On 18 March, in Paris, the CNRFID organised a half-day thematic session devoted to privacy impact assessment for RFID applications.
The event was a success, with more than thirty participants representing technology vendors, RFID application operators, consultants (technical and legal) and academics.
2. Agenda
Introduction
  - RFID and privacy
  - RFID operator
Legal Environment
  - Charter of Fundamental Rights of the European Union
  - Directive 95/46/EC and French “Loi Informatique et Libertés”
  - Recommendation 2009/387/EC, Mandate M436 and EN 16571
  - Future European Regulation
Privacy Impact Assessment (PIA/EIVP)
  - PIA levels
  - PIA process: the 9 steps
  - Risk Analysis
    - Data, Threats, Vulnerabilities, Countermeasures, Residual risk
    - EN 16571 / ISO 27005 vs. EBIOS
EN 16571
  - Registration Authority
  - CSL/CNRFID Software
www.centrenational-rfid.com 02/23/2015
3. Introduction: Privacy concept
Privacy is a fuzzy concept but can be summarized as
“the claim of individuals to determine for themselves when, how and to what extent information about them is communicated to others”
Information: Personal Data
  - Data Protection: collection, accuracy, protection and use of data collected by an organization
  - Data Security: protection of collected data
Notion of personal consent
  - Opt-In
  - Opt-Out
Personal data and privacy classification
  - Physical (body integrity)
  - Personal Behaviour (political, religious, sexual, …)
  - Personal communications (phone, emails, social networks, …)
  - Personal information (gender, age, …)
  - Spatial privacy (locations, travels, …)
11/07/2013 www.centrenational-rfid.com
4. Introduction: RFID everywhere?
Citizens use more and more RFID technologies
  - Ticketing (transportation and events)
  - Payment (small values without PIN code)
  - Identity (passport, driving licence)
  - NFC applications…
Citizens are surrounded by RFID tags
  - Everyday life products (textile, library books, …)
  - Luxury goods (authentication, certificates, …)
  - First developed for logistics, inventory, article surveillance, …
Data can identify people directly…
  - Name, address, etc.
  - Generally secured HF protocols (first use cases)
… or indirectly
  - Unique identifiers (TID, EPC, …)
  - Combined with other data, could impact privacy
6. Introduction: RFID operator
The definition is given in Recommendation 2009/387/EC:
‘RFID application operator’ or ‘operator’ means the natural or legal person, public authority, agency, or any other body, which, alone or jointly with others, determines the purposes and means of operating an application, including controllers of personal data using a RFID application
This covers organizations that read RFID tags… and organizations that write (encode) a tag
The RFID operator is responsible for implementing a PIA
7. Privacy: European Regulations
Directive 95/46/EC
  - on the protection of individuals with regard to the processing of personal data and on the free movement of such data
  - Transposed into national French law: “Loi Informatique et Libertés”
Charter of Fundamental Rights of the EU (2000/C 364/01)
  - Art. 8, right to the protection of personal data:
    Everyone has the right to the protection of personal data concerning him or her.
    Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
    Compliance with these rules shall be subject to control by an independent authority.
  - In France, that authority is the CNIL!
8. Privacy: European Regulations
Recommendation 2009/387/EC
  - Due to potential massive RFID deployment, the European Commission issued a Recommendation (May 2009)
    « on the implementation of privacy and data protection principles in applications supported by RFID »
  - Title: data protection, not only personal data
  - Definition and scope:
    - All RFID technologies (NFC and contactless smart cards included)
    - All kinds of applications, including governmental applications, with rare exceptions
    - For the retail sector (direct link to the consumer) there are rules on when deactivation of the tag is required
9. Privacy (European Recommendation): Focus on tag deactivation at the Point of Sale
Once the tag leaves the « controlled domain »
Logic deactivation:
  - Secured deactivation (Kill + passwords)
  - Unsecured deactivation (Kill with one password for the entire application)
  - Reduced read range?
Hardware:
  - Tag destruction (strong electromagnetic wave, …)
  - Tag removal
10. Privacy (Recommendation)
The Recommendation does not oblige the operator to deactivate the tags at PoS if the RFID operator undertakes a Privacy Impact Assessment (PIA) and proves that the risk is limited
  - Systematic deactivation (OPT-IN) in case of a high level of risk
  - A simple, immediate and free way to disable the tag at PoS must be provided (medium level of risk) (OPT-OUT)
Privacy Impact Assessment (PIA)
  - Identify the impact of the implementation of the application with respect to personal data and privacy
  - The PIA has to be undertaken by the RFID operator!
  - Level of detail consistent with the level of risk
11. Privacy, PIA Framework
To help the RFID operators in the PIA process, the European Commission gathered stakeholders to draft a Framework
This Framework has been accepted by the Art. 29 WP and endorsed by the European Commission in January 2011
13. Privacy: one word on M/436
  - December 2008: the European Commission issued Mandate 436
  - The Mandate is issued to CEN, ETSI and CENELEC (only CEN and ETSI participate)
  - Phase 1: propose a gap analysis of existing standards related to RFID, data protection and privacy protection. A joint technical committee is chaired by CNRFID
  - May 2011: the phase 1 report underlines that there is no existing standard related to the PIA process and signage (public awareness)
  - January 2012: kick-off meeting (KoM) of phase 2; the goal is to publish standards in a 2-year time frame (only CEN is involved)
  - July 2014: publication of 2 major standards
    - EN 16570: Signage and public awareness
    - EN 16571: PIA process for RFID applications
  - July 2014: CNRFID became the Registration Authority for EN 16571
14. Future European Regulation
Future Regulation on Data Protection
  - Supersedes Directive 95/46/EC
  - Regulation: no need to transpose it into national law
  - Art. 33 makes the Privacy Impact Assessment mandatory
Art. 32a: Respect to risk
  The controller, or where applicable the processor, shall carry out a risk analysis of the potential impact of the intended data processing on the rights and freedoms of the data subjects, assessing whether its processing operations are likely to present specific risks
Art. 33: Data Protection Impact Assessment
  The controller shall carry out an assessment of the impact of the envisaged processing operations on the rights and freedoms of the data subjects, especially their right to protection of personal data
Art. 33 describes the minimal requirements …
15. Future European Regulation
The DPIA shall contain …
  - a systematic description of the envisaged processing operations and the purposes of the processing
  - an assessment of the necessity and proportionality of the processing operations in relation to the purposes
  - an assessment of the risks to the rights and freedoms of data subjects
  - a description of the measures envisaged to address the risks and minimize the volume of personal data which is processed
  - a list of safeguards, security measures and mechanisms to ensure the protection of personal data
  - a general indication of the time limits for erasure of the different categories of data
  - a list of the recipients or categories of recipients of the personal data
17. PIA Levels: Privacy Assets and Data Types
Assets are classified in two categories
  - Assets that can directly identify individuals: passport, medical bracelet, loyalty card, venue-based trackable bracelets, …
  - Assets that, when held, can identify the individual: airline baggage tag, tagged employee uniform, public transport card, retail product, library book, …
Privacy Assets are closely related to Personal Data (wherever it is stored)
EN 16571 assesses the “value” of the data on the tag and in the application
Associated Personal Data are classified into 6 categories
  - PI Personal Identifier (name, email, DNA, …)
  - PB Personal Behaviour (age, religion, political affiliation, …)
  - TH Tag and Hardware (RFID chip ID, IPv4/6, …)
  - RV Residual Value (residual value on loyalty card, travel card, …)
  - TL Time and Location (start location, route, …)
  - IT Identity of Things (unique item code)
18. PIA Levels: Privacy in depth model
This model identifies all of the layers that need to be considered to assess the privacy risks associated with the RFID technology used in the application
The top four layers are directly concerned with RFID technology, whereas the bottom four layers are concerned with the host computer and application
19. Assess the PIA Level
To assess the PIA level, you need to answer 3 basic questions
20. PIA Levels: What to consider regarding the PIA level?
Level 0: no PIA required
Level 1:
  - Risk assessment for data types other than PI and PB
  - Only consider threats on the RFID air-interface
Level 2:
  - For PI and PB, only consider threats on the application layer
  - For other data types, consider all kinds of threats
Level 3:
  - For PI and PB, consider all kinds of threats
Whatever the level, don’t forget to consider the controlled and uncontrolled domains
24. Risk Analysis: Asset identification and valuation
2 categories of asset
  - directly identifiable assets, where encoded data includes:
    - an individual's name
    - a unique chip ID
    - any identifier that has a one-to-one relationship with the individual
  - indirectly identifiable factors specific to the individual's physical, physiological, mental, economic, cultural or social identity, as included in Directive 95/46/EC for the definition of personal data
The value of the asset is based on the highest value of the associated data types
The value of an asset is between 0 and 4 (based on ISO 27005)
EN 16571 gives a (quite exhaustive) list of data types and proposes values
25. Risk Analysis: Example of Asset valuation
Membership card with information encoded in the RFID chip and stored in the application
26. RFID Threats
RFID threats are mainly based on two different attacks: eavesdropping and tag activation
Eavesdropping
  - Listening to the communication between a tag and an interrogator
  - Eavesdropping distances are greater than reading distances
  - Information can be decoded if not cover-coded or encrypted
Tag Activation
  - RFID tags are operational once energized (no ON/OFF switch)
  - A fake reader can ask a real tag to backscatter information
  - Activation distances are greater than reading distances because the attacker does not respect regulatory limits (e.g. 2 W ERP in Europe)
  - More and more commercial readers are available
    - At least 250 million HF readers on smartphones
    - Many small UHF readers that have USB connections or plug into smartphones, e.g. Arete Pop (unit price 200 €) with a read range of 1 metre
Actual threats are a mix of eavesdropping and tag activation
27. Examples of RFID Threats
Physical data modification
  - Unauthorized changing of encoded data on the tag by deleting, modifying or adding data
  - Example: changing a product code to gain some financial advantage
Tracking
  - Continual sequence of unauthorized tag reading
  - The threat can be deployed with mobile or fixed interrogators
  - Example: tracking of employees in known zones, tracking of customers, …
Relay Attack
  - Also known as “man in the middle” attack
  - Allows a real tag to communicate with a real reader at long distances
  - Example: access a building without authorization
28. Risk Analysis: Threats
Threats are classified using 2 vectors:
  - The layer that is attacked (data on the tag, RFID air-interface, RFID reader, application)
  - The security requirement (confidentiality, availability, integrity)
The value of the threat is either low, medium or high (ISO 27005)
The value is linked to the complexity and skill required for implementing the threat
Threats associated with the data encoded on the RFID tag and the RFID tag
  - Side channel attack (confidentiality)
  - Physical data modification (integrity)
  - Cloning (integrity)
  - Tag reprogramming (integrity)
  - Tag destruction (availability)
  - …
29. Risk Analysis: Threats
Threats associated with the air interface or the device interface communication
  - Unauthorized tag reading (confidentiality)
  - Eavesdropping or traffic analysis (confidentiality)
  - Crypto attacks (confidentiality)
  - Relay, or man-in-the-middle attack (integrity)
  - Replay attack (integrity)
  - Noise (availability)
  - Jamming (availability)
  - Malicious blocker tags (availability)
  - …
30. Risk Analysis: Threats
Threats associated with the interrogator
  - Side channel attack (confidentiality)
  - Exhaustion of protocol resources (availability)
  - De-synchronization attack (availability)
  - There is no identified interrogator threat on data integrity
Threats associated with the host application
  - Privacy and data protection violations (confidentiality)
  - Injecting malicious code (integrity)
  - Partial/complete denial of service (availability)
31. Risk Analysis: Vulnerability
Vulnerability can be:
  - Low: it is unlikely or impossible to implement a threat
  - Medium: it is possible (identified in research documents) to implement a threat
  - High: the threat has been exploited in the real world
Taking into account the “exposure” time
  - Assets that are held on a transient basis (less than 50 consecutive days) are considered less vulnerable
  - Vulnerability can be reduced by one level
  - Example: detachable label on a retail product
33. Risk value (EN 16571 / ISO 27005)
Example: library book
  - Asset: unique identifier linked to book category (data on the tag): 2
  - Threat: tag activation: Medium
  - Vulnerability: UHF protocol, no encryption: High
  - Risk value: 5/8
But exposure is less than 50 consecutive days
  - Risk is reduced by one
  - Risk value: 4/8
34. Risk Analysis: Countermeasures
Countermeasures are applied in order to mitigate the risk
Countermeasures are classified as:
  - embedded in the tags and devices (crypto)
  - available in the technology but requiring an action by the RFID operator (kill)
  - independent of the hardware and implementable by the RFID operator (systematic removal of the tag at point of sale)
  - advice the RFID operator can give the individual about protecting privacy (please remove the tag yourself)
35. Risk Analysis: Countermeasures
Once countermeasures have been implemented, the risk shall be re-evaluated
The basic rule (described in EN 16571) is that:
  - Implementation of a countermeasure reduces the risk by 1
  - If the RFID operator decides to remove, destroy, or render untraceable a tag before it moves from the controlled to the uncontrolled domain, then the risk level goes to zero
The CSL/CNRFID software is more sophisticated:
  - Countermeasure values can be more or less than 1
  - Implementation of multiple countermeasures on a threat reduces the risk even more (cumulative effect with a non-linear equation)
  - Overall risk reduction can be more or less than 1
36. Risk Analysis: residual risk
The risk that has not been cancelled (zeroed) is called the residual risk
This residual risk has to be compared to the benefits carried by the application
The residual risk has to be accepted by the stakeholders
The risk has to be reassessed in case of:
  - significant changes in the RFID application
  - changes in the type of information processed
  - reports of breaches in similar RFID applications
  - and every year …
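The slides above describe one scoring procedure: scope the threats by PIA level (slide 20), value the asset from its data types (slides 17 and 24), rate each threat and vulnerability, apply the 50-day exposure reduction (slide 31), combine into a risk value out of 8 (slide 33), then subtract the countermeasures to get the residual risk (slides 35 and 36). The following Python is an added worked example of that chain; it is not the CSL/CNRFID software and not text from EN 16571. It assumes the ISO 27005 Annex E style matrix (risk = asset value 0..4 plus a threat offset and a vulnerability offset of 0, 1 or 2 each), which reproduces the library-book figures on slide 33 (5/8, then 4/8 after the exposure reduction). The `Threat`/`Asset` classes, the layer names and the `LIBRARY_BOOK` sample are constructed for the example; treating non-PI/PB data types at level 3 as "all layers in scope" is an assumption, since slide 20 only states the PI/PB rule for that level.

```python
"""EN 16571 / ISO 27005-style risk scoring for an RFID PIA (added example).

Not the CSL/CNRFID software and not text from the standard. Assumptions:
- ISO 27005 Annex E matrix: risk = asset value (0..4) + threat offset
  (low 0, medium 1, high 2) + vulnerability offset (same scale), range 0..8.
- Slide 20 scoping rules; at level 3, non-PI/PB data types are assumed to
  need all layers (the slide only states the PI/PB rule).
"""
from dataclasses import dataclass, field

LEVELS = {"low": 0, "medium": 1, "high": 2}
LAYERS = ("tag_data", "air_interface", "reader", "application")  # slide 28
DIRECT_TYPES = {"PI", "PB"}  # Personal Identifier, Personal Behaviour (slide 17)


def threat_in_scope(pia_level: int, data_type: str, layer: str) -> bool:
    """Slide 20: which threat layers must be assessed for a data type."""
    if layer not in LAYERS:
        raise ValueError(f"unknown layer {layer!r}")
    if pia_level == 0:
        return False                               # no PIA required
    if pia_level == 1:
        return data_type not in DIRECT_TYPES and layer == "air_interface"
    if pia_level == 2:
        return layer == "application" if data_type in DIRECT_TYPES else True
    if pia_level == 3:
        return True                                # assumption for non-PI/PB types
    raise ValueError(f"unknown PIA level {pia_level}")


def risk_value(asset_value: int, threat: str, vulnerability: str,
               transient: bool = False) -> int:
    """Risk 0..8. Transient exposure (< 50 consecutive days, slide 31) lowers
    the vulnerability one level before the matrix is applied."""
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be 0..4 (ISO 27005)")
    vuln = LEVELS[vulnerability]
    if transient and vuln > 0:
        vuln -= 1
    return asset_value + LEVELS[threat] + vuln


def residual_risk(risk: int, countermeasures, removed_before_uncontrolled=False) -> int:
    """Slide 35 basic rule: each countermeasure subtracts 1; a tag removed,
    destroyed or rendered untraceable before leaving the controlled domain -> 0."""
    if removed_before_uncontrolled:
        return 0
    return max(0, risk - len(countermeasures))


@dataclass
class Threat:
    name: str
    layer: str
    level: str                  # low/medium/high: complexity and skill (slide 28)
    vulnerability: str          # low/medium/high (slide 31)
    countermeasures: list = field(default_factory=list)


@dataclass
class Asset:
    name: str
    data_types: dict            # data type code -> value 0..4 (slides 17, 24)
    pia_level: int
    transient: bool = False     # held < 50 consecutive days
    removed_before_uncontrolled: bool = False
    threats: list = field(default_factory=list)

    @property
    def value(self) -> int:
        return max(self.data_types.values())   # slide 24: highest data type value


def assess(asset: Asset) -> list:
    """Score every in-scope threat and rank by residual risk, highest first."""
    rows = []
    for t in asset.threats:
        if not any(threat_in_scope(asset.pia_level, dt, t.layer) for dt in asset.data_types):
            continue
        risk = risk_value(asset.value, t.level, t.vulnerability, asset.transient)
        rows.append({"threat": t.name, "layer": t.layer, "risk": risk,
                     "residual": residual_risk(risk, t.countermeasures,
                                               asset.removed_before_uncontrolled)})
    rows.sort(key=lambda r: (-r["residual"], -r["risk"]))
    return rows


# Constructed sample modelled on the slide 33 library-book example.
LIBRARY_BOOK = Asset(
    name="library book",
    data_types={"IT": 2},       # unique identifier linked to book category
    pia_level=1,                # no PI/PB: air-interface threats only
    transient=True,             # loan period < 50 consecutive days
    threats=[
        Threat("tag activation", "air_interface", "medium", "high"),
        Threat("physical data modification", "tag_data", "low", "medium"),
    ],
)

if __name__ == "__main__":
    for row in assess(LIBRARY_BOOK):
        print(row)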
37. Risk Analysis: EBIOS approach
EBIOS: Expression des Besoins et Identification des Objectifs de Sécurité
A 5-step methodology:
  - Circumstantial study: determining the context
  - Security requirements
  - Risk study
  - Identification of security goals
  - Determination of security requirements
EBIOS is primarily intended for governmental and commercial organizations working with the Defense Ministry that handle confidential or secret defense classified information: nothing to do with RFID and privacy
38. Risk Analysis: EBIOS approach
CNIL proposes a methodology for privacy risk management based on EBIOS
The 5 steps become:
  - Background study: What is the context?
  - Feared events study: What does one fear happening?
  - Threats study: How can it happen? (optional)
  - Risk study: What is the risk level? (optional)
  - Measures study: What can be done to treat risks?
STEP 1: equivalent to the description of the application
39. Risk Analysis: EBIOS approach
STEP 2: Feared events are:
  - unavailability of legal processes
  - change in processing (diversion of the purpose, excessive or unfair collection, …)
  - illegitimate access to personal data
  - unwanted change in personal data
  - disappearance of personal data
Feared events are ranked using the addition of:
  - Level of identification (negligible, limited, significant, maximum)
  - Prejudicial effect (negligible, limited, significant, maximum)
40. Risk Analysis: EBIOS approach
STEP 3: Threats study: How can it happen?
A threat is a possible action by risk sources on supporting assets
Threats are ranked using the addition of:
  - vulnerabilities of the supporting assets (negligible, limited, significant, maximum)
  - capabilities of risk sources (negligible, limited, significant, maximum)
41. Risk Analysis: EBIOS approach
STEP 4: Level of risk
Severity vs. likelihood: you can only have a map of the risk, not a score
42. Risk Analysis: EBIOS approach
STEP 5: Measures
The RFID operator describes how he will reduce the risk (severity and/or likelihood)
It is up to the RFID operator to evaluate the risk reduction
43. Risk Analysis: EBIOS approach
EBIOS is more devoted to security issues and not suited to RFID and privacy
  - EBIOS concentrates on the feared event, not on the privacy asset and data type
    - For one feared event, many data types can be involved, so which data type do we have to choose?
  - EBIOS doesn’t take into account where the data is stored
    - A feared event can occur if the data is stored in the tag or in the host application (the threat will be different!)
  - When using the EBIOS methodology, you have to imagine scenarios, so you can forget risks
  - EBIOS doesn’t give an overall risk score, so it is difficult to rank the risks and choose to mitigate the highest ones
  - EBIOS doesn’t explain how a measure reduces the risk score
  - EBIOS doesn’t take into account the uncontrolled domain
  - EBIOS doesn’t take into account the exposure time
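Slides 39 to 41 give the CNIL/EBIOS ranking in two additions (severity = level of identification + prejudicial effect; likelihood = vulnerability of supporting assets + capability of risk sources) and then state that the result is a map, not a score. The Python below is an added example of that, not CNIL's tool and not text from the method: it maps the four qualitative levels to 1..4 as an assumption, takes a feared event's likelihood as the highest likelihood among the threats that can cause it (also an assumption), and then finds pairs of feared events that the map alone cannot order, which is the slide 43 criticism that the method gives no overall score for prioritising mitigation. The `SAMPLE` feared events are constructed.

```python
"""CNIL privacy-risk ranking derived from EBIOS (slides 38-41), added example.

Not CNIL's tool. Assumptions: the four levels map to 1..4 and are simply
added, as the slides state; a feared event's likelihood is the maximum over
the threats that can cause it.
"""

SCALE = {"negligible": 1, "limited": 2, "significant": 3, "maximum": 4}


def severity(identification: str, prejudicial_effect: str) -> int:
    """Slide 39: level of identification + prejudicial effect (2..8)."""
    return SCALE[identification] + SCALE[prejudicial_effect]


def likelihood(vulnerability: str, capability: str) -> int:
    """Slide 40: supporting-asset vulnerability + risk-source capability (2..8)."""
    return SCALE[vulnerability] + SCALE[capability]


def risk_map(feared_events: dict) -> dict:
    """Slide 41 map: {feared event: (severity, likelihood)}.

    feared_events[name] = {"identification": level, "prejudice": level,
                           "threats": [(vulnerability, capability), ...]}
    """
    out = {}
    for name, fe in feared_events.items():
        sev = severity(fe["identification"], fe["prejudice"])
        lik = max(likelihood(v, c) for v, c in fe["threats"])
        out[name] = (sev, lik)
    return out


def incomparable(m: dict) -> list:
    """Pairs where one event is more severe but the other more likely.
    Neither dominates, so the map cannot rank them without a scoring rule
    the method does not provide (slide 43)."""
    names = sorted(m)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (sa, la), (sb, lb) = m[a], m[b]
            if (sa > sb and la < lb) or (sa < sb and la > lb):
                pairs.append((a, b))
    return pairs


# Constructed sample: three of the slide 39 feared events with made-up levels.
SAMPLE = {
    "illegitimate access to personal data": {
        "identification": "significant", "prejudice": "limited",
        "threats": [("limited", "significant"), ("negligible", "limited")]},
    "disappearance of personal data": {
        "identification": "limited", "prejudice": "significant",
        "threats": [("limited", "limited")]},
    "unwanted change in personal data": {
        "identification": "maximum", "prejudice": "significant",
        "threats": [("negligible", "negligible")]},
}

if __name__ == "__main__":
    m = risk_map(SAMPLE)
    for name, (sev, lik) in m.items():
        print(f"{name}: severity={sev} likelihood={lik}")
    print("cannot be ordered by the map alone:", incomparable(m))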
45. European Registration Authority
Role defined in the standard EN 16571 – PIA process
Privacy Capability Statement
  - A reference document
  - Clear and standardized information on product features related to privacy for RFID chips, tags and readers
  - Avoids misinterpretations of technical standards (many optional features) and of commercial manufacturers’ information (incomplete datasheets)
  - Allows easy comparison of different products
The Registration Authority:
  - Gathers information from the manufacturers
  - Provides this information to RFID operators
  - Is the unique entry point in Europe
Impinj and NXP already declare their UHF products
46. European Registration Authority
Impinj and NXP declare UHF products… more to come
You can download Privacy Capability Statements from the website
47. European Registration Authority
Example of PCS: Impinj M4QT (document “UHF PCS - passive RFID chip - Impinj M4QT - 20141217.pdf”)
48. PIA made easy: a dedicated software tool
Enter the organization’s details
49. PIA made easy: a dedicated software tool
Describe your application
50. PIA made easy: a dedicated software tool
Select your assets
51. PIA made easy: a dedicated software tool
Choose the tags you are using in the application
In case the product is not referenced, an email is automatically sent to support
52. PIA made easy: a dedicated software tool
Select the data types
53. PIA made easy: a dedicated software tool
You can change the data type value
54. PIA made easy: a dedicated software tool
Only threats that are relevant to the specific RFID protocol and the layer are presented. These are the threats for ISO/IEC 15693 and Tag Data:
The operator can accept or change the EN 16571 suggested values
55. PIA made easy: a dedicated software tool
Relevant countermeasures are displayed
56. PIA made easy: a dedicated software tool
The countermeasures are linked to threats and the impact on risk values varies
Spreadsheet Threat/Countermeasures
57. PIA made easy: a dedicated software tool
The software displays the PIA summary, with details of:
  - Operator details
  - Application description (overview)
  - Data on the tag
  - Countermeasures applied by the operator
  - Countermeasures the individual should apply
  - The risk score
Export in various formats, e.g. PDF, HTML
More at: http://rfid-pia-en16571.eu
58. Conclusion
RFID operators now have all the reference texts to undertake a PIA
  - PIA is a good practice and is not mandatory (European Recommendation)
  - Next step: European Regulation? All ICT technologies will be covered
PIA is a good way to establish trust between operators and citizens
The PIA approach could be spread to other communication and internet technologies
Governments could be forerunners with ID applications…
59. One common Emblem (EN 16570)
Based on ISO/IEC 29160: RFID Emblem
60. Signalisation (EN 16570)
Additional information to be provided by RFID operators (sample sign text):
NFC tags may be read in this area for the purpose of easy NFC smartphone based professional data exchanges. vCard application is available on demand and can be embedded in your visitor badge.
vCard application is operated and controlled by French RFID National Center (CNRFID)
A Privacy Impact Assessment has been undertaken and validated by the French Data Protection Authority (CNIL)
PIA summary can be downloaded at www.centrenational-rfid.com
For more information, please contact us by phone or email: +33 494 370 937, contact@centrenational-rfid.com