Distinguishing Between Security and Privacy Issues


Although the terms security and privacy are often used interchangeably, it is important to understand the distinction between the two as illustrated in Figure 10.1. This will help you devise an effective plan to address the issues surrounding security and privacy in your application.

Figure 10.1. Distinguishing Between Privacy and Security


Security concerns revolve around vulnerabilities and solutions for protecting confidential data from unauthorized access and manipulation. Data about people, corporations, and objects that has been deemed confidential should be subject to protection and safekeeping. Deliberate security breaches involve the theft and use of such data by a third party for profit, mischief, or malice. Although privacy violations can happen because of security breaches, our treatment of privacy in this chapter has a different focus, described next.

Our focus here on privacy issues is the potential misuse of data by authorized users, which leads to violation and invasion of individual or business privacy. In relation to RFID technology, hotly contested topics around privacy do not relate to security, per se. Instead, they primarily relate to the authorized collection of personal data that could potentially be misused or abused by authorities. In the United States, the oft-repeated Orwellian motif, "Big Brother is watching you," reflects concern that the same entities responsible for collecting and managing data about a population (for providing valuable services to it) may be using that data for activities such as surveillance, monitoring, tracking, and profiling of citizens. This concern applies as well to seemingly less-intrusive acts of "targeted selling" (that is, tracking consumer-spending habits to aim specific advertising at unwitting consumers).

We note that although individual privacy concerns are more often discussed and debated publicly, business enterprises are also concerned with breaches of security that result in unauthorized access and possible manipulation of private or confidential corporate data. For example, in a supply chain RFID application where RFID tags are used to track inventory of products, a business partner who accesses confidential inventory data or tracks the movement of inventory by accessing the tag data, with or without authorization, compromises certain corporate data and possibly hampers that corporation's capability to negotiate better prices with its suppliers or customers.

In the next sections, we point to areas of security vulnerabilities, assess risks for enterprises and consumers, and outline a range of possible solutions. We conclude with a discussion of RFID-related privacy issues and offer a set of best practices that help address these issues.



RFID Field Guide: Deploying Radio Frequency Identification Systems
ISBN: 0131853554
EAN: 2147483647
Year: 2006
Pages: 112
