 80% technology) that are trials and operational RFID automated installa- using RFID, most notably the giant U.S. based tions. Whereas Wal*Mart and the DoD play the Wal*Mart supermarket chain, and houses very few star role in the US, in Europe METRO and TESCO run short behind.13 technology providers. This distribution mimics the intentions of EPCglobal in order to ensure that sup- In Table 3-1 an overview of the different EPC ply chain process requirements, settled by user protocols is summarized: the recent EPCglobal companies, lead the standardization process: RFID Generation 2 protocol (chosen by Wal-Mart for its should be kept functional to supply chain pur- RFID adoption) is reported as Class 1 Version 2 ac- poses. In this situation the US do not have a dom- cording to EPC Protocol naming. Table 3-1: EPCglobal Protocol14 Protocol Frequency Description Class 0 UHF Read-Only – Manufacturer pre-programming Class 0 Plus UHF Read-Write Class 1 HF/UHF Write-once, Read-Many (WORM) Class 1 Ver. 2 UHF WORM Class 2 UHF Read-Write Tag With reference to the EPCglobal framework of the most discussed in the last year because it the relevance of the specification activity being promises good range and performances. carried out to define the framework architecture As a general consideration it should be said should be noted. This activity has the objective to that the currently relevant EPCglobal specifications allow for the worldwide retrieval of information, are the low level technology, i.e. the tag radio in- from manufacturing to retail, regarding some prod- terface, and the coding, i.e. the Electronic Product uct item. Each organization involved in the man- Code –EPC. The first one is critical to allow the ufacturing and distribution of some product might possibility of reading worldwide the EPC tags and publish, by means of the “Information Service” the second one allows the possibility of having a component, information regarding the local treat- unique worldwide way of coding the tags. The ment of the product item. During the whole other published specification, namely ALE, is to be process down to the actual exploitation of the considered as more manufacturer related in order product item, this information can be made avail- to foster the independent development of supply able to consumers too, by means of the “Discov- chain applications and RFID infrastructure. Still ery Service” and the “Object Naming Service” under development is the other relevant and prob- Technical Report Series (ONS) through a system similar to the Domain ably even more impacting EPC Information Ser- Name Service-DNS of the Internet. vices (EPC-IS) interface. When available this will The recent EPCglobal Generation 2 protocol allow the automation of supply chains among dif- (chosen by Wal-Mart for its RFID adoption) is one ferent companies. 13 The organization has set itself tough targets in developing standards and interfaces for most of the elements of an RFID system, as follows: a) The Electronic Product Code (EPC), b) The standards for the ID System describing the functions, interfaces and communications pro-46 tocols for the reader and tag, c) EPC Middleware that will sit between RFID readers and enterprise applications, ensuring that erroneous, duplicated and redundant information is filtered out, d) The Object Name Service (ONS) that will be operated by Verisign under con- tract to EPCglobal, e) The EPC Information Service (EPC-IS) that will store, host and provide access to serial number specific informa- tion about products as they pass along a supply chain, f) The EPC Discovery Service providing subscribers to EPCglobal and EPC-IS with additional information about individual items for tracking and tracing purposes. 14 The latest protocol is highlighted
RFID technologies3.2. International Organization for • 18000-7 Part 7 – Parameters for Air Interface Standardization (ISO) Communications at 433 MHz The International Organization for Standard- The first part is the defining document that ex-ization (ISO) is a network of national standards in- plains how the standard works and the rest are di-stitutes of 148 countries working in partnership with vided by frequency. A revision to all the parts ofinternational organizations, governments, indus- 18000 will include fixes to the standards based ontries, and business and consumer representatives. actual issues discovered during the use of the stan-The ISO asserts jurisdiction over the Air Interface dards along with the addition of the capabilities to(the frequency spectra used for RFID transmission) use batteries and sensors with the existing tech-through standards-in-development ISO 18000-1 nologies. Work has started on this area at the endthrough ISO 18000-7. Members15 of ISO are world- of 2005.wide national organizations for standardization. Forexample the United States are members throughAmerican National Standards Institute (ANSI), 3.2.2. 18000-1 Part 1 – generic parametersFrance through Association Française de Normali- for the air interface for globally ac-sation (AFNOR), Italy through Ente Italiano di Unifi- cepted frequencies16cazione (UNI). ISO/IEC 18000-1:2004 defines the parameters International Organization for Standardization to be determined in any Standardized Air Interface(ISO) in collaboration with the International Elec- Definition in the ISO/IEC 18000 series. The subse-trotechnical Committee (IEC) has produced a set ofstandards for the interface between reader and tag, quent parts of ISO/IEC 18000 provide the specificoperating at various radio frequencies. As men- values for definition of the Air Interface Parame-tioned, these standards are numbered in the series ters for a particular frequency or type of air inter-ISO/IEC 18000-n and detailed in the following. face, from which compliance (or non compliance) with ISO/IEC 18000-1:2004 can be established. ISO/IEC 18000-1:2004 also provides description3.2.1. ISO/IEC 18000 information tech- of example conceptual architectures in which nology AIDC techniques - RFID for these air interfaces are often utilized. item management - air interface ISO/IEC 18000-1:2004 limits its scope to • 18000-1 Part 1 – Generic Parameters for the Air Interface for Globally Accepted Frequen- transactions and data exchanges across the air in- cies terface at Reference Point Delta. The means of generating and managing such transactions, other • 18000-2 Part 2 – Parameters for Air Interface than a requirement to achieve the transactional Communications below 135 kHz performance determined within ISO/IEC 18000- • 18000-3 Part 3 – Parameters for Air Interface 1:2004, are outside its scope, as is the definition or Communications at 13.56 MHz specification of any supporting hardware, • 18000-4 Part 4 – Parameters for Air Interface firmware, software or associated equipment. Technical Report Series Communications at 2.45 GHz ISO/IEC 18000-1:2004 is an enabling stan- • 18000-5 Part 5 – Parameters for Air Interface dard that supports and promotes several RFID im- Communications at 5.8 GHz (Withdrawn) plementations without making conclusions about • 18000-6 Part 6 – Parameters for Air Interface the relative technical merits of any available op- Communications at 860 to 960 MHz tion for any possible application. 4715 The complete list of ISO members is available at: http://www.iso.org/iso/en/aboutiso/isomembers/index.html16 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=34112
3. RFID standards 3.2.3. 18000-2 Part 2 – parameters for air protocol values for RFID systems for item identifi- interface communications below cation in accordance with the requirements of ISO 135 kHz17 18000-1. It relates solely to systems operating at 13.56 MHz. ISO/IEC 18000-2:2004 defines the air inter- face for radio-frequency identification (RFID) de- ISO/IEC 18000-3:2004 has two modes of op- vices operating below 135 kHz used in item eration, intended to address different applications. management applications. Its purpose is to provide The modes, whilst not interoperable, are non-in- a common technical specification for RFID de- terfering: vices to allow for compatibility and to encourage • Mode 1 is based on 15693 with inter-operability of products for the growing RFID additions/changes to better suit the Item market in the international marketplace. ISO/IEC management market and improve the com- 18000-2:2004 defines the forward and return link patibility between vendors; parameters for technical attributes including, but not limited to, operating frequency, operating - The Interrogator to Tag data rate is 1.65 channel accuracy, occupied channel bandwidth, kbps (fc/8192) or 26.48 kbps (fc/512); spurious emissions, modulation, duty cycle, data - The Tag to Interrogator data rate is 26.48 coding, bit rate, bit rate accuracy, bit transmission kbps (fc/512). The protocol extension has a order. It further defines the communications proto- precursor data rate ~ 52.97 kbps (fc/256) col used in the air interface. and a main reply data rate ~105.94 kbps ISO/IEC 18000-2:2004 specifies: (fc/128). • the physical layer that is used for communi- • Mode 2 is a high speed interface. cation between the interrogator and the tag; - The Interrogator to Tag data rate is 423.75 • the protocol and the commands; kbps; • the method to detect and communicate - The Tag to Interrogator data rate is with one tag among several tags (“anti-col- 105.9375 kbps on each of 8 channels. lision”). Both of the MODES require a license from the It specifies two types of tags: Type A (FDX) and owner of the Intellectual Property, which shall be Type B (HDX). These two types differ only by their available on terms in accordance with ISO Policy. physical layer. Both types support the same anti- collision and protocol. FDX tags are permanently powered by the interrogator, including during the 3.2.5. 18000-4 Part 4 – parameters for air tag-to-interrogator transmission. They operate at interface communications at 2.45 125 kHz. HDX tags are powered by the interroga- GHz19 tor, except during the tag-to-interrogator transmis- ISO/IEC 18000-4:2004 defines the air inter- sion. They operate at 134.2 kHz. An alternative face for radio-frequency identification (RFID) de- operating frequency is described. vices operating in the 2.45 GHz Industrial, An optional anti-collision mechanism is also Scientific, and Medical (ISM) band used in item Technical Report Series described. management applications. Its purpose is to provide a common technical specification for RFID de- vices that may be used by ISO committees devel- 3.2.4. 18000-3 Part 3 – parameters for air oping RFID application standards. ISO/IEC interface communications at 13.56 18000-4:2004 is intended to allow for compatibil- MHz18 ity and to encourage inter-operability of products 18000-3 ISO/IEC 18000-3:2004 provides for the growing RFID market in the international48 physical layer, collision management system and marketplace. ISO/IEC 18000-4:2004 defines the 17 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=34113 18 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=34114&ICS1=35&ICS2=40&ICS3 19 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=34115
RFID technologiesforward and return link parameters for technical teroperable proprietary solutions but this might notattributes including, but not limited to, operating be a problem as the applications for active tag sys-frequency, operating channel accuracy, occupied tems are mostly localized. Other related standards,channel bandwidth, maximum EIRP, spurious as those for DSRC20 (Dedicated Short Range Com-emissions, modulation, duty cycle, data coding, munications), might take over ISO.bit rate, bit rate accuracy, bit transmission order,and where appropriate operating channels, fre-quency hop rate, hop sequence, spreading se- 3.2.7. 18000-6 Part 6 – parameters for airquence, and chip rate. It further defines the interface communications at 860 tocommunications protocol used in the air interface. 930 MHz21 ISO/IEC 18000-4:2004 contains two modes. ISO/IEC 18000-6:2004 defines the air inter-The first is a passive tag operating as an interroga- face for radio-frequency identification (RFID) de-tor talks first while the second is a battery assisted vices operating in the 860 MHz to 960 MHztag operating as a tag talks first. Industrial, Scientific, and Medical (ISM) band used in item management applications. Its pur- Mode 1: Passive backscatter RFID system - pose is to provide common technical specifica-The FHSS backscatter option or the narrow band tions for RFID devices that may be used by ISOoperation RFID system shall include an interroga- committees developing RFID application stan-tor that runs the FHSS backscatter option 1 RFID dards. ISO/IEC 18000-6:2004 is intended toprotocol or in narrow band operation, as well as allow for compatibility and to encourage inter-one or more tags within the interrogation zone operability of products for the growing RFID mar- Mode 2: Long range high data rate RFID sys- ket in the international marketplace. ISO/IECtem - This clause describes a RFID system, offering 18000-6:2004 defines the forward and return linka gross data rate up to 384 kbps at the air interface parameters for technical attributes including, butin case of Read/Write (R/W) tag. In case of Read not limited to, operating frequency, operatingOnly (R/O) tag the data rate is 76.8 kbps. The tag channel accuracy, occupied channel bandwidth,is battery assisted but back scattering. By using of maximum EIRP, spurious emissions, modulation,battery powered tags such a system is well de- duty cycle, data coding, bit rate, bit rate accu-signed for long-range RFID applications. racy, bit transmission order, and where appropri- ate operating channels, frequency hop rate, hop This air interface description does not explicit sequence, spreading sequence, and chip rate. Itclaim for battery assistance in the tag, also real further defines the communications protocol usedpassive tags or tags for mixed operation are con- in the air interface.ceivable. ISO/IEC 18000-6:2004 contains one mode with two types. Both types use a common return3.2.6. 18000-5 Part 5 – parameters for air link and are reader talks first. Type A uses Pulse In- interface communications at 5.8 terval Encoding (PIE) in the forward link, and an GHz adaptive ALOHA collision arbitration algorithm. Type B uses Manchester in the forward link and an Technical Report Series This part has been withdrawn at the final vot- adaptive binary tree collision arbitration algorithm.ing in 2003. No ISO 18000-5 standard is thusavailable and it will not become a standard unless ISO/IEC 18000-6:2004 has been updated toan ISO member puts forward a new proposal and include the EPCglobal Generation 2 specificationstarts the lengthy standards process all over again as Type C as well as fix issues in relation to TypesIt is here mentioned for completeness. The lack of A and B. This is published as an Amendment to thethis standard will cause the emergence of non-in- standard.22 4920 More details are available at http://grouper.ieee.org/groups/scc32/dsrc/worldwide/inde.html21 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=3411722 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=43923
3. RFID standards 3.2.8. 18000-7 Part 7 – parameters for air Part 1: Physical characteristics interface communications at 433 Part 2: Radio frequency power and signal in- MHz23 terface Amd 1:2005 Bit rates of fc/64, fc/32 ISO/IEC 18000-7:2004 defines the air interface and fc/16 for radio-frequency identification (RFID) devices op- erating as an active RF Tag in the 433 MHz band Part 3: Initialization and anti-collision used in item management applications. Its purpose Amd 1:2005 — Bit rates of fc/64, fc/32 is to provide a common technical specification for and fc/16 RFID devices that may be used by ISO committees Amd 3:2006 Handling of reserved developing RFID application standards. This stan- fields and values dard is intended to allow for compatibility and to Part 4: Transmission protocol encourage inter-operability of products for the Amd 1:2006 Handling of reserved growing RFID market in the international market- fields and values place. ISO/IEC 18000-7:2004 defines the forward and return link parameters for technical attributes including, but not limited to, operating frequency, operating channel accuracy, occupied channel 3.4. European Telecommunications bandwidth, maximum power, spurious emissions, Standardization Institute – ETSI modulation, duty cycle, data coding, bit rate, bit rate accuracy, bit transmission order, and where ap- In the following details are given for the most propriate operating channels, frequency hop rate, relevant ETSI standards with relationship to RFID. hop sequence, spreading sequence, and chip rate. Among them, EN 302 208 has been approved in ISO/IEC 18000-7:2004 further defines the commu- 2005 and is relevant to EPCglobal Class 1 Gen 2 nications protocol used in the air interface. specifications. 3.4.1. EN 300 330 3.3. ISO/IEC 1444324 EN 300 330: Radio Equipment and Systems - ISO 14443 defines a proximity card used for Short range devices, Technical characteristics and identification that usually uses the standard credit test methods for radio equipment to be used in the card form factor defined by ISO 7810 ID-1. Other 9 kHz to 25 MHz and inductive loop systems in form factors also are possible. The RFID reader the frequency range 9 kHz to 30 MHz. uses an embedded microcontroller (including its own microprocessor and several types of memory) This standard defines the characteristics of and a magnetic loop antenna that operates at RFID systems operating at LF and HF. 13.56 MHz. Part 1: Technical characteristics and test The standard consists of four parts and de- methods25 scribes two types of cards: type A and type B. The main differences between these types concern Part 2: Harmonized EN under article 3.2 of Technical Report Series modulation methods, coding schemes (part 2) and the R&TTE Directive26 protocol initialization procedures (part 3). Both type A and type B cards use the same high-level 3.4.2. EN 300 220 protocol (so called T=CL) described in part 4. The T=CL protocol specifies data block exchange and EN 300 220: Electromagnetic compatibility related mechanisms. The diffused MIFARE cards and Radio spectrum Matters (ERM); Short Range comply with ISO14443 part 1, 2 and 3 type A. Devices (SRD); Radio equipment to be used in the50 23 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=37978 24 http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=28728 25 http://webapp.etsi.org/action/V/V20060324/en_30033001v010501v.pdf 26 http://webapp.etsi.org/action/V/V20060324/en_30033002v010301v.pdf
RFID technologies25 MHz to 1000 MHz frequency range with Part 1: Technical characteristics and testpower levels ranging up to 500 mW; methods31 The standard is relevant to UHF (433 MHz Part 2: Harmonized EN under article 3.2 ofand 860-960 MHz) RFID. Nevertheless the power the R&TTE Directive32limitation to 500mW allows only for a limited readrange (<1m). 3.4.5. EN 300 32833 Part 1: Technical characteristics and test EN 300 328: Electromagnetic compatibility methods27 and Radio spectrum Matters (ERM); Wideband Part 2: Harmonized EN covering essential re- transmission systems; Data transmission equip- quirements under article 3.2 of the ment operating in the 2,4 GHz ISM band and R&TTE Directive28 using wide band modulation techniques; Harmo- nized EN covering essential requirements under article 3.2 of the R&TTE Directive3.4.3. EN 302 208 The standard is relevant to microwave (2.45 EN 302 208: Electromagnetic compatibility GHz) RFID.and Radio spectrum Matters (ERM); Radio Fre-quency Identification Equipment operating in theband 865 MHz to 868 MHz with power levels up 3.4.6. EN 300 67434to 2 W; EN 300 674: Electromagnetic compatibility The standard is relevant to UHF 860-960 and Radio spectrum Matters (ERM); Road Trans-MHz RFID. These UHF channel allocations for port and Traffic Telematics (RTTT); Dedicated ShortETSI countries allow 2W (ERP) operation. The stan- Range Communication (DSRC) transmissiondard will permit operation in Europe of product equipment (500 kbit/s / 250 kbit/s) operating in thebuilt in compliance with ISO 18000-6. EN 302 5.8 GHz Industrial, Scientific and Medical (ISM)208 provides for the operation of RFID at UHF fre- band;quencies. It should be noted that this has not yetbeen endorsed by all EU countries. Dedicated Short Range Communication (DSRC) at 5.8 GHz - ElectroMagnetic Compatibil- Part 1: Technical requirements and methods ity and Radio Spectrum Matters (ERM); Road Trans- of measurement29 port and Traffic Telematics (RTTT); Technical Part 2: Harmonized EN under article 3.2 of characteristics and test methods for DSRC trans- the R&TTE Directive30 mission equipment (500 kbit/s /250 kbit/s) operat- ing in the 5.8 GHz Industrial, Scientific and Medical (ISM) band.3.4.4. EN 300 440 Part 2: Harmonized EN under article 3.2 of EN 300 440: Electromagnetic compatibility the R&TTE Directive Technical Report Seriesand Radio spectrum Matters (ERM); Short rangedevices; Radio equipment to be used in the 1 GHz Sub-part 2: Requirements for the On-Boardto 40 GHz frequency range; Units (OBU)27 http://webapp.etsi.org/action/PE/PE20050805/en_30022001v020101c.pdf28 http://webapp.etsi.org/action/V/V20060324/en_30022002v020101v.pdf29 http://webapp.etsi.org/action/OP/OP20060714/en_30220801v010102o.pdf30 http://webapp.etsi.org/action%5CV/V20040903/en_30220802v010101v.pdf 5131 http://webapp.etsi.org/action/V/V20010907/en_30044001v010301v.pdf32 http://webapp.etsi.org/action/V/V20010907/en_30044002v010101v.pdf33 http://webapp.etsi.org/action/OP/OP20060922/en_300328v010701o.pdf34 http://webapp.etsi.org/action/PU/20040810/en_3006740202v010101p.pdf
3. RFID standards 3.5. Conformance testing and tags applied in EU should be readable in Asia and the US, and vice versa. Poor standardization EPCglobal has given to a company named might cancel any benefit of the technology. MET35 the mandate to organize the so called EPC- global inc. Hardware and Performance Testing Asset Management – This means that assets Programs. Only this centralized lab is allowed to (i.e. valuable equipment as well as containers of certify the compliance to EPCglobal standards. spare parts) within a company are tagged e.g. for This applies only to manufacturers that want their a better production process control. In this case, equipment to be marked as EPCglobal compliant. while standards are useful in order to develop a Would manufacturers want to sell their equip- product market, they are not essential: as the tech- ment in Europe, they should be as well certified by nology operates inside each company, a single ETSI accredited labs. But this should be also com- vendor solution can fit the requirements and allow pleted by compliance to other directives as those for the development of innovative solutions. concerning Electro Magnetic Compatibility (EMC). People and animal identification – While pro- As far as the testing equipment, it probably prietary solutions might be acceptable in a first could be said that there is no special need: proba- phase, in the long term standard approaches will bly any telecommunication conformance testing be mandatory in order to exploit the technology. lab should be already skilled enough to certify the An RFID identity card should eventually be glob- compliance of some RFID equipments to the ETSI ally readable by means of devices complying with standards and to the different national and Euro- a global standard. The same criteria apply to ani- pean directives. mal identification in order to allow for the tracking It should be noted that conformance testing across borders. of RFID equipment is mainly relevant for the ex- E-payment – This case is similar to the previ- tended supply chain, namely the one where the ous one also in terms of the technology. The bank- same tag is companion to a product from its man- ing sector might have enough power to develop ufacturer premises down to the consumer home. their own solutions and impose them to manufac- In the case of the so-called “closed loop” supply chain, where the tags are applied on the contain- turers. ers which are used to move goods inside the com- Toll payment – Highway toll payment should pany and never exit, then compliance is much less also be standardized to support “roaming” like relevant: all that is needed is that the tag can be services across different operators and/or coun- read by the readers and in these cases this is en- tries. sured by using technology of a single manufac- turer. Access Management – This refers to solutions deployed inside a company or an organization in more general terms. Each employee holds a per- 3.6. Interoperability issues sonal RFID badge that (included in an access con- trol system using identifiers such as biometrics) Standards are generally critical where there is Technical Report Series allows the entrance in protected areas. Though this the need to ensure interoperability among systems developed by different manufacturers and, in more application does not require a global standard, general terms, where the development of a prod- RFID standards for people identification are de- uct market requires fostering. For RFID a number sired. of application examples is hereafter reported, dis- Car keys – Each car manufacturer might in- cussing interoperability issues. stall proprietary solutions as each key should just Integrated Logistics – Standards are clearly work with the reader installed inside the car. Man-52 needed as tagged items can be shipped worldwide ufacturers’ de-facto standards are emerging. 35 http://www.metlabs.com/pages/RFID.html
RFID technologies 4. RFID technologies: RFID system features In Section 4.1 we scope RFID to some basic world around us. This Section presents a visioncomponents and define two distinguishing usage how to use RFID in the most optimal manner.scenarios which we will use throughout the rest ofthis deliverable. 4.1.1. RFID definition and positioning Section 4.2 focuses on the key technologies In order to be able to position RFID in rela-for future RFID implementation. Based on the clas- tion with other technologies, to place it in a con-sification of technologies around RFID we present text, we use the view presented in Figure 4-1. Thishere a schematic overview of technologies and view contains readers as well as tags. It shows thattheir capabilities in relation to RFID. RFID provides functionality to exchange RFID data In Section 4.3 a view is presented on the RFID (RFID Comm) and to store application data on thetag lifecycle process and the states in the lifecycle. tag. However, the application data itself is not partFinally, a future development of the technology is of the RFID definition, but can be used e.g. by apresented. sensor application. In Section 4.4 a typology on RFID usage is The figure shows RFID technology, consistingpresented. Based on a three layered viewpoint of readers and tags. When it is complemented withmodel and a usage domain model, the RFID usage storage and/or sensors a more advanced (sensor)typology is described. In this chapter different tag can be constructed.usage domains are positioned against RFID related In order to interpret information on tags, theaspects. reader must be connected to some information processing system. This connection can be made via different wired or wireless network technolo-4.1. The RFID-systems perspective gies (Network & Data Comm). The main capability RFID offers is to link The figure shows also that there are otherevents from the real world, actual movement of technologies which are based upon (part of) RFIDobjects, to business control software. In other and extend them. Near Field Communicationwords RFID helps to virtualise some of the real (NFC) and Mifare are such technologies. Figure 4-1: Positioning of RFID-system Technical Report Series Implementation Technical 53
4. RFID technologies: RFID system features 4.1.2. Two views on using RFID tionality. Notwithstanding the differentiation in technology, the features of virtualisation (identifi- Two perspectives (or abstract usage domains) cation, location and state) will remain the same. can be discerned when looking at how RFID can Certain technologies are specifically designed for be used in present and future environments: one of these aspects, e.g. a temperature sensor to • RFID for business process automation collect the temperature state of an object. Others In this perspective RFID is used to auto- offer information about two or all three aspects. mate a single business process. This can be a very large business process, but the focus RFID is designed for identification, but offers is on the internals of this business process also limited location information. After all, at the and how to automate them. moment the RFID tag is scanned by the RFID reader, the location of the tag is also known. • RFID for business domain computerization Therefore also the location of the object the tag is In this perspective RFID is used in an en- tire business domain. Therefore we speak attached to is known about computerization; entire processes RFID can also be used to collect state infor- will change due to the use of RFID within mation. Some tags have memory which can be the domain. used freely, for instance to store specific context The main capability RFID offers is to link information about the object. events from the real world, for instance the actual This all turns RFID into a promising technol- movement of objects, with business control soft- ogy for implementation in a (sensor based) net- ware. The next paragraph discusses this in more work. detail. 4.1.3. Aspects for object virtualization 4.2. RFID system perspective In order to virtualize an object into the com- This section presents an overview of the rela- puter three aspects are important: tionship of RFID with network technologies. To en- • Identification able a fruitful comparison, we will introduce a An object in the real world must be identi- typology to indicate the relation between RFID fiable in order to uniquely collect informa- and network technologies: they enable each other, tion about that object and, if desirable, they enhance each other, or they are concurrent change it. to each other. • Location Each identifiable object in the real world 4.2.1. Classification of technologies has, at a specific point in time, a specific around RFID location. • State We identify three classes to order the relation The state of an object is the determination between RFID and network technologies: Technical Report Series of specific characteristics of that object, • Enabling technology other then its identity and its location, e.g. • Enhancing technology its colour, temperature, etc. Movement and speed of the object is also dimension of • Concurrent technology state. In Figure 4-2 these classes are mapped onto RFID is not the only technology which can be the RFID positioning figure from section 4.1 and54 used to collect these aspects. A number of other will be used to characterize the different technolo- technologies are available that offer similar func- gies.
RFID technologies Figure 4-2: Classification of technologies around RFID Implementation Technical On top of the RFID model introduced in the enabling technologies. They make a remote andprevious section, the three classes are drawn, each or mobile RFID reader possible.pinpointing to distinct aspects of RFID: the en-abling class on top of the network, the enhancingclass on top of the RFID extensions and the con- • Local Area Networks (LAN)current class on top of the basic RFID functional- LAN networks can be used to distribute theity. Each of these classes represents a different way RFID readers over a remote location withinto compare RFID with other technologies. a building or premises. Some of them are We do not imply that network technologies wireless, others are wired. Note that in eachare uniquely positioned towards one of the identi- case the RFID reader must be equippedfied aspects of RFID. A technology such as Zigbee with the appropriate interface, or an adaptercan be placed in more than one class. Zigbee can device must be added. Note that most RFIDbe seen as a LAN technology, connecting RFID readers on the market today still have onlyreaders in a larger network. But Zigbee is also part a serial (RS232/RS485) interface.of the concurrent class because it can compete - Ethernet / UTP (IEEE 802.3)with active RFID in offering a solution for identifi- A cable technology very widely used tocation and location. connect computers to a network, Internet or intranet. The network topology are4.2.2. Enabling technologies stars (connecting local computers), con- nected to each other possibly forming a The enabling technology class is about com- very large network.munication technologies which enable the use of Speeds between 10 Mbits/s and 1 Gbits/s Technical Report SeriesRFID and increase the application area of RFID. are common, the current standard is 100As shown in Figure 4-1, this class is about con- MBits.s.necting the RFID readers with the back-end of - UWB (IEEE 802.15)RFID systems. Without a network only local RFID UWB stands for Ultra Wide Band, a wire-solutions are possible, for instance a standalone less technology still in development.PC or PDA with a RFID reader. Due to enabling UWB does not have its own single fre-technologies it is possible to distribute RFID read- quency; it uses existing frequencies ofers around a larger area. 55 other technologies. By using very low Examples of often used communication tech- transmission power it stays within thenologies to connect RFID readers onto a network background noise of the other technolo-are listed below. Note this paragraph is about the gies, so there is no interference. Depend-
4. RFID technologies: RFID system features ing on the range, with UWB speeds rang- GSM/GPRS can operate in three different ing between 1Mpbs (100m) and frequencies: 900 Mhz, 1800 Mhz and 400Mbps (4m) this technology is ex- 1900 Mhz. GPRS can reach speeds up to pected to hit the mass market by 2008. 52 kBits/s - Wifi / WLAN (IEEE 802.11) - UMTS A wireless network technology, often The Universal Mobile Telecommunica- used as a wireless version of Ethernet. tions System is introduced as the succes- Speeds between 11Mbits/s and 54Mbits/s sor of GSM/GPRS. Therefore it is called a are commonly used. third generation (3G) mobile communi- cation technology. Speeds of 384Kbits/s - ZigBee (IEEE 802.15.4) are possible and in theory even 2Mbits/s. This network is especially designed for At this moment it starts to become avail- low power, mesh networks. Therefore it able, but is still expensive to use. is very suitable to connect sensors and RFID readers. It will last a long period of - WiMAX time with one battery, typically 3 years. It The Worldwide interoperability for Mi- can easily adapt to changes in network crowave Access is an emerging standard topologies if sensors are moved around, which will come to the market in the next added or removed. couple of years. First field trials are al- ZigBee can only transfer limited amounts ready taking place. In theory ranges up to of data, several 100kbits/s within the en- 50km are possible and speeds up to tire ZigBee network, so individual ele- 80Mbit/s at short distances. WiMAX is ments can only transmit a portion of that seen as an alternative for GSM and per time-period. UMTS, but also for ADSL or cable con- In general such mesh networks are called nections. At this moment it is too early to Wireless Sensor Networks (WSN). These predict the future of WiMAX. networks are self organizing, enabling a • Personal Area Networks (PAN) dynamic multi hop infrastructure. This PAN networks are used when the RFID means that the network topology can reader are located at very close distance (up continuously change while the network to a few meters) to the person operating keeps its functionality and each node can them. In most cases the RFID reader will be communicate with all the other nodes. mobile and connected to or integrated with Topology changes can occur due to fail- a PDA or mobile phone. ure of one of the nodes or because the nodes are mobile and move, constantly - Bluetooth changing the wireless nodes in reach. Has been developed for replacing the local wires around a computer, some • Wide Area Networks (WAN) people call it therefore a wireless wire. It WAN networks are used when the RFID is described in the IEEE 802.15.1 stan- readers must be distributed over a much dard. Speeds are between 1 and 10Mbits/s and it has a range of 1-100 me- Technical Report Series larger area compared to LAN technologies or when a user does not have access to the ters depending on the class. local LAN networks. Bluetooth starts to become standard in most laptops and mobile phones, en- - GPRS abling easy wireless access to a number GPRS stands for General Packet Radio of devices. A drawback of Bluetooth is Server. It is an addition on GSM (Global that it needs relatively much power, so System for Mobile Communications), a battery based devices like mobile phones network which many countries use for56 have to be recharged more often. their mobile phone infrastructure. De- pending on the used local network oper- Pencil-like RFID readers with a Bluetooth in- ator, mobile phone coverage over the terface to a mobile phone or PDA start to become entire country is not exceptional. available.
RFID technologies4.2.3. Enhancing technologies log, etc. In most cases the additional memory on a tag is used to store just static data which can be The enhancing technology class is about tech- updated from time to time.nologies which extend the usage of RFID, they en-hance RFID. By adding extra functionality upon RFID in itself is not a very secure technology.the basic RFID capabilities on the tag, new appli- Tags can easily be read using a reader and thecations become possible. Some of these additions wireless communication can be monitored by oth-fit perfectly in the passive RFID tag model, they do ers. For situations where more security is needed,not need a power source of their own. Others need for instance access control to buildings, special se-an additional battery on the tag. They also want to curity extensions are developed. They make it pos-perform tasks when the tag is not within the field sible to communicate, in a secure manner, secretsof a reader, therefore a more predictable energy between the tag and the reader. The two most im-source is needed like a battery. Note that some ex- portant standards which make this possible are thetensions are made just on the tag (memory), other smartcard standards of Philips: Mifare and Sony:extensions need changes both on the tag and in Felica. Most commonly they are used in companythe reader (security) while some extensions take cards to unlock doors, logon to computers, etc.place outside the direct scope of RFID (serviceplatform). Battery-based extensions In the next three subsections different enhanc- A battery is needed to make additional func-ing technologies will be discussed. We will look tionality of the RFID tag possible. Therefore, aat powerless extensions, battery based extensions major factor in extending RFID is the developmentand devices that combine the reader and tag func- of small, powerful, flexible batteries. By combiningtionality. a RFID tag and such a battery, a device is created with the form factor of a credit card. The batteryPowerless extensions offers a constant power supply on the tag, even if the tag is not within the field generated by the The two most important powerless extensions reader.of a RFID tag are adding: To save energy most tags are active only dur- • Memory ing very short periods of time. The active periods • Security are controlled by timers, e.g. tag is activated to take a measurement once a minute. For this type of Additional memory is a very common exten- tags lifetime of 3-7 years is possible.sion; most RFID tags are capable of storing addi-tional data. This is a necessity if a specific ID must There are three main purposes to add a bat-be stored on the tag, next to the factory UID (Uni- tery to a RFID tag:versal IDentifier). The factory UID is determined • To add functionality on the RFID tag, induring the production process of the tag and each most cases sensors.tag has memory to store the UID. • To boost the communication range between Other use of additional memory is storing in- the tag and the reader. Technical Report Seriesformation about the object it is related to. For in- • When the tag has a boosted communica-stance colour, size or maintenance track record of tion range, it becomes possible to let thethe object, etc. Also biometrical data can be stored RFID tag initiate an event by itself, insteadin the memory of the tag, for instance in your pass- of waiting until it gets interrogated by aport. Biometrical devices can scan your fingerprint reader.or eye and compare it with the data on the pass-port to check if you are who you say you are. At Additional functionalitythis moment there are no tags which allow chang- 57ing the program of the tag itself to change its be- Adding a battery to an RFID tag opens ahaviour. Only configuration parameters which whole new range of possibilities: adding sensorscontrol the behaviour of the tag can be stored in to the tag, measuring an external aspect in the realmemory. Think about starting or stopping a sensor world. For instance, temperature, humidity, a toxic
4. RFID technologies: RFID system features substance, movement, etc. Measurement informa- In combination with a sensor this provides a pow- tion can be stored on the tags’ memory and can be erful tag. For instance, by putting a movement sen- read via a RFID reader. Measurements can be sor on an active RFID tag, a surveillance monitor taken at certain intervals, for instance every system for a museum can be build. Putting an ac- minute. But also event based measurement is pos- tive movement tag on the back of each painting, sible, when the temperature raises above a certain these paintings can be monitored at all times. threshold for instance, the timestamp of that event When a painting is removed from its place, this is logged. event can directly be reported to the surveillance system. The very moment someone, thief or per- Using this mechanism, it becomes possible to sonnel, is moving the painting, the sensor on the pinpoint to specific events, for instance the mo- tag will trigger an event and the tag will emit a sig- ment an object was undesirably defrosted. Imagine nal. If the painting is scheduled to move, the alert the situation when deep frozen fish food was will be notified but nothing will happen. But if the moved from a cooling container into a cooling painting is not scheduled to move, the alert may truck and was left for 2 hours in the sun. After- alarm security officers. In fully automated (i.e. vir- wards it was frozen in again within the truck. tualized) systems, it will become possible to inte- Using temperature logging tags these fluctuations grate the various planning and alert systems, in temperature can be traced and reported back to leading to fully automated alarms when something responsible parties. is occurring which has not been foreseen by the integrated system. But even with less sophisticated Communication range boost systems, the thief can be tracked by the paintings- tag within the museum using the location algo- RFID tags which use a battery to boost its rithms of the active RFID solution. communication range, are called “active RFID” tags. They use a different frequency than passive Combination of reader and tag in one device RFID, but they work in the same way as passive RFID tags. Most active RFID systems can cover an Besides adding power and functionality, there area within range of maximum 200m in an ideal is a third method of enhancing RFID: combining situation. In reality physical obstacles such as the tag and reader into one device. This offers two- walls, metal (cars), water, etc have a significant in- way communication between both devices, each fluence. device can act as either a tag or a reader. Espe- cially for mobile equipment, e.g. a PDA or mobile Because an active RFID tag transmits a signal phone, this can be a useful feature. Sometimes the of its own, special signal strength algorithms can PDA acts like a tag, communicating with existing be used to determine more precisely the location readers. On other moments the PDA can read of the object. In contrast, passive RFID-systems, RFID tags itself. which have typically a read range of about be- tween 0.1 and 0.5m, can give an accurate (0.1 - The only technology at this moment which is 0.5m tolerance) location of the tag if it is in the using this approach is NFC: Near Field Communi- field of the reader. At the moment the tag has left cation. NFC started as cooperation between the reader field, the location becomes unknown. Philips and Sony in 2002, Nokia joined soon af- Technical Report Series terwards. NFC is designed, as the name already in- Tag event initiation dicates, for very short range (10 cm) wireless communication. Its purpose is to securely trans- Active RFID tags have the opportunity to ini- port small amounts of data mainly for configura- tiate an event by themselves. Because the commu- tion purposes or initiating actions and/or nication range is in most cases large enough to communication. It uses the 13.56 MHz RFID fre- cover the entire desired area, tags have the oppor- quency and has a data exchange rate of up to 42458 tunity to communicate data to readers at all times. kbit/s.
RFID technologies Figure 4-3: NFC architecture NFC is a smart combination of existing and complex. With NFC you only have to holdnew technologies. For secure communication it re- the two devices close to each other andlies on Mifare / FeliCa. Both technologies are com- the necessary configuration informationpatible with each other and are using widely can be exchanged in a secure manner.accepted standards for secure RFID. Payment pos- • Configure consumer appliances to interactsibilities are added using existing SmartCard tech- with each other. For instance holding yournology. Besides combining all these existing mobile phone next to the audio systemtechnologies, the only really new feature of NFC is will automatically configure the mobiletwo-way communication.36 This makes it possible phone and the audio system to startto exchange information between two NFC de- streaming your favourite mp3s.vices in an efficient manner. The focus of NFC is • Configure the train ticket you need. Just byon small amounts of data and not on streaming holding your NFC enabled phone / PDAdata flows. It can however be perfectly used to set towards a map of the railway stations, theup a streaming data flow, automatically configur- exact e-ticket from the current station to-ing all the aspects needed to make the stream flow. wards the desired station can be transmit-In case of configuring a WiFi connection, think Technical Report Series ted to your device.about the IP address and mask the IP address of theDNS server, WEP key, etc. • The SmartCard technology within NFC can assist in the payments for goods or The main application areas for NFC: tickets, using a standard way to specify • Configure the device to use securely an how much money between which parties existing communication network such as must be transferred. A special service WiFi or Bluetooth. Setting up the neces- provider, a bank for instance, will perform sary keys, IP addresses, etc. can be quite the actual money transfer. 5936 Two-way communication is defined as a mode where both communication partners are able to initiate communication. However, in a session it is possible that one or both partners are sending information; the first one with requesting data, the second optionally with re- sponse information.
4. RFID technologies: RFID system features The future of NFC is still uncertain. At this UID. However, in more distributed application do- moment a number of field trials are happening all mains a central operating registry is responsible for over the world. There are still a very limited num- the search and discovery of object information. In ber of mobile phones equipped with NFC, let the EPCglobal architecture the ONS (Object Name alone WiFi base stations, TVs, camera’s etc. The Server) is responsible for this functionality. technology is promising in its capabilities. Making it all work depends not only on technology but RFID middleware is a complex subject which also on standards, interoperability, and service is in full development at this moment. This is out- providers. side the scope of the deliverable. RFID middleware 4.2.4. Concurrent technologies Enhancing technologies not only apply to the The concurrent technology class is about net- RFID tag and/or reader themselves, but also to the work technologies which offer (part of) the same information systems which process the RFID events. functionality as RFID does, they are concurrent to- Using RFID events within existing applications, wards RFID. As introduced in section 4.1.3 , we such as Enterprise Resource Planning (ERP) or Cus- have described RFID based on three aspects: tomer Relationship Management (CRM), poses the • Identification need of some form of adaptation. This functionality • Location is performed by the so called RFID middleware. • State This middleware has four major tasks: 1. Be able to connect RFID readers from dif- The following three paragraphs describe ferent manufacturers. Unfortunately there today’s most important technologies which can is still not a single standard to connect a also be used to implement that specific aspect. RFID reader. So adapters for each manufac- This tends not to be a complete list. turer are still necessary. Identification 2. Filter the RFID event stream. When hold- ing a RFID tag within the field of a RFID For identification purposes the most obvious reader produces a flow of events telling that alternative of RFID is the barcode. A barcode is a the tag is still in the field. In most cases only visual image containing black and white bars in a the entrance of the tag is important. There- certain pattern. Using an optic device like a cam- fore all the “double reads” of the RFID tag era or laser reader, the barcode can be read and must be filtered out. the code deciphered. The advantage of barcode is that it is extremely cheap. The disadvantages are 3. The RFID tag contains in most cases only a its vulnerability to physical damage, the need for a (U)ID, an unique number. The existing ap- line of sight between the barcode and the reader plications do know nothing about these and the lack of dynamic content (memory, sensor, numbers, so they must first be converted etc) (See also section 1.2.4). into known references of the object the tag Technical Report Series is attached to. For instance in the case of a Another possibility for identification of an chair, the serial number. object is the use of an existing wireless commu- nication infrastructure, for instance WiFi. Each 4. At this stage the object is identified in a WiFi enabled device has a wireless interface know manner and the event is ready to be with its own identification within the WiFi net- send to the existing application. Unfortu- work, its MAC (medium access layer) address. nately each application had its own inter- Each base station within the WiFi network knows face demands. So again an adaptation layer which MAC addresses are available within its60 is necessary to be able to interface with the field, and therefore which WiFi devices are pres- application and deliver the RFID event. ent. By linking a WiFi device one-to-one to an In single application domains it is relatively object, identification of that object becomes pos- simple to discover object information based on the sible.
RFID technologies Especially in situations which already have a cation accuracy close to the 0.5m, thus similar toWiFi network this can be a useful and cheaper so- passive RFID.lution than installing RFID readers and tagging allthe objects. Note that when operability is needed In a similar manner WiFi can be used for lo-between different sites, technically meaning differ- cation purposes. Existing equipment, such asent WiFi networks, things get complicated because PDA’s or laptop, can be pinpointed to a certainall the WiFi devices must be known on all loca- WiFi-base station. This provides a rough but verytions, without necessarily giving them access to cheap location mechanism. It just uses the existingthe entire (company) network. WiFi network which is already in use. A small soft- ware extension can provide the location informa- UWB can be used in a similar manner for tion.identification and location. Special UWB tagswhich continually transmit a unique ID are de- As explained in the previous section on loca-tected by location detectors. Time, place and op- tion, UWB can also be used for location purposes.tionally direction are being measured, resulting in When even the range of active RFID becomesan absolute location within the UWB network too small, other options remain: using networksarea. with a global coverage (GPRS) or GPS. GPS uses A new emerging technology which has prom- satellites to determine the location of the GPS de-ising aspects to be used for identification and loca- vice. On other cases computer vision can be usedtion is Zigbee. For more information and to identify and locate. Perhaps even ultrasound orapplications of Zigbee see section 4.2.2. infrared sensors can be used, although the range is not necessarily larger then active RFID. A special note on identification: there is a riskin using technology related identification, e.g. the RFID can be used for location based services.factory UID in a RFID tag, to identify an object. In Using passive RFID objects or people can be lo-case of loss of a tag or unrepairable damage, it is cated on a specific location at a certain point ofproblematic to acquire a new tag with the same time. These locations can be anywhere in theUID. So although the object is still the same, it gets world, but are only snapshots in time. Using ac-a new identification. Using an identification tive RFID provides a lot more real time locationscheme which is separated from the technology capabilities, but only in a local area. For advancedavoids this problem. For instance using tags with location based service several technologies,memory to store their own ID. among which RFID, can be combined generating a more accurate view of the location of the objectLocation / person. Passive RFID does only offer a discrete solu- Statetion to determine the location of objects. Onlywhen the tag is within the field of the RFID reader Adding state information is no different toit can be located, in fact it can be related to the lo- RFID than to any other technology discussed incation of the reader itself. In the same manner bar- this deliverable, in both cases sensors are an addi-codes could be used for location purposes too. tion. Sensor technology is a special field which is Technical Report Series outside the scope of this deliverable. With active RFID the location of a tag can bedetermined in a much larger area with respect to Relation with RFIDpassive RFID and for some types of active tags dis-tances up to 100m are possible. When using trian- In Table 4-1 a comparison is made betweengulation methods between the measurements of the different RFID tags available on the marketseveral active RFID readers, a more precise accu- today and the three aspects discussed in this para-racy is possible. Using such methods can bring lo- graph: identification, location and state. 61
4. RFID technologies: RFID system features Table 4-1: RFID tag types versus identification, location and state Identification Location State LF ++ + n/a 37 HF ++ + + HF active ++ ++ ++ UHF ++ + n/a From this table it can be concluded that all 4.3. RFID lifecycle description RFID tags are useful for identification purposes. Location is mostly dependent on the range, there- In this section the different states in the life- fore active RFID is best, then UHF and with LF and cycle of a RFID tag are described. There are four HF it is still possible but only for local positioning. major states: fabrication, pre-deployment, deploy- State information together with RFID is at this mo- ment and removal. Each of these states is de- ment only possible in the HF range. There is no scribed in more detail in the next subsections. technical reason for this, but they are the only ones Figure 4-4 presents the four major states in the life- on the market today. Most of them need additional cycle of a tag and their relations. power, therefore HF active has a ‘++’ indication. Figure 4-4: RFID lifecycle 4.3.1. Fabrication 4.3.2. Pre-deployment The first step in the life of a RFID tag is its fab- After the tag has been fabricated it must be rication. Depending on the market growth RFID made ready to be deployed in an operational en- Technical Report Series will be produced in massive entities, lowering the vironment, it must be pre-deployed. In this phase price per tag. At this moment the price of passive the tag must be physically and functionally con- RFID tags is about $0.25, and is still being re- nected to the object. duced. One expects the price to decrease to a few cents per tag within the next ten years. During fab- Physically connecting the object can be done rication each tag gets its own unique identifica- by simply gluing it onto the object, but also more tion, the factory UID. If the customer wants its own reliable and durable solutions are available. A lot62 ID in the tag, it must be programmed during the of development is going on into smart packaging. pre-deployment phase. Plastic containers are developed with an RFID tag 37 The authors do not know of any LF or UHF tags with state capabilities at this moment
RFID technologiesencapsulated within the walls of the container. on the backbone generated by the readers can be-This poses high demands on the heat endurance come an issue.of the tags. In some usage scenario’s tags are being reused RFID tags can not be read by a human with- and attached to other objects. This requires thatout special equipment. Often it is desirable that tags be physically and functionally removed fromthe object is still human identifiable. This makes it the object and moved back to the pre-deploymentnot only necessary to attach the RFID tag to the state. Especially when the internal ID of the tagobject, but also a human readable label sometimes was used, removing the functional relation can becombined with a barcode for backwards compat- difficult because the same ID must now be relatedibility has to be attached to the object. to another object; requiring that all references in all information systems must be removed. This is Making the link between the physical object not an easy task because there is no track record ofand the internal ID of the RFID tag requires an ac- all the places (RFID readers) the object has visitedcurate and computerized mapping process. Often during its life time. Therefore re-using RFID tags isafter a (random) RFID tag is put onto the object, only practical when the internal ID is not used butthe object is scanned by a reader and the link be- instead a tag independent ID.tween the specific object and the ID of the tag ismade. Registering the object – tag relation is a very Another issue when re-using tags can occurcostly process which must not be underestimated. when the use of the object changes, but still the same RFID tag must be used. Thus the same ob- If one does not use the internal ID of the tag ject is used in two different value networks, bothbut a specific ID such as the EPC code, the tag using the same RFID tag. A good example is a bot-must also be programmed. After attaching the tag tle of medicine with an RFID tag. In the first valueto the object, the correct unique code can then be network the bottle is tracked from the factory toprogrammed into the tag identifying the object in the pharmacist. The second value network startsa universal manner. Note that this step can be per- when the bottle is sold to a patient, based uponformed by the manufacturer of the tag, pre-deploy- the prescription of a general practitioner. The RFIDing the tags for its customers. In most cases this is tag can then be used to hold the prescription ofonly possible when ordering very large quantities how the patient should use the medicine.at once. In most cases the RFID tag will be physically After these steps the tag is ready to be de- and/or logically removed from the object whenployed. there is no longer a purpose of tracking the object. For example once it is sold to the customer, there4.3.3. Deployment is no need for the tag anymore. In these cases the tag moves to the removal state of its life cycle. Now the object has an RFID tag onto it. Aninformation system registers which object haswhich ID. The object is ready for operational 4.3.4. Removal of tagsusage. This is still far from a plug&play scenario. It The final stage of the life-cycle of each tag is Technical Report Seriesis still very difficult to set up a RFID environment its removal. Removal of tags can be induced bywith a read rate of more then 99%. In most cases different reasons:it starts with read rates not higher than 80% which • During manufacturing faults can be madeshould increase by fine tuning the system. At all rendering the tag useless.times it is wise to be prepared for these uncertain-ties and be able to deal with them in the RFID mid- • During pre-deployment and deploymentdleware and applications. Also the deployment of the tag can be physically broken. Somethe readers is not always easy; placing antennas, physical problems can occur which make 63connecting them to the readers. Connecting the the tag useless.readers to the middleware via the local IP network, EPC Class 1 tags have the capability to de-serial interfaces, or other means takes a lot of ef- stroy themselves, so as to enhance privacyfort. In case of large deployments also the traffic protection.
4. RFID technologies: RFID system features • After deployment the tag can be no longer configuration types and business usage domains needed, it has reached the end of its life. We will first position business aspects and In all these cases the tag has ended its func- technology to each other. Then, we will formalise tional life time. This does not necessarily mean the usage typology on the basis of information- or that it has reached also its physical lifetime. Prob- privacy sensitivity and their business usage do- ably in most cases the tag will not be removed mains. Specific RFID based applications as well as from the object itself. In order to meet the cus- more abstract application domain groups can be tomer’s requirements that a tag – having ended its positioned to demonstrate their demands on par- ticular technology. functional life-time – can no longer be used to monitor or track a customer, tags are being devel- At the end of the section we will illustrate the oped in such a way that they can be “shutdown”. usage typology in three use cases selected from This results in a broken tag which physically is still different business domains. The three use cases de- present but will never react to a reader again. EPC scribe possible scenarios in healthcare, personal Class 1 tags already have this capability. identification and food control. 4.4.1. Realization framework 4.4. Typology of RFID usages Figure 4-5 below presents a 3-tier reference Within this section we will present an appli- model which positions the business viewpoint as- cation usage domain model which can be used to pects and the technical implementation aspects in characterize RFID based application in terms of one model. Figure 4-5: 3-tier reference model Technical Report Series Within this framework the business viewpoint In the technology viewpoint we identify com- aspects identify business roles, business objects munication, information and processing technol-64 and business functions. The specification of these ogy like e.g. WiFi, Bluetooth, Mifare and database items and their mutual relationship forms the base systems like SQL server. Also ERP implementations of a business system that needs to be implemented like SAP are part of this viewpoint. with technology.
RFID technologies The layer in between forms the functional solu- focus on privacy/security up to a high demand fortion component viewpoint, and can be considered the protection of information. We have identifiedas a more abstract, implementation independent here two main groups: “physical object” and “per-layer which transforms the business specification sons and animals”. In fact everything can be con-onto the specification of (generic) functional com- sidered as a physical object; however, from theponents with preferable standardized functionality privacy perspective it is useful to make a differenceand interfaces. The primary objective for this layer is between these groups. Within the “physical ob-to create a solution independent specification which ject” group we distinguish between objects withenables an architecture where business adaptation no information storage, with temporal and withand solution technology changes are invisible for permanent information storage or reference.each other. In the first category we identify objects and Let us illustrate the model with a medical lo- primarily focus on the tracking and monitoring ofgistic value network example. A value network in- any object. No information related to object iscludes three business roles responsible for the stored.supply, distribution and reception of medicines. The In the second category, objects are identifiedsupplier role is played by the manufacturer of the for which during a particular period of time infor-medicine; the distribution role is performed by a lo- mation is stored or referenced. For example track-gistic partner while the hospital is the receiver of the ing and tracing applications in the logistic domain,medicines. These roles together form the medicine where information about packages is stored onlylogistic value network. The logistic partner in this until delivery of the package. The removal of infor-network is special, because their business services mation is based on the event that a package leavesare unique and based on organization specific logis- a certain application domain while the object itselftic functions. is not necessarily removed. From the software solution component view- In this second category, the information aboutpoint the implementation of this business function an object is stored during the (relevant) lifecycleis realized with the help of a tracking and trace of the object. In this category information about ancomponent and real time tracing information. A object is stored for a longer period of time andunique combination of different solution compo- there will be a higher demand for information se-nents and interfacing concepts makes this system curity than in the first category.work more efficiently than the competitors’ solution. In the “persons and animal” group we distin- The technical realization viewpoint focuses guishes between fixed and “loosely coupled” iden-on the technology, necessary to implement the tification, optionally with or without informationcomponent view. Software applications like e.g. storage. Loosely coupled identification means thatSAP ERP in combination with RFID based local- there is no physical fixation between the person orization technologies can be used to realize the lo- animal and their identification. For example, cardgistic business function for the logistic partner. based identification methods are considered asFrom the business point of view, the technical so- loosely coupled while ID cards are not alwayslution should provide two types of flexibility: the linked with the person or animal. In case where Technical Report Serieslogistic partner should be enabled to adapt current persons or animals have implants or physicallyimplementations of a logistic business function coupled ID mechanism we consider them aswithout changing the technical solutions. On the “fixed tagging” systems.other hand, new technologies have to be intro-duced without disturbing current business func- The horizontal axis plots the business usagetions. These two aspects are important for up to domain. The business usage domain identifies fourdate and reliable business system. categories of business environments where applica- tions are used. The most left category identifies a 65 single organization located on one site. The main4.4.2. Usage typology model drive of using an automated application is the effi- In the model below (Figure 4-6) we use the ciency of a current business process or process step.vertical scale for information protection from less The second and third category focuses respectively
4. RFID technologies: RFID system features on a single organization with multiple sites and tions are in general based on standards; standards multiple collaborative working organizations. Both on technology, security, frequencies and informa- categories have an increasing complexity in terms tion. Especially the information standards are im- of dependencies with other applications and organ- portant to guarantee the exchange of all type of izations. The last category identifies globally con- information. Besides standards on information syn- nected organizations which try to make the tax we recognize semantic as well as classification collaboration efficient and easy. An important char- standards. acteristic for all these domains is standardization and the use of enabling technology. Finally, we recognize in this partition a sec- ond important characteristic: the increasing de- In the first category the application is working mand for enabling technologies to build globally in a more or less standalone setup. In general the main focus is on the optimization of the business connected networks to support globally collabo- process or process step while collaboration with rated organizations. In paragraph 4.2.2 we have other organizations is not a focus point. Low cost identified the enabling technologies which in- and proprietary solutions are populating this cate- crease the applicability of RFID. It is clear that in gory. In the fourth category we have the globally a globally connected business usage domain there connected organizations. Globally working solu- is a higher demand for this type of technologies. Technical Report Series66
Figure 4-6: Application usage model RFID technologies67 Technical Report Series
4. RFID technologies: RFID system features In the following section 4.5, appropriate ex- generated (e.g. “register incoming good” or “regis- amples of business scenarios making use of the ter outgoing good”). In these setup organizations usage model presented above, will be elaborated. start building experiences with RFID usage and the Based on (IDTechEx, 2005b) we have identified integration with internal business applications. main usage application domains based on forecast In terms of the 3-tier reference model we can for volume and/or society impact. The model identify an existing value network by their busi- shows that current RFID based applications are ness objects, business functions necessary to pro- mostly positioned in the lower part of the model; duce their service or product. RFID is used in this applications handling physical objects within a constellation to optimize one or more processes single- and multi-organization business environ- by enabling particular functionality in the solution ment. In the introduction of this document we component layer. The initially functional costs and have identified these applications as business the benefits aimed at have to justify the investment process automated applications. Generally, these in RFID technology. Basically, this RFID typology applications are using low cost tags and focus on is driven from current businesses and the need to improving efficiency in an organization or an ex- improve the efficiency or the quality of the process isting value network. or supply chain. Future applications are foreseen to be posi- In case of RFID for business domain comput- tioned in the upper part of the model. This means, erization usage the main driver is to provision a applications making use of increasing and more large group of business roles with generic event in- sensitive information about persons and animals formation. Information systems from different busi- which require increased security and safety func- ness roles are interested to receive event tionality. At the same time the business usage do- information. With the help of a generic sensor net- main shifts more and more to organizations in work a wide variety of information can be sup- value networks and globally connected organiza- plied to different roles. Efficiency and quality tions. A special category of application domains improvements are the main drivers here to start are the sensor network based applications. This this usage scenario. type of application is based on the existence of a generally useable sensor network. This network is principally not biased to a particular application 4.4.4. Proprietary versus standardized domain, and will serve different type of domains. RFID solutions In the application domain usage model the 4.4.3. Business scope business domain aspects refer to the demand for a proprietary or standardized RFID solution. As men- RFID in the context of business process au- tioned before, current RFID based application do- tomation is particularly used to achieve specific mains are generally developed to diminish costs (primarily role- or organization specific) optimiza- of current business processes. In these types of ap- tion and efficiency without changing current serv- plications there is generally no need for sophisti- ice provisioning to an existing value chain. The cated functionality and there is no vision on future drive for many of the use cases is to diminish the collaboration with other organizations. This leads Technical Report Series costs while improving the quality of the process. In to relatively simple and proprietary solutions. this usage scenario human performed business processes are replaced by automated RFID based However in business domain computeriza- functions. For example, an application supporting tion the lack of an existing value network and of a storehouse needs information about the objects the support for a variety of potential business roles, in the store and the activities around storage and a standardized and open RFID based solution is retrieval of goods. In pre-RFID times humans sup- preferred. Within such an environment it will be ply these applications with appropriate informa- easier to integrate with future (customer) roles and68 tion about the incoming and outgoing goods. RFID to fulfil their requirements. The lack of support for adds automatic identification and location func- (open) standards may restrict the potential business tions to this process, and based on these informa- opportunities. For example, when a sensor net- tion elements the appropriate event type is work provider is not able to share a common in-
RFID technologiesstalled infrastructure and support open access stan- ment these protection mechanisms, this problemdards, additional costs have to be made to connect needs to be addressed also at the level of the infor-new business partners. This will result in higher mation system.operational costs for their sensor network. Also, if In the case of business process automation theproprietary identification mechanisms are used for focus for useable tags is especially on identifica-objects and/or locations, it will be hard to guaran- tion of objects and location. For example, the busi-tee object identification to all objects without mak- ness process of registration of incoming anding extra workarounds. outgoing goods identifies the goods and the loca- In RFID supported cases we see a variety of tion where the goods are read to generate the ap-tag types, frequencies, used identification code propriate event. Objects in this business scenariotypes and information standards. The type of fre- type generally associate information with some-quency used is determined by the required relia- times location and identification information onlybility with respect to the environment and material and other times with temporary information. Theof the tags’ object. Low- (LF) and high frequency way RFID is enabling this functionality differs from(HF) passive tags are mostly used in today’s appli- the stored reference information (an address wherecation domains and in supply chain. Because of the object related information can be found) or thethe tendency to enhance process integration be- storage of information itself. In the first type thetween different organizations, there is an increas- RFID stored data is only address information. Ining demand for (open) standards. The RFID air this configuration there is generally less pressureprotocol (ISO/IEC14443) and object identification on security of information stored in RFID tags. The(EPC) standards are examples of standardization to security and safety functionality is part of the ac-increase the extensibility and compatibility of companying information system.RFID technology. In case information is physically stored on the tag there is a higher risk for information misuse.4.4.5. Information sensitivity and RFID Because security and storage functionality makes the tag more expensive, most applications will tag types make use of reference information instead of dis- Information- or privacy sensitivity is essential tributed stored information.to the future of RFID technology. Because of the Applications related to high value informationability to link physical objects and persons in the and the requirement for offline information accessreal world with information, RFID becomes a po- will make use of this more expensive type of tags. Intential threat for misuse of sensitive information. the upper right corner of the model in Figure 4-6As we have seen, the model distinguishes between some application domains are identified which mayphysical objects and person and animals. justify these requirements. For example, the ability In general we distinguish four potential tag re- to access offline patient health record informationlated information threats: may be critical in special occasions, while in other cases the information has to be protected against • Ability to access the information misuse. This type of value network may justify the • Ability to read information high costs of these tags. Technical Report Series • Ability to change information RFID suppliers are working hard on the de- • Ability to delete information velopment of new types of tags and reader func- tions. Active tags, microwave frequencies, smart The first threat is based on the simple com- active labelling (SAL) and ubiquitous sensor net-munication method between tag and reader. It is working (USN) are interesting developments forespecially easy to access the information on the the development of the internet of things andtag in this case. In more complex systems informa- global connected organizations. Based on these 69tion can be protected against reading, changing developments new universal functionality accel-and deleting through encryption, authorization erates the support of new business opportunitiesand authentication (see Chapter 9). Although, (e.g. electronic health record and food trackingthere are enhancing technologies today to imple- and tracing applications).
4. RFID technologies: RFID system features 4.5. RFID usage in business domains pabilities of information on a tag, there is no need for the patient to have an online connection. To illustrate the RFID usage typology scenar- ios we will present some example of business sce- In relation to the layered reference model we narios. These examples illustrate RFID technology see that the box of drugs participates in two differ- in a variety of business domains, where the initial ent value networks. In both cases RFID tags are approach is to improve a current business used to store information, in the logistic value net- processes. In a second step an example is given of work the object identification information is stored the migration to a business domain computerized while in the second value network medical in- environment and the potential role of RFID in such struction information is stored as well. To avoid a system. double tagging, measures have to be taken to as- sure that one and the same tag can be used in both cases. Replacing the old tag with a new one will 4.5.1. Example business scenario health- result in definitive removal of the object from the care logistic value network. Information about the lo- gistic information in the first value network can no Today, several pharmacy producers, suppliers, longer be accessed via the original tag. distributors and pharmacists are using RFID tags on medical packaging to automate their collabora- Another option is the reuse of the original tag tive production and delivery process. RFID tech- and identification, but how do we guarantee that nology is used to control the different steps in the the pharmacy producer adds a more expensive tag value network and to share this information with to the medicine with the writable functionality? other stakeholders in the value network. In today’s use cases the passive tag variant is mostly used Tag- and information standardization solve while the primary function is the identification and this problem partly. A standardized identification localization of medicines. To support this value mechanism could identify the medicine uniquely network a simple passive read only tag is suffi- in both networks. However, the main challenge is cient, while information is shared via an accessible the division between business opportunities and information system. When the proper drug is deliv- corresponding costs. ered at the pharmacist the resulting service of this value network is completed. However, besides this 4.5.2. Example business scenario elec- logistic value network the pharmacist is part of an- other value network with the general practitioner tronic identity cards and the patient. The pharmacist provides in this Identity cards and passports are excellent ex- network the delivery of the prescribed medication amples of a paper based identification technology to the patient. The general practitioner is responsi- for persons. The ID-card and passport prove that a ble for the prescription of the drug and the opera- person is who he said he is, primarily based on a tional instructions. The problem in this network is photo and the authenticity of the card or passport. how the instructions are joined to the delivered Because of the limited functionality and capability medication. Experience shows that groups of pa- of these paper based identification mechanisms, tients are not always able to understand and fol- there is a need for another and safer mechanism. Technical Report Series low the instructions with sometimes serious consequences. To solve this problem a spoken Based on latest technology developments drug instruction could help this group of patients. RFID is used in combination with paper based Based on an existing device which translates text identification mechanism. In addition to the read- into spoken words, the operational instructions able information in the card or passport, RFID adds can be stored on the medicine and provide the pa- the possibility to store electronically person spe- tient with personalized instructions. The pharma- cific biometric information. The main objective cist receives from the general practitioner the here is the higher level of protection of the stored70 medical operational instructions and digitally information; however, RFID enables also automa- writes the instructions on a writeable tag. An RFID tion of particular authentication functions like e.g. based speech device reads these instructions and iris scan or finger print checking. Experience tells them to the patient. Because of the storage ca- shows that all traditionally written information can
RFID technologiesbe changed or manipulated. With the help of RFID From a RFID perspective the associated informa-an extra technical obstacle is created to prevent tion of the slaughtered cow disappears and newcorruption of the electronically stored information. object-tags will be created and attached to the as-Besides this, it opens the possibility to automate sociated beef products.parts of the identification functionality. After all, By identifying meat products with read-writeperson specific information is electronically stored tag types, more detailed information could be pro-on a device which can be read out wirelessly, vided to consumers. However, this case shows thatwhile these characteristics can be checked with consumers will need a universal reader to interro-e.g. an eye-scan or a finger print verification. Even gate this type of information. Also information ona real time DNA scan might be possible in the fu- the tag should be stored according to common in-ture. formation standards. Today there are lots of entrance systems Based on current meat-sensor research, thiswhich work on a traditional LF or HF RFID tag. In opens up the possibility for active tags reporting ifcombination with a passive RFID tag with ex- the beef is proper for consumption. Although thistended memory capabilities, person specific infor- seems an expensive mechanism, it could preventmation can be stored on the tag. Because of the food poisoning and related medical and litigationsensitivity of the stored information, extra attention costs. Based on this example, we may concludeshould be given to the protection of the informa- that systems like this can only be elaborated ontion by unauthorized persons. People wearing standardized technical solutions to assure the in-these types of identification tags are not aware teroperability between the associated value net-when information is read or not. Also the protec- works.tion of re-writing of information is an issue to ad-dress. In the future tags will be created wherepeople are able to interfere in the exchange of in-formation between tag and reader, e.g. based on 4.6. Summary and conclusionspressing a simple button through fingerprint recog- We have described RFID technology from dif-nition. With the help of this type of tags a higher ferent, technically oriented, viewpoints. Today’slevel of protection can be achieved. usage analysis shows two abstract fields of usage application; business process support and business4.5.3. Example business scenario food domain computerization and the respective appli- quality cation usage domain for sensor networks. In this chapter we have described RFID from a technol- Today there is a high demand from society to ogy, usage, standards and frequency point of view.food producers in the food chain to guarantee the Based on these viewpoints we draw the followingquality of meat that consumers buy. Consumers conclusions:want suppliers to show them the origins of the beef • RFID is an important technology to use inor the type of food the pigs have had. Since many the implementation of a universal sensoryears cows and other animals are identified with network; RFID is an appropriate technologyhelp of RFID technology while information about to transfer real-world objects and correspon- Technical Report Seriesthese animals is already stored. In particular high ding events to feed information systems withtech farmers use these tags to track and trace ani- real time information. Furthermore, RFID ismals and store information about food quality, dis- well equipped to provide sufficient contextease and medication. Traceability of the animal information with the generated events.however stops at the time of its death. The meatproducts are then provided with printed informa- • The drive for universally usable, sensor net-tion about the type of meat and the process fol- work based applications will create a de-lowed, while detailed information about the mand for more standardization to increase 71particular animal is omitted. An interesting aspect the compatibility and the usability of RFIDin this scenario is the fact that an object disappears based information systems. Besides stan-from the real world while offspring objects require dardization on RFID technology (tags andan association with the disappeared animal-object. reader functionality) more standards on the
4. RFID technologies: RFID system features information semantic level of RFID tag • There is a variety of technologies which can stored information is needed. This type of enable and/or enhance RFID. These combi- standards will increase the usability of tags nations make the use of RFID in a variety of and (sensor) information for different pur- application domains possible. Readers can poses. Also the interaction between compa- become mobile and or distributed tags can nies will be easier if both parties use the be enhanced with sensors and other func- standardized information. tionality. At this moment there is not an ob- vious killer combination, the market will • An important point of interest is how to at- have to determine which combinations be- tach the appropriate tag to an object. To en- come standard. In the usage application do- able the exchange of the same tag between main model the tendency seems to be that different value networks, criteria or rules the development from RFID based applica- have to be defined to determine which type tion goes from business process automation of tag has to be attached to which type of scope up to domain computerization. For product. Especially when there is a public the last type of usage application more en- interest the government or European Com- hanced and sophisticated tags are neces- mission may setup rules for special product sary. categories to determine the tag type. Technical Report Series72
Market perspectivesPart two and socio-economic issues
RFID technologies 5. RFID market perspectives Several technologies are included under the might span over more boxes or just cover a part ofRFID umbrella and each one has its own market a single one. Moreover the boxes are ordered fromimplications. The major role no doubt will be left to right with growing value: each one uses asplayed by applications for the retail supply chain, source the output of the boxes on the left, adds itswhere a massive deployment of RFID hardware own value and feeds into the boxes on its right.and software is expected. This is however, still nothappening except where forced by retail giants Two main flows (from left to right) are repre-Wal*mart in USA, METRO and Marks & Spencer sented. The first refers to the “Chip Tags”, the onesin the EU. Nevertheless it should not be neglected that are built around a silicon38 core. There are sil-that there are a number of minor and niche appli- icon foundries building the chips and others put-cations where RFID technology is successfully and ting the chips together with the antennas. The thirdwidely exploited including, but not limited to, lo- box refers to companies that produce the productgistics, personal identification, ePayment, and tick- to be consumed (e.g. rolls of sticking labels or hardeting. packages for reusable tags) having the RFID en- closed. These first three boxes are fed by a “licen- This chapter attempts an analysis of the main sors of inventions” box referring to the RFID patentforces driving the RFID market evolution, what ac- holders, for example Intermec holds a relevanttors are involved and what is the role they play. Al- number of these.though some market figures will be provided, thefocus is rather on the dynamics of the market try- On the second row a single box represents theing to figure out what could be the evolution path. manufacturing of the chipless tags: no chip impliesThe discussion will start with the description of the that no integration with the antenna is needed;market actors, then what are felt to be the key driv- packaging of the tags in consumables is howeverers and finally the market figures. still needed. On the bottom rows we see the manufactur- ers of hardware, namely readers and reader anten-5.1. Actors and stakeholders nas and printers etc., and software providers for middleware and applications.5.1.1. The RFID value chain At the end of the chain the companies that The RFID applications value chain is quite make things work in broad terms are identified.complex. IDTechEx proposes a scheme (Figure 5-1) These span from business process consultants thataiming at encompassing in a few blocks the main focus on “why” and “where” the RFID technologyindustrial activities involved. It has to be noted that deserves to be applied, down to system integra-the proposed structure does not mean that any real tors, knowing “how” to make the hardware and Technical Report Seriescompany should exactly fit into one box: some the software work together. 7538 Polymer chips might be considered as well in this box although nowadays they are mainly in R&D phase.
5. RFID market perspectives Figure 5-1: RFID value chain39 Finally, companies providing for system oper- refers to the components that are developed for a ations and management services, outsourcers, and specific application and/or tuned to meet the re- service providers are rated at the top of the value quirements of a specific customer. chain. On the basis of these criteria/axes, a number of companies has been mapped on a chart with re- 5.1.2. Market actors spect to their products and services. Four main In a study published by Milan Polytechnic in “clusters” of companies have been identified (See 2005 a scheme has been proposed for the cluster- Figure 5-2). A list of the technology players in each ing of the companies operating in the RFID market. cluster is also provided. Please note that, as there One axis presents the activities that compose the is not a deterministic way to assign a company to already described value chain,40 while the other a specific cluster, the company names hereafter re- axis proposes three component levels. The Hard- ported might be somehow arbitrary. Nevertheless ware level encompasses all the physical elements: the list is deemed useful in order to allow the tags, readers, antennas, etc. The “Middleware and reader to associate some real world names with DataBase” level owns the software infrastructure the clusters. The names are to be considered as ex- components that are common to most applications amples and the proposed lists are thus not exhaus- (thus named “application independent”). The third tive; their cardinality does not represent the real level is named Application and Processes and number of companies in the cluster. Technical Report Series76 39 Source IDTechEx, 2005a. Note that “Deposited thin film RFID” and later on “Laminar transistor circuits” refer to technologies, currently under research, making use of polymers instead of silicon. 40 Though the value chain proposed in the cited study does not exactly match the one by IDTechEx, nevertheless the activities can be quite easily mapped one to the other.
RFID technologies Figure 5-2: Map of RFID offering actors Technology developers and resellers mation & Telecommunication Systems. Mu- solutions builds and manages a complete This cluster includes those actors that provide platform for µ-chip solutions.RFID specific hardware components (tags, readers,antennas, printers, …) independently of whether • Motorola,they are developers or resellers. In this cluster http://www.motorola.com/mot/doc/0/202_companies that carry out hardware design and en- MotDoc.pdf (US)gineering activities (e.g. the ones that develop on Motorola, with 150000 employees, head-demand customized packaged tags) are also in- quartered in Illinois, USA, is a leader included. wireless and broadband communications systems. Their “Seamless Mobility” vision5.1.3. RFID tag manufacturers aims at technology to get and stay con- nected simply and seamlessly to the peo- • HITACHI, ple, information, and entertainment. h t t p : / / w w w. h i t a c h i . c o . j p / P r o d / m u - Motorola had sales of US $36.8 billion in chip/index.html (JP) 2005. Motorola BiStatix™ is a new solution Technical Report Series Headquartered in Tokyo, Japan, is a lead- that allows the creation of cost-effective ing global electronics company, with ap- “smart labels.” Radio frequency identifica- proximately 340,000 employees tion (RFID) antennas are printed on materi- worldwide. Fiscal 2002 (ended March 31, als using conductive non-metallic ink. 2003) consolidated sales totaled 8,191.7 billion yen ($68.3 billion). The company of- • Philips, fers a wide range of systems, products and http://www.semiconductors.philips.com/pr services in market sectors, including infor- oducts/identification/index.html (EU) 77 mation systems, electronic devices, power Royal Philips Electronics of the Netherlands and industrial systems, consumer products, is one of the world’s biggest electronics materials and financial services. Mu-solu- companies and Europe’s largest, with sales tions is a Hitachi RFID division under Infor- of EUR 30.4 billion in 2005. With activities
5. RFID market perspectives in the three interlocking domains of health- Components developers and resellers care, lifestyle and technology and 158,000 • Alien Technology, employees in more than 60 countries, it has http://www.alientechnology.com/ (US) market leadership positions in medical di- agnostic imaging and patient monitoring, Alien Technology is a venture funded, pri- colour television sets, electric shavers, vately held company. They provide UHF lighting and silicon system solutions. Radio Frequency Identification (RFID) Philips provides a complete range of RFID products and services to customers in retail, ICs including smart cards, tags, labels and consumer goods, manufacturing, defence, readers. They address a number of applica- transportation and logistics, pharmaceuti- tions, from low-cost smart label ICs for cals and other industries. Alien’s products high-volume supply chain management ap- include RFID tags, RFID readers and related plications through next generation 32-bit training and professional services. Alien smart-computing platform for powerful employees about 235 people worldwide. multi-application smart cards. The company’s corporate headquarters is in Morgan Hill, CA and sales offices are in the • Siemens, US, Europe and Asia. Alien is a member of http://www.automation.siemens.com/rfid/in EPCglobal. dex_76.htm (EU) Siemens (Berlin and Munich) is a global • AVID, leader in electrical engineering and elec- http://mail.avidid.com/web/index.htm (US) tronics. The company has around 461,000 AVID Identification Systems, a privately employees both for manufacturing products held company was founded by a veterinar- and developing customized solutions. The ian in 1985 and is a major supplier of mi- company focuses on the areas of Informa- crochips in the United States and around tion and Communications, Automation and the world. AVID invented, designed, intro- Control, Power, Transportation, Medical, duced and implemented the microchip and Lighting. In fiscal 2005 (ended Septem- based pet recovery system as it is globally ber 30), Siemens had sales from continuing known today (37 patents to date). Horses, operations of EUR 75.4 billion and net in- cattle, dogs, cats, other companion animals come of EUR 3.058 billion. Siemens offers and livestock, etc. are able to be perma- a complete RFID portfolio – from products nently identified with a secure unique num- and systems, technical and operational ber. They provide syringe delivery systems, consulting as well as process design up to multi-mode reading systems, and pocket technology, process and IT integration. size readers are examples of standards set • Texas Instruments, by AVID. AVID is headquartered in 3185 http://www.ti.com/rfid/ (US) Hamner Ave, Norco, CA, USA. Texas Instruments (TI) is a global semicon- • CAEN, ductor company and one of the world’s http://www.caen.it/rfid/index.php (EU) leading designers and suppliers of real- CAEN is based in Viareggio, (150 employ- Technical Report Series world signal processing solutions. The ees) Italy and is specialized in manufactur- company’s other businesses include Sen- ing mission critical electronics systems: sors and Controls, as well as Educational - design and manufacture electronic and Productivity Solutions. Headquartered equipment for the Nuclear and Particle in Dallas, Texas, TI has more than 34,000 Physics such as Low Voltage & High employees worldwide with corporate, sales Voltage Power Supply Systems, Front- and manufacturing facilities in more than End and Data Acquisition Electronics;78 30 locations across Asia, Europe and the Americas. TI is the world’s largest inte- - design and production of high reliability grated manufacturer of radio frequency electronics for Space applications and identification (RFID) transponders and collaborates with the main Space Agen- reader systems. cies (NASA, ESA, ASI, CNES);
RFID technologies - complete microelectronics design serv- based Teklogix Inc. Psion Teklogix is head- ice for digital, mixed/analog ASICs and quartered in Mississauga, Ontario, Canada complex FPGA designs, with a wide of- with additional corporate offices located in fering of HW and SW Intellectual Proper- Europe, the United States, Asia, Latin Amer- ties (IP) blocks; ica and the Middle East with about 600 em- - readers and tags for UHF Radio Fre- ployees. quency Identification technology. • Sirit, http://www.sirit.com/ (CA)• Intellident, Sirit Inc. has been providing Radio Fre- http://www.intellident.co.uk/ (EU) quency Identification (RFID) solutions to Intellident, (part of the £1.2 billion LINPAC customers worldwide since 1993. The group), design, build and deliver advanced company designs, manufactures and sells wireless tracking solutions, based on inno- RFID products which support a broad range vative RFID and bar code technologies. The of RFID tags (EPC and ISO) and frequencies company is based in Manchester, UK. (LF/HF/UHF). On April 13, 2006, Sirit Inc. acquired the assets of SAMSys Technologies• Intermec, Inc. including all of its RFID products and http://www.intermec.com/eprise/main/Inter- solutions. SAMSys Technologies Inc. (SAM- mec/Content/Technology/RFID/RFID (US) Sys), founded in 1995, was a world-leading Intermec Technologies Corp. is a leader in provider of radio frequency identification global supply-chain solutions and in the de- (RFID) hardware solutions and RFID inte- velopment, manufacture, and integration of gration consulting services designed to wired and wireless automated data collec- evaluate and recommend optimal RFID so- tion, RFID (radio frequency identification), lutions to enhance existing business mobile computing systems, bar code print- process. Sirit is headquartered in Missis- ers, and label media. Based in Everett, sauga, Ontario, Canada. Washington, the company has 2,700 em- • Sarnoff, http://www.sarnoff.com/prod- ployees worldwide. ucts_services/communications_solutions/rf/• PSC, http://www.psc.com/ (US) index.asp (US) PSC Inc. is a global provider of data-cap- Sarnoff Corporation produces innovations ture solutions for retail supply chains. Its in electronic, biomedical and information broad array of products and services in- technology. Founded in 1942 as RCA Labo- clude point-of-sale scanning, warehousing ratories, it develops breakthroughs in ICs, & distribution, and wireless networking. lasers, and imagers; drug discovery, manu- PSC is a privately held global company. facture and delivery; digital TV and video Rival Datalogic acquired PSC from the pri- for security, surveillance, and entertain- vate equity firm Littlejohn & Co. for around ment; high-performance networking; and $195 million in 2005. With a presence of wireless communications. Its history in- 750 plus employees in more than 100 cludes the development of color TV, the liq- countries, PSC’s headquarters and major uid-crystal display, and the disposable Technical Report Series manufacturing facilities are located in Eu- hearing aid, and a leadership role in creat- gene, Oregon, while sales and service of- ing the new U.S. digital and HDTV stan- fices are located throughout the Americas, dard. It is a subsidiary of SRI International Europe, Asia and Australia. and is headquartered in Princeton, NJ, USA.• PSION, http://www.psionteklogix.com (US) • Symbol, http://www.symbol.com/prod- Psion Teklogix Inc. is a leading provider of ucts/rfid/rfid.html (US) rugged mobile computing solutions to a Symbol Technologies, Inc. engages in the 79 range of industries around the world. It was design, development, manufacture, and formed in September 2000 as a result of the servicing products and systems used in merger between U.K.-based Psion Enter- enterprise mobility solutions. Its products prise division of Psion PLC, and Canadian- include data capture products, mobile
5. RFID market perspectives computing platforms and software man- in Chicago, IL, USA, and has 28 other lo- agement tools, wireless infrastructure, and cations in 19 countries with about 2500 radio frequency identification infrastruc- employees. ture and tags, and are sold as both inte- grated solutions and individual devices. Symbol Technologies was founded in 5.1.4. System integrators 1973 and is headquartered Holtsville, Here are included the technically smart com- New York. panies that provide typically small turn key RFID • TEK Industries, systems making work together hardware and soft- http://www.tekind.com/rfid.htm (US) ware infrastructure components. They typically TEK Industries is a privately held company operate in deep contact with customers cooperat- based in Vernon, CT, USA. TEK Industries of- ing with them in the identification of the (techni- fers a full range of readers, handheld data cal) needs and proposing alternative solutions. collection terminals, and specialty RFID tags. Eventually they will provide the needed hardware and software components, may be produced on • UPM Raflatac, their own, and install them at the customer prem- http://www.rafsec.com/homeb.html (EU) ises and ensure they work together correctly. The In January 2006, RF and contactless tech- most of them will not take care of application spe- nology developer UPM Rafsec has merged cific aspects. with label-maker Raflatac to form UPM • Aeroscout, Raflatac. The combined Finland-based http://www.aeroscout.com/ (US) company has 2,300 employees and annual sales of 850 million EUR. UPM Raflatac de- AeroScout provides enterprise visibility so- velops and manufactures RFID (radio fre- lutions that bridge the gap between Wi-Fi, quency identification) tags used in e.g. RFID and GPS. AeroScout enables stan- product identification and supply chain dards-based location and presence-based management. UPM UPM is a world lead- applications for indoor and outdoor envi- ing RFID tag manufacturer and a pioneer of ronments where real-time visibility of assets the EPC (electronic product code) standard, and people is required to drive revenues or specialized in high-quality, high-volume cut costs. Aeroscout is base in San Mateo, production. The company is headquartered CA, USA. in Tampere, Finland and it has a factory in • Checkpoint Systems, Jyväskylä, Finland. Sales offices are in the http://www.checkpointsystems.com/de- USA, Netherlands, Germany, China, Japan fault.aspx?page=epcrfid (US) and Singapore. Checkpoint Systems, Inc., is a multinational • Xtag, manufacturer and marketer of technology- http://www.xtagltd.co.uk/ (EU) driven solutions for retail security, labelling, Xtag is a Leeds, UK, based firm providing and merchandising. Checkpoint is the lead- RFID specialized solutions for healthcare. ing provider of radio frequency- (RF) based Their Xtag Baby System is a leading infant shrink management solutions to the global Technical Report Series protection system. retail industry. The company has some 4000 employees and is headquartered in • Zebra Technologies, Thorofare, NJ , USA. http://www.zebra.com/id/zebra/na/en/index /products/printers/rfid.html (US) • Feig Electronic, Zebra Technologies is a global provider of http://www.feig.de/ -> OBID (EU) rugged and reliable specialty printing solu- FEIG ELECTRONIC GmbH has specialized tions, including on-demand thermal bar in contactless identification (RFID), door80 code label and receipt printers and sup- controllers and traffic sensor technology. plies, plastic card printers, RFID smart label FEIG ELECTRONIC was established in 1970 printer/encoders, certified smart media, and and employs about 150 staff members. The digital photo printers. Zebra Tech. is based company is located in Weilburg, Germany.
RFID technologies • Savi Technology,41 • CISCO, http://www.savi.com (US) http://www.cisco.com/web/strategy/retail/R Savi Technology provides supply chain FID.html (US) asset management, security and collabora- CISCO Systems Inc. is a global company tion software that is uniquely integrated that manufactures and sells networking and with automatic data collection and identifi- communications products and provides cation systems to provide real-time logistics services associated with that equipment and solutions. Founded in 1989, Savi Technol- its use. In their Application Oriented Net- ogy is headquartered in Sunnyvale, Califor- working (AON) solution, intended to add nia, USA with offices in London, South application level value to networking Africa, Taiwan and Singapore. equipment, they provide the Connecterra RFID middleware solution. CISCO has • RFCode, more than 38000 employees, worldwide of- http://www.rfcode.com/ (US) fices, and is headquartered in San Jose, CA, RF Code is a developer of hybrid RFID data USA. management software and enabling tech- • Globeranger, nologies. They provide software suite for http://www.globeranger.com/ (US) Auto-ID data collection and distribution. GlobeRanger is the leading provider of RF Code manufacture active RFID tags and RFID, mobility and sensor-based software readers. RF Code is a privately-held com- solutions. iMotion platform serves as the pany headquartered in Mesa, Arizona, foundation for GlobeRanger and its partners USA. to develop, deploy and manage edge solu- tions. Founded in 1999, GlobeRanger is5.1.5. Software providers headquartered in Richardson, Texas, USA with some 50 employees. These are the companies that are focused on • Microsoft,the development and integration of the software http://www.microsoft.com/industry/retail/socomponents needed for RFID applications. These lutions/rfid.mspx (US)components can be at the middleware & DB level Microsoft Corporation engages in the devel-as well at the Application & Processes level. Here opment, manufacture, licensing, and supportmight be identified both small local software of software products for various computinghouses that cooperate with system integrators to devices worldwide. It operates in three divi-provide complete solutions, and big players like sions: Platforms and Services, Microsoft Busi-Oracle, BEA, etc. ness, and Entertainment and Devices. • BEA, Microsoft’s RFID infrastructure taps the http://www.bea.com/content/products/webl power of the .NET Framework, SQL Server ogic/rfid/index.htm (US) and Visual Studio .NET to make integration BEA Systems, Inc. (BEA) is provider of en- and deployment of RFID easier and less terprise application and a line of service costly. Microsoft was founded in 1975 and Technical Report Series is headquartered in Redmond, Washington infrastructure products to facilitate serv- and has 71,000 Full Time Employees. ice-oriented architecture (SOA) implemen- tations. BEA has acquired in 2005 • OATSystems, Connecterra, one of the first developers of http://www.oatsystems.com/ (US) RFID middleware. BEA is active in EPCglobal OATSystems, Inc. is a leader company pro- as contributor and leader of working groups. viding software to support businesses based The company is headquartered in San Jose, on RFID framework. As a pioneer in the de- CA, USA, and has some 4000 employees. velopment of RFID technology, OAT has 8141 In June 2006 Savi Technology has been acquired by Lockheed Martin.
5. RFID market perspectives been setting the standards in RFID since the forms, databases, and applications; and ex- first times for over half a decade. OAT’s tend those applications to mobile workers multinational client base consists of over 75 through mobile and Wi-Fi technologies. customers in retail, CPG, consumer elec- The company operates through two seg- tronics, manufacturing, life sciences, aero- ments, Infrastructure Platform Group and space and defence. Headquartered in iAnywhere Solutions, Inc. The Sybase RFID Waltham, MA. architecture and complementary RFID so- lution consists of modularized plug-and- • Oracle, play products.. The company was founded http://www.oracle.com/technologies/rfid/in in 1984 and is headquartered in Dublin, dex.html (US) California. Full Time Employees: 3,715. Oracle Corporation, together with its sub- sidiaries, engages in the development, man- • TIBCO, ufacture, distribution, servicing, and http://www.tibco.com/solutions/rfid/de- marketing of database, middleware, and ap- fault.jsp (US) plication software. It offers software license TIBCO Software, Inc. provides business in- updates, product support, and other serv- tegration and process management soft- ices. The company operates in five seg- ware. TIBCO’s solutions include three ments: New Software Licenses, Software categories of software: Business Process License Updates and Products Support, Management Software, Business Optimiza- Consulting, On Demand, and Education. tion Software, and Service-Oriented Archi- Oracle Sensor-Based Services are a compre- tecture. TIBCO is an independent provider hensive set of capabilities to capture, man- of business integration software and stan- age, analyze, access, and respond to data dards-compliant RFID solutions. The com- from sensors such as RFID, location, and pany was founded in 1985 and is temperature. Oracle Corporation was headquartered in Palo Alto, California. Full founded in 1977 and is headquartered in Time Employees: 1,505. Redwood City, California. Full Time Em- ployees: 56,133. 5.1.6. Consultants and main contractors • RedPrairie, These are mostly multinational organizations http://www.redprairie.com/uk/default.aspx that lead business projects for medium large or- (EU) ganizations. They provide the whole solution start- RedPrairie provides comprehensive, inte- ing from the business processes analysis down to grated solutions for supply chain manage- the actual system deployment, that is typically sub- ment to a variety of industries. The contracted to system integrators. This cluster can technology suite includes warehouse man- be subdivided into the big technical players (IBM, agement and quality control, transportation HP, SAP, etc.) and the business consultants (De- and global trade management, workforce loitte, Accenture, etc.) that are extending their con- performance management, event manage- sultancy on technical aspects. ment, slotting, visibility, performance meas- Technical Report Series • Accenture, urement, and RFID for EPC / ISO http://www.accenture.com/ (US) compliance and mobile resource manage- ment. Stokenchurch, UK(EMEA HQ), Accenture, Ltd., through its subsidiaries, of- Waukesha, Wisconsin (HQ) fers management consulting, technology, and outsourcing services worldwide. It oper- • Sybase, ates in five segments: Communications and http://www.sybase.com/products/mobileso- High Tech (CHT), Financial Services (FS), lutions/rfid_anywhere (US) Products and Services (PS), Resources (RS),82 Sybase, Inc. provides enterprise and mobile and Government. The company was software solutions for information manage- founded in 1995 and was formerly known as ment, development, and integration in the Andersen Consulting and changed its name United States. Its solutions integrate plat- to Accenture, Ltd. in 2001. Accenture pro-
RFID technologies vides clients with total end-to-end RFID so- an organization of member firms around the lutions through its broader supply chain and world providing professional services and technology capabilities, including enterprise advice, focused on client service through a integration, supply chain execution systems global strategy executed locally in nearly implementation and infrastructure services. 150 countries. With 135,000 employees Accenture, Ltd. is based in Hamilton, worldwide, Deloitte delivers services in four Bermuda. Full Time Employees: 123,000. professional areas—audit, tax, consulting, and financial advisory services—Deloitte• ATOS, Consulting offers consultancy services on http://www.atosorigin.com/wp_RFID.htm RFID business process methodology and (EU) strategic assessment. Atos Origin is a leading international IT services provider. The company, that is also • HP, the official worldwide IT partner for the http://h20223.www2.hp.com/ (US) Olympic Games, offers the entire spectrum Hewlett-Packard Company provides prod- of information technology consultancy and ucts, technologies, solutions, and services services. Its areas of expertise include con- to individual consumers, small and medium sulting, systems integration and outsourc- sized businesses, and large enterprises ing. Currently generates an annual turnover worldwide. The company provides industry of more than 5.5 billion euros and employs standard servers and business critical a workforce of 47,000 in 40 countries. Atos servers and a number of other computer Origin has the capability to provide consul- technologies. HP and OAT deployed RFID tancy and design, build and operate RFID at multiple locations across HP’s supply technical solutions. Atos Origin is quoted chain to provide real-time visibility of in- on the Paris Euronext Premier Marché and ventory and goods movement. HP and OAT trades as Atos Origin, Atos Euronext Market developed best practices for delivering Solutions, Atos Worldline, and Atos Con- RFID solutions in manufacturing and distri- sulting. bution operations and now offer this inte- grated, tested solution to other customers.• Cap Gemini, Hewlett-Packard was founded in 1939, is http://www.capgemini.com/resources/suc- headquartered in Palo Alto, California. Full cess-stories/by_solution/rfid/ (EU) Time Employees: 150,000. Capgemini is one of the world’s foremost providers of Consulting, Technology and • IBM, Outsourcing services. The company helps http://www-03.ibm.com/solutions/business- businesses implement growth strategies, solutions/sensors/index.jsp (US) leverage technology, and thrive through the International Business Machines Corpora- power of collaboration. Capgemini employs tion (IBM) operates as an information tech- approximately 60,000 people worldwide nology (IT) company worldwide. It has and reported 2005 global revenues of 6.954 three segments: Systems and Financing, billion euros. As one of the early RFID pio- Software, and Services. The company offers Technical Report Series neers, they have deployed RFID for clients its products and services to a broad range in multiple industries and around the globe. of sectors. IBM’s RFID offerings span from They are actively involved with Electronic consultancy to actual implementation and Product Code (EPC) standards, and are cur- outsourcing fo applications such as supply rently leading several RFID pilot projects. chain management or asset management. The company is based in Armonk, New• Deloitte, York. Full Time Employees: 341,750. http://www.deloitte.com/ (EU) • Lockheed Martin, 83 Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its mem- http://www.lockheedmartin.com/ (US) ber firms, and their respective subsidiaries Lockheed Martin Corporation engages in and affiliates. Deloitte Touche Tohmatsu is the research, design, development, manu-
5. RFID market perspectives facture, integration, operation, and sustain was founded in 1939 and is headquar- of technology systems, products, and serv- tered in Los Angeles, California. Full Time ices. The company’s Information and Tech- Employees: 123,600. nology Services segment provides IT and • SAP, related, and other technology services to http://www.sap.com/solutions/business- federal agencies and other customers. Lockheed Martin Corporation has entered suite/scm/rfid/index.epx (EU) the RFID market with the acquisition of SAP AG engages in developing and licens- Savi Technology, Inc.(Savi), a provider of ing business software solutions. Its solution active radio frequency identification portfolios support the business processes of (RFID) solutions. Lockheed Martin was approximately 25 industries, including high founded in 1909 and is headquartered in tech, retail, financial services, healthcare, Bethesda, Maryland. Full Time Employ- and the public sector. Powered by the SAP ees:135,000. NetWeaver platform, SAP business applica- • Manhattan Associates, tions enable enterprises of various sizes http://www.manh.com/ (US) around the world in managing customer re- lationships, partner collaboration, and sup- Manhattan Associates, Inc. engages in the development and provision of supply chain ply chains and business operations. As a software solutions for the planning and ex- market leader in solutions that link RFID ecution of supply chain activities. Its solu- data to business application software, SAP is tions include Integrated Planning Solutions, actively supporting standards bodies that Integrated Logistics Solutions, Performance are seeking to develop ways to implement Management, and Logistics Event Manage- this promising technology in a practical and ment Architecture. Manhattan Associates responsible way. SAP was founded in 1972 has a team of qualified RFID professionals and is headquartered in Walldorf, Germany. that has significant experience in supply Full Time Employees: 35,873. chain operations. The company was • SUN Microsystems, founded in 1995 and is headquartered in http://www.sun.com/software/products/rfid/ Atlanta, Georgia. (US) • Northrop-Grumman, Sun Microsystems, Inc. focuses on provid- http://www.it.northropgrumman.com/offer/ ing products and services for network com- enterprise/rfid.html (US) puting. It provides network computing Northrop Grumman Corporation provides infrastructure solutions that consist of com- products, services, and solutions in infor- puter systems, network storage systems, mation and services, aerospace, electron- support services, and professional and ics, and shipbuilding to the military, knowledge services. These services enable government, and commercial customers the company’s customers to architect, im- in the United States and internationally. plement, and deploy systems within their The company provides airborne radar, information technology environments. The Technical Report Series navigation systems, electronic counter- company also offers a range of system/net- measures, precision weapons, airspace work architecture, implementation, and management systems, space systems, ma- rine and naval systems, communications management, as well as consulting, skills systems, government systems, and logis- migration, and training. Sun Industry Solu- tics services. Northrop Grumman provides tions comprise a set of pretested, RFID-spe- support to companies in implementing cific solution architectures that use Java RFID within their supply chains. For System RFID Software and thirdparty prod-84 nearly 2 decades Northrop Grumman has ucts to address specific industry problems. performed as a systems integrator of Auto- Sun Microsystems was founded in 1982 and matic Information Technology, AIT, in- is headquartered in Santa Clara, California. cluding RFID, solutions. The company Full Time Employees: 31,000.
RFID technologies5.1.7. Non offering related actors thoughtful discussions as well as allowing for debate with delegates and speakers from the On different planes from the one depicted, private sector, public administration andother entities that might have a role on RFID issues other interested groups.can be considered. These are e.g. customer organ-izations, standardization bodies, governments. Allof them play a regulating role aiming at achieving 5.2. Market key driverscommon agreements and protecting public inter-ests. As they will mainly react to the market evolu- 5.2.1. Radio standards and spectrum allo-tion rather than play a leadership role, they will cationnot be considered in this discussion. Everybody agrees on the fact that RFID stan- • Indicod ECR, dards are available. Indeed there are a lot of them http://www.indicod-ecr.it/progetti/index.php incompatible one with the other. At the radio level, (EU) two of them are emerging as the most relevant: Indicod-Ecr is an institute that associates 13.56 MHz ISO18000-3 and UHF (860-960 MHz) more that 30.000 industrial enterprises of ISO 18000-6 as they are almost worldwide adopted large consumption and active modern dis- (in the sense that the same tag is readable in USA tribution in Italy. Its mission is the improve- and in Europe as well; see Section 3.2 for a general ment of the large consumption companies’ overview of ISO standards). The first one allows for operation effectiveness and efficiency. With tags to be read from a distance of a few centimetres reference to the RFID, Indicod-Ecr is taking and thus is suitable for ePayments, eTicketing, per- care of the diffusion in Italy of the EPC stan- sonal identification. The UHF tag can be read from dard, developed by Ean International in col- a reader placed some meters away and this makes laboration with the Massachusetts Institute it suitable for logistics and supply chain applica- of Technology. tions. It should be noted that the ISO-18000-6 UHF • EPCglobal, spectrum standard though endorsed in most coun- http://www.epcglobalinc.org/ (US) tries by local legislation has not yet been made completely available by governments for actual ap- EPCglobal is leading the development of in- plications, as happens in France, Italy, Turkey. This dustry-driven standards for the Electronic situation blocks initiatives and market development. Product Code™ (EPC) to support the use of Radio Frequency Identification (RFID) in Relevance should be given to EPCglobal that today’s fast-moving, information rich, trad- is the only body active on the definition of global ing networks. It is a subscriber-driven organ- standards for the Supply Chain on radio level, cod- isation comprised of industry leaders and ing level, software interface level in order to allow organisations focused on creating global for an open supply chain and goods traceability. standards for the EPCglobal Network™. Their goal is increased visibility and effi- 5.2.2. RFID versus barcode ciency throughout the supply chain and higher quality information flow between As was described in 2.2.4, RFID technology Technical Report Series companies and their key trading partners. presents advantages over BarCode technology (no line of sight, environment independent, etc). Also, • Privacy Commissioners Conference, RFID tags can be read through e.g. the sides of a http://www.privacyconference2003.org carton aggregated package. Major drawbacks are The theme of this year’s Conference is “Prac- technological and related to known interference of tical Privacy for People, Government and radio signals with metals (reflecting radio waves) Business”. In this, the 25th year of the confer- and water (absorbing radio waves) that makes it ence looks forward to exploring advances in hard to use this technology on water bottles (almost 85 privacy and building platforms and solutions solved with EPCglobal Class 1 Gen 2 tags) and on that enhance the privacy choices of all citi- beer cans. RFID is a new technology and still re- zens. The aim is to provide the opportunity quires fine tuning of antennas and readers in order for Commissioners to engage in private and to achieve a high rate of read success.
5. RFID market perspectives The barcode technology is mature and is reli- and distribution processes, improving quality con- able at higher level than RFID. Moreover the tag it- trol and thus allowing for cost savings and overall self has negligible cost (see Section 5.2.5). One of better performances. This can be achieved by the main drawbacks is the need for human inter- thinking of internal processes in a completely new vention in reading the tag in order to find the tag way and restructuring the company. This would re- on the package and to point the laser reader on it. quire major expenses and investments with the in- volvement of consultants for the reorganization of Last but not least the barcode only identifies a the processes specialized firms to identify the class of items while RFID (actually EPC) has the proper RFID technology (active/passive, frequency, capability of identifying the item itself. packaging, reader gates,…), software companies Retail supply chain is today still relying heav- providing applications, system integrators to put ily on barcode technology and the drivers to move together the new system with legacy systems. The to a new expensive and not yet stable technology question is what would be the return of these in- are to be carefully evaluated by all actors (see: The vestments: most companies today feel that the ROI issue). added value of putting RFID to work does not de- serve the required effort. 5.2.3. The “return on investment” challenge 5.2.4. Privacy concerns This is the main issue put forward by firms Since RFID tags can be scanned at a distance, evaluating the opportunity of introducing RFID people having with them items tagged with RFID technology. Most companies being forced by could be scanned by RFID readers without them Wal*Mart to supply goods tagged with RFID have being aware. And if there is some way to associate chosen the so called Slap-N-Ship solution: they just the tagged items with the identity of people (e.g. the added RFID printers station on outbound logistics fidelity card or the bank card used when the items gates and tag packages while they are being where bought) then there is a privacy abuse issue. shipped. This is also called the “Compliance” or Although Class1Gen2 are claimed to be very secure “Mandate” solution, the minimum investment and they can be “killed”, still there is no way to en- needed to comply with the retailer requirements. sure that this is effectively done and, any how, peo- This makes the point in the sense that it is felt by ple are very concerned with the possible misuse of companies as an add-on cost affecting retail prices. the technology. Retailers are consequently very The point made by RFID technology manu- concerned on the issue because if they adopt the facturers and consultancy firms is that this technol- RFID technology, customers might prefer to choose ogy can support the automation of the production more privacy enhanced solutions. Figure 5-3: RFID applications evolution42 Technical Report Series86 42 Source: ASK
RFID technologies It has to be noted that these concerns are not rier e.g. a paper sticker), the royalties for patentsreferring to “people identification” applications and indeed is influenced by the still small demand.that are already being successfully deployed (Fig- From a hard technology standpoint the researchure 5-3). The focus is here put on the possible as- being carried out on polymer based IC, and on al-sociation of the identity of people and the tagged ternative radio technologies (e.g. Digital Chiplessitems they are carrying with them. Without them Tag), might bear results in short time. Metallic inkbeing aware, a reader might get the data of e.g. the printing is already used to “print” antennas on themedicine they are carrying in the bag, thus en- tag package instead of using photolithographyabling the identification of their health status. technology. Figure 5-5 presents categories of tech- nologies related to cost and volume of tags.5.2.5. The tag cost The price performance contest will probably Currently (April 2006) major technology not be an issue, at least in logistics applications.providers say they might accept big orders of pack- In fact EPCglobal philosophy sounds like “keep allaged Class1Gen2 RFID tags for 0.20 USD each. intelligence out of the tag”: the tag is needed justThe tag price is decreasing but the added cost is to identify goods and putting too much informa-not yet acceptable for applications at item level tion on those might result in greater possibility for(except for valuable goods), see Figure 5-4. Tag counterfeiting. Moreover the logistics RFID mar-price is expected to drop within a few years down ket will be volume based. A different evolutionaryto the 0.05 USD that, analysts say, will boost the path might take place for active tags: as prices fallwide scale adoption of item level tagging. The tag down and as, once purchased, active tags are ex-price is dependent on a number of factors related pected to function for some time, manufacturersto the silicon chips, the packaging (putting to- might push more capabilities on board in order together the chip with the antenna on a suitable car- keep the prices high. Figure 5-4: Average TAG price per application 2006-2016 Figure 5-5: Technologies appropriate to the different level of TAG cost and volume Technical Report Series 87
5. RFID market perspectives 5.2.6. Goods traceability this context it is preferable to be a follower than a leader with respect to IT innovation. This reflects As already mentioned the Electronic Product what is a common feeling, especially in case of Code (EPC), information component of the RFID tag SMEs that typically are reluctant to invest in ICT in- encompasses the identification of each single item, novation because this implies either the training and whereas the bar code is capable of the identifica- allocation of skilled resources or expensive out- tion of an item class. This means that the EPC on, sourcing solutions. In both cases resources would e.g. a heating equipment, allows ideally anybody be diverted away from the core business. The dis- to go back to where and when it was built, with ruption of this situation might come from external which components etc. This helps very much the (international) competition that will probably force maintenance of the equipment as the field techni- ICT “laggards” to recover the situation in order to cian can rapidly identify the spare parts needed for that specific item. The manufacturer can as well cooperate with peers and widen the market reach. check for problems common to that specific ship- ment and eventually recall the equipment to solve possibly harmful defects. This would highly en- 5.3. Strengths, weaknesses, hance the quality of the products as well as the opportunities, threats “after sales” services. Moreover, Governments have the opportunity to require manufacturers to be able A SWOT Analysis is “a strategic planning tool to rapidly recall defective goods, either equipment used to evaluate the Strengths, Weaknesses, Op- or food, possibly relevant to the same shipment, in portunities, and Threats involved in a project or in order to ensure population safety. a business venture or in any other situation requir- ing a decision”.43 Though no decision issue is being tackled in this document, this tool might be 5.2.7. “IT doesn’t matter” paradox found nevertheless helpful to give a more synthetic From a more general standpoint, there is a still view on the question whether, in very general ongoing discussion on the fact that a company in- terms, it is worthwhile to a company to make in- vesting in IT does not necessarily perform better vestments in RFID technology. Table 5-1 presents than the others. A provocative article (Carr, 2003) a mapping of the described market drivers on a sustained that IT is becoming a commodity (is a SWOT analysis chart, together with other elements widely available not differentiating resource) and in presented in more details later in the study. Table 5-1: SWOT analysis of RFID market perspectives STRENGTHS: What are the factors that make it valuable? OPPORTUNITIES: What are the factors pushing for it? - Technology characteristics: radio readable, programmable, - RFID can help European small companies in finding new compact, robust, low power, ways to aggregate and compete with larger companies; - Maturity: the technology providers market is well devel- - An enhancement of the overall quality of the production oped; can be achieved with an automated monitoring; - Large scale projects are moving onward and give feedback - Keeping update with the technology will allow to keep valuable field experience; customers (e.g. Wal*mart); Technical Report Series WEAKNESSES: What are its actual limitations? THREATS: What bad factors might hamper the investment ex- - Technology limitations: e.g. the tagging of metal or water ploitation? rich (including food) stuff is often unreliable; - By making poor analysis about where are the technology - Still expensive in terms of tag, equipment, implementation benefit in the foreseen RFID application, there is the risk of for a number of applications; missing real benefit; - Lack of well established standards: many are in place and - In some cases the undervaluation of non technical issues poor agreement on which ones will survive. (e.g. fear for security issues by people) might lead to unsuc- cessful results; - Though the technology is quite mature, patents on RFID88 are continuously being submitted: the most promising technology today might be displaced by a new one before the mass adoption. 43 http://en.wikipedia.org/wiki/SWOT_Analysis
RFID technologies5.4. Market forecasts and trends As far as the hype cycle for RFID technologies and applications (Figure 5-6) (Gartner, 2005c), most of them are still considered to be immature.5.4.1. RFID maturity: the hype cycle Though with sometimes questionable distinctions, Technology consultant Gartner propose the Gartner’s position is that much resonance hasRFID Hype Cycle scheme (Gartner, 2005a), pre- been given to the potential of RFID but still theresented in Figure 5-6. This is a curve that will be tran- is a number of scattered technologies under thesited by any new technology at different speeds. same umbrella without a common rationale andInstead of a time axis there are five maturity phases. most applications are still mainly just a matter forThe other axis represents the “visibility” factor indi- newsletter’s breaking news. Nevertheless, takingcating how much the technology/application is into account the colour code (light blue ones) ofunder the spotlights. the bullets on the curve, it is clear that they agree on the fact that in a few years a number of them The interest in a technology, in very general will become mature. Apart from military applica-terms, Gartner says is initially triggered by somedemonstration or proof of concept which is given tions that are subject to quite peculiar rules, theresonance by the media. Then enthusiastic expec- maturity is being currently reached by asset track-tations will take the stage with often unrealistic ing and management applications (healthcareprojections. After a number of failures the atten- and/or industrial) and in others where tags can betion will be lost while the technology is still there reused (Library Management, Returnable Assets).and becomes better understood in its potential and This can be easily explained by considering thatlimitations. At that point it starts to be applied in an the tags are still expensive and their reuse can dra-effective way through the availability of mature matically lower OPEX44 components in ROI cal-products. culations and make the application profitable. Figure 5-6: RFID hype cycle45 Technical Report Series 8944 Operational Expenditures (OPEX) are the on-going costs for running a system while Capital Expenditures (CAPEX) refer to the cost of sys- tem development45 Source: Gartner 2005a
5. RFID market perspectives It has to be noted that Gartner’s analysis does previous chapters, the term RFID encompasses a not take into account RFID for personal identifica- very broad variety of technologies and application tion. areas and forecasts often refer to only a few appli- cation areas. As an example Gartner (Gartner, 5.4.2. Market forecasts 2005b) claims that the RFID market will experi- ence an annual growth rate somewhere between Any RFID market forecast should be carefully 30% and 50% in the years 2004-2010 ending up evaluated with respect to the actual market it is re- ferring to. A number of figures are made available at 3 billion USD in 2010 (see Figure 5-7). They say to the public at conferences and on the web as this refers to “the use of RFID technologies within well as in specialized reports, and they seem to a supply chain environment to improve the visi- propose sometimes contrasting numbers. In the bility, management and security of cargo ship- following we will provide for a rationale to under- ments or supply chain assets, such as conveyances stand figures provided by Gartner Research and or valuable mobile assets. The applications and IDTechEx. hardware that are used outside of the above envi- The first issue to take into account is the un- ronment were excluded. These would include derlying market segmentation. As explained in the consumer uses, such as contactless smart cards.” Figure 5-7: RFID, worldwide size and growth, 2004-2010 This means that they include in the forecast IDTechEx (2005a) provides an overall forecast both passive and active RFID technologies of all for RFID technology. With this approach the kind in Supply Chain applications. They exclude (about) 12 billion USD figure in 2010 is compati- any non supply chain related application (in ad- ble with but not directly comparable to the Gart- dition to the explicitly cited contactless smart ner’s 3 billion USD. Neither is the 2006 IDTechEx Technical Report Series cards) and thus animal identification, highway 2500 million USD vs. Gartner’s 700 million USD toll payment, patient tracking and blood-patient in the same year. cross check in healthcare, and, (it is not clear) The IDTechEx report provides some more ship container management and tracking. More- data as depicted in Figure 5-8. The bottom series over, although not explicitly tackled by Gartner, represents the tag (both passive and active) market we might assume that the forecast refer to both value which is then splitted into the different appli- CAPEX (needed HW and SW and other infrastruc- cation areas in Figure 5-9. The two bottom series90 ture as well as initial set-up services including (“Item” and “Pallet/Case”) in Figure 5-9, can be as- consultancy) and OPEX (consumables and oper- sumed as the only ones referring to supply chain ational services) related to RFID projects. applications.
RFID technologies Figure 5-8: Total RFID market projections 2006-201646 Though IDTechEX does not provide a splitting the tags costs. By extrapolating this observationof the non-tag costs (hardware, software, services) and applying it to the two bottom line series in Fig-per application area, we can have an indication ure 5-8, we can get values comparable to Gartnerby observing in Figure 5-9 that these are more than ones. Figure 5-9: RFID tag market forecast47 Technical Report Series 9146 Source IDTechEx, 2005a47 Source IDTechEx, 2005a
5. RFID market perspectives A comparison is proposed in Figure 5-10 Figure 5-11: Total spend on RFID systems, where it can be seen that the two mainly agree on service and tags by territory48 the dimension of the market but IDTechEX seems to forecast a steeper growth. Figure 5-10: IDTechEx (elaboration) and Gartner forecasts comparison 5.5. RFID patents The number of patents assigned between year 1974 through 2003 is 427949 and 697 in the year 2004, with a year on year increase of 65% in the last few years.50 These numbers give an idea of the growth of interest by manufacturers in this field. A study made by RFID Journal in 200551 reports It is also evident that the major share is taken some 150 patents to be relevant to RFID market. by Supply Chain applications that make almost These are classified into four Technical Quality half of the total. Nevertheless it should be noted Ratings hereafter reported: that, though item level tagging will determine an exponential growth of passive tag volumes, it is ex- 1. The most significant blocking RFID patents. pected that the other applications will keep the They usually include a breakthrough tech- pace. Among these, importance is given to animal nical specification and will be extremely tagging and electronic payment. difficult or impossible to work around. 2. Important patents with key technical inno- As far as geographical market distribution, it vation that appear to be difficult to work should also be noted that East Asia, which cur- around when designing certain RFID prod- rently stays quite behind Europe and US is ex- ucts. pected to gain the greatest share, as manufacturing will probably be massively moved to China. 3. Useful patents with significant technical in- Nowadays, Europe is placed quite behind the US novation but narrower scope. While they but it is expected to gain a comparable positioning have technical merit, there are alternative (Figure 5-11). It should also be noted that Europe solutions that could be implemented if nec- Technical Report Series has still national frequency allocation issues to be essary. resolved, that might put obstacles to the diffusion 4. Secondary patents that – while perhaps of EPCglobal applications in EU. useful for some special products –appear only marginally useful in mainstream RFID applications.92 48 Source IDTechEx, 2005a 49 http://www.highimpactip.com/report_intro.htm 50 http://www.centredoc.ch/en/centreE.asp/0-0-2667-132-76-0/, http://www.dutchrfid.com/artikelen/rfid/rfid-watcher-for-patents.html 51 http://www.rfidjournal.net/live05/IP/Room_miss_100pm_stewart.pdf
RFID technologies Table 5-2 presents these 150 patents in 2005 that all of them are US based with the exception ofby owner company and rank. It should be noted Tadiran that is Israeli based. Table 5-2: Patent ownership summary (RFID Journal Live52) Company A-Patents B-Patents C-Patents Total Intermec 7 13 9 23% Checkpoint 1 8 10 10% Motorola 3 5 6 10% Micron 1 5 7 7% Avid 2 2 — 5% Lucent 1 3 2 5% Samsys — 3 2 3% TI 1 — 2 2% Sarnoff 1 1 — 2% 3M 1 — — 2% Alien 1 — — 2% Marconi — 2 1 2% Northrup — 2 1 2% Tadiran 1 — — 2% Tek 1 — — 2% U of Pittsburgh 1 — — 2% Others — 20 25 19% It should be noted that, with reference to the additional nine patents on a “RAND” (reasonablehighest RFID volume application i.e. integrated lo- and non-discriminatory) condition. But EPCglobalgistics and EPCglobal, there is an ongoing legal did not recognize the Intermec patents to be criti-war on how the patents should be used. Patents cal and Intermec thus revoked the offer and issuedholders are demanding high licensing fees (5%), four patents portfolios.that no one is considering to pay. The most critical On an opposite side Alien Technology and oth-issue regards Intermec that claims a number of ers53 have formed an RFID Consortium and selectedtheir patents is critical to Class1 Gen2 RFID, the MPEG LA (http://www.mpegla.com/index1.cfm) asmost recent and promising EPCglobal spec. Nowa- administrator of the consortium patents. The char-days Intermec and Alien Technology are disputing ter of the Consortium has not yet been published.a legal battle on ten patents, the first saying theywere infringed by the second and the second As more than 4000 patents refer to RFID tech-claiming that the patents are themselves invalid. nology with some 270 companies involved and 20 major patents owners it is likely that some litiga- Technical Report Series Nevertheless a couple of initiatives are to be tion and/or licencing costs will be passed to users,reported. The first one was originated by Intermec also taking into account that a number of keythat – with its “Rapid Start RFID Program” – has patents are not referable to any particular specifi-initially offered five critical patents for free and an cation and so cannot be easily overcome. 9352 http://www.rfidjournal.net/live05/IP/Room_miss_100pm_stewart.pdf53 http://rfidtribe.com/news-05-12-19.html
5. RFID market perspectives 5.6. RFID and SMEs turers are providing all-in-a-box packages made by e.g. Reader+Antenna+Printer+Software needed It can probably be said that every on-going to properly tag goods just when they are next to RFID project has been initiated by a big com- be shipped. All analysts agree on the fact that this pany either running the project entirely on its RFID application has negative ROI. Project costs own or it has also forced other companies, also will sooner or later be passed on to the final cus- small ones, to get the technology. As explained tomer. in the “Demand key issues” paragraph, the fact is that today putting the RFID technology in place A widespread usage of RFID in the supply is very expensive in terms of equipment, consul- chain and a more pervasive knowledge and cul- tancy to set up the equipment, human effort and ture about when and where it is to be successfully cultural leap and consultancy to reorganize applied, will eventually drive SMEs to integration processes. of RFID technologies into their processes. The result is that smaller firms, when forced, As far as non supply chain related RFID, it has adopt the so-called “slap-n-ship” or “compliance” to be recalled that - as it often happens - the diffu- solutions: just what is needed to comply with the sion of these technologies within the mass market requirements issued by vital customers e.g. might also pull SMEs to adopt some of them to Wal*Mart and METRO. For this purpose manufac- benefit their businesses. Technical Report Series94
RFID technologies 6. Socio-economic aspects of RFID RFID is a technology which enables a low- • Which of these aspects are applicable tocost connection between the physical world and RFID technology in general and which oflarge-scale networks. It is to be expected that such these aspects are specific for the various ap-a technology has far reaching implications for our plied RFID tag classes?society. The wide spread application of this tech- • What are possible (positive and negative)nology raises privacy and security concerns; other effects of the RFID technology on the work-implications of the application of this technology place and the employment market andcan be foreseen in the social interaction between which conclusions can be drawn on thecitizens, and in economic transactions between basis of analysis of these effects?actors in the market. This issue also includes thehuman aspects related to the use and acceptance • What kind of different training requirementsof this technology, i.e. awareness, trust, and user can be foreseen in relation to the wide-related issues of technology transfer. spread adoption of RFID technologies and which conclusions can be drawn in this It is important for technology developers and context concerning the development andpolicy makers to be aware of the socio-economic supply of adequate training facilities?and legislative implications of large scale RFID de-ployment, so that in technological developmentand policy making appropriate measures can be 6.1. Framework of the studytaken to incorporate accepted social values in de-velopment and application of this technology. 6.1.1. Aims and objectives The application of RFID might have specific The aims and objectives of this chapter are toeffects on the workplace (i.e. cost reduction and generate an assessment of the socio-economic anddevelopment of new services) and as a conse- legal-ethical aspects that may hinder or promotequence have large effects on the employment mar- the diffusion of RFID in Europe. The study has toket in general. An adequate legal framework will analyze what main barriers to adoption exist inbe necessary to guarantee a widespread adoption order to clarify what makes adoption problematic.and application of RFID technology. This analysis also has to elaborate on what can be In this chapter three issues will be dealt with said about cultural differences with respect torelated to the socio-economic and legislative as- adoption issues.pects of the widespread deployment of RFID in our The study results into a systematic appraisalsociety: of barriers and problems to widespread deploy- • Legal, social and economic aspects of the ment and adoption of RFID in Europe. This study widespread deployment of the various RFID has the form of an essay. The essay describes dif- Technical Report Series classes identified; ferent relevant perspectives and develops an argu- mentation for further policies and practices based • Influence of the introduction of RFID on the on both an assessment theory-based framework workplace and the employment market; and an evidence based framework • Training requirements due to the wide- spread adoption of RFID technologies. • In order to elaborate on these issues the fol- 6.2. Methodology and reading guide lowing questions have to be answered: 95 In order to deal with the socio-economic/leg- • Which legal, social and economic aspects islative issues described above the following of the widespread deployment of RFID can methodological approach was applied. The ap- be identified? proach consists of two main parts.
6. Socio-economic aspects of RFID The first part entails a systematic inventory and many decades. Research in this area has become analysis of legal, social and economic aspects of the particularly important to fields of organizational widespread deployment of RFID technology, spec- behaviour and management of information sys- ified according general issues and (if relevant) ac- tems, given the diffusion of technologies in homes cording to issues related to specific RFID tag classes. and deployment of information technologies in or- This analysis also includes the user related ganizations. This research area also includes stud- processes of diffusion and acceptance of RFID-tech- ies on the acceptance, adoption and usage of RFID nology. In section 6.4 we describe various aspects technology, although results of research related to of diffusion and adoption of RFID-technology. In this topic are still rather scarce. section 6.5 we deal with aspects of trust and accept- Diffusion and adoption of RFID technology ance of RFID-technology. can be considered first of all from the viewpoint of The second part (section 6.6) includes the in- diffusion of innovation. General theories on inno- ventory and analysis of labour and employment is- vation diffusion will also apply to the introduction sues in relation to the application of of RFID technology in organisations. The same is RFID-technology and in addition gives an true for more specific theories on technology ac- overview of training issues related to the operat- ceptance. ing issues of RFID technology. To analyze the socio-economic and legal as- 6.3.1. Main theories on diffusion of inno- pects of the wide-spread deployment of RFID the vation and technology acceptance following methods were applied in this study: Various primary theories have been devel- trend analysis based on desk research and impact oped with regard to the acceptance of information analysis and policy options analysis based on ex- technology: i.e. Innovation Diffusion Process The- pert discussions. ory, Theory of Reasoned Action, Technology Ac- Each task was carried out on the basis of desk ceptance Model, Theory of Planned Behaviour research (analysis of concept and models, various and the Socio-Technical Systems Theory. opinions, written statements and reviews of trends All these theories are in general terms applica- and developments) and discussions in the project ble to the process of introduction, acceptance and team. application of RFID technology. It goes beyond the Based on an analysis of these issues a num- framework of this study to discuss these theories ber of conclusions have been formulated concern- in more detail. However, some insight into main ing awareness activities, marketing efforts and theories on diffusion of innovation and technology training requirements which will be needed or can acceptance might be helpful in understanding the be foreseen in relation to the widespread adoption process of diffusion and acceptance of RFID tech- of RFID technologies. nology. 6.3.2. Innovation diffusion process theory 6.3. Theoretical framework on adop- tion and diffusion of technology In 1962 Rogers published the first version of Technical Report Series his book ‘The Diffusion of Innovations’, in which This section brings into focus the process of he presented his Innovation Diffusion Process The- adoption and diffusion of RFID technology. An im- ory. portant aspect from the perspective of diffusion and adoption of RFID technology is the issue of The model defines a process by which mar- user perception in relation to the use of RFID ap- ket actors adopt a new innovation (see Table 6-1). plications. This issue is related to research on inno- Actors must first become aware of the innovation.96 vation diffusion and also to technology acceptance Once awareness of an innovation is established, and adoption in general terms. market actors can at any point enter a persuasion stage during which the actors seek and process in- Information technology adoption research has formation in order to decide whether to adopt the been a key stream in the behavioural sciences for innovation. The timing of the active portion of this
RFID technologiesstage is highly dependent on the individual and This persuasion stage is followed by an imple-the context in which the individual is operating. mentation stage in which the actors enact the de-At several points in time, the market actors may cision. Finally, actors revaluate or confirm theirmake a decision not to adopt, to postpone adop- decisions to adopt and/or their implementation oftion, to continue the search for information, or to the decision. The result may be either continuanceadopt the new innovation. or discontinuance of the adoption. Table 6-1: Phases in the development of innovation diffusion processes PHASES TYPOLOGY ACTIVITIES 1 Knowledge/Awareness People learn about the innovation 2 Persuasion People are persuaded as to the merits 3 Decision People decide to adopt 4 Implementation People implement the innovation 5 Confirmation People reaffirm or reject the decision It is understandable that not everybody will frequency distribution and on basis of this curvego with the same speed through such an adoption he subdivides a population in five general cate-process. Rogers has made plots of the percentage gories of people regarding their role in innovationof people who adopt an innovation in relation to processes (with average occurrence in a normaltime. This generates a hyperbolic-form cumulative population in %) (See Figure 6-1): Figure 6-1: innovation diffusion process theory54 In general, supporting innovators and early ence the awareness phase (see Figure 6-2). Theyadopters will give a boost to innovation processes. also identified some characteristics of the decisionBut the time frames for adopting an innovation can making unit which have an influence on thebe compressed or fairly lengthy. For example, course of the awareness phase. They also discov-awareness of an innovation may precede the deci- Technical Report Series ered that in the persuasion phase a number ofsion to adopt by months or years. Further, the de- product characteristics play an important role incision to adopt and the implementation of the the innovation diffusion process:decision may be separate acts and may be sepa- • Relative advantagerated in time (Reed, Erickson, Ford and Hall,1996). • Compatibility • Complexity As an extension of the Innovation DiffusionModel, Rogers (1995) and Reed and Hall (1998) • Ability to carry out trials with the product 97have identified some prior conditions which influ- • Ability to observe the product.54 Source Rogers, 1962
6. Socio-economic aspects of RFID Figure 6-2: Revised innovation diffusion model55 6.3.3. Technology acceptance model outcomes. ‘Useful’ refers to ‘capable of being used advantageously.’ In contrast, PEoU is the percep- In studying user acceptance and use of tech- tion about the degree of effort needed to use a par- nology, the Technology Acceptance Model (TAM), ticular system. In this case, ‘ease’ is conceptualized first developed by Davis in 1986, is one of the as ‘freedom from difficulty or great effort.’ Accord- most cited models (see Figure 6-3). According to ing to the TAM, if a user perceives a specific tech- the TAM, ‘perceived usefulness (PU)’ and ‘per- nology as useful, he will believe in a positive ceived ease of use (PEoU)’ are primary motiva- use-performance relationship. Since effort is a fi- tional factors for accepting and using new nite resource, a user is likely to accept an applica- technologies. PU is the degree to which a person tion when he perceives it as easier to use than believes that use of technology will produce better another (Rander and Rothchild, 1975). Figure 6-3: Technology acceptance model56 Technical Report Series98 55 Source: Rogers 1995, Reed and Hall 1998 56 Source: Davis, 1986
of Acceptance and Use of Technology (UTAUT). RFID technologies6.3.4. Unified theory of acceptance and use of technology This model (see Figure 6-4) was found to outper- form each of the individual models (Venkatesh et A large number of studies have been con- al., 2003). In this model also social influences andducted using the original Technology Acceptance facilitating conditions are taken into account asModel or an extended version. In an attempt to in- well as issues like age, gender, previous experi-tegrate the main competing user acceptance mod- ences and how voluntary actual use is for a user.els, Venkatesh et al. formulated the Unified Theory Figure 6-4: Unified theory of acceptance and use of technology576.4. Trust and acceptance of RFID their actions and any errors they could make be- technology come more serious. Trust becomes very important when users may suffer physical, financial or psy- The success of a technological innovation de- chological harm because of the actions of RFIDpends heavily on the adoption by consumers. In technology. This section describes various aspectsthis context the development of trust between the of trust in relation to the acceptance and adoptionservice provider, the consumer and the systems is of RFID technology.of paramount importance. Therefore we analysehere the relation between trust and acceptance ofRFID technology. 6.4.1. Definition of trust The concept of RFID technology has a rather Many different definitions of trust exist. In thebroad meaning in terms of technologies applied. general definition of Rotter (1980) trust is ‘a gener- Technical Report SeriesA main difference between various technologies is alized expectancy that the word, promise, oral orbased on the kind of RFID tag classes which are written statement of another individual or groupused: active tags or passive tags. can be relied upon.’ In the context of RFID tech- nology, this means that the RFID technology can Trust is an issue related to RFID technology, be relied upon to do what it was instructed to do,but in general trust will be of more importance meant to do and clarified to do.when it is related to ‘active’ tags than it is for ‘pas-sive’ tags because when tags become more active But it is also necessary that people are in a sit- 99and are more sophisticated the implications of uation in which they are or might be vulnerable to57 Source: Venkatesh et al. 2003
6. Socio-economic aspects of RFID actions of someone else. Without this vulnerabil- Affective aspects of interaction ity there is no need for trust. In the context of RFID technology this means that people are no longer The communication and interaction principle controlling the software directly, but that they let implies that rather than focusing singularly on the the process act on their behalf and that they ac- trustworthiness of a system, the design should also cept the risks that this may entail. address the affective aspects of interaction be- tween RFID supported commercial services and Therefore Bickmore and Cassell (2001) have the consumer and addresses the emotional impact defined trust in relation to the application of tech- of system usage. nology as ‘people’s abstract positive expectations, that they can count on this technology to care for The term ‘affect’ encompasses mood, emotion them and be responsive to their needs, now and and feelings. Affect is a fundamental aspect of in the future’. human beings and as such influences reflex, per- ception, cognition and behaviour. Affective qual- Patrick (2002) defines trust in this context as ity is the ability of an object or stimulus to cause ‘user’s thoughts, feeling, emotions, or behaviours changes in one’s affect. Perceived affective quality that occur when they feel that technology can be of a system has a positive impact on users’ per- relied upon to act in their best interest when they ceived usability of the system. give up direct control’. Although cognition has received more atten- Another aspect is that trust in information sys- tion than affect in the past decades, researchers in tems is often seen in the tradition of cognitive psy- several disciplines have realized the importance of chology. While this approach has made affect and emotion (Ping, 2005). Studies in neu- considerable contributions to computer science and systems engineering, it is to be expected that ropsychology and social psychology assert that af- it will not facilitate our further understanding of fect or emotion occurs before cognition, but also trust and adoption of RFID technology. intervenes with cognition. Affect and cognition can both be considered information processing systems, In the technical literature trust is considered as but with different functions and operating parame- a purely cognitive process. It is often treated as a ters. The affective system is judgmental, assigning utility function that system users try to maximise for positive and negative valence to the environment their own benefit. However, trust is a non-cognitive rapidly and efficiently. The cognitive system inter- function that cannot always be approximated well prets and makes sense of the word. Although efforts by mathematical constructs. Approaching trust exist to bring affect and emotion concepts into stud- within its social context may provide a more pro- ies on user acceptance of technology, most of the ductive alternative. Seen from this perspective, two existing studies are based on the assumption that observations are important; human beings are rational and behave based on logical information-based thinking. Asymmetry in data collection Collecting personal data by tracking the ac- 6.4.2. Trust-risk model of RFID success tivities of individuals will be unacceptable for the consumer if it is not reciprocal or transparent. That Patrick (2002) has developed a model of ac- Technical Report Series is, not knowing which organisation is collecting ceptance of new technology (in his specific situa- the data, how this data will be used, how to cor- tion developed for the acceptance of intelligent rect errors in the data and whether to expect a re- agents), based on the separation of trust from per- turn describes the relationship as non-reciprocal ceived risk. This model is an extension of the e- and not transparent and introduces asymmetry commerce loyalty model developed by Lee, Kim & making it unacceptable for the consumer. Moon (2000), which is used to describe user atti- tudes towards e-commerce applications and trans-100 The fact that our profile is formed under cir- actions. This model could also be applied to trust cumstances that are well beyond our control, we in relation to RFID technology. cannot influence and that it is invisible to us intro- duces considerable stress to the relationship irre- The idea behind the model of Patrick is that spective of whether the profile is accurate or not. feelings of trust and risk can be established quite
RFID technologiesindependently, and together they determine the tion may, or may not be related to the actual riskfinal success of the technology. Trust contributes of the technology employed in the technology sys-to the acceptance of the technology in a positive tem.direction; while risk contributes in a negative di- In the trust-risk model of technology success,rection. The effect is that the two factors interact developed by Patrick (2002), a number of factorswith each other, so that technology connected are identified which contribute to trust and a num-with a low degree of trust may still be successful if ber of factors which contribute to perceived risk.there is also a low perceived risk. But it is also pos-sible that in very risky situations no amount of trust In Table 6-2 various factors contributing tois able to offset the risk perceived by a user, and in trust will be identified and described in short andsuch a situation it will become very difficult to ac- specific recommendations will be connected withcept the involvement of a specific technology. each of these factors with regard to the building of trustworthy RFID technology. In Table 6-3 the It is important to stipulate that the model deals same will be done for the various factors contribut-with risk perceived by the user, and this percep- ing to perceived risk. Table 6-2: Factors contributing to trust Factors contributing to trust Descriptions Design recommendations Ability to trust People possess a basic trust as a relative stable Developers should take into account that personality characteristic, but people do not users may differ in their baseline level of trust. have the same baseline level of trust. Some people will need more reassurance than others that the technology can be trusted. This means that interfaces must be flexible and be able to provide more information and reassurance for users that require it. Experience Users can change their willingness to trust Designers should support a sharing function based on their experiences, of their own or so users can share and spread their (hopefully because of hearing about experiences of others. positive) experiences. Predictable Systems and interfaces that perform reliably and Developers should ensure that the interface is Performance consistently are more likely to be trusted by users. consistent and predictable. This means adopting Also response times should be consistent and a style guide or the use of interface guidelines in predictable, in stead of variable and unpredictable. all parts of the system. Comprehensive Systems that provide comprehensive information Technology systems must provide an image of information about their operation are more likely to be their operation so that users can develop a understood, and more trusted. mental model of the way the system works. This also means allowing the users to observe and track the actions performed by the technology, both in real-time and after the fact. Shared Values If users feel that the technology values the things Values between technology and their users can that they would, they will have more trust in the be shared explicitly, i.e. by involving informal agent. In interpersonal relationships, these shared social dialogues between user and system Technical Report Series values are often built through informal interactions, such as small talk conversations. Communication The amount and effectiveness of communication The system should repeat its instructions, so that between the agent and the user also determines it is clear what the user understood. Error the amount of trust by the user. Continual messages should indicate what was understood feedback is important here. and what needs to be clarified. Through communications it should be made clear what the capabilities and limits of the systems are. Interface design The look and feel of the software that is used to Most of the generic attributes of good interface 101 control the system, including factors as appearance, design also apply to designing system interfaces. functionality and operation, can contribute to trust by the user.
6. Socio-economic aspects of RFID Table 6-3: Factors contributing to perceived risk Factors contributing to perceived risk Descriptions Design recommendations Risk Users have a basic or baseline level of perceived System designers should design systems Perception risk. Basic approaches to risk assessment are: features that address each of these areas of risk Bias fatalism: users feel that they have no control assessment. hierarchy: users feel that risks have to be dealt with A system may contain information to explain by controls and regulation individualism: users feel how users can have control over the risks they that risks should be taken when appropriate for are taking. the individual enclave: users feel that risks are systemic and have to be minimised by the suppliers of the technology Uncertainty By reducing uncertainty also risk perception The more users know about a system and how will be reduced. it operates, the less they are uncertain about the system and the less they will worry about risk taking. Personal If more personal details are being provided to System developers should only ask for Details the system, perceptions of risk are likely to increase. information that is necessary to do the job, and avoid where possible asking for information that the users might consider sensitive. Alternatives Lack of alternative methods to perform a task can Within certain limits system designers should lead to feelings of risk. offer alternative methods to perform a task. Specificity If there is a sole supplier of a service, users may It is useful to offer more than 1 system to the feel that they are at more risk from exploitation user, in order to let him choose a preferred system. than situations where there are multiple s uppliers and systems. Autonomy Probably the most important factor in determining Passive tags are more trusted than acting tags. user’s feelings of risk towards a technology is the Systems can learn by monitoring what advice degree of autonomy granted to the system the user accepts or which action he undertakes, and in this way learn by example, which might lead to less risk perception by the user. 6.4.3. Evidence based analysis of acceptance or how this technology would affect them. Con- and adoption of RFID technology sumers were asked to rank a number of pre-pro- grammed benefits, like improved security of Consumer opinions: results of consumer sur- prescription drugs, faster and more accurate prod- uct recalls, improved price accuracy, faster check- veys out times, reduced out-of-stocks etc. According to a survey conducted in October When asked to rank this set off potential ben- 2003 amongst more than 1000 U.S. consumers, efits of RFID, 70% identified recovery of stolen the majority of those polled were unfamiliar with goods and improved food and drug safety high on RFID (CAP, 2004). Over three-quarter of the sam- the list. A majority – 66% - also placed cost savings Technical Report Series ple – 77% - had not heard of RFID. Confirming the on the top of the list of benefits, although some general lack of knowledge about this technology, consumers were also concerned that RFID use nearly half of the group aware of RFID had ‘no would instead raise prices. Consumers placed ac- opinion’ about it. cess to marketing-related benefits, like in-aisle The unfamiliarity with the concept of RFID companion product suggestions, at the bottom of extended even to those consumers who might be the list. using it. Many of the survey respondents did not The most significant concerns expressed by102 know that the consumer passes they were using consumers familiar with RFID related to privacy. did employ RFID technology. In response to both open-ended and prompted Consumers who did have an opinion about questions (with pre-programmed answers), privacy RFID expressed a variety of views about whether emerged as a leading concern. Approximately
RFID technologiestwo-third of consumers identified as top concerns The potential benefits from RFID that are mostthe likelihood that RFID would lead to their data important to European consumers relate to intrin-being shared with third parties, more targeted mar- sic product improvements, such as better anti-theftketing, or the tracking of consumers via their prod- measures, and improved security, safety and qual-uct purchases. Main reasons for their position are ity.the fear for increased marketing or government The possibility of savings to consumers stem-surveillance. ming from decreased manufacturers and retailer A consumer survey conducted in 2004 by two costs was also deemed important by respondents.market research companies revealed similar results Of somewhat lesser importance are supply chain(BIGresearch & Artifact, 2004). Of more than 8000 improvements like reduced out-of-stocks. Manyindividuals surveyed, fewer than 30% of con- consumers said that they would be willing to buysumers were aware of RFID technology. Further, an RFID-enabled product to get the benefits thatnearly two-third of all consumers surveyed ex- are most important to them. However, fewerpressed concerns about potential privacy abuses. would consider paying more to receive those ben-Their primary concerns were on RFID’s ability to efits.facilitate the tracking of consumers’ shopping Privacy related issues are the most significanthabits and the sharing of that information among concern about RFID among European consumers.business and with the government. More than half of the respondents expressed con- cern about the possibility of consumer data being The RFID Consumer Buzz survey broke re- used by third parties, the potential for trackingspondents into two categories: ‘RFID-aware’ and consumers via their product purchased, an in-‘RFID non-aware’ consumers. Interviewers de- crease in direct marketing, and the possibility thatscribed how RFID works to the latter group prior to tags could be read at a distance. Health and envi-asking them about perceived benefits and con- ronmental issues were of somewhat less concern.cerns associated with the technology. During the open European consultation on An interesting observation is that people who RFID “Your Voice in Europe” (see chapter 8.11.3),were aware of RFID were more practical about a large majority of responders see security and pri-balancing the positives and the negatives. Those vacy issues as the main concern. In general onewho were not aware seemed to be surprised to could conclude that consumer perceptions relat-learn about the technology, and they gravitated ing to RFID in the European countries were fairlymore toward the potential negative impact of similar to those identified in the U.S. research...RFID. A conclusion from this observation could be Awareness of RFID in the U.S. was also low, but itthat it is better to inform people about the positive was a bit higher than in Europe. That is not surpris-applications than to wait for them to discover the ing given the heightened visibility of RFID in thetechnology on their own. U.S. as a result of the emphasis by the U.S. De- A study carried out in 2005 by Capgemini partment of Defence and large retailers such as Wal-Mart.(Capgemini, 2005) on what European Consumersthink about RFID identification and the implica- The importance assigned to potential benefits Technical Report Seriestions for business reveals in general the same re- was similar in Europe and the U.S., although thesults. According to this study overall just 18% of order varied slightly. For example, European con-European respondents had heard of RFID, with the sumers rated ‘Improved anti-theft capabilities” aslowest awareness recorded in the Netherlands and the most important benefit, followed by ‘faster re-the highest in the UK. covery of stolen items”. In the U.S., the order was revered. Interesting is that this study concluded that ofthose who have heard of the technology, percep- U.S. consumers expressed somewhat greater 103tions were mixed, with most viewing RFID concern than Europeans about privacy-related is-favourably or having no opinion. Only 8% of Eu- sues, such as the potential use of consumer dataropean consumers have an unfavourable percep- by third parties and increased direct marketing.tion of RFID. This may be a result of the increased visibility
• The organisation operating the system6. Socio-economic aspects of RFID around RFID and activity by consumer advocacy groups in the U.S. should be transparent about the system’s purpose, the technologies used, the loca- Protection of consumers: guidelines and tions of RFID tags and readers, and who is codes of practices accountable for the proper use of the sys- tem; In order to deal with consumer concerns re- • The system should be protected by appro- garding the use of RFID, various organizations priate security controls, and subject to in- have developed on the basis of self-regulation ternal and independent audits; guidelines and code of practices to protect con- sumers These guidelines and code of practices also • RFID tags should not be used to store or serve as a basis for a further dialogue with con- process personal information. Any other sumers and consumer organizations. With the fur- data should be erased from the tag before it ther development of RFID technology also these is released from the organisation’s control; guidelines and code of practices might need adap- • Where personal data must be associated tation to new ways of application of RFID. with the system, that personal data should be limited to that which is required for op- Self regulation by the suppliers of RFID appli- eration of the system, and should be de- cations will help to generate trust amongst con- stroyed after use; sumers and users of these applications. By publishing guidelines and code of practices the • No member of the public should be forced, RFID applications are made transparent to the coerced or tricked into accepting an item users. This gives the users the possibility to get in- with an RFID tag attached. The public sight in the aims and objectives of the data collec- should be able to remove or destroy tags, tion and it reveals to the user to which extend and provided with instructions on how to these data are used to support these aims and ob- do so. jectives. They also give the user the possibility to complain against misuse of the system. Self regulation does not come instead of a 6.5. Diffusion and adoption of RFID proper legal system to regulate the use of RFID technology, but it has two advantages: 6.5.1. Introduction • It helps to generate trust amongst users, be- In this chapter we will see how we can apply cause in the eyes of the users it raises the the theoretical framework on diffusion, and adop- credibility of the suppliers that the RFID tion of technology to RFID technology. technology will be used in a proper and transparent way. One main observation in the model of Rogers is that awareness precedes the decision making • It makes it possible to develop a legal frame- process on RFID application and that the next step work for RFID application which defines a in the innovation diffusion process is acceptance basic legal regulation without a need to go and implementation of RFID technology (or rejec- Technical Report Series into to many details, which would lead to a tion of the technology). large amount of administrative burden, and which might block further innovation and Several market research studies have revealed development of RFID applications. a very low awareness amongst consumers on the existence and meaning of RFID. One might expect By comparing different guidelines and code that the same is true for many producers and sup- of practices a number of issues come forward pliers or intermediary organisations in the supply which are important for the acceptance of RFID by104 chain. Without a certain level of awareness of the users i.e.: RFID technology the next phases in the innovation • The RFID system and any data stored or diffusion process (decision making, acceptance processed within it should be used only for and implementation) will not take place or at least the stated purpose; will be staggered.
RFID technologies So awareness creation amongst all the actors Not many RFID implementations haveinvolved will be very important for a well thought reached stage 4 yet; many implementations aredecision making process on RFID implementation. still in stage 1 or 2. The main reason for this is that RFID for sup-6.5.2. Stages of diffusion and adoption of ply chain applications and certainly for other ap- RFID plications is relatively new and no large-scale implementations have yet been carried out. Prod- The possible stages of diffusion and adoption ucts are often not completely faultless and as aof RFID in an ideal situation have been described consequence it often takes considerable time to in-by Loretto (Loretto, 2005). stall and perfect the RFID hard- and software in each location. This description includes both the phases ofthe innovation diffusion process as described by Part of the problem to date is also that the em-Rogers, but also the ‘perceived usefulness (PU)’ phasis has been on the advantages for retailers, butand ‘perceived ease of use (PEoU)’ of the Technol- not on other companies in the value supply chain.ogy Acceptance Model of Venkatesh et al. In an The result is that many companies do not realise theideal situation, according to Loretto, the stages of potential benefits of the technology. This is not onlydiffusion and adoption of RFID could be described true for the retail sector, but it is especially true foras follows: application domains in the public sector, like healthcare, public transport, governmental services. • Stage 1: At this stage many adopters will be applying RFID technology to their supply So, RFID is still a complex technology in chain operation as a result of the require- which little experience has been gained in most ments of key trading partners. At this stage organisations. The implementation of RFID has far some supply chain benefits will be realised reaching consequences for organisations and de- for inventory, packing, shipping and order mands fundamental preparation. The preparation fulfilment, but the application of RFID will time is relatively long at the moment, due to the be seen as cost. immature technology and the limited experience with RFID. • Stage 2: The next stage will involve the in- creasing integration of RFID mature tech- There is also sometimes a barrier in the fur- nologies into existing IT infrastructure in ther development of RFID applications by nega- order to recoup investment and realise ad- tive opinions among consumers in relation to the ditional ROI benefits. Integration may then RFID technology: privacy issues are one of the have immediate impacts on asset manage- main issues here, but also other drawbacks can be ment efficiencies and order reconciliation stipulated by consumers. performance. The only way to jump the adoption barrier is • Stage 3: At the moment integration has ex- through collaboration between all actors involved in the value chain for products or services: this tended RFID into existing infrastructure, it means i.e. the involvement of IT developer, the will be possible to realise further gains in Technical Report Series manufacturer, retailer and consumer right from the supply chain efficiencies by fundamentally beginning of the development of new RFID-appli- changing the way business is undertaken. cations. This will require business process re-engi- neering to ensure that people, processes A proven step-by-step implementation of and technologies are aligned to support RFID is effective and goes from study or proof of business objectives. concept, pilots and small–scale projects to large- scale rollout • Stage 4: Fully integrated systems can then 105 be used to rapidly identify business issues This process has already started by the inno- and respond to those issues along the sup- vators and early innovators and it is now time for ply chain. Being able to do that will enable the early and late majority to take the necessary more effective meeting of consumer needs. initiatives to start RFID application developments.
6. Socio-economic aspects of RFID As identified by Rogers, this development will run advantages is the ability to remove inefficiencies through different phases of a diffusion of innova- from current supply chain management by using tion process. real time inventory information. We will give an overview of advantages for retailers and we will also mention some disadvantages for retailers. This 6.5.3. Issues in the RFID adoption in the information in based on findings in a study on retail industry: advantages and dis- RFID adoption in the retail industry (USA Strate- advantages for retailers gies, Inc. 2005). RFID technologies has been in existence since These advantages and disadvantages give in- the 1950s, but in the present situation adoption of sight into the ‘perceived usefulness (PU)’ and ‘per- RFID in the retail environment is mainly stimulated ceived ease of use (PEoU)’ of RFID for retailers (see by large companies and to a less extend by the in- Table 6-4 for a summary of these advantages and herent benefits of the technology on its own. disadvantages). In paragraph 6.5.4 the same Several factors are driving retailers to push for overview of advantages and disadvantages is given RFID implementation, but one of the significant for consumers. Table 6-4: Overview of retailer advantages and disadvantages Retailer advantages Retailer disadvantages Real time inventory information Cost and return on investment Decreased labour costs Middleware issues Prevention of theft, shrink and inventory write off Consumer feedback Totally integrated opportunities Retailer advantages: tion at P&G noted that if the company could reduce stock out levels from 8 to 10% to 2 to a) Real time inventory information 3% of sales, the return on investment in RFID RFID provides retailers with real-time inven- would more than pay for itself. tory information that can help to prevent stock outs, locate stock within a store to avoid b) Decreased labour costs “shrinkage’ of inventories, and can help to en- RFID provides technology that practically able retailers to use more yield effective pric- eliminates the need for human checking of ing strategies. stock. Accenture estimates that effective RFID A recent study cited in the Harvard Business solutions can help retailers reduce a wide Review (Corsten, Daniel and Gruen, 2004) array of costs: receiving by 50 to 65%, stock- analysed what shoppers do when they face a ing by 22 to 30%, checkout by 22 to 30%, stock out of a desired product. The results cycle counting by 40 to 60% and physical confirmed what many retailers feared. Across counting by 90 to 100%. (Chappell, Garvin et the entire retail industry stock outs on aver- al 2003). Technical Report Series age, cost each retailer approximately 4% of sales. Consumers are not patient with stock c) Prevention of theft, shrink and inventory outs: in fact fewer than half will purchase a write off replacement item, with almost a third going “Shrink” is a retailing term used to describe elsewhere to find the item. inaccurate inventory counts as a result of cus- Across the retail industry stock out levels re- tomer theft, employee theft, inaccurate inven- main near 8%, and represent a key issue that tory counts due to misplaced items, and stock retailers hope to reduce drastically with RFID reordered because items are on a display shelf106 (Convert, James 2004). One manufacturer cur- in another area of the store. The 2000 Retail rently using RFID technology to help to reduce Survey Report estimates that shrink represents stock out statistics is Proctor and Gamble. Paul 1, 69% of sales for retailers (University of J. Grieger, the director of supply-chain innova- Florida, 2000).
RFID technologies RFID technology has the potential to alert staff that the culmination of sales and inventory in- when items are being removed illegally, or formation can prepare retailers better to avoid when they have been misplaced within the stock outs and shrinkage. It is not the cost of store. hardware to read RFID sensor chips that is This can assist in theft reduction and also pro- worrying the retail industry; it is the integra- tion of existing software with RFID informa- vide real-time accurate inventory counts auto- tion which will cost much more money. matically. Inventory write-offs occur when goods are no b) Middleware issues longer fit for consumption, the goods are no RFID middleware extracts the data from RFID longer in demand by consumers, or they have readers, filters it, aggregates the information, been damaged while in the retailer’s posses- and routes the data to enterprise systems. sion. RFID technology offers solutions to track After distilling the data, the middleware sell-by-dates of each product on the shelf. passes it along to applications like enterprise The collection and utilization of this informa- resource planning (ERP), supply chain exe- tion will help retailers maintain a better inven- cution (SCE), customer relationship manage- tory management system that can react to ment (CRM) and warehouse management demand much more quickly than current sys- (WM) systems. Other potential functions in- tems clude monitoring and managing the RFID reader network. Many retailers have cited is- d) Totally integrated opportunities sues with data quality, control and device In addition to improving the supply chain, the monitoring and management problems as advent of RFID technologies will offer retail- obstacles to the implementation of RFID ers new and unlimited marketing opportuni- middleware (Liar 2004). ties. Tracking a customers’ purchases before c) Consumer feedback they leave the store offers retailers informa- tion that can immediately be used for the Metro AG’s pioneering Future Store is the first entire operation to fully utilize RFID technol- cross selling of other related products. In-store ogy. The Boston Consulting Group published suggestive selling allows retailers to commu- a report on the working of the Future Store, nicate with shoppers while they are shopping which showed increased customer satisfac- in an effort to encourage them to buy an ad- tion (The Boston Consulting Group, 2003). ditional and/or complimentary item. The share of customers that chose either fully The implementation of RFID technology will or highly satisfied rose from 34% to 52% after offer retailers also the ability to change their the store changed from a traditional retailer to pricing moment by moment. Real time inven- the ‘Future Store’ model. However not all cus- tory can allow for automatic price changes to tomers are convinced. The same study maximize their yield on high-in-demand showed that although 42% of customers are items. Yielding maximum prices for items ac- using the store more frequently a 20% of cus- cording to store supply and demand levels tomers surveyed are using the store less fre- will increase incidental sales for all retailers. quently. Not all customers will happily utilize Technical Report Series There are also some disadvantages for RFID the RFID related technologies available to adoption for retailers. them.Retailer Disadvantages 6.5.4. Issues in the RFID adoption in the a) Cost and return on investment retail industry: advantages and dis- advantages for consumers The introduction of RFID will lead to addition 107 costs, while the anticipated ROI time frame is In general, consumers in retail shops are rel- unclear, because the true cost savings are dif- atively oblivious to RFID technology and capabil- ficult to predict and the only visible benefit in ities. However, there are a number of consumer the beginning of an implementation project is protection groups that are operating websites and
6. Socio-economic aspects of RFID blogs aimed at galvanizing support for legislation lated to consumer adoption of RFID we will give limiting RFID and what companies can do with the an overview of consumer benefits and consumer technology. To get a better insight into issues re- drawbacks (see for a summary Table 6-5). Table 6-5: Overview consumer benefits and drawbacks Consumer benefits Consumer drawbacks Consumer savings Hidden placement of tags Improved security/ authenticity of prescription drugs Unique identifiers for all objects worldwide Efficient recalls will reduce deaths and injuries Massive data aggregation Hidden readers Individual tagging and profiling Consumer benefits uals who purchase the items. As radio waves travel easily and silently through fabric, plas- a) Consumer savings tic, and other material, it is possible to read RFID will allow companies to better match up RFID tags sewn into clothing or affixed to ob- supply and demand. Manufacturers will not jects contained in purses, shopping bags, suit- produce vast quantities of products that will cases etc. Not knowing if reading of RFID tags not sell and retailers will not overstock exces- is possible or takes place is very annoying for sive amounts of products destined to sit on people. store shelves gathering dust. RFID will enable companies to more quickly identify goods b) Unique identifiers for all objects worldwide that can or need to be discarded or replen- The Electronic Product Code (EPC) potentially ished. This in turn will give the customer ac- enables every object on the planet to have its cess to better and fresher products and in the own unique identification code. This technol- long term might also lead to a decrease in ogy could lead to the creation of a global item pricing for the consumer registration system in which every physical b) Improved security/authenticity of prescription object is identified and linked to its purchaser drugs or owner at the point of sale of transfer. RFID will be used to distinguish genuine prod- This is potentially a positive aspect in some ucts from counterfeit products. This is espe- respects for the consumer, but in terms of pri- cially important for healthcare applications and vacy issues, it could lead to serious abuses. medicine prescriptions. Currently, consumers c) Massive data aggregation have i.e. no ‘fool-proof’ method available which allows them to vetting their drug pre- RFID technology requires the creation of mas- scriptions, which could lead to potential health sive databases containing unique tag data. issues associated with ingesting counterfeit These records could be linked with personal drugs (with i.e. wrong doses or ingredients). identifying data. The main concern here from a consumer perspective is privacy and a threat Technical Report Series c) Efficient recalls will reduce deaths and injuries of misuse of the data. RFID can be used to identify and recall out- d) Hidden readers dated products or unsafe projects. This is es- pecially import in the food area, because it Readers could be placed (out of sight) into will improve food safety and enhance con- nearly any environment where consumers or sumer safety. products are located. RFID readers have al- ready been experimentally embedded into floor tiles, woven into carpeting and floor mats,108 Consumer drawbacks hidden in doorways, and seamlessly incorpo- a) Hidden placement of tags rated into retail shelving and counters, making RFID tags can be hidden in objects and doc- it virtually impossible for consumers to know uments without the knowledge of the individ- when or if he or she is being ‘scanned”. With-
RFID technologies out further regulation, there is the potential cause a lot of knowledge concerning user accept- threat for any number of abuses. ance and adoption has been gained in this sector. In the meantime the landscape of RFID-applica- e) Individual tracking and profiling tions has been enlarged and we see now a rapid If personal identity were linked with unique penetration of RFID in various other domains, both RFID tag numbers, individuals could be pro- in the public sector and the private sector. filed and tracked without their knowledge or consent. For example, a tag embedded in a The largest number of case studies in the IDTechEx database is on pallet/case tracking and shoe could serve as an identifier for the per- these case studies are mainly related to the retail son wearing it. sector. But recently also a number of item-level For these reasons consumer organisations tagging case studies have been included in the both in the USA and Europe have expressed database and they equal now the number of pal- their feelings of distrust around the introduc- let/case studies. Especially in the item-level tag- tion of RFID and have asked for solutions or ging we see many new application areas. Roughly proposed solutions themselves. (Privacy equal to these two categories is the number of card Rights Clearinghouse, 2003; The European categories, payment key fob and e-passport case Consumers’ Organisation). studies. It is expected that a lot of new case stud- ies on card systems will be included into the data-6.5.5. Drivers and rationale in RFID adop- base in the near future as case studies in financial, access and other cards will be added since the tion world’s credit, debit, account and identification Even with extensive writings on adoption and cards gradually move over to RFID for conven-diffusion of innovations (Rogers, 1983) the adop- ience, reliability and reduced cost of ownership bytion of new and emerging technologies with the issuer/operator (see also Annex 8 which pres-unique characteristics is still not well understood. ents an overview of EU-US cases in categories that the IDTechEx database deals with). It is not uncommon that new technologies, asthey pervade the social fabric, generate misunder- Next in order is the vehicle tagging area,standing, mistrust, hostility or irrational fear. His- which is lucrative not only because of the hightory is full of people and groups that fought against prices of the tags, but also the high prices of thethe introduction of new techniques or their conse- systems.quences. Based on a further analysis of the IDTechEx Today RFID technology lies at the centre of database we can identify the following RFID-ap-social debate because of its perceived effects on plication sectors (presented in order of number ofdata protection and privacy, on health and safety, case studies in the database):or also on employment and labour practices. This • Pallet/casedebate reaches a climax because RFID has left the • Item Levellab and is fast entering the mainstream of businessand society. • Card (incl. key fob) Technical Report Series • Vehicle Business adoption of RFID is relatively newand therefore as with most new information tech- • Ticketnologies its true potential both independent and in • Conveyanceconjunction with other technologies is not yet fully • Intermodal container/ULDunderstood. • Passport6.5.6. The broad landscape of RFID appli- • Clicker/immobiliser 109 cations • Air baggage In the previous sections we went into detail • Peoplein the application of RFID in the retail sector, be- • Animals
6. Socio-economic aspects of RFID While the prices of the tags for pallet/chase ing. Of course the usage of medicines is highly applications can be rather low, the unit prices in sensitive personal information. Therefore it has to general are somewhat higher. This is especially the be guaranteed that the pharmaceutical industry case for applications in the medical sector, the air- doesn’t collect any personally identifiable infor- craft sector and the library sector, because in these mation of the patient during this process. So it is sectors a superlative performance of the tags is re- clear that several privacy and data protection is- quired. Also the prices of RFID-applications in sues are related to the RFID application in drug cards and passports are high, which makes these distribution. applications very profitable for suppliers. The same is true for RFID-applications in vehicle tracking. At the level of the patient RFID-applications can help to record which medication was taken New applications are also seen in the textile and in what quantity and in this way lower the per- industry, where RFID is used to raise the efficiency centage of errors in medicine intake. The benefits in textile production and distribution, but also for sought here are better patient compliance of drug managing the quality control of the goods from taking. Especially with an increase of older people raw material to end products. in our society this is an important application. An important new area for RFID applications is healthcare. IDTechEx predicts that the market for Table 6-6 shows that the larger application of RFID in healthcare will grow from $ 90 million in RFID might generate a number of socio-economic 2006 to $2.1 billion in 2016. One of the applica- benefits. It is obvious that the price–development tion areas here is the authentication of drugs. By of the tags is only one factor in the adoption and establishing a kind of electronic pedigree of every broad application of RFID. The development of drug, it will be possible to follow the medicine some potential markets might be not as price-sen- through the whole distribution chain in order to sitive as often is believed, because of the social authenticate the medicine at the point of dispens- benefits which (also) might be realised. Table 6-6: Potential benefits of RFID applications in various application areas58 POTENTIAL BENEFITS APPLICATION Cost Increased Crime Better Removal of AREA Reduction Sales Reduction Service Safety Tedious Procedures Laundry/Rented Textile X X X Library Books, DVD’s etc. X X X X Parts for aircraft & Other Machinery X X X X X Blood Bags & Samples X X X X Military X X X X X Book Retail X X X X X Drugs Prescription X X X X X X Technical Report Series Cigarettes X X X X X X Postal X X X X X Other Consumer Packaged Goods (CPG) X X X X X X110 58 Adopted from: IDTechEx, RFID in action, 2006.
RFID technologies6.5.7. RFID and the new consumer or the detail. Based on these data a more personal ap- new citizen proach is possible, both for retailers but also for all kind of public services. This may cause fundamen- RFID can help to reduce the inefficiencies in tal transformations to the way consumers and citi-supply chains. This is a main advantage of RFID zens will be served in the near future.for suppliers of products and services. Especiallyin a situation where competition is growing andsuppliers are forced continuously to lower profit 6.5.8. Conclusionsmargins. A main issue in the debate around the adop- On the other hand, there are also very signif- tion and diffusion of RFID is the privacy debateicant social and market changes that directly affect (see also chapter 8 on this aspect). This issue hasconsumer behaviours (we do not see a difference yet to be concluded and needs to be taken seri-in the behaviour of consumers or citizens in this ously by the RFID industry and other actors in-respect, so if we use the term ´consumer´ we also volved, because if no adequate solutions are foundmean ´citizen´?. Socio-demographic changes such for this issue, this could have a negative impact onas increased number of dual-income, single-par- the rate of implementation of RFID in society.ent and technology-familiar households have sig- By focusing on the privacy debate one mightnificantly altered the consumer behaviour (Kim, however forget that also other social-economic,2002). legal and ethical issues are involved in the adop- A core component in strategies to reach the tion and diffusion of RFID. Privacy is mainly annew consumer is the development of attractive issue which is related to consumer acceptance orconsumer experiences. The reason for this is that lack thereof. However diffusion of innovation in-traditional factors of competition, such as price volves all actors in the value chain, not only thelevel, selection and location, although still impor- consumers, but also the suppliers and intermediarytant, are no longer sufficient to achieve competi- organisations.tive differentiation. This is because the shopping Another main issue in all technology accept-experience of the new consumer is also affected ance models is the balance between the ‘per-by a number of store-related factors, such as am- ceived usefulness (PU)’ and ‘perceived ease of usebience (temperature, scent, music etc), service (PEoU)’. These two factors are main determinantsquality in the store, store perceived image and sit- for the acceptance and use of new technology.uational elements such as crowding, time andbudget availability of the consumer. In this chapter we have refrained on discus- sions on privacy issues (these are discussed in de- This means that a shopping experience has to tail within chapter 8 of this report) but we havebe driven to a maximum of efficiency and at the discussed some of these other socio-economic,same time also towards a maximum of pleasure legal and ethical issues we referred to. We have il-and entertainment. lustrated these issues by applying the diffusion of The new consumer is more knowledgeable innovation theories to RFID in various markets.about comparable product costs and prices; more Technical Report Series Despite first appearing in tracking and accesschangeable in retail and brand preferences, show- applications in the 1980s, the potential of RFIDing little loyalty, self-sufficient, yet demanding has only been recognised relatively recently. Usingmore information. The new consumer holds high RFID tags, it is possible to identify and track ob-expectations of service and personal attention; and jects and people without time delays, withoutis driven by three new currencies: time, value and human intervention and thus without variableinformation costs. With even smaller, smarter and cheaper tags How can RFID in this context help to meet the and readers, RFID is opening up amazing value 111demands of the new consumer? RFID makes it pos- chain possibilities. Through RFID technology com-sible to use personal data associated with individual panies can improve efficiency and visibility, cutconsumers. These data can be used to reconstruct costs, better utilise their assets, produce highertheir private activities at an unprecedented level of quality goods, reduce shrinkage or counterfeiting
RFID technologiesby RFID, and inevitably leading to a reduction of The impact of RFID on employment shows,labour costs. Administrative staff and jobs that in- in this respect, similarities with the impact of In-volve bar code scanning such as cashiers in super- formation Technology (IT) on employment. Al-markets or jobs in distribution centres, run the risk though the adoption of IT has led to jobof becoming obsolete. A report from the US Yan- displacement in particular sectors of the industry,kee Group, published in 2004, forecasted that ef- employment in the services sector has increasedficiency advantages of RFID will cost 4 million (OECD, 2004; 2005). At the same time, IT has be-employees their jobs (Yankee Group, 2004). come an essential element for economic growth which has created jobs indirectly (OECD, 2004; The lack of attention for the impact of RFID 2005).on employment in these reports is in this respectremarkable. One could argue that this lack of at- However, the full benefits of IT can only betention is a reflection of the current state of devel- realized by improving skills of employees, byopment of RFID, where the focus is mainly on training management, by implementing organiza-overcoming technological hurdles. On the other tional innovations and integrating IT in companyhand, as the public spotlight is on privacy con- strategies (OECD, 2004; 2005). This holds as wellcerns, other issues, such as job loss, remain under- for RFID. One of the key challenges to fully real-exposed. According to a UK report on RFID ize the success of RFID will be education andapplications in healthcare the public’s attention is training. This will be the focus of the followingmainly focused on privacy violations but job losses chapter.are a far more likely and dramatic outcome ofRFID adoption.(Wireless Healthcare, 2004). Workplace However, this view is disputable for the fol- The WSM (‘Work Standards Model’, devel-lowing reasons. Firstly, the loss of jobs is expected oped by The International RFID Business Associa-to be a gradual development coupled to a long tion – RFIDba59 - to assist organizations intransition period of at least 10 years from bar code quantifying and assessing their required workplacescanning towards RFID applications (Yankee skills and knowledge to successfully implementGroup, 2004). Due to this long period the loss of RFID) gives a hint of the significant impact the im-jobs is not expected to result in a disruption of the plementation of RFID in business processes willlabour market. have on the workplace. Employees (end-users) will Secondly, there are indications that the roll- need new skills to successfully work with the im-out of RFID will create new jobs as well. Several plemented systems. The emphasis will be, evenanalysts predict a transition towards more added- more than before, on [real-time] processing of in-value positions such as information (data process- formation that is collected from different sources,ing) and service related jobs. The RFID tools, and applications. This will transform theapplications will give companies access to large character of the new information workplace be-amounts of data that have to be processed to gen- yond that of traditional knowledge work (Forrester,erate actual, value-adding knowledge. 2005). Thirdly, RFID could create new jobs in an in- However, the actual number of studies con- Technical Report Seriesdirect way, as RFID is likely to increase productiv- ducted on the impact of RFID on the workplace isity gains across a wide range of industry sectors. very limited. The few reports that have been pub-This will spur economic growth, which in turn will lished on this matter focus on privacy issuescreate more jobs (IBM, 2005; Reeding, 2006). This (RAND, 2005; NVVIR, 2005). Although employ-line of thought emphasizes innovation and the de- ers have already many options available to them tovelopment of new service products that RFID will control and monitor employee presence, the ap-create. plication of RFID in access and tracking systems 11359 RFIDba is a global, not-for profit, vendor-neutral, educational trade association focused on serving end-users who have a need for edu- cational programs that will help them achieve successful implementation and deployment of RFID technologies. The Association is de- veloping internationally accepted standards for RFID education, training, and certification based on the RFIDba WSM
6. Socio-economic aspects of RFID will make data collection and processing on a Using the definition of the European e-skills large scale even easier. It will create new ways to Forum, an analysis can be made of the kind of monitor employee location, behaviour, and per- shortage that is currently observed for RFID. The formance. Forum distinguishes between three types of short- ages (European e-skills Forum, 2004): Current applications are often limited to ac- cess control systems (NVVIR, 2005). The expecta- • Shortage: quantitative lack of skilled per- tion is however that RFID will be widely applied in sonnel; organizations. This can have considerable conse- • Gap: A competence shortfall between cur- quences for employee privacy. In 2006, two work- rent and needed competence levels; ers of the US company Citywatcher were • Mismatch: A difference between the com- implanted with a RFID chip (MSNBC, 2006). An- petence of the trainee or graduate and em- other example is a store of McDonalds (US) where ployers’ expected competence needs. employees are checked whether they have washed their hands after using the toilets, which was made The results of the survey did not only show a possible by the application of RFID technology. quantitative lack of skilled RFID workers (there are not enough people that can perform RFID jobs); it Whilst in these examples clients or employ- also found that current RFID workers do not have ees have chosen themselves for the RFID chip im- the required competences. This implies that the plant, many employees are unaware of the shortage of skills is also a qualitative gap between possibilities of RFID applications and the conse- what competences RFID workers currently have quences for their privacy. The ease of automatic and what employers actually need. There is some data collection and the fact that RFID can function debate on whether this gap is of a structural nature without direct contact between tag and reader in- (that might require policy interventions). Some hold creases the possibilities for illegal collection of that the gap will dissolve quickly with the rollout of data (NVVIR, 2005). Open and transparent guide- RFID, as the number of organizations offering spe- lines (regulations) and open information practices cial training programmes is growing significantly. are very important in the implementation of appli- cations aimed at surveillance, control and moni- Before turning to what types of competences toring, to guarantee employees’ privacy. are required, it should be noted that the current focus of the shortage of skills is on RFID profes- sionals, rather than end-users of RFID applications. 6.6.2. Training requirements and training fa- The demand for skilled end-users is likely to be- cilities in relation to the widespread come more important in the (near) future, when adoption of RFID technologies applications are implemented on a large scale. Skills: shortage, gap or mismatch? Two types of skills in particular were identi- fied as critical to the successful implementation of A widely recognized problem is the shortage RFID applications: radio technology skills and soft- of RFID skills. A survey conducted in February ware/business process/data architecture skills 2006 by the Computer Technology Industry Asso- (CompTIA, 2006). Radio technology requires a Technical Report Series ciation (CompTIA),60 to gain a deeper understand- combination of knowledge of the frequency spec- ing of the current RFID skills in industry, found that trum of radio waves with RFID knowledge (such 75% of the respondents believe that the pool of as RFID standards, air protocols, data coding, elec- talent in RFID is insufficient. From this 75%, 80% tronic product code formats, installation, mainte- believes that the lack of skilled individuals in RFID nance and testing skills). The second type of skills will hinder adoption. This number is significantly requires knowledge of middleware, the functional- higher than in 2005, when 53% said it would have ity of software (real-time data acquisition and data114 a negative impact (CompTIA, 2006). filtering), integration of specific applications etc. 60 CompTIA is an international organization with the aim to advance the growth of IT industry and those working in it. They have 20.000 members in 102 countries and offer vendor neutral certification programmes on several subjects, such as RFID (since March 2006). http://www.comptia.org
RFID technologiesTraining 6.7. Conclusions and recommendations In order to address the skills gap, several or- The widespread application of RFID not onlyganizations have developed their own RFID certi- raises privacy and security concerns, but also farfication programmes to train staff and overcome reaching implications of the application of thisthe differences in competences. As a result of their technology can be foreseen in the social interac-survey and discussions with industry experts, tion between people and in the economic trans-CompTIA started their RFID certification pro- actions between actors in the market.gramme in March 2006. It is focused on radiotechnology and includes the following domains: In this chapter the socio-economic aspects of RFID applications have been discussed, together • Interrogation Zone Basics with some legal and ethical issues. This subject • Testing and Troubleshooting also includes the human aspects related to the use and acceptance of the RFID, i.e. awareness, trust • Standards and Regulations and user related issues of technology transfer. • Tag Knowledge Based on a theoretical framework it is made • Design Selection clear that these socio-economic aspects are impor- • Installation tant for the widespread acceptance and use of RFID Therefore technology developers and policy • Site Analysis (i.e. Before, during and after makers should be aware of these aspects and take installation) appropriate measures to incorporate accepted so- • Radio Frequency Physics cial values in the development, application and implementation of the RFID technology. • RFID Peripherals Having said this, an important observation is Training courses of other organizations such that results on socio-economic research on accept-as RFID4U, RFIDSolutions and OTA Training are ance, adoption and use of RFID are still ratherapproved by the CompTIA Learning Alliance scarce.(CLA). The same is true for the second topic in this The International RFID Business Association chapter: the effects of RFID on the workplace and(RFIDba)61 has developed a ‘Work Standards the employment market and the development ofModel’ (WSM) to assist organizations in quantify- education and training in relation to RFID.ing and assessing their required workplace skillsand knowledge to successfully implement RFID. In relation to the issue of education and train-The model describes all work processes, tasks and ing one could also mention the issue of awareness,task elements, tools and equipment as well as the which is still lacking. As a result of consumer sur-knowledge, skills and abilities of the workers to veys one could conclude that RFID is still a ratherquantify and codify the work.. It can be used to unknown concept amongst consumers: only 30%understand how work processes, tools or knowl- of the consumers in the USA, and only 18% of theedge might be changed due to the introduction of consumers in Europe are aware of the existenceRFID and to identify the required level of expertise and application of RFID, the rest has never heard Technical Report Seriesof different employees (Squires & Neary, 2006). of the concept before.This model, therefore, focuses mainly on end-usersof RFID. This means that for consumers even the first phase of the process of diffusion of innovations, as defined by Rogers, hasn’t started yet. In this chapter we do not restrict ourselves to the analysis of consumer aspects, but we look at 11561 RFIDba is a global, not-for profit, vendor-neutral, educational trade association focused on serving end-users who have a need for edu- cational programs that will help them achieve successful implementation and deployment of RFID technologies. The Association is de- veloping internationally accepted standards for RFID education, training, and certification based on the RFIDba WSM.
6. Socio-economic aspects of RFID the introduction of RFID in the whole value chain, introduction and acceptance of RFID. Trust con- so including manufacturers and suppliers, retailers tributes to the acceptance of the technology in a and other intermediary organizations, and positive direction; while risk contributes in a neg- users/consumers in various sectors in our society.. ative direction. The effect is that the two factors in- teract with each other, so that technology Taking the retail sector as an example we connected with a low degree of trust may still be have started to analyze which factors influence the successful if there is also a low perceived risk. But acceptance and implementation of RFID and it is also possible that in very risky situations no which advantages and disadvantages of RFID can amount of trust is able to offset the risk perceived be identified. by a user, and in such a situation it will become Conclusion is that for many different reasons, very difficult to accept the involvement of a spe- many companies are still in the first phases of cific technology. adoption and implementation of RFID. This is even In order to deal with consumer concerns re- more the case in various other sectors of our soci- garding the use of RFID, various organizations ety. One of the reasons is that RFID is a complex have developed on the basis of self-regulation technology, in which still little experience is guidelines and code of practices to protect con- gained in most organizations. Further pilots and sumers A number of such guidelines and code of experiments around RFID implementation, with practices have been selected and are described in involvement of all main partners (so also the users) this report (see Annex 4). will overcome a lot of problems and will stimulate the learning and acceptance process. Main drivers It is also very important to note that: for this development are perceived benefits, the existence of dominant supply chain pressure, and Development of awareness activities is very the existence and adoption of standards for intel- important to make consumers, but also other ac- lectual property ad ownership of the data gener- tors in supply chains for products or services, ated by the RFID systems. aware of the existence, benefits and existing draw- backs regarding the widespread introduction and In relation to the introduction of RFID not implementation of RFID. It is important to realise only technological and cognitive knowledge is im- these awareness activities from a neutral point of portant, but also the affective quality of the whole view. Therefore the EC could initiate or stimulate RFID system should be taken into consideration. these developments. Perceived affective quality of a system for instance has a positive impact on user’s perceived usability Pilot activities and experiments are important of the system. initiatives to learn to overcome all the pitfalls which might arise when a company or a public or- The same is true for pre-existing knowledge ganisation start to implement RFID. It is important on the system. People who know already what to develop such initiatives along the lines of RFID is are in general more positive on the effects proven step-by-step introduction of RFID: from of RFID than people who just learned about the study or proof of concept, pilots, and small-scale existence of RFID. This observation also pleads for projects to large-scale roll outs. Technical Report Series an extension of awareness activities both for the consumers and the other actors in the supply chain It is also important to involve all relevant or value chain. parties in the development and implementation process: so also potential users/consumers A main conclusion regarding the theoretical should be involved from the very beginning of analysis of the issue of trust and RFID is that the such an initiative. The development of such a basic level of trust is different for different people. pilot projects and experiment is a main respon- Some people are very trustful, while others have a sibility of the market itself. However, in order to116 high basis level of distrust. disseminate the knowledge gained and the expe- Another observation is that feelings of trust rience which has been built up, it might be help- and risk can be established quite independently, ful if the EC could give some support to these and together they determine the final success of activities.
RFID technologies A lot of research is going on regarding the fur- tant task for the EC. Also issues related to the ren-ther development of hard- and software for RFID. ovation of the work place due to the implementa-However, most of this research is technology tion of RFID need further attention.based and takes cognitive behaviour of the con-sumer as a point of departure. Emotional aspects RFID is only a part of the introduction of newalso to a large extend influence the acceptance or information and communication technology in therejection of the RFID technology. Therefore re- retail sector and in other commercial or publicsearchers should also analyse the affective quality sectors. It is a part of the introduction of ubiqui-and affective aspects of RFID systems into their re- tous computing and ambient intelligence in com-search projects. In general we could conclude that panies, shops and homes. This new technologythe methodology for such research is still under- will have an impact on the consumer, but at thedeveloped. We could not identify any specific same time, due to all kind of socio-economic de-study on these aspects in relation to RFID systems. velopments in society, we also see the emergenceWe recommend that the EC supports such studies of the new consumer. This new consumer will alsoand stimulates the widespread application of the develop – in a direct or indirect way - new de-results of these studies. mands regarding the use of new technology. The positive and negative implications of the A further analysis of the role of the new con-widespread implementation of RFID on employ- sumer in relation to the development of new tech-ment and overall work force are still unknown. nology will be fruitful for the further developmentThe development of a conceptual model to analy- of the RFID systems, but also for other technologyses this impact and the further monitoring of these systems which have to serve the consumer or citi-developments could be considered as an impor- zen of the future. Technical Report Series 117
RFID technologies 7. Privacy aspects of RFID7.1. Introduction ful consideration. The OECD mentions a study done by the EU Article 29 Working Party on Data The objective of this chapter is to position the Protection, a group that has been established invarious privacy consequences of RFID in a general accordance with article 29 of the European pri-framework that underscores the relationship of vacy directive 95/46/EC. (Article 29, 2005a) ThisRFID with privacy on three distinct levels. To start study supports the findings of the OECD with re-with, we will present some results and observa- gard to the privacy implications of RFID. Thetions that show the importance of dealing ade- OECD and the Article 29 Working Party share thequately with privacy in case of using RFID. This view that in relation to RFID, privacy and securitysets the scene. The by now ‘classical’ view on pri- are two sides of the same coin and require an ap-vacy will be presented, followed by an extension proach in which they are both tackled together.of this view for RFID. A distinction we introduce, During an OECD-workshop, held in Octoberis the distinction between closed and open RFID 2005, participants also addressed the double-sid-systems, i.e. systems in which data are confined edness of privacy and security, complementingwithin the system and systems that communicate that it might be possible to include security safe-with other systems and that exchange (personal) guards that may have positive implications on pri-data. Dealing with the privacy implications of vacy. (OECD 2006b) The Italian member of theRFID can be done on the basis of one of the three Data Protection Commission, Stephania Congia,following perspective: enforcement by law, self- stated that “the majority of basic principles are al-regulation and technical measures. Referring to the ready laid down in the OECD guidelines, EU di-first, the EU-privacy directive (95/46/EC) sets the rectives, the Council of Europe Convention, butscene and is overall still valid. Self-regulation is a that RFID technology has an impact on personalmeans that enforces commitment by interested dignity and integrity as well as on freedom ofparties. The US Centre for Democracy and Tech- movement and that personal data can benology has organised commitment in a set of processed without the knowledge of the individ-RFID-privacy guidelines. Finally, technical meas- ual.”(OECD 2006b, p. 14) The EU-workshop onures can be used to enhance privacy. For con- RFID, held early May 2006, once more proved thesumer issues it is demonstrated that it is possible to importance of tackling privacy and security as twoadhere to the OECD Fair Information Principles by dominant aspects for successful introduction ofincluding specific forms of profiling and use spec- RFID. Much of the workshop, devoted to privacy,ification to the tag and reader information. This security, health effects and employment was ded-elaboration shows the viability of a ‘privacy by de- icated to underscoring how privacy and securitysign’ approach. might profit from each other in improving user ac- ceptance of RFID. The double-sidedness of privacy and security requires attention right away, since it Technical Report Series7.2. The sensitivity of RFID towards deals with embedding privacy regulations in the privacy infringements standards that are developed just now on the var- ious aspects of the RFID system (encompassing In a recent OECD report, privacy is indicated tags, readers, middleware and the adjacent back-as an important aspect of RFID-developments. The end information systems).OECD states that “[W]ithout addressing privacy re-lated issues carefully, appropriately and transpar- A recent study, performed by Capgeminiently … backlash by consumers and citizens is a (2005) supports the concerns that are raised by the 119potential risk that could limit long-term benefits OECD and the Article 29 Working Party. Capgem-and development.” (OECD 2006a, p. 15) In the ini concludes that overall awareness for RFID inview of the OECD, privacy is an asset of RFID that Europe is low, and on average lower than in theneeds to be taken on board, and that requires care- United States (18% in Europe versus 23% in the
7. Privacy aspects of RFID USA). Within Europe, awareness is highest in the This indeed is an important message. The more UK (24%) and lowest in the Netherlands (12%). one becomes familiar with the opportunities RFID Though US consumers expressed greater concern technology offers, the higher the critical awareness for privacy related issues than European con- that the technology may impose privacy threats. sumers, Europeans did put privacy issues “at the For Europeans, the highest ranked privacy threats top of the list, leaving no doubt that companies are consumer data used by third party, tags that must address these concerns as they communicate can be read from a distance, tracking of consumers with their customers about the technology.”62 via product purchases, and being targeted more Overall, the higher the awareness, the higher the with direct marketing (see Table 7-1). response to expected privacy concerns of RFID. Table 7-1: Consumer concerns related to RFID63 Issues of concern EU [%] USA [%] Consumer data used by third party 59 69 Tracking of consumers via product purchases 55 65 Tags could be read from a distance 52 42 Targeted more with direct marketing 52 67 Environmental impact 44 45 Health issues stemming from RFID 35 56 RFID tags that can be eaten/dissolved 31 43 The table shows priorities in the USA to be Gemini. The third threat is related to profiling spe- different from the priorities in the EU, with privacy cific groups on the basis of shared characteristics concerns in the USA overall higher. The biggest which make people part of social networks. The gap between the USA and Europe is in prioritising privacy threat here is, for one, the intrusion in the health issues (dangers from RFID radiation), where intimacy of the personal sphere, and for another the USA prioritises these issues considerably the identification of people belonging to a network higher than Europeans. on the basis of shared characteristics (profiling), which may lead to inappropriate assumptions In a study, performed at the Humboldt Uni- about individual persons. Technology paternalism versity of Berlin, people were invited to indicate what they perceived as potential major privacy relates to the enforcing power of RFID to control risks of RFID.(Spiekermann 2006) They identified behaviour of persons. Examples provided are the the following list of threats: smart shelves that raise alarm when objects are re- placed wrongly, and cinema’s that signal when 1. Unauthorised access people bring with them their own (RFID-tagged) food and drinks. The fifth issue refers to the use of 2. Tracking of objects via data RFID in linking objects to people, for instance in 3. Retrieving social networks order to register deviant behaviour. An example is that objects can be linked to people (a can bought Technical Report Series 4. Technology paternalism at a supermarket and thrown out of the car after 5. Making people responsible for objects. consumption). The first two of these threats are related to the The Capgemini survey presented an other in- direct use of RFID: they relate to violation of con- teresting result. Table 7-2 compares the perceived fidentiality and security of communication and the impact on privacy of RFID relative to other tech- direct use of data to monitor people, and are in nologies, such as mobile phone, credit cards,120 line with the first four threats identified by Cap smart cards, etc. Though some of the technologies 62 CapGemini (2005). p. 4 63 Percentage of consumers saying “concerned” or “extremely concerned. Capgemini (2005), p. 11
RFID technologiesmay have RFID embedded in them (for instance access control badges and smart cards. It is inter-access control badges and smart cards) the tech- esting to note that in all cases only 10% of con-nologies are rated as if they are independent from sumers or less considered the privacy impact ofeach other. RFID is rated to have a higher or equal RFID to be less than the privacy impact of the al-privacy impact for all technologies that were pre- ready existing technologies! This implies that RFIDsented. 45 and 46% respectively rated the privacy is considered to be a technology with a very highimpact of RFID higher than the privacy impact of privacy profile. Table 7-2: The impact on privacy from RFID vs other technologies – Europe64 Consumers saying RFID has … Greater impact Same impact Lesser impact Don’t know Mobile phones 36 33 10 21 Debit cards 36 29 7 26 Credit cards 41 31 8 20 ATMs 41 32 8 19 Frequent shopper/loyalty cards 42 33 7 18 Access control badges 45 31 6 18 Smart cards 46 28 6 20 Camera phones 34 32 10 24 The survey of Capgemini thus underscores the the conditions a person needs to develop and de-statements of the OECD and the Article 29 Work- termine oneself. One needs to have the opportu-ing Party that privacy implications of RFID have to nity to protect oneself for the intrusion in onesbe taken seriously. The survey indicates that the private life in order to create prosperous condi-consumer does not expect the introduction of tions for realising autonomy and self-determina-RFID to lead to cost reductions. The consumer tion. This is part of the classical approach ofdoes however perceive potential benefits of the privacy. It hinges on what can be labelled as ‘rela-technology such as car anti-theft measures, faster tional privacy’. Due to the rise of information sys-recovery of stolen items, improved security of pre- tems and the ubiquitous presence of data in digitalscribed drugs, improved food safety and quality, form, the traditional concept of (relational) privacyand potential consumer benefits (such as faster has been extended to include ‘informational pri-check-out, better price accuracy, improved access vacy’, privacy in which the data shadow of a per- son is at stake. Alan Westin’s famous dictumto products and information). These potential con- defines informational privacy as “the claim of in-sumer benefits are ranked low on the list, which is dividuals, groups or institutions to determine forin combination with the high profile for privacy re- themselves when, how and to what extent infor-lated issues, reason to start raising awareness of the mation about them is communicated.” (Westin,consumer on benefits and potential dangers of 1967) In Germany, one finds reference to the ‘in-widespread introduction of RFID. formationelle Selbstbestimmung’ (self-determinacy over one’s own information) in the German Con- Technical Report Series stitutional Law (Article 8, Paragraph 9):7.3. Privacy in RFID systems “If somebody cannot overlook with sufficient In the classical sense of the concept, privacy certainty which information concerning certainrelates to the right of shielding off the home envi- areas is known to his social environment … he canronment, the intimacy of life, confidential commu- be significantly hindered from planning and decid-nication, and safeguarding the integrity of the ing in a self-determined way … If somebody has tobody. Privacy was, and is, considered to be one of reckon with the registration of his participation in 12164 Source Capgemini, 2005
7. Privacy aspects of RFID a meeting or a citizens’ initiative by the authorities A literature review shows that authors address and with the danger that risks for him are involved, a broad range of privacy issues, related to several he will perhaps not exercise his corresponding forms (‘scenario’s’) of intrusion in the personal basic rights.”65 sphere of people.68 The starting point for our own RFID is a means for identification. The iden- analysis is presented in Figure 7-1 (adopted from tification can be of products, services or persons66 (Garfunkel, 2005, p. 36). Though Figure 7-1 refers (cf. OECD, 2006b). In most cases, RFID-tags will to the EPC network, we think it is useful for more be related to products. When however, a person is generic purposes. In Figure 7-1, two direct privacy correlated to specific products by means of a threats are identified: one in relation to the tag- token, an index or another pointer, the identified reader system, and one in relation to the informa- information becomes personal information (or in- tion that is collected and disseminated outside the formation that enables the identification of a per- tag-reader system. The first kind of threat is the one son). Due to the ‘enabling’ characteristics of that is most directly related to RFID. It focuses on RFID-tags – they can be used everywhere, in any the privacy implications of the tag-reader-system situation for any purpose – the threat to privacy is itself. The second kind of threat relates to the use a major concern, for the public, companies and of data collected by means of an RFID-system. The governments alike (albeit for different reasons). As data that are disseminated by the tag-reader-sys- stated in the introduction, several bodies have in- tem may be collected in a database, for instance to dicated to perceive privacy as a kind of critical success factor for the widespread use of RFID. The monitor pallets in a supply chain management sys- near past has shown that trials with RFID – even tem, in case of electronic payments, etc. This kind trials in which the utmost care was given to pri- of threat is not uniquely determined by the RFID- vacy considerations – led to public arousal, due to system, but due to RFID the threats may be aggra- perceived risks regarding the privacy.67 vated and have very specific dimensions. Figure 7-1: Abstract view on privacy risks in EPC network69 Technical Report Series 65 Quoted in: Von Locquenghien, K. (2006). p. 61-62. 66 Distsinction made by Jeroen Terstegge, Corporate Privacy Officer, Philips. 67 See http://www.boycottgillette.com/on the controversy surrounding Gillette using RFID to monitor buyers of Gillette razors; see http://net-122 works.silicon.com/lans/0,39024663,39118760,00.htm for the privacy concerns surrounding the introduction of RFID in Metro; see http://www.spy.org.uk/cgi-bin/rfid.pl for an argument about the privacy implications surrounding the introduction of item-level tagging by Marks and Spencer. 68 See (Article 29 2005a), (ECP.nl 2005), (Juels 2005), (Garfunkel 2005), (Spiekermann 2006) 69 Adapted from Garfunkel et al.2006, p. 36. N.B.: The opaque circle identifies the direct privacy threat for the tag-reader system, the line through the tag-reader-middleware system identifies the linking of personal identity to a set of unique tags
RFID technologies The privacy threats will – in the end – be specific characteristics of groups of users. Thisthreats to an individual. The threat may however leads to the following matrix, identifying the vari-be a threat to a group of individuals, for instance ous privacy threats that will be discussed hereun-in case of using profiling techniques to identify der. Table 7-3: Direct and indirect privacy threats, originating from RFID-systems Privacy threats Reader-tag system Back-end Individual Unauthorised reading of Aggregating personal information personal information Using data for purposes other than Real-time tracking of individuals originally specified Collective/Group - Profiling and monitoring specific behaviour7.4. Privacy threats within the considered as personal data.70 General consensus tag-reader system exists that cards containing personal data require specific measures to prevent unauthorised persons Privacy threats related to the tag-reader sys- to read the content of the card (for instance in casetem refer to the following issues: of loss of the card, or in case of unauthorised read- • The unauthorised reading of tags, ing of the content of the card). • Real-time tracking of individuals. People consider the unauthorised reading of tags to be the most prominent privacy threat (Spiek- ermann 2006). Unauthorised reading is possible,7.4.1. The unauthorised reading of tags especially in case of using UHF-based tags with A tag may contain personal information. Iden- reading ranges of approximately 7-10 m. EPCglobaltity cards and specific forms of public transport pushes the market towards adapting UHF-basedcards (seasoning tickets, for instance) will contain tags in order to enable multiple readings (higheridentifiable information. They may contain directly bit-rate possible) and towards the introduction ofidentifiable information on the card such as name smart shelves. The threat is most serious in case ofand birth date. They also may contain data that item-level tagging. Implementation schemes offunctions as a key for a database in which personal item-level tagging show that this will not happeninformation is stored. The privacy threat in the first on a large scale in the coming five to ten years. Oncase is obvious. When the data can be read out, a the other hand field trials are occurring in whichdirect link can be made to a person. If other data specific items are tagged. Next to the read range, itis collected as well on the card (multi-purpose is necessary that the tag data can be read out. Thiscards) a link may be made to these other data, thus presupposes that the data on the tag is not en-revealing additional information about the holder crypted and that protocols are used which enableof the card. In case a card holds indirectly identi- any reader to read out the data. Spiekermannfiable information (a pointer that may refer to infor- (2006) indicates that this was the case with the EPCmation about an identifiable person in a database), Generation 1 tags. When the tag can not be read Technical Report Seriesthe privacy threat is indirectly present. Only when out directly, read out can be attempted by means ofthe intruder is able to link the pointer to the real eavesdropping. Eavesdropping is a special class ofperson, privacy will be invaded. Within Europe, a privacy threat. For this kind of threats a number ofdispute is continuing on whether all identifiable technical conditions have to be fulfilled, such asdata should be considered as personal data (Arti- those concerning the read range and the clearcle 29 WP, 2005). This is a difficult to solve issue. availability of the data. Regarding the first aspect,Private companies oppose a too strict definition; one may determine a relation between read rangein their view pointers and tokens should not be and privacy issues. In general, there is a strict cor- 12370 This argument was spelled out in the consultation following the publication of the Article 29 Working Party report on RFID. See (Article 29 2005b).
7. Privacy aspects of RFID relation between frequency used and read range; out the person knowing it, invades the privacy of using UHF frequencies enlarges the read range to the person. A person need not only be identified as 7-10 metre, the 13.56 MHz read range (commonly a person, but s/he can also be identified as part of in use for smart card applications) has a read range a group on the basis of a specific token (such as of 1.5 m and proximity cards only work at dis- an identity card which may reveal the nationality tances of approx. 10 cm. Juels (2005) discerns be- of the individual). For this situation the Article 29 tween different sorts of read ranges and argues that Working Party discerns specific privacy risks, in- the tag-to-reader eavesdropping range and the cluding the risk that deploying this kind of tech- reader-to-tag eavesdropping range outpace the nologies “will cause a boost in data to be nominal read range as specified in standards and processed by a wide variety of controllers, giving product requirements. Within smart cards, which cause to concern”.71 may contain personal information, the use of en- cryption may prevent successful eavesdropping. Authentication handshake protocols, in which the 7.5. Privacy threats at the backend of reader and the tag have to make themselves known the RFID system to each other and where successful communica- tion will only be established when they recognise The threats mentioned above, correlate di- each other, may be used to enhance secure com- rectly with the RFID-reader to tag communication munications. and the direct use of these data. Most privacy threats however refer to the collection and subse- quent use of information outside the tag-reader 7.4.2. Using tags to track persons system. Tags with unique IDs can easily be associ- This is identified by Spiekermann as being the ated with a person’s identity and smart cards with second biggest threat to privacy as identified by their own processing capacities may contain sen- the people engaged in her research (Spiekermann, sitive personal information. When linked to data- 2006). Tracking of persons via objects presupposes base systems, privacy threats may occur that are the linkage of identification data with individual not unique for RFID but nevertheless pose serious track movements. Identification data can be ac- problems. We have identified the following pri- quired on the basis of electronic payments, loyalty vacy threats related to the use of data outside the cards, season cards in public transport, etc. When tag-reader system: a person carries an object that is linked to that per- 1. Using data for aggregating personal infor- son (such as a wristwatch) the data of the tag at- mation, tached to the wristwatch may be used as 2. Using data for purposes other than origi- identifiable information for the person carrying the nally specified, wrist watch. It is possible to track the movements of this person by surveying the movement of the 3. Using data to monitor specific behaviours. object for which the tag data are known. The infor- mation can for instance be used to retrieve per- 7.5.1. Aggregating personal information sonal preferences. Information on specific customers in a shop can be collected on the basis By means of data mining techniques it is pos- Technical Report Series of an identifiable loyalty card. The loyalty card is sible to find correlations between hitherto sepa- used to identify the customer and to follow the rated objects (and subjects). When two persons customer during his or her shopping sessions. exhibit similar travelling patterns and spend time Readers in the shop collect information about together during travel, it may be assumed that they shopping habits of the customer, including the are somehow related to each other. This informa- time spent in specific sections of the shop. One tion can be enriched by confronting it with other step beyond is the use of readers to identify very information collected by other sources. When the124 personal items (such as banknotes, medicines and seasoning ticket can be used as an electronic identity cards). Information on these items, with- purse, shopping preferences may be added for in- 71 Article 29 Data Protection Working Party, 2005, p. 6
RFID technologiesstance. Data will be analysed in order to deduct 7.6. Open and closed RFID systemssocial links between persons. This privacy threatwas ranked third in the outcomes of Spiekermann’s To these privacy risks we will add the follow-research. Deducting social networks may be espe- ing two dimensions of RFID systems (OECD,cially interesting for intelligence agencies, for in- 2006a). RFID systems are either open or closed.stance in trying to discover social networks of Closed RFID systems are systems that do not havecriminals: if one criminal can be traced, it is pos- links with an outer environment. According to thesible by datamining and pattern recognition tech- intention of the designer, data that are collectedniques to sort out who else has a similar pattern of within the system do not trespass the system’smovement. This privacy threat is closely related to boundaries and remain entirely within the system.the following one. Data from outside the system will not trespass the system’s boundaries either. Open systems are sys- tems in which data that are collected within the7.5.2. Using data for purposes other than system may be shared with other systems. originally specified An example of a closed system is a logistic RFID data may be collected for use in specific system which uses proprietary solutions for dealingsettings, but subsequently used in other settings. with the data it collects from its tags. The tags areThis is an example of ‘function creep’: though orig- used to identify pallets. Tracking the pallets is eas-inally not perceived, data collected for a specific ier when using RFID since line of sight is not re-purpose turns out to be useful for other purposes as quired and if needed, the tags can have additionalwell. To stay with the example provided under the functionality when combined with sensors (toprevious bullet: under the data retention acts that measure temperature for instance). Additional in-come into existence in Europe, national intelli- formation can be stored, on the level of individualgence agencies may request the data on travel pat- pallets. In case the data collected are only used forterns in order to be able to select travellers who supply chain purposes (following the supplies infulfil a specific profile. This has not been the in- transport), the system is a closed system. In casetended use of this data. In this case one could linkages are made with other systems the systemargue that law enforces the use of data for this typ- may turn from closed into an open system.ical situation. The counter argument can be that An example of an open system is a publicwith a specific design of the data system function transport ticketing system which is used in con-creep may be prevented (for instance by junction with an electronic shopping system, foranonymising data or by having strict rules for the instance by adding e-payment functionality to theperiod of data retention). transport ticketing card for shopping at shopping malls. This functionality may be an interesting one7.5.3. Using data to monitor specific be- for the passenger since for example it may give haviours him or her benefits for shopping in shops related to railway stations. In this situation, however, the pur- Monitoring can be done in real time (see pose of the travelling system and the purpose ofpoint 3 above), but it also can be done on the basis the shopping system are distinct from each other. Technical Report Seriesof aggregated data, that are subsequently analysed Though data sharing may be strictly bound to spe-in order to deduct specific patterns of behaviour. cific rules, set in advance by the responsible au-An example of using RFID technology for individ- thorities, it can not be excluded that misuse of dataual monitoring is the shop-owner who uses an will occur, since data collected for one purposeidentifiable token (such as a loyalty card) to col- may be used for quite distinct purposes. Keepinglect information on shopping behaviour and uses track of the collected data becomes more prob-this information to base decisions related for ex- lematic in an open situation; relations may existample on pricing without the consent of the cus- with third parties outside the system who use the 125tomer. Even when the identity is not known, the information collected for other purposes. This inshop-keeper can try to collect personal informa- the end will lead to a complicated mix of inter-tion on the basis of an identifier (such as a tag re- twined systems in which it becomes increasinglylated to a personal belonging of the customer). difficult to disentangle the various purpose speci-
7. Privacy aspects of RFID fications of each of the systems and see whether Much is expected of the possibility to safeguard they are in line with each other. Issues as ‘informed privacy by technical means (‘Privacy by design’). consent’, ‘purpose specification’, ‘use limitation’ In the following subsections we present the three and the like will have become problematic. strategies in more detail. 7.7. Strategies to cope with the 7.8. Privacy laws privacy threats Started in 1973 with the Principles of Fair Infor- The use of RFID poses privacy threats, either mation Practice as formulated by the US Depart- directly by its tag-reader system or indirectly by the ment of Health, the OECD published in 1980 its possible intrusion on personal information gathered privacy guidelines – which were based on these in RFID-related databases. In attempting to safe- Principles of Fair Information Practice; the European guard privacy, different strategies may be pursued: Directive 95/46/EC in turn was based on the OECD guidelines. The European Directive formed the basis 1. using law, of many national data protection laws within Eu- 2. using self-regulation, rope, in which national differences are of course in- troduced. Many of these are in effect today; they all 3. using technical solutions, encapsulate the same set of principles. This set of In case of RFID all three strategies are used. principles is summarised in Box 7-1 Box 7-1: 1980 OECD Guidelines on the protection of privacy and transborder flows of per- sonal data72 “The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data … continue to rep- resent international consensus on general guidance concerning the collection and management of personal data. … The Guidelines contain the following eight principles. 1. Collection limitation: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. 2. Data quality: Personal data should be relevant to the purposes for which they are to be used, and, to the ex- tent necessary for those purposes, should be accurate, complete and kept up-to-date. 3. Purpose specification: The purposes for which data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. 4. Use limitation: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified except a) with the consent of the data subject or b) by the authority of law. 5. Security safeguards: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data. 6. Openness: There should be a general policy of openness about developments, practices and policies with re- spect to personal data. Means should be readily available of establishing the existence and nature of personal Technical Report Series data, and the main purposes of their use, as well as the identity and usual residence of the data controller. 7. Individual participation: An individual should have the right a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him, data relating to him (within a reasonable time; at a charge, if any, that is not excessive; in a reasonable man- ner; and in a form that is readily intelligible to him); c) to be given reasons if a request made under subpara- graphs a) and b) is denied, and to be able to challenge such denial, and d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, complemented or amended. 8. Accountability: A data controller should be accountable for complying with measures which give effect to the126 principles.” 72 OECD, 2006, p. 23
RFID technologies These eight principles define the information parties than the parties originally responsible forspace in which legal forms of acquiring and pro- the data collection process (OECD, 2006a). Thiscessing data will take place. Some of the princi- addition increases the likelihood that RFID-dataples may be enhanced by using technical means, may turn out to be related to individual persons,some of them require organisational approaches, and seems to be in line with the more stringentfor instance in defining roles and responsibilities approach of the Article 29 Working Party.concerning access to personal data. Two addi-tional principles can be formulated that may be Informed consent is another major challenge.used to control the privacy sensitivity of the appli- The Article 29 Working Party stipulates the needcations in which personal data are collected for informed consent when this is legally required.(Holvast, 2001): Consent should be freely given, should be specific, should entail an indication of the individuals ef- • the principle of subsidiarity: the responsible fective will, should be informed and should be un- agency for the data collection has the re- ambiguous. The Working party provides the sponsibility of choosing that form of data example of a supermarket for which informed con- gathering, storing and processing that lim- sent is required and the example of surgery in its the impact on privacy most. which case there is no need to inform the patient • the principle of proportionality: purpose about the data that is acquired on the tools that are and scope of data collection needs to be used during the surgery. The practice of informed balanced with possible privacy impacts. consent around RFID will have to be sorted out, especially in circumstances when third parties may Overall, consensus exists that the European use the data collected.privacy directive (/95/46/EC) enables a propertreatment of privacy aspects related to RFID. To enable individuals to exert their rights, theSome issues are still contested. The consultation Working Party defines a number of information re-of the report of the Article 29 Working Party on quirements that have to be met to comply with ar-Data Protection showed disagreement between ticle 10 of the Directive. Responsible partiesprivate and public parties about the precise defi- should provide information on:nition of ‘personal data’ (Article 29, 2005b). Pri- • the identity of the controller,vate parties disagreed with the strict approach ofthe Working Party who defined personal data as • the purpose of the processing,“any information relating to an identified or iden- • the recipients (third parties),tifiable person”. They did not consider all RFIDdata to be related to a person and they consid- • the existence of a right of access.ered the approach of the Working Party too re- It continues by presenting the right of accessstrictive. The Working Party especially warned for by individuals (Article 12 of the EU directive). In-the broad scoping of identifiable information in dividuals need to be able to check the accuracystating that “account should be taken of all the of data ànd check the accuracy of the data pro-means reasonable to be used either by the con- cessing.troller or by any other person to identify the saidperson.” (Article 29, 2005a, p.8). The consulta- RFID-data processing has to comply with Technical Report Seriestion revealed a difference of opinions about the similar requirements as other forms of data col-question whether item level tagging based on lection and processing. The European Privacy di-EPC global standards will usually entail a pro- rective addresses the issues responsible partiescessing of personal data. This dissensus has also have to be aware of. It is difficult to judge thebeen acknowledged at the recently held EU Con- practical consequences of a very strict interpre-sultation Workshop on RFID privacy implica- tation of the directive. Concern is uttered by pri-tions.73 To the immediate identification the OECD vate parties who fear the RFID innovationadds that identification may take place some time process (and thereby economic growth) to be 127after having collected the data, may be by other hindered by a too strict interpretation. The OECD73 EU Consultation workshop on RFID: Privacy, security, health and employment issues (16-17 May 2006, Brussels).
7. Privacy aspects of RFID underscores this concern in its recent document 7.9.1. Addressing the issue by NGOs when stating “To safely construct a broad RFID infrastructure, a balance must be achieved be- In November 2003, civil liberty organisations tween regulation and innovation, whereby pri- in the USA (including Privacy Rights Clearing vate sector innovation is preserved and user House, American Civil Liberties Union, Caspian benefits are available, while legitimate concerns and several academics) published a “Position that determine acceptance are identified and ad- Statement on the use of RFID on Consumer Prod- dressed.” (OECD, 2006a, p. 6). ucts.” The Statement was very critical about RFID and stated that “if used improperly, RFID has the Except for the 95/46/EC directive another di- potential to jeopardize consumer privacy, reduce rective may bear importance for RFID applica- or eliminate purchasing anonimity, and threaten tions. This is the European directive 2002/58/EC civil liberties.” (Garfinkel, 2005, p. 36). The organ- on Privacy and Electronic Communication (the isations plead for a moratorium on the deployment ‘e-Privacy directive’), which deals with issues re- of RFID until a formal Technology Assessment has lated to personal data protection rules in case been undertaken. data are generated as a derivative of telecommu- nications traffic (for billing purposes for in- stance). There is some dispute about the 7.9.2. EPCglobal guidelines for EPC usage applicability of this directive to RFID.74 The com- EPCglobal has recently (2005) published a set bination of RFID with Location Based Services of guidelines for EPC usage.75 Components of this might turn RFID in location based data that bear set are: notice, choice, security, record use, reten- a relation with subscription data and the like. tion and consumer education. Notice is given by The combination of RFID with a cell phone, using marks on tagged objects and readers; choice turning the cell phone in a multifunctional de- refers to the possibility consumers may have to de- vice, capable of Near field Communication may activate or remove the tag; security, record use and be a situation in which RFID data should be con- retention are safeguarded by EPC’s statement that sidered to fall under the EU directive. This point “the Electronic Product Code does not contain, of view was presented as a conclusion at the EU collect or store any personally identifiable infor- Consultation Workshop on Privacy, Security, mation.” (quoted in OECD, 2006a, p. 25). This ap- Health and Employment effects. proach hinges on a clear separation between the tag-reader system and the use of the aggregated in- formation in back-end systems, where product in- 7.9. Self–regulation formation can be combined with personal information, such as a loyalty card. Consumer ed- The private sector is willing to be engaged in ucation is perceived to be time consuming; they a form of self-regulation. Self-regulation is in place will have to be educated in order to recognise in case legal regulations are considered to have products with EPC tags. adverse consequences one would like to prevent, in case self-regulation clearly has an added value in safe-guarding public interests and/or in case 7.9.3. Centre for democracy and tech- legal arrangements are not opportune given the nology guidelines for the deploy- Technical Report Series technical state of affairs. In case of RFID one con- ment of RFID technology siders legal arrangements to be out of line, given the still immature technological basis of RFID. This The American Centre of Democracy and opens the way to self-regulation. So far, a number Technology has recently published a draft set of of initiatives have taken place to stimulate self-reg- guidelines for the deployment of RFID technology ulation. (CDT, 2006). The guidelines have been discussed128 74 See for instance the Dutch position paper, written by a Dutch interest group on RFID, hosted by the Electronic Commerce Platform ECP.nl. Within this position paper, it is argued that European Directive 2002/58/EC is not applicable to RFID since no specific telecommunica- tions infrastructure is in place for RFID and no specific operators for RFID are known (ECP, 2005). 75 www.epcglobalinc.org/public_policy/public_policy_guidelines.html
RFID technologieswith and are supported by a variety of important should address privacy and security issuesAmerican stakeholders in the privacy dispute, such as part of its initial design.as Procter and Gamble, Microsoft, VISA USA and 3. Consumer transparency: There should bethe National Consumers League. The guidelinesare based on three general principles: no secret RFID tags or readers. The guide- lines resemble the EPCglobal guidelines; 1. Technology neutrality: RFID technology by the most important elements are equivalent itself does not pose a privacy threat; pri- to the EPCglobal guidelines; a few new en- vacy is threatened due to failing responsi- tries are added. bilities in dealing with the data disseminated by RFID. The guidelines comprise: give notice; choice 2. Privacy and security as primary design re- and consent; onward transfer, access and security quirements: Users of RFID technology (see Box 7-2). Box 7-2: Privacy guidelines by centre for democracy and technology working group on RFID77 CDT Guidelines for deployment of RFID Technology 1. Give notice Clear notice should be provided when information, including location information is collected through an RFID sys- tem and linked to a Personal Identification Information system (PII). Consumers should be notified when entering an environment (public or private) where RFID technology is in use. Consumers should be informed about the purposes of collection and use of the data collected. Consumers should be informed when there is the possibility to deactivate or remove a tag; the burden of removing the tag should not be by the consumer. Consumers should be noticed before the completion of a transaction. The company collecting the data is responsible for providing notice. 2. Choice and Consent Consumers should be notified in case they have a choice for usage or non-usage of RFID. Consumers should be notified in case they have a choice for removing, de-activating or destroying the tag; in case consumers exercise their choice to remove, de-activate or destroy the tag, benefit from a warranty, or benefit from the protection of local law should not be compromised.76 In case linked information is solely used in order to facilitate a service delivered (including the functioning of a de- vice) notice can be given, but consent or choice need not to be solicited. In other cases, consumers should be of- fered the opportunity to consent to such uses. 3. Onward transfer In case personally identifiable information is shared with third parties, the contract with these parties should entail provisions with respect to level of protection of shared data to be equal or greater than afforded by the company collecting the data. 4. Access When personal identifiable information is maintained on the tag itself, individuals should have reasonable access to their information If an individual receives an adverse decision based on linked information about him or herself, that individual shall Technical Report Series have reasonable access to that information. 5. Security Companies should exercise reasonable and appropriate efforts to secure RFID tags, readers and any corollary in- formation from unauthorised reading, logging and tracking. Companies should establish and maintain an information security programme in keeping with industry standards, appropriate to the amount and sensitivity of the information stored on their system. Companies should minimize the information stored on the tags themselves. 12976 This is fully in line with the Sydney declaration (2003) in which it is stated that “Whenever RFID tags are in the possession of individu- als, they should have the possibility to delete data and to disable or destroy the tags”. www.privacyconference2003.org77 Source CDT, 2006
7. Privacy aspects of RFID The various approaches towards privacy ria (part of ISO 15408) describe the following func- guidelines known today are all USA-based. Within tionalities of PET: Europe, discussion about appropriate guidelines • Anonymity: PET enables individuals to get and the role of guidelines vis-à-vis law enforce- services without revealing their identity. ment has to be initiated yet. Discussing guidelines has the advantage above imposing regulations that • Pseudo-identity: PET enables individuals to it opens the debate, raises awareness and enables get services without revealing their identity, the sector to regulate the expected detrimental by giving them a pseudo-identity; the real consequences of RFID themselves, with probably identity is related to the pseudo-identities in better results than when enforced by governments. a database which only can be accessed by Still, self-regulation will always be an add-on to authorised persons. formal regulation and will not replace regulation. • Unlinkability: individuals can use specific services while the use of the services can not be linked to each other. 7.10. Technical solutions • Unobservability: users can use services un- There seems to be general consensus that pri- noticed by third parties. vacy and security are two sides of the same coin in Anonymity is stronger than pseudo-identity; case of RFID. The Consultation Workshop in RFID, unobservability is stronger than unlinkability (Reg- held 16 and 17 May 2006 in Brussels, showed a istratiekamer/TNO, 1995). Looking at the purposes remarkable convergence on this by all partici- of RFID, which is identification of objects or per- pants, both from industry and academia. The sons and linking this to services, the four PET func- OECD and the Article 29 Working Party on Data tionalities need to be explicitly taken into account Protection endorse this view. The Article 29 Work- when developing an RFID-based information sys- ing Party “considers that technology may play a tem. They may serve as systems requirements that key role in ensuring compliance with the data pro- need to be fulfilled. They refer, amongst others, to tection principles in the context of processing per- using encryption techniques in case of storing per- sonal data collected through RFID technology. For sonal data on a RFID tag (or smart card), to pre- example, the design of RFID tags, RFID readers as vent unauthorised access. They also refer to well as RFID applications driven by standardiza- introducing pseudo-identities in case the identity tion initiatives may have a great impact in min- of persons is not strictly required. Pseudo-identi- imising the collection and use of personal data and ties enable using the same RFID-cards for separate also in preventing any unlawful forms of process- domains by enforcing different identities. The PET- ing by making it technically impossible for unau- functionalities may be used for the entire RFID-sys- thorised persons to access personal data.” (Art 29 tem, thus including the back-end systems where WP, 2005, p. 12) usage of the data is made and where linkages be- The OECD refers to many security researchers tween different sources can be prepared. These who argue in favour of considering both privacy approaches do not necessarily address RFID-is- and security issues that RFID raises before stan- sues, since they address more generic privacy con- dards are set and implemented. According to the cerns in dealing with stored and processed data. Technical Report Series OECD “this ‘privacy by design’ approach might Solutions that are more directly related to prove to be more efficient in the long run.”, refer- RFID are solutions that try to keep control over the ring to the other approaches (law enforcement and data flow to the user (by means of killer and self-regulation). (OECD, 2006a, p. 19). blocker tags) in order to prevent information to be Various solutions have been presented for disseminated against the wish of the user, and to tackling privacy issues by means of technologies, offer the users an ‘opt-in’ choice. These solutions but most of them face practical drawbacks. Over- are based on the technical functioning of the RFID130 all, these approaches should be considered as system, especially in the communication of RFID being part of Privacy Enhancing Technologies tag and reader. Other proposed solutions in this (PET). PET is based on minimising data collection vein are using a Faraday cage to shield the tag that may entail personal data. The Common Crite- from being read and reducing or removing the an-
RFID technologiestenna (in first case as a means to reduce the read appropriate technical measures. Security re-range, while in the last case as a means to disable searchers have shown that almost the full set ofthe tag). principles for Fair Information Practices can be met by an appropriate choice of data handling ‘Privacy by design’ means that compliance protocols. Box 7-3 presents an overview of thewith the privacy principles is sought by means of approach. Box 7-3: Enforcement of compliance of RFID with fair information principles78 Scanning with a purpose – Supporting the fair information principles in RFID Protocols Openness through reader and policy identification Today tags can not identify readers they are communicating with. It is proposed to add a unique reader policy ID (RPID) into the inventory command of the reader. This RPID can have a similar structure as the General Iden- tifier Encoding (GID96) of EPC. Purpose specification in inventory command The Platform for Privacy Preferences Project (P3P) discerns twelve abstract purpose types. For RFID, fourteen pur- pose types have been discerned of which thirteen can be encoded as single bits. Five different profiling types can be discerned: - ad-hoc tailoring (immediate and anonymous tailoring; example: providing recommendations on the basis of the content of a shopping basket); - pseudo-analysis (use data to learn about preferences and characteristics of individuals; example: use informa- tion for re-arranging shelves); - pseudo-decision (make customization decisions based on the interests of individuals without identifying them); - individual-analysis (use collected and aggregated data to make personal profiles of individuals); - individual-decision (use the collected information to determine individual preferences and to link them with identified data; this profile allows personal suggestions). The latter profiles include the former. Use limitation through collection types Four different collection types are discerned: anonymous monitoring (collection status information without the need for actual identification); local identification (collection of unique IDs without the need for correlation of events); item tracking (monitoring item movements); and person tracking. By using collection types, boundaries are drawn between the various forms of data collection. Collection limitation by appropriate tag selection One can use selection masks to restrict tag ID collection. This requires the tag ID’s to follow a known structure. This is the case with EPC tags. Watchdog tag In order to empower the user, a so-called watchdog tag can be used. A watchdog tag is an ordinary tag with a battery, a screen and a long range communication channel. It decodes commands transmitted by a reader and makes them available on screen. It can inform the user that some anonymous reader is scanning for tags in its vicinity. It can provide the operators ID, the purpose and type of data collection and the target range of tags. The approach sketched above relates to the mutual authentication (between tag and reader) Technical Report Seriesuse of the Electronic Product Code. It is not a so- one requires readers with bi-directional commu-lution for use by more sophisticated tags, for in- nication (i.e. readers that transmit informationstance in smart cards. Still, it is an interesting about their status to the tag). Today, these readersapproach since it shows the viability of addressing are quite expensive (a few thousands of dollars perprivacy and security measures before standards are piece) which makes the deployment of these read-formulated and deployed. In practice, a number of ers in environments where many of them are re-problems still have to be overcome.79 For one, to quired, prohibitive. Another problem is the factinclude issues such as air interface encryption and that low cost RFID devices do not have the com- 13178 Source Floerkemeier et al., 200579 See (OECD, 2006a), (Juel 2005).
7. Privacy aspects of RFID putational resources to use selected cryptographic Self-regulation is considered as having several methods. The kill tag, though appealing through positive effects: it creates commitment by stake- its radical approach, may kill beneficial uses of the holders, it creates awareness by stakeholders and information that is hidden on the tag as well. This the general public, and it will contribute to com- may be circumvented by using password driven ing to terms with the boundaries of existing pri- tags, i.e. tags that can be re-activated by the user vacy laws. Several initiatives for creating Codes of by means of a password. Using encryption may be conduct are in place yet, most of them being US- hindered by problems of key distribution. based. Europe has a backward position in this re- spect. Codes of conduct handle such issues as notification, choice and consent, transfer to third 7.11. Conclusions parties, access and security. The European directive 95/46/EC and the na- Technical solutions to enforce privacy com- tional laws that are based upon it offer a good pliance may be of various kinds. For one, spe- starting point for tackling privacy issues related to cific technical measures are possible that RFID. What should be questioned is the extent in prevent collection of (personal) data and en- which the Directive is able to deal with the reality hancing control by users (blocker and killer tags, of a situation in which RFID becomes widespread ‘deep sleep mode’, using Faraday cage and de- and is related to personal or identifiable informa- stroying antenna capacity). For another, it has tion. What precisely should be considered as per- been shown that the Principles of Fair Informa- sonal data is still an open issue. Aspects, such as tion Practice can be realised by an appropriate how to practically organise informed consent, will configuration of the reader-tag communication. have to be tackled as well. Privacy Enhancing Technologies enable privacy In the future, the European e-Privacy directive enhancing functionalities of RFID systems, such (2002/58/EC) may become more important for as realising anonymity, using pseudo-identities RFID systems. This will especially be the case for and realising unlinkability and unobservability. the combination of RFID with location based serv- Technical solutions may have a drawback, in ices. For the time being, use of RFID does not seem that they are costly, require managerial re- to comply with the requirements of the e-Privacy sources, or deny useful functionalities of RFID directive. systems to users. Technical Report Series132
RFID technologies 8. Security aspects of RFID8.1. General overview of RFID secu- 8.2.4. Physical destruction rity threats Tags could be physically destroyed by chem- This chapter will contain a general overview ical or mechanical means, or by using strong elec-of security threats of an RFID system, consisting of tromagnetic fields (like in a microwave oven).an RFID tag and a reader. The security threats are Active tags could also be shut down by removingclassified as either threats for the tag, or the air in- or discharging the battery.terface between the tag and the reader, or thereader. 8.2.5. Detaching the tag A tag is separated physically from the tagged8.2. Security threats for the tag item and may subsequently be associated with a different item, in the same way that price tags are8.2.1. Falsification of contents “switched”. Since RFID systems are completely dependent on the unambiguous identification of Data can be falsified by unauthorized write the tagged items by the transponders, this type ofaccess to the tag. This type of attack is suitable for attack poses a fundamental security problem, eventargeted deception only if, when the attack is car- though it may appear trivial at first sight.ried out, the ID (serial number) and any other se-curity information that might exist (e.g. keys)remain unchanged. This way the reader continuesto recognize the identity of the tag correctly. This 8.3. Security threats for the air inter-kind of attack is possible only in the case of RFID facesystems which, in addition to ID and security infor-mation, store other information on the tag. 8.3.1. Eavesdropping8.2.2. Falsification of tag ID The communication between reader and transponder via the air interface is monitored by The attacker obtains the ID and any security intercepting and decoding the radio signals. This isinformation of a tag and uses these to deceive a one of the most specific threats to RFID systems.reader into accepting the identity of this particular The eavesdropped information could for exampletag. This method of attack can be carried out using be used to collect privacy sensitive informationa device that is capable of emulating any kind of about a person. It could also be used to perform atag or by producing a new tag as a duplicate of the replay attack, i.e. the attacker records all commu- Technical Report Seriesold one (cloning). This kind of attack results in sev- nicated messages and later on can either simulateeral tags with the same identity being in circulation. this tag towards the reader, or simulate this reader towards the tag.8.2.3. Deactivation These types of attack render the tag useless 8.3.2. Blockingthrough the unauthorized application of delete orkill commands (Auto-ID center). Depending on the So-called blocker tags (Juels et al., 2003) sim- ulate to the reader the presence of any number of 133type of deactivation, the reader can either nolonger detect the identity of the tag, or it cannot tags, thereby blocking the reader. A blocker tageven detect the presence of the tag in the reading must be configured for the respective anti-collisionrange. protocol that is used.
8. Security aspects of RFID 8.3.3. Jamming two components could be implemented by any kind of fast wireless technology. Jamming means a deliberate attempt to dis- turb the air interface between reader and tag and thereby attacking the integrity or the availability of the communication. This could be achieved by 8.4. Security threats for the reader powerful transmitters at a large distance, but also through more passive means such as shielding. As 8.4.1. Falsifying reader ID the air interface is not very robust, even simple passive measures can be very effective. In a secure RFID system the reader must prove its authorization to the tag. If an attacker wants to read the data with his own reader, this reader must 8.3.4. Relay attack fake the identity of an authorized reader. Depend- A relay attack (Kfir et al, 2005) for contactless ing on the security measures in place, such an at- cards is similar to the well known man-in-the-mid- tack can be “very easy” to “practically impossible” dle attack. A device is placed in between the to carry out. The reader might need access to the reader and the tag such that all communication be- backend in order, for example, to retrieve keys that tween reader and tag goes through this device, are stored there. while both tag and reader think they communicate directly to each other. Smartly modifying this com- 8.4.2. Security threats for other parts of munication could for example in payment systems RFID systems lead to charging the wrong electronic wallet (a smart card with an RFID tag). To make this attack When considering the security challenges of more practical one could increase the distance be- RFID in a broader perspective, one has to take into tween the legitimate card and the victim’s card by account the infrastructure including a back office splitting the device into two components, one where additional information of all tags is stored, communicating with the reader, and one with the and the aspect of convenience in use. A general victim’s card. The communication between these RFID architecture is depicted in Figure 8-1. Figure 8-1: A general RFID architecture Technical Report Series Real-life RFID deployments employ a wide application-specific manner. When an event has variety of physically distributed RFID readers, ac- passed through all filters, it is dispatched to the134 cess gateways, and databases. The middleware components that have registered an interest in receives events from the RFID readers when tags such events. Often, one of these components will are scanned. These events are passed through a store the event in a database, for further process- number of filters, which process the events in an ing.
RFID technologies RFID readers are generally connected to the 3. RFID viruses: An RFID virus starts with ma-middleware using modular drivers much like Win- licious content of a tag. When the tag isdows uses device drivers to communicate with a read out, this initiates a malicious SQLgraphics card. This allows different readers to be query which would disturb a database inused with the middleware, without having to mod- the back office. Although such an attackify the middleware. has not yet been performed in practice (AIM Global, 2003), such a type of threat In addition to event-processing, the middle- cannot be excluded.ware handles different kinds of user interfaces. Auser interface is generally provided for system-management purposes, for example to modify the 8.4.4. Misuse of gateway interfaceseries of filters through which an event is passed. The user interface to the gateway could beThere will also be user interfaces that allow regu- misused by unauthorised people to attack the in-lar users to access the system and use it. For ex- tegrity of the filters and to misguide the productample, in a supermarket distribution centre, there management system.will be a user interface that provides informationon the current stock levels. 8.4.5. Corrupted drivers The middleware also communicates withother software systems, which implement the ap- The drivers that are used by RFID readers toplication’s business logic. To stay with the super- communicate with the middleware could be cor-market example, it is likely that the supermarket rupted. This could be done either by modifying theRFID system is connected to a stock management driver of a legitimate reader, or by replacing the le-system, which orders new stock from suppliers be- gitimate reader with a fake reader that has a cor-fore it runs out. rupted driver. A corrupted driver could be used to attack and misguide the gateway. When considering the broader RFID architec-ture of Figure 8-1, new security risks and counter-measures come to mind: 8.4.6. Attacking the reader-gateway com- munication8.4.3. Tag-borne attacks at back office80 The communication between reader and gateway could be eavesdropped or modified. One could foresee an attack at the back officethrough information stored at the tag, which wasrecently shown by PhD student Melanie Rieback,MSc student Patrick Simpson, Assistant Professor 8.5. Security measures for the tagBruno Crispo, and Professor Andrew Tanenbaumof the Vrije Universiteit in Amsterdam (Rieback et 8.5.1. Security measures to prevent unau-al., 2006). Basically there are three types of RFID thorized modification of tag datamalware which are mentioned in increasing com- (contents and ID) Technical Report Seriesplexity of implementation: An obvious security measure to prevent mod- 1. RFID exploits: Just like other software, RFID ification of tag data is to use read-only tags for systems are vulnerable to buffer overflows, which unauthorized modification is intrinsically code insertion and SQL injection. impossible. Another effective measure, also rec- 2. RFID worms: A worm is basically an RFID ommended for reasons of data management, is to exploit that downloads and executes re- shift all data except the ID to the backend. Some mote malware. A worm could propagate types of tags dispose of an authentication method through the network or through tags. (like the ISO 9798 standard), through which the 13580 We only consider attacks at the back office that are RFID related.
8. Security aspects of RFID reader can be authenticated by the tag such that the reader which also prevents eavesdropping. only authorized readers can modify the tag con- Such advanced tags cannot by read out by intrud- tents. ers, and are still available for legitimate use. An- other measure would be to design the RFID system such that tags are used with a small range which is 8.5.2. Security measures for deactivation just sufficient for the legitimate readers (and Unauthorized application of delete com- thereby shutting out a class of unauthorised read- mands or kill commands can be prevented by ers). using an authentication method (when available). 8.6.2. Security measures for blocking 8.5.3. Security measures for physical de- There are no technical measures to prevent struction the use of blocker tags, but a solution is to ban A counter measure for physical destruction of their use in the standard terms and conditions of the tag would be a close mechanical connection business. between the tag and the tagged item to make it dif- ficult to destroy the tag without damaging the item. 8.6.3. Security measures for jamming To prevent discharging the battery of an active tag one could implement a sleep mode in the tag. It is possible to detect jamming transmitters by performing random measurements or by using permanently installed field detectors. 8.5.4. Security measures for detaching the tag 8.6.4. Security measures for relay attacks A counter measure for detaching the tag from the tagged item would be a tight mechanical bond One way to guard against relay attacks is to between the tag and the tagged item to ensure that shield the tag when it is not used e.g. by putting the tagged card in a Faraday like cage (Kfir et al., removing the tag will also damage the product. In 2005). Another way is to require an additional ac- case of active tags, an alarm function is conceiv- tion by the user (push a button, type in a PIN code able: a sensor determines that the tag has been ma- or use a fingerprint) to activate the tagged card, al- nipulated and transmits the alarm to a reader as though this solution eliminates some of the con- soon as it comes within range. For high value venience of the contactless system. items an option would be to manually check whether the tag is attached to the correct item. 8.7. Security measures for the reader 8.6. Security measures for the air in- terface 8.7.1. Security measures for falsifying the reader ID Technical Report Series 8.6.1. Security measures for eavesdrop- To prevent readers to falsify their ID and ob- ping tain unauthorized access to a tag, an authentica- tion method (when available at the tag) can be An effective measure to reduce the effect of used to authenticate the reader towards the tag eavesdropping is to shift all data to the backend. A (ISO/IEC, 1999). This risk can be further reduced consumer that just bought some tagged object, when the reader has to access the backend during which tag has no legitimate use any more, could the authentication procedure, e.g. to retrieve cryp- use shielding to prevent the tag from being read136 tographic keys. out by intruders. This could be established by wrapping the tag in metal foil or by placing it in Note that these measures are designed to as- an aluminium-coated bag. More advanced tags sure the integrity of a reader that is about to com- have a module to encrypt the communication with municate with the tag. For measures like shielding
RFID technologieswhich prevent an unauthorised reader from com- The use of drivers enables the fact that differ-municating at all see “Security measures for eaves- ent readers can be used to communicate to thedropping” (8.6.1). gateway. From a security point of view the use of different readers should be encouraged because an attack is likely to be specific for one type of8.8. Security measures for other reader or one type of driver, so a diversification of types lowers the impact of a possible attack. parts of RFID systems 8.8.4. Security measures for attacking the8.8.1. Security measures for tag-borne at- reader-gateway communication tacks at back office The communication between reader and To avoid such attacks, the content of tags gateway could be eavesdropped or modified.should be checked by the reader, and regular se-curity measures should be taken to protect thegateway. A typical countermeasure against RFID 8.8.5. Security measures against cloningviruses is to improve the software in the gatewaywhich is able to distinguish a regular tag ID from When considering one tag and one reader asan SQL query such that these attacks can be pre- a system, which has been done in the previousvented from entering a database. sections, the risk of cloning (duplication of the tag ID in a new tag) has been identified. Only in the broad view of the complete architecture, such a8.8.2. Security measures for misuse of risk could be handled: in the database where all gateway interface the different tag IDs (with respect to a specific ap- plication) are collected, a duplicate ID could be To prevent such an attack the user interface detected and in some cases even the clone couldshould be provided with some kind of authentica- be recognized (i.e. be distinguished from the orig-tion mechanism such that only authorised users inal tag).are able to access the gateway. Another measurewould be to place the gateway and the user inter-face in a physically protected room such that onlyauthorised employees that have access to this 8.9. General security evaluation ofroom can access the user interface. RFID Given the security risks of an RFID system,8.8.3. Security measures for corrupted and the available security measures, we can eval- drivers uate the security of RFID. This means incorporat- ing (a qualitative estimate of) the costs of each A possible solution to this problem is to use security measure and on the other hand (a qualita-only signed drivers, i.e. each legitimate driver tive estimate of) the costs of performing a specificshould be digitally signed such that the gateway attack (FOIS, 2004). The comparison of these twocan check that communicating readers contain a types of costs will give insight into the vulnerabil- Technical Report Serieslegitimate driver. ities of RFID systems. 137
8. Security aspects of RFID Table 8-1: Summary of security evaluation Object Threat Cost of performing attack Cost of countermeasures Tag Unauthorized modification of data Medium to high Low to medium Deactivation Low to medium Medium Physical destruction Low to medium Low to medium Detaching the tag Low Low to medium Air interface Eavesdropping High Medium Blocking Low Low Jamming Medium to high Medium to high Relay attack High Low to medium Reader Falsifying reader ID Medium to high Medium The summary of the security evaluation is expenses would go in the management of tags and shown in Table 8-1. The qualitative estimates of readers which have to be loaded with crypto- the costs are explained in the following sections, graphic keys. This would prevent unauthorized followed by a separate section of conclusions. usage of the kill command. 8.9.1. The costs for unauthorized modifi- 8.9.3. The costs for physical destruction cation of data To physically deactivate a tag is easy by To perform an unauthorized modification of means of chemicals or exposure to an electromag- data in case of re-writable tags, the attacker would netic field, or to destroy the antenna. have to acquire a reader that is capable of writing To prevent physical deactivation one could on the tag. Due to the short range involved the introduce a tight mechanical bond between the tag possibility of this attack is limited. The longer the and the tagged item to ensure that removing the range of the reader, the more expensive the attack tag will also damage the product. would be. In general, a read-only tag is less expensive 8.9.4. The costs for detaching the tag than a re-writable tag, so in case the application allows, a replacement by read-only tags would be In general a tag can be easily detached from a fine countermeasure. When the tag has an au- the tagged item, unless some mechanical bond is thentication method available, the costs of switch- placed between the tag and the tagged item. Alarm ing it on are low, most expenses would go in the functions in which tag manipulation is detected by management of tags and readers which have to be a sensor are only available in more expensive ac- loaded with cryptographic keys. To shift all data tive tags. on the tag to the backend requires a new infra- Technical Report Series structure (in the backend and for provisioning of the tags and readers) which brings high initial 8.9.5. The costs for eavesdropping costs, but will fade out later. To perform unauthorized reading of data, the attacker would have to acquire a suitable reader. 8.9.2. The costs for deactivation Due to the short range involved the possibility of this attack is limited. The longer the range of the A deactivation by means of a kill command reader, the more expensive the attack would be.138 requires a dedicated device and usually a pass- A cheap and effective way to prevent eaves- word. dropping is to use some kind of shielding of the When the tag has an authentication method tag, although this would have to be performed for available, the costs of switching it on are low, most every tag. When the tag has an encryption method
RFID technologiesavailable, the costs of switching it on are low; most 8.10. RFID security challenges in aexpenses would go in the management of tags and broader perspectivereaders which have to be loaded with crypto-graphic keys. To shift all data on the tag to the The security risks that are mentioned in thebackend requires a new infrastructure (in the back- previous paragraphs depend of course on the typeend and for provisioning of the tags and readers) of application in which RFID is used. The serious-which brings high initial costs, but will fade out ness of each risk will vary along the different appli-later. cation areas. Therefore, we will analyse the seriousness of the security risks mentioned in sec- tion 8.1 for the most relevant application areas,8.9.6. The costs for blocking which will give some insight in the considerations involved. A blocker tag is relatively cheap and can pre-vent a reader from working properly, although they We consider five application areas of whichonly work for specific anti-collision procedures. the first four are cases within the overall RFIDAn easy countermeasure is to ban their use in the study and the fifth offers an interesting case from astandard terms and conditions of business. security perspective: • Healthcare: consider the environment of a8.9.7. The costs for jamming hospital or clinic. RFID in such environ- ments is typically used for tracking and list- A jamming transmitter has to be powerful ing tagged medicines and blood bags. Alsoenough to jam the tag-reader interface, and it re- persons could be tagged. We consider twoquires some technical experience. The price of the situations in which persons are taggedtransmitter increases with its range. namely doctors that have to be tracked (in A field detector to detect possible jamming which room they are) in case of an emer-transmitters is a dedicated device, and measure- gency, and patients that have to remainments are performed by skilled engineers. within specific areas (e.g. an area for seri- ous psychiatric patients). In the latter case RFID is used for access control at the bor-8.9.8. The costs of a relay attack ders of these areas. To perform a relay attack requires a special • Animal tracking: in some situations animalsdevice to intercept and modify the radio signal, are tagged (externally or internally) in orderand especially the communication between the to trace them in case of an infectious dis-two main components would be sophisticated. ease. Currently this is only done with goats, sheep and pets. To place the smart card in a Faraday save • Public transport: in several cities (e.g. Lon-holder is relatively easy to do. An extra action by don, Porto) and countries (e.g. the Nether-the user before activating the smart card would re- lands) an electronic ticketing system hasquire a more sophisticated card and/or reader. been developed such that only people with a valid ticket can pass the gate and enter the Technical Report Series8.9.9. The costs for falsifying the reader ID bus, tram or train. Some tickets are anony- mous, some are personalised. To falsify the reader ID, an attacker wouldhave to obtain some secret key. The difficulty for • Identity card: some identity cards, like theobtaining such a key depends on the implementa- new passport in the Netherlands, containtion. RFID chips such that the passport can be read automatically. To hinder unauthorised When the tag has an authentication method reading, an initial step is required before the 139available, the costs of switching it on are low, most RFID tag can be read. In this initial step anexpenses would go in the management of tags and optical device will have to look into thereaders which have to be loaded with crypto- passport and read the cryptographic keygraphic keys. which is subsequently used to encrypt the
8. Security aspects of RFID communication between tag and RFID tion about the article can be found like a reader. warranty, the ingredients of the product, etc. • Smart shop: articles in a shop are tagged Within each application area, an estimate of using Object Naming Service (ONS). The the seriousness of the different security risks is tag is not only used for logistics and identi- made. The summary of this evaluation is shown in fication, but also for providing extra serv- Table 8-2, where “N/A” means that this security ices to the customer. The tag number leads risk is Not Applicable to (or not realistic within) to an Internet site where additional informa- this application area. Table 8-2: Security risks per application area Health Animal Public Identity Smart Security risk care tracking transport card shop Unauthorized high tags are relevant for modification impact read-only relevant high impact rewritable of data variants Deactivation linking in N/A frustration N/A privacy vs. database extra service Physical only for possible procedural fraud consumer destruction persons by animal measures right Detaching both persons possible by leads to physical leads to physical consumer the tag and objects animal destruction destruction right Eavesdropping N/A N/A replay attack relevant privacy Blocking N/A N/A sabotage sabotage sabotage Jamming N/A N/A sabotage sabotage sabotage Relay attack N/A N/A possible free transport ID fraud possible Falsifying reader ID N/A N/A replay attack relevant privacy For a clarification of the security risks see sec- lead to patients receiving bad medicines or wrong tion 8.2. The results of Table 8-2 are explained for blood types. A patient whose action radius is each application area in the following sections. bounded by his tag however has a clear motiva- tion for destroying the tag. A possible measure would be to require a valid tag before leaving the 8.10.1. Healthcare area, but this would also have consequences for When the tag number of medicines or blood visitors and hospital personnel. A doctor that is bags could be modified by unauthorised people, being traced by his tag could incidentally destroy the impact of such an action would be high be- his tag, so some alert mechanisms could be built in cause it might lead to patients receiving bad med- for this. icines or wrong blood types. Although the Technical Report Series Detaching the tag of a medicine has the same probability of occurrence and success could be consequence as physical destruction of the tag. low, the high impact of such an attack still justifies The hospital should have alternative ways (e.g. eti- adequate measures to prevent it. quettes) to identify medicines. The main difference The deactivation of a medicine tag in a hospi- is that this tag could be (accidentally) replaced at tal environment for privacy reasons will probably another medicine with possible severe conse- be less useful since the linking between medicines quences. The same reasoning goes for detaching140 and patients is usually performed in a database in the tag on patients or doctors. the back-end. Other security threats like eavesdropping and A physical destruction of a tag on a medicine jamming are possible but seem unrealistic in this or blood bag might cause confusion but will not application area.
RFID technologies8.10.2. Animal tracking of a tag on another ticket is not a serious threat be- cause tickets can only be used once. Most of the tags in this application area areread-only tags, so there is no risk of unauthorized By eavesdropping an RFID communication,modification of data. Since there is also no reason e.g. by putting an eavesdropping device in a gatefor having a deactivation function, this risk is or using an illegal RFID reader, one could be ablehardly applicable. In case of rewritable tags, there to reuse (replay attack) this communicated infor-is a risk of unauthorized modification of the tags by mation to form invalid tickets.the owner, especially in case of fraud. This would Blocking and jamming will probably not leadblock the goal of tracking the animals in case of to free tickets, but could severely frustrate (or eveninfectious disease. However, since all animals are shut down) the public transport system.registered in a central database, this action will notbe effective. A (sophisticated) relay attack could lead to public transport on the cost of other persons. Since The highest risk in this application area is the such an attack is rather elaborate to develop, it willrisk of physical destruction or detachment of the only be interesting when it results in a large num-tag by the animal. This would block the goal of ber of free passages. A detecting mechanism in thetracking the animals in case of infectious disease. back-office could reduce the risk of such an attack.A measure to reduce this risk is to regularly checkthe presence of a valid tag on these animals. 8.10.4. Identity card Note that it might be in the interest of theowner to destroy tags of his animals to avoid being Unauthorised modification of data is ofheld liable by animal health authorities. However, course absolutely undesirable in case of an iden-as noticed before, since all animals are registered tity card. Therefore, in the design of the ID card,in a central database, such an action will not be sophisticated measures are taken to reduce the riskeffective. of such an attack. There’s no reason to implement deactivation8.10.3. Public transport functionality into an ID card, so there’s no risk for deactivation. Unauthorized modification of the contents ofa ticket is very relevant in a public transport tick- The ID card is designed in such a way that de-eting system. The departure or arrival location in a tachment of the tag will usually lead to physicalticket could be changed, or billing information of destruction of the tag. Although the tag of an IDthe ticket could be changed. Some ticketing sys- card could be destroyed accidentally, such de-tems incorporate an electronic purse that could be struction will usually lead to a fraud investigation.uploaded. Eavesdropping (including reading the card The tags in the tickets might have deactiva- with a fake reader) is a very relevant threat fortion functionality for deactivating the tag during RFID based ID cards, so extra measures are takendistribution to the ticket office. There is a risk that in the design of the card. Think for example at the Technical Report Seriespassengers will cause frustration to other passen- risk of a terrorist scanning passports looking for agers by deactivating their tickets during transport. specific nationality to attack.This risk can be limited by using proper authenti-cation mechanisms for the deactivation function. Both blocking and jamming of the communi- cation between ID card and RFID reader can be Physical destruction of the tag, either acciden- considered as sabotage and could even be prohib-tally or on purpose, is a clear risk of such a ticket- ited by law.ing system. Clear procedural measures should betaken to cope with it. A relay attack in an ID card setting makes 141 sense and would eventually lead to ID fraud. On The tickets are usually designed such that a the other hand, the extra measures that are takenpossible detachment of the tag can only be done in the design of an ID card will make such an at-by physical destruction of the ticket. Replacement tack much tougher to complete.
8. Security aspects of RFID 8.10.5. Smart shop and the (predecessors of the) CIP-programme. Besides, there are many academic researchers For cheap articles the RFID tags used will be worldwide who are studying a broad range of se- probably read-only, but for more expensive arti- curity aspects of RFID. Since 2002, Gildas cles one might want to reuse the tags while at the Avoine (a French researcher, currently working same time becoming vulnerable to unauthorized at MIT, USA) maintains a website with refereed modification of data. This might lead to wrongly papers published in journals and conference pro- priced items, extended warranties, etc. ceedings, as well as technical reports and theses For privacy reasons a consumer would like to related to security and privacy issues in RFID sys- deactivate (sleep mode, kill) the tag after leaving tems.82 Most of these research papers concern se- the shop. On the other hand, the producers would curity issues regarding the communication rather see this tag activated because it enables between tag and reader. Briefly, in this area aca- them to provide lots of extra services to the con- demic research is mainly focused on the more sumer. The debate about whether to provide de- expensive smartcard solutions (e.g. electronic activation functionality is still going on . ticketing in public transport, identity cards, healthcare sector) and less on the logistic process The consumer has the right to either physi- (e.g. replacement of barcodes by RFID-tags). cally destruct, or detach the tag to protect his pri- Given the sensitivity of the data processes that vacy. Unauthorised persons could get access to privacy related information on the tag by means of are in use in these domains, the development of either eavesdropping on a legitimate reader or by security mechanisms (by cryptographic tech- faking a legitimate reader ID. The use of fake RFID niques) is of high relevance to the overall devel- readers in a shop could be detected by suitable opments within RFID. Even the less sophisticated scanners. passive and relatively simple tags will be more and more equipped with cryptographic tech- Blocking and jamming are techniques that niques. could be used to frustrate RFID readers and sabo- tage the legitimate use of RFID tags. This section primarily focuses on RFID in the European research programmes and specifically A relay attack could be possible, for example on the security issues of RFID. by a consumer that is paying for a cheap product while he actually bought an expensive product, al- though it’s questionable whether such an attack 8.11.1. Research projects on RFID would be worthwhile in practice. It might for in- A recent overview of RFID research in Eu- stance be easier to just switch the tags of the cheap and the expensive product, or to use a device that rope shows a total of 40 collaborative research fakes the tag of the cheap product (without actu- projects supported by European industry and re- ally communicating with the tag of the cheap search organisations. The European Commission product).81 contributes €153 million to a total investment of €312 million. These research projects are all part of the Fourth, Fifth or Sixth Framework Pro- Technical Report Series gramme. The 40 projects cover a broad array of 8.11. Security aspects of RFID in issues. 41% of the project funding is related to EU research projects interoperability and standards-setting, 16% to re- RFID is an actual research topic in many Eu- search of the radio spectrum, 20% to governance ropean projects and publications, such as the for- aspects and 23% to protection of personal data mal EU research projects in the IST-programme and privacy.142 81 Although not part of this application area, a relay attack could be more useful when an RFID tag is used during payment e.g. by means of a payment card. In such cases it could be possible to pay products with payment cards of other (innocent) people (Kfir et al., 2005). 82 http://lasecwww.epfl.ch/~gavoine/rfid/#papers
RFID technologies Figure 8-2: Relationship of RFID research tential benefits and potential pitfalls of RFID, re- projects to policy issues83 moving many of the risks and uncertainties from the market and so encouraging wide scale invest- ment (EC, 2006a).86 8.11.2. Security aspects of RFID in EU re- search projects A prime example of such a research effort is A wide consultation on wireless smart tags inthe recently launched BRIDGE-project, a €7.5 2004 investigated the need for further research inMillion, three year RFID-project in the Sixth the technology and application domain. The con-Framework programme for Research and Techno- sultation report presented the findings, conclusionslogical Development.84 BRIDGE (‘Building RFID and recommendations from the wide consultationsolutions for the Global Environment’) combines exercise relating to the research needs for the topicresearch institutes, a number of GS1 offices (five of smart wireless tags, which are also known asfrom Europe and one from China), twelve solution RFID (Radio Frequency Identification) or smart tagsproviders and seven business end users. The focus (EC, 2006a). The consultation exercise was under-of BRIDGE is on providing solutions for the sup- taken as part of the process for the preparation ofply chain in a number of application areas (anti- the IST work-programme 2005-2006. In additioncounterfeiting, healthcare, retail, textile, …). It will however, the report also included recommenda-study business based research, provision of infor- tions for longer-term research in the smart wirelessmation services and hardware (sensor, tags) and tag area, research that naturally fits within the timesoftware development. scale of Framework Programme Seven, which will cover the period 2007-2013. The potential applications for RFID are multi-plying rapidly. In the figure below the extended va- From this consultation report it can be con-riety of application areas have been shown. cluded that the respondents considered the pri- vacy and security of RFID tags as a fundamental enabler or a showstopper of smart wireless tag Figure 8-3: RFID projects by application technology. Some research needs that were con- area85 cluded in the field of security were: • Encryption to protect the tag data. • Finding cost-effective solutions for the ex- pected increase of backend system costs. The increased security capabilities on tags will affect backend systems since these will require additional functionality. This will in- crease system costs. • Increased demand for greater security will Technical Report Series require tags with computation capabilities and memory. In the long-term, research is needed into the construction of highly miniaturized devices. The European funded research and relatedpromotional activities aim at helping industry, reg- We looked in more detail to the coverage of se-ulators and consumers to better understand the po- curity aspects of RFID in the 40 research projects 14383 Source: http://ec.europa.eu/information_society/doc/factsheets/5-1-rfid-research-portfolio.pdf84 See http://www.bridge-project.eu85 Source: http://ec.europa.eu/information_society/doc/factsheets/5-1-rfid-research-portfolio.pdf86 URL: http://europa.eu.int/information_society/policy/rfid/index_en.htm
tially) covered: Improving airport efficiency, secu-8. Security aspects of RFID (FP4, FP5 and FP6). Notwithstanding the recommen- dations from the consultation report of 2004, it was rity and passenger flow by enhanced passenger remarkable to find that security was not a prime area monitoring (OPTAG) and Safeguards in a World of of interest. In only two research projects security as- Ambient Intelligence (SWAMI). The projects are pects make part of the research objectives. concisely described below, based on information from the CORDIS-database:87 A search in the CORDIS database revealed the two projects in which security aspects are (par- OPTAG88 Start date: 2004-03-22 End date: 2007-02-01 Duration: 34 month Programme type: Sixth Framework Programme Description: This project aims to harness emerging passenger tracking and identification technologies with the objectives of in- creasing the safety of air travel whilst maximizing the utilization of existing facilities. The proposed system could form an essential component of Airline passenger identification and threat assessment systems through the automated identifica- tion of suspicious passenger movements or through the closer the closer monitoring of individuals considered to pose a risk to secure operations. The project aims to deploy networks of enhanced Closed Circuit Television (CCTV) systems cou- pled to local, direction based, and passenger tracking systems, using far-field RFID tags. There are three main developments required to create the OpTag system: – A compact far-field radio frequency identification (RFID) tag and a reader capable of reading a large quantity of tags within its range without interference. – A high-resolution, panoramic imaging system and corresponding software to follow a target and confirm the iden- tity of the tagged individual or item. The system will be able to work over a network and allow different opera- tors to select different views from the same camera. – An ergonomic user interface to facilitate augmented surveillance, monitoring and targeting of individuals who may pose an economic or security risk to effective airport operations. The security and efficiency environment of airports will also be researched so that the Optag system can be under- stood in context and developed to meet real requirements and with full understanding of the legal and operational fac- tors and IP of the design. SWAMI Start date: 2005-02-01 End date: 2006-07-31 Duration: 18 month Programme type: Sixth Framework Programme Description: This project aims to identify the social, economic, legal, technological and ethical issues related to identity, privacy, trust and security in Ambient Intelligence (AmI). The third report, entitled Threats, vulnerabilities and safeguards in a world of ambient intelligence, discussed the issues of privacy, identity, trust, security and the digital divide, followed by a chap- ter on threats and vulnerabilities and a chapter on safeguards. The final chapter contains the recommendations and con- clusions, which were specifically addressed to the European Commission, Member States, industry, academia, civil society Technical Report Series organisation and individuals. RFID is discussed thoroughly in this report as one of the enabling technologies which can be used in AmI applica- tions. The aspects of privacy, identity, security are discussed for RFID as well. The description shows RFID-related security rity issues at all. Though this is of course not a strict to play a minor role in the research projects. The guarantee that RFID security is totally absent in review of the basic descriptions of the other 38 these projects, at least it shows that attention for144 projects did not reveal a relation with RFID secu- RFID-security is hardly present. 87 URL: http:// cordis.europa.eu/search/ 88 http://ec.europa.eu/research/aeronautics/projects/article_3718_en.html
RFID technologies8.11.3. From research to policy workshops and studies in the field of RFID in order to make a policy plan on the developments of Besides these research projects in the Frame- RFID. Security is one of main topics that are inves-work Programmes, the European Commission tigated in these activities. A picture of the roadmapstarted a Consultation process with conferences, of the European Commission is shown below. Figure 8-4: Roadmap: towards a RFID policy in Europe89 This roadmap was presented on the final con- campaigns to educate consumers. More than halfference on October 16 in Brussels on RFID. of the respondents report that some kind of legis- lation regulating RFID should be considered. A mi- From 3 July to 30 September 2006, an online nority of respondents (14%) mention a preferencepublic consultation was held via “Your Voice in for self regulation and best practices based on theEurope” (EC, 2006c) on future RFID policy.90 In ‘Fair Information Principles’.total, 2,190 respondents (citizens, manufacturers,system integrators, academic and scientific insti- Almost half of all respondents have the opin-tutions, public bodies and regulators, etc.), cover- ion that privacy-enhancing technologies (PETs)ing all the European Union Member States and a should be made mandatory in RFID applications.number of countries from outside the EU) an- A clear majority of respondents (61% ) have theswered questions about: RFID use; Privacy, Data opinion that a RFID tag related to a product in aProtection and Security; Standardisation and Inter- supermarket should be automatically de-activatedoperability; Frequency Spectrum; Research. at the point of sale. Other solutions, i.e. a remov- Technical Report Series able sticker attached to the product itself and a A large majority of all respondents (about two- “proximity tag” with a very short reading distancethirds) have the opinion that the best solution(s) to – are advocated by 46% and 40% of all respon-eliminate or greatly reduce the concerns of secu- dents, respectively.rity, data protection and privacy, which may arisefrom deploying applications of RFID technology, About half of the respondents regard the con-are the development of technical solutions allow- cept of limited distance “proximity tags” as a valu-ing to disable RFID tags and/or awareness raising able (complementary) solution to preserve privacy. 14589 Source EC, 2006d90 http://ec.europa.eu/yourvoice
8. Security aspects of RFID The strong majority of respondents consider a spect to specific applications or scenarios. generic reading distance of up to 10 cm as accept- Each application or scenario would require able for proximity tags. Personal data (e.g., e-pass- its own more detailed and specific security ports) is generally placed in the shortest reading analysis. The (seriousness of the) conse- range. A majority of respondents see the need for quences of removing or destroying RFID tags appropriate security and privacy mechanisms to depend on the application. Depending on be taken by RFID application providers, while a the business case of the application, even a large majority is concerned RFID-enabled moni- Common Criteria accreditation process toring of workers. might be worthwhile. We may conclude that this interest as voiced • The costs are not the only point of view. Also by the people who contributed to the Consultation user convenience, user’s acceptance, inter- process can not be recognized in the European ac- operability, etc. are important factors to take tivities in this field up till now. into account. This would require a case by case analysis. • There is a trade-off between security and 8.12. Conclusion functionality. In general, the less functional- ity a (RFID based) system has the more se- The security analysis of RFID delivers the fol- cure it would be. It could be the case that lowing conclusions. The first set of conclusions refer certain security risks are taken for granted be- to the overall risk analysis performed in section 8.1 cause the functionality involved is badly till section 8.9. The second set of conclusions refers needed. to the risk analysis performed for various applica- tion domains (section 8.10). The last set of conclu- The RFID system is usually part of a larger IT sions refer to the attention for RFID security aspects system which includes the back-office. Since the in European programmes (section 8.11). security chain is as weak as the weakest link, we have to consider the entire IT system. 8.12.1. Conclusions of overall risk analysis The security analysis shows that it is difficult From a financial point of view, the most to draw conclusions on the security of RFID only alarming risk would be the risk that has low costs by observing an RFID tag and a reader. When re- for performing the threat and high costs for taking garding the tags and readers as part of architecture, countermeasures. By analysing Table 8-1, this better weighed conclusions can be drawn. would be the risks of deactivating or detaching the The systems that are used in the back office tag because these are fairly easy to perform and are not RFID specific systems. Much is known countermeasures are more involved. Although about the threats, risks, and countermeasures of much attention in the media is paid to eavesdrop- such systems. The new and possibly more vulner- ping on the air interface because of the privacy able systems are the RFID specific readers and consequences of the consumer, from a security cost point of view indeed the vulnerability of the tags. Especially since tags are usually less sophis- Technical Report Series tag itself is an often overlooked aspect. Since tags ticated elements that cannot contain many secu- are easily removed or destroyed, and countermea- rity mechanisms, it seems worthwhile to store the sures are costly, this can be seen as the weakest least possible vulnerable information in the tags. point of an RFID system. So from a security point of view, but also from an information management point of view, it seems At first sight it seems that a redesign of tags right to shift as much data as possible from the tag might be needed to overcome these risks. How- to the backend. Only the essential elements, such ever, some important considerations have to be as tag ID, should be stored on the tag itself. An-146 taken in mind: other advantage of such an approach would be • These are the results of a general security that less advanced tags can be used which are analysis and a rough cost estimate has been cheaper. Of course some additional investments made. No conclusions can be drawn with re- could be necessary for the back office.
RFID technologies8.12.2. Conclusions of risk analysis per the consumer. There is an interesting debate application domain going on about the deactivation of RFID tags when the customer leaves the shop. By considering different application areas, in- Producers want this tag activated in ordersight was created in the seriousness of the different to offer many new services, but consumerssecurity risks (Juels, 2006). Also the goal of the at- would like to have the possibility to deacti-tacker varied over the different application areas: vate the tag for privacy reasons. • Healthcare: the most important risk for tag- It turns out that each specific application area ging medicines and blood bags is the risk of has its own specific security risks. The risk of unau- unauthorised modification of the tag. Not be- thorized modification of data on the tag is relevant, cause the probability of occurrence is high, but (of course) only for rewritable tags. Some secu- but because the impact of such an ‘attack’ rity risks do not pose a threat in the sense of loss of would be immense and could lead to pa- resources, but are just annoying, frustrating, or tients receiving wrong medicines. When even a form of sabotaging the system. The risk of RFID is used for access control of (mentally detaching the tag is an often underestimated risk, ill) patients, the most important risk would but for some application areas it’s the most impor- be the physical destruction or detachment of tant risk. On the other hand, the risk of eavesdrop- the tag which might lead to patients exceed- ping and consequently infringement of privacy ing their allowed frontiers. When RFID is seems to be overrated for most application areas used for tracing doctors also the main risk is although it’s especially important in the smart shop physical destruction or detachment of the application area (Garfinkel, 2006). tag, although it would probably not be the goal of the doctor to destroy it but it could be a little accident. In this case physical de- 8.12.3. Conclusions on RFID security struction of the tag would lead to doctors within European programmes being less traceable in emergency situations. RFID is an actual research topic worldwide. In • Animal tracking: the main threat in this ap- the academic world a broad range of security as- plication area is the physical destruction or pects of RFID is studied. However, the academic re- detachment of the tags by the animals. The search is mainly focused on the more expensive animals would then no longer be traceable smartcard solutions (e.g. electronic ticketing in pub- in case of an infectious disease. lic transport) and less on the logistic process (e.g. re- placement of barcodes by RFID-tags). In the EU • Public transport: the most important risk research projects (Framework Programmes), only within an electronic ticketing system is the two research projects (out of a total of 40 research chance that illegal tickets (i.e. tickets for projects addressing RFID) have a focus on RFID se- which is paid less) are made. This could be curity aspects. This is in contrast with the results of accomplished by a replay attack after a consultation report in 2004, in which the privacy eavesdropping an RFID communication, or and security aspects of RFID were considered as a by unauthorized modification of the con- fundamental enabler of smart wireless tag technol- tents of a ticket. ogy and in which various research needs were de- Technical Report Series • Identity card: the risk of unauthorised modi- fined in the field of security. It is also in contrast with fication of the contents of the ID card is of the results of the 2006 EU-consultation process on course a very important risk. As with ID RFID which showed a primary focus on security as- cards without RFID, adequate measures are pects as one of the key enabling factors of RFID as taken to reduce this risk. The most important well (in combination with privacy concerns). RFID specific threat for ID cards is the risk of Briefly, we conclude that Europe could further unauthorised reading of ID cards. Therefore, stimulate research on security of RFID, including 147 an initial optical step is required before the the passive RFID tags which are less investigated in ID card can be electronically read out. academic research, and including security archi- • Smart shop: in this application area the tectures of RFID systems. most important risk is the loss of privacy of
RFID case studiesPart three
RFID technologies 9. Searching the dynamics of RFID-practices The broad analysis of the preceding chapters of pound-foolish’ strategy: relatively cheap in terms ofthis study has been used to enrich our understand- investments and required adaptations in the working of the dynamics of RFID-practices. To under- process in the short term but probably no use in thestand drivers and barriers of RFID we have longer term when the entire logistic process has toperformed an in-depth study of the introduction of be revised. Though much can be said about theRFID in a number of practices. Much is already problems that logistic suppliers will face in introduc-known about the use of RFID in the logistic process. ing RFID, it was decided at the beginning of thisGlobally operating firms as Metro, Tesco and study that the focus should be on other domains inWal*Mart all enforce the use of RFID within the lo- which RFID can be used. This study should comple-gistic chain. This is not necessarily the best ap- ment the view on drivers and barriers of RFID intro-proach, given the investment costs suppliers have to duction by studying other application domains.make in realising compliance with the requirementsof these firms. Firms tend to chose intermediate so- An initial survey of RFID application domainslutions (such as the Slap-n-Ship approach; see sec- presented the following distribution of RFID activ-tion 5.1) which may turn into a ‘penny-wise ities: Table 9-1: Distribution of cases over societal domains91 Domain No. of cases Retail, Consumer goods 400 Financial, Security and Safety 316 Passenger and Public transport 278 Leisure and Sports 228 Land and Sea Logistics, Postal 177 Healthcare 142 Manufacturing 135 Animals and Farming 81 Books, Libraries and Archiving 76 Military 43 Laundry 10 Other 4 Table 9-1 represents a broad class of cases, private domain applications. We used this tablefrom initial pilots and field trials to full-fledged roll- (and the more detailed table in Annex 8) as a start- Technical Report Seriesouts of RFID. The table encompasses public and ing point for the selection process. 15191 Source IDTechEx 2006 (visited 12 April 2006)
9. Searching the dynamics of RFID-practices 9.1. Selecting the appropriate cases The first four items have been made part of the description of the case studies as these will be The intention of the study was to use case presented in the following chapters. The last three studies to analyse the dynamics of RFID imple- items have been taken up in chapter 15 (the pol- mentation in a number of domains. We defined as icy evaluation). overall objective that case studies should enable Before choosing the final set of cases, we did to identify: a pilot study on Public transport, in which we re- • Drivers for the future RFID usage. searched the appropriateness of the following set • Barriers to RFID introduction (technologi- of criteria: cal, economic, social, legal). 1. Drivers and barriers. • Perceived market potential for the European 2. Threats and opportunities. market. 3. Role of stakeholders. • Distance in time to adoption. 4. Role of government. • Stakeholders perspectives on drivers and 5. Technology involved. barriers. 6. Role for Europe. Moreover, the case studies should help to The next step was the identification of the re- identify: maining set of four cases. On the basis of desk re- • Differences in stakeholder strategies due to search in which we studied a number of articles variation in Member State markets. and reports dealing with implementation of RFID,92 we identified a number of domains as • Perceived EU wide benefit. promising from a European perspective. The • The role of the public sector in helping to analysis revealed a number of characteristics, achieve this benefit. which we present in Table 9-2. Table 9-2: Characteristics of RFID application domains Technology applications Actors Issues Health Varied uses Hospitals, patients, insurance Quality, privacy, security companies Cultural sector Repository, loan, Libraries, museums, visitors Privacy, data retention add. info Pharmaceuticals Repository, logistics, Pharmaceutical industry, Counterfeiting, additional info, counterfeiting healthcare institutions, patients, logistics of care-system insurance companies Digital rights Tracking, tracing Variety (governments, commercial Appropriate use, privacy, management organisation of various kinds) new business models Technical Report Series Identity cards Identification Governments (National) security, privacy, civil rights Animal tagging Tracking and tracing ‘From farm to fork’, governments, Quality assurance, consumer organizations recall issues ICT sector Supplier of RFID Chip developers; system Competitiveness of EU applications integrators, consultancy firms, … vs USA/Asia152 92 See (Capgemini, 2005), (Garfunkel & Rosenberg, 2005), (Gartner, 2005a), (Gartner, 2005b), (Gartner, 2005c), (IDC, 2004), (IDTechEx, 2005a), (IDTe