M/436 - Radio frequency identification

ISO/IEC 29160:2012 specifies the design and use of the RFID Emblem: an easily identified visual guide that indicates the presence of radio frequency identification (RFID). It does not address location of the RFID Emblem on a label. Specific placement requirements are left to application standards developers.
It also specifies an RFID Index, which can be included in the RFID Emblem and which addresses the complication added by the wide range of RFID tags (frequency, protocol and data structure). The RFID Index is a two-character code that provides specific information about compliant tags and interrogators. Successful reading of RFID tags requires knowledge of the frequency, protocol and data structure information provided by the RFID Index.

This European Standard has been prepared as part of the EU RFID Mandate M436. It is based on the Privacy and Data Protection Impact Assessment Framework for RFID Applications, which was developed by industry, in collaboration with the civil society, endorsed by the Article 29 Data Protection Working Party, and signed by all key stakeholders, including the European Commission, in 2011.
It defines aspects of that framework as normative or informative procedures to enable a common European method for undertaking an RFID PIA.
It provides a standardised set of procedures for developing PIA templates, including tools compatible with the RFID PIA methodology.
In addition, it identifies the conditions that require an existing PIA to be revised, amended, or replaced by a new assessment process.

1.1   General
The scope of this European Standard is to define the requirements for a Common European Notification Signage system to be displayed by operators of RFID application systems in areas where radio frequency interrogators are deployed.
Additionally this European Standard shall define the notification procedures where RFID devices are attached to, or embedded in, items that may be purchased or used within the EU Member States.
In general, the requirement to display Common European RFID notification signs will be a consequence of a RFID Privacy Impact Assessment (PIA) undertaken by the operator to evaluate potential risks to personal privacy. Notification signage is a basic tool for mitigating identifiable risk.  
1.2   Objective
The objective of this European Standard is to provide enterprises, both large and small, with a common and accessible framework for the design and display of signs on a voluntary basis to meet Clauses 7 and 8 of EC Recommendation C (2009) 3200.
Specifically this European Standard defines:
-  which technologies shall require the signage to be displayed;
-  what type of application, including data types and association with type of person (e.g. citizen, customer, employee, etc) shall require the signage to be displayed;
-  who shall be defined as the application operator;
-  the details of data and graphics that shall be included on the signage;
-  the presentational requirements for the signage, taking account of the need
-  to balance some options for design choice;
-  for a consistent common and recognisable signage.
-  means to support accessibility.
1.3   Applicability  
This European Standard applies to all enterprises operating RFID applications in the European Union irrespective of the domicile of the operator.

This Technical Report is to assist operators of applications in areas where radio frequency interrogators are deployed, to identify the types of information that are called for in the recommendation. The Technical Report provides all the current information to assist operators to develop and publish a concise accurate and easy to understand information policy for each of their applications. The policy should at least include: - the identity and address of the operators; - the purpose of the application; - what data are to be processed by the application, in particular if personal data will be processed, and whether the location of tags will be monitored; - a summary of the privacy and data protection impact assessment; - the likely privacy risks, if any, relating to the use of tags in the application and the measures that individuals can take to mitigate these risks.

CEN/TS 16685 defines: - the details of data and graphics that shall be included on the signage; - the presentational requirements for the signage, taking account of the need: - to provide a practical solution given constraints on print technique and print area; - for a consistent common and recognizable signage; - means to support accessibility; - the structure and content of an information policy to meet the informational needs of individuals with respect to RFID privacy.

The scope of this Technical Report (TR) is to identify methodologies that are used for, or have been considered applicable to, wireless technologies. These methodologies are analyzed to identify features that are applicable to RFID. Based on the Industry RFID PIA Framework endorsed by the Article 29 Data Protection Working Party, the Technical Report focuses on proposing risk analysis methodologies suitable for the data capture area of an RFID system. This includes the RFID tag, the interrogator, the air interface protocol used for communication between them, and the communication from the interrogator to the application. The Technical Report also proposes risk management features based on the inherent capabilities of a number of RFID technologies that conform to standardized RFID air interface protocols. This should provide enough information to enable the proposed privacy control features to be applied to other RFID technologies including those with proprietary air interface protocols and tag architectures. The risk management features exclude fundamental privacy by design features because these should be the subject of revisions and enhancements to technology standards. The risk management features defined in this Technical Report are considered applicable to current and future implementations of RFID based on existing technology. As such, this Technical Report is considered as input into a standard procedure for undertaking an RFID Privacy Impact Assessment.

The scope of this Technical Report is to explore developments in the use of mobile phones as RFID interrogators. It uses as a datum the communication protocols developed for near field communication, which have a defined level of security. This Technical Report will explore known developments in the use of mobile phones as RFID interrogators including (but not limited to): - extending NFC phone capabilities to read RFID tags compliant with ISO/IEC 15693 and ISO/IEC 18000-3 Mode 1; - using mobile phones as interrogators for UHF tags based on ISO/IEC 18000-6 Type C; - the development of multi-protocol readers capable of switching between high frequency and UHF. The objective of the Technical Report is to identify specific characteristics associated with mobile phones being used as interrogators with tags that are primarily intended for other purposes. It will identify some potential threats associated with the technology. It will also identify gaps in the standardization process that might need to be addressed to mitigate against such threats. To counterbalance any negative implications, the Technical Report also identifies real and potential applications that could lead to an accelerated take-up of RFID and the Internet of Things through mobile phones being used as RFID interrogators by individual citizens and organizations.

The scope of this Technical Report is to use the RFID PIA Framework as the basis for exploring issues with four major sectors involved with RFID: - libraries; - retail; - e-Ticketing, toll roads, fee collection, events management; - banking and financial services. After specific sector research and consolidation of the results of industry workshops and seminars that take place in several EU Member States, this Technical Report will identify the characteristics that need to be taken into consideration by operators of RFID systems in the example sectors. In addition it will provide advice to operators in the sector on significant variants both in terms of technology and application data. This will enable the appropriate risk factors to be taken into account. Based on the synthesis of the applications in the chosen sectors, this Technical Report will also identify a set of factors relevant to specific RFID technologies and features that will need to be taken into account in preparing a Privacy and Data Protection Impact Assessment for many RFID applications.

The scope of the Technical Report is to consider the threats and vulnerabilities associated with specific characteristics of RFID technology in a system comprising: - the air interface protocol covering all the common frequencies; - the tag including model variants within a technology; - the interrogator features for processing the air interface; - the interrogator interface to the application. The Technical Report addresses specific RFID technologies as defined by their air interface specifications. The threats, vulnerabilities, and mitigating methods are presented as a toolkit, enabling the specific characteristics of the RFID technology being used in an application to be taken into consideration. While the focus is on specifications that are standardized, the feature analysis can also be applied to proprietary RFID technologies. This should be possible because some features are common to more than one standardized technology, and it should be possible to map these to proprietary technologies. Although this Technical Report may be used by any operator, even for a small system, the technical details are better considered by others. In particular the document should be a tool used by RFID system integrators, to improve security aspects using a privacy by design approach. As such it is also highly relevant to operators that are not SME’s, and to industry bodies representing SME members.

CEN/TR 16672 is to identify technical characteristics of particular RFID air interface protocols that need to be taken into consideration by operators of RFID systems in undertaking their privacy impact assessment. It also provides information for those operators who provide RFID-tagged items that are likely to be read by customers or other organizations. This Technical Report provides detailed privacy and security characteristics that apply to products that are compliant with specific air interface protocols, and also to variant models that comply with such standards. The Technical Report also identifies proprietary privacy and security features which have been added to tags, which are problematic of being implemented in open systems which depend on interoperability between different devices. Such proprietary solutions, whilst being technically sound, in fact impede interoperability. The gap analysis thus identified can be used to encourage greater standardization.

The scope of this Technical Report is to assess the need to develop a Technical Specification to define an interface that provides RFID system control components with low-level access to RFID interrogators for the purpose of optimising RFID data access and control operations.

1.1   General
The scope of this EN is to define the requirements for a Common European Notification Signage system to be used by operators of RFID application systems deployed within the EU Member States.
1.2   Objective
The objective of this EN is to provide enterprises, both large and small, with a common and accessible framework for the design and display of RFID notification signs.
In addition to the information placed on the sign, the framework includes the information policy - needed to answer enquiries received from individuals accessing the contact point noted on the sign itself. This minimizes the volume of information written on the sign.
This European Standard defines:
a)   the details of data and graphics that shall be included on the signage;
b)   the presentational requirements for the signage, taking account of the need;
1)   to provide a practical solution given constraints on print technique and print area;
2)   for a consistent common and recognisable signage;
c)   means to support accessibility;
d)   the structure and content of an information policy to meet the informational needs of individuals with respect to RFID privacy.
1.3   Applicability
This EN provides an application-agnostic framework which may be used by all enterprises operating RFID applications in the European Union.

This European Standard has been prepared as part of the EU RFID Mandate M/436. It is based on the Privacy and Data Protection Impact Assessment Framework for RFID Applications, which was developed by industry, in collaboration with the civil society, endorsed by Article 29, Data Protection Working Party, and signed by all key stakeholders, including the European Commission, in 2011.
It defines aspects of that framework as normative or informative procedures to enable a common European method for undertaking an RFID PIA.
It provides a standardized set of procedures for developing PIA templates, including tools compatible with the RFID PIA methodology.
In addition, it identifies the conditions that require an existing PIA to be revised, amended, or replaced by a new assessment process.

This European Standard specifies the design and use of the RFID Emblem: an easily identified visual guide that indicates the presence of radio frequency identification (RFID). It does not address location of the RFID Emblem on a label. Specific placement requirements are left to application standards developers.
It also specifies an RFID Index, which can be included in the RFID Emblem and which addresses the complication added by the wide range of RFID tags (frequency, protocol and data structure). The RFID Index is a two-character code that provides specific information about compliant tags and interrogators. Successful reading of RFID tags requires knowledge of the frequency, protocol and data structure information provided by the RFID Index.

The scope of this Technical Report is to explore developments in the use of mobile phones as RFID interrogators. It uses as a datum the communication protocols developed for near field communication, which have a defined level of security. This Technical Report will explore known developments in the use of mobile phones as RFID interrogators including (but not limited to):
—   extending NFC phone capabilities to read RFID tags compliant with ISO/IEC 15693 and ISO/IEC 18000-3 Mode 1;
—   using mobile phones as interrogators for UHF tags based on ISO/IEC 18000-6 Type C;
—   the development of multi-protocol readers capable of switching between high frequency and UHF.
The objective of the Technical Report is to identify specific characteristics associated with mobile phones being used as interrogators with tags that are primarily intended for other purposes. It will identify some potential threats associated with the technology. It will also identify gaps in the standardization process that might need to be addressed to mitigate against such threats.
To counterbalance any negative implications, the Technical Report also identifies real and potential applications that could lead to an accelerated take-up of RFID and the Internet of Things through mobile phones being used as RFID interrogators by individual citizens and organizations.

The scope of the Technical Report is to consider the threats and vulnerabilities associated with specific characteristics of RFID technology in a system comprising:
—   the air interface protocol covering all the common frequencies;
—   the tag including model variants within a technology;
—   the interrogator features for processing the air interface;
—   the interrogator interface to the application.
The Technical Report addresses specific RFID technologies as defined by their air interface specifications. The threats, vulnerabilities, and mitigating methods are presented as a toolkit, enabling the specific characteristics of the RFID technology being used in an application to be taken into consideration. While the focus is on specifications that are standardized, the feature analysis can also be applied to proprietary RFID technologies. This should be possible because some features are common to more than one standardized technology, and it should be possible to map these to proprietary technologies.
Although this Technical Report may be used by any operator, even for a small system, the technical details are better considered by others. In particular the document should be a tool used by RFID system integrators, to improve security aspects using a privacy by design approach. As such it is also highly relevant to operators that are not SME’s, and to industry bodies representing SME members.
Although this Technical Report may be used by any operator, even for a small system, the technical details are better considered by others. In particular the document should be a tool used by RFID system integrators, to improve security aspects using a privacy by design approach. As such it is also highly relevant to operators that are not SME’s, and to industry bodies representing SME members.

This Technical Specification defines:
—   the details of data and graphics that shall be included on the signage;
—   the presentational requirements for the signage, taking account of the need:
—   to provide a practical solution given constraints on print technique and print area;
—   for a consistent common and recognizable signage;
—   means to support accessibility;
—   the structure and content of an information policy to meet the informational needs of individuals with respect to RFID privacy.

This Technical Report is to assist operators of applications in areas where radio frequency interrogators are deployed, to identify the types of information that are called for in the recommendation.
The Technical Report provides all the current information to assist operators to develop and publish a concise accurate and easy to understand information policy for each of their applications.
The policy should at least include:
—   the identity and address of the operators;
—   the purpose of the application;
—   what data are to be processed by the application, in particular if personal data will be processed, and whether the location of tags will be monitored;
—   a summary of the privacy and data protection impact assessment;
—   the likely privacy risks, if any, relating to the use of tags in the application and the measures that individuals can take to mitigate these risks.

The scope of this Technical Report (TR) is to identify methodologies that are used for, or have been considered applicable to, wireless technologies. These methodologies are analyzed to identify features that are applicable to RFID.
Based on the Industry RFID PIA Framework endorsed by the Article 29 Data Protection Working Party, the Technical Report focuses on proposing risk analysis methodologies suitable for the data capture area of an RFID system. This includes the RFID tag, the interrogator, the air interface protocol used for communication between them, and the communication from the interrogator to the application.
The Technical Report also proposes risk management features based on the inherent capabilities of a number of RFID technologies that conform to standardized RFID air interface protocols. This should provide enough information to enable the proposed privacy control features to be applied to other RFID technologies including those with proprietary air interface protocols and tag architectures. The risk management features exclude fundamental privacy by design features because these should be the subject of revisions and enhancements to technology standards. The risk management features defined in this Technical Report are considered applicable to current and future implementations of RFID based on existing technology. As such, this Technical Report is considered as input into a standard procedure for undertaking an RFID Privacy Impact Assessment.

The scope of this Technical Report is to assess the need to develop a Technical Specification to define an interface that provides RFID system control components with low-level access to RFID interrogators for the purpose of optimising RFID data access and control operations.

The scope of this Technical Report is to use the RFID PIA Framework as the basis for exploring issues with four major sectors involved with RFID:
—   libraries;
—   retail;
—   e-Ticketing, toll roads, fee collection, events management;
—   banking and financial services.
After specific sector research and consolidation of the results of industry workshops and seminars that take place in several EU Member States, this Technical Report will identify the characteristics that need to be taken into consideration by operators of RFID systems in the example sectors. In addition it will provide advice to operators in the sector on significant variants both in terms of technology and application data. This will enable the appropriate risk factors to be taken into account.
Based on the synthesis of the applications in the chosen sectors, this Technical Report will also identify a set of factors relevant to specific RFID technologies and features that will need to be taken into account in preparing a Privacy and Data Protection Impact Assessment for many RFID applications.

The scope of the Technical Report is to identify technical characteristics of particular RFID air interface protocols that need to be taken into consideration by operators of RFID systems in undertaking their privacy impact assessment. It also provides information for those operators who provide RFID-tagged items that are likely to be read by customers or other organisations.
This Technical Report provides detailed privacy and security characteristics that apply to products that are compliant with specific air interface protocols, and also to variant models that comply with such standards.
The Technical Report also identifies proprietary privacy and security features which have been added to tags, which are problematic of being implemented in open systems which depend on interoperability between different devices. Such proprietary solutions, whilst being technically sound, in fact impede interoperability. The gap analysis thus identified can be used to encourage greater standardization.