ICTSB

1
ICTSB an outline of recent RFID discussions

• Kirit Lathia
• Chairman of the ICT Standards Board
• kiritkumar.lathia_at_nsn.com
• www.ictsb.org

2
What is the ICT Standards Board?

• Created in 1995 - Reaction to convergence of IT,
  telecoms, broadcasting and entertainment
  industries
• Co-ordination in ICT domain
• Involving ESOs and consortia
• Provide European focal point for discussion of
  current issues

3
ICTSB Members

• ANEC
• CEN
• CENELEC
• DVB
• EBU
• Ecma International
• EFTA Secretariat
• EICTA
• ETSI

• European Commission
• ISOC (IETF)
• Liberty Alliance
• NORMAPME
• OASIS
• OMA
• RosettaNet
• The Open Group
• TMF
• W3C

4
What does ICTSB do?

• analyses requirements received from any competent
  source based on concrete market needs
• translates these requirements into coherent
  standards work programmes
• allocates work items to members and reviews
  progress against objectives
• ICTSB (and its WGs) do not produce standards

5
ICTSB and RFID

• Open meeting held Brussels, 24 October
• 30 participants
• Objective - more common understanding on who is
  doing what on RFID standardization issues
• Initial addresses by Commission (Heads of Unit
  responsible in DG INFSO and DG ENTR)
• Presentations by main standards bodies, ANEC
  (consumer perspective)

6
High-level conclusions

• Standardization bodies should understand the
  business process before writing standards
• Consumers should be included in the business
  process if needed
• Distinction between tags, air interfaces and back
  offices should be made
• The need for standards was confirmed but the type
  of standards needed should be further discussed
• Inter-organization communication should be
  enhanced
• Who does what needs to be agreed at an early
  stage
• Bearing privacy in mind, the collected amount of
  data should be kept to the minimum. NB Article
  3.3 of the RTTE Directive (99/05) should also be
  used to address fraud and privacy issues

7
Future developments

• (International) Standards needed in future for
  open RFID systems
• Standards gaps and internet of things
• Future standards/research collaboration should be
  improved (project cluster)
• GRIFS Global RFID Interoperability Forum (GS1,
  ETSI, CEN watch this space)

8
Business model issues

• RFID should be taken in an overall context with
  other data capture technologies, the issues are
  similar (RFID is one of many such)
• The business model concerning registration etc
  may evolve and become more competitive. This
  will reduce suspicion and encourage uptake
• Business model/process needs to include
  user/consumer requirements
• There needs to be a specific assessment of the
  security and privacy risks prior to deployment of
  RFID. Classic standards approach to security
  looks at business model first. In RFID privacy
  scare issue though we are forgetting the business
  model! Go back to first principles what are we
  trying to protect, for whom etc?
• Security/privacy are important, but we also need
  to ensure prevention of fraud

9
RFID and privacy

• Privacy standards issues are mostly horizontal,
  rather than specific to RFID
• RFID is a data carrier, not the data itself
• Legislation on privacy issues is needed first
  before standardization
• There is some talk about a possible standards
  mandate
• Collection of personal data for security purposes
  is one thing, commercial misuse another
• Data can be mined in some cases (eg US) when EU
  forbids this is a societal issue
• Companies already have major consumer data, RFID
  only adds some extra information
• IT incontrovertibly allows more manipulation of
  data, whatever is the societal approach to data
  privacy
• User consent is a key principle (opt-in)

10
RFID and security (1)

• Who is responsible for RFID security
  standardization?
• NB German national RFID security publication
  activity
• NIST RFID Guidelines contain general security
  requirements already (INFSO) NB US-EU dialogue
• Security and privacy are usually bracketed
  together (but perhaps wrongly) but also are more
  general than RFID
• A one-size-fits-all strategy does not work across
  the range of possible applications

11
RFID and security (2)

• Basic security requirements
• Prevent unauthorised access
• Differentiated access
• Unique communication per transaction
• RFIDs must not be cloneable

12
RFID and security (3)

• Three aspects (or subsets) to consider
• (1) RFID subsystem consisting of transponder
  (tag) and interrogator (reader)
• (2) Enterprise subsystem comprising the local
  environment of the readers, the middleware that
  pre-processes the read tag data and the backend
  systems that process the information in order to
  conduct the business process
• (3) Inter-enterprise subsystem consisting of the
  networked infrastructure that provides additional
  services for cross-organisational communication.

13
RFID and registration

• ISO/IEC JTC1/SC31 dealing with item management
• Registration authorities eg NEN should be
  used
• NB also for mobile telecommunications a unique
  identifier system exists

14
Definitional issues

• Definitions eg active/passive/semi-, battery
  powered, etc. needed
• Vocabulary in JTC1 but also (for sensors) in
  IEEE
• TC225/WG has developed some additional
  definitions to be submitted to Commission Expert
  Group and published on CEN web site (link to
  ICTSB) and input to SC31

15
Other issues

• Question of how much of the relevant data is in
  fact on databases in back offices, ie to which
  the RFID chip is an access
• Inter-organizational requirements are not being
  addressed fully (c/f general eBusiness
  transaction problems)
• Encryption should the data be encrypted or
  should the tag be? Depends on use to which data
  is to be put, how it is to be stored/used etc.

16
Extra resources

• New CEN list of definitions (comments welcome)
• ICTSB overview of RFID standards activities
  (living document)
• ICTSB will continue to monitor this issue, may
  hold further meetings (to avoid too many, maybe
  with GRIFS events)

17
Thanks

• John Ketchell on behalf of Kirit Lathia