EXECUTIVE SUMMARY
This case study describes the privacy issues of applying Radio Frequency Identification (RFID) in the retail industry. With the dramatic drop in the price of RFID tags, it has become possible to apply RFID to individual items sold by a retailer. However, RFID technology poses critical privacy challenges. In this study, we analyze the potential privacy issues of RFID utilization, and we propose a privacy authorization model that aims to define RFID privacy policies precisely for the retail industry.
Keywords: RFID, Privacy, RBAC, EPAL
INTRODUCTION
In the present retail industry, retailers are under tremendous pressure to improve their efficiency. One way to increase productivity is through the adoption of new technologies. History has shown that retailers were early adopters of Electronic Data Interchange (EDI) and Business-to-Business (B2B) E-Commerce. The benefits of adopting these new technologies are obvious: reduced time to market and reduced cost associated with office and manufacturing floor automation. In recent years, Radio Frequency Identification (RFID) has attracted significant attention in the retail industry. RFID is a generic term for the technologies that use radio waves to automatically identify individual items wirelessly. RFID enables retailers to effectively and efficiently track the entire circulation process of items from suppliers to end users. It allows objects to be identified, oriented, and traced directly and continuously. In addition, RFID is able to deliver information in real time. As a result, RFID is widely considered an emerging technology that could potentially revolutionize the way retailers do business. Among other examples, Wal-Mart has mandated that its top 100 suppliers use RFID by January 2005 (Vijayan, 2003); the U.S. Department of Defense has also made similar requests to its military suppliers (U.S. Department of Defense, 2003).
Although it seems that RFID is a boon to e-Commerce, the actual adoption of RFID in the retail industry is quite slow (Bradner, 2005). The retail industry poses typical enterprise computing challenges (Neogi, 2004), as a retailer normally deals with multiple parties belonging to different organizations: suppliers, manufacturers, distributors, and end consumers. Nowadays, the enterprise computing efforts of retailers focus mainly on suppliers. To date there is little work conducted on how to provide enterprise-level computing capability for individual customers.
In addition to the known security issue, one such capability we have identified is consumer privacy protection. There is a growing concern for data privacy among businesses and consumers, because of the possible unwanted revelation of confidential or personal data stored within RFID devices.
1 The third author is currently with BEA Systems, Inc., and is also a Guest Scientist at the National Institute of Standards and Technology (NIST).
2 Privacy is a state or condition of limited access to a person (Schoeman, 1984). Particularly, information privacy refers to an individual's rig...