Privacy Issues of Applying RFID in Retail Industry

Retail industry poses typical enterprise computing challenges, since a retailer normally deals with multiple parties that belong to different organizations (i.e., suppliers, manufacturers, distributors, end consumers). Capable of enabling retailers to effectively and efficiently manage merchandise transferring among various parties, Radio Frequency Identification (RFID) is an emerging technology that potentially could revolutionize the way retailers do business. With the dramatic price drop of RFID tags, it is possible that RFID could be applied to each item sold by a retailer. However, RFID technology poses critical privacy challenges. If not properly used, the data stored in RFID could be abused and, thus, cause privacy concerns for end consumers. In this article, we first analyze the potential privacy issue of RFID utilization. Then we propose a privacy authorization model that aims to precisely define comprehensive RFID privacy policies. Extended from the role-based access control model, our privacy authorization model ensures the special needs of RFID-related privacy protection. These policies are designed from the perspective of end consumers, whose privacy rights potentially could be violated. Finally, we explore the feasibility of applying Enterprise Privacy Authorization Language (EPAL) as the vehicle for specifying RFID-related privacy rules.