RFID Needs Improved Security, Not Just Privacy Protection
Dear LIS professionals,

I came across a finding of the 'Security and Privacy Team meeting' of May 2006 on RFID security issues. I thought to share it for your information.

"A working group headed by the Center for Democracy and Technology (CDT) has developed privacy protection guidelines for radio frequency identification (RFID) deployments. Stakeholders in the RFID industry, including technology developers, manufacturers, retailers and financial security providers, should work to make security an equally important concern.

The CDT working group has released RFID deployment guidelines that address key privacy concerns, detailing how consumer data obtained using RFID technology should be handled and what notification and consent rights consumers should have. These guidelines are a positive development that will help to overcome privacy concerns that will drive market and government resistance to RFID technologies. But ensuring the security of RFID deployments is at least equally important. Guidelines for the security features required in RFID tag production and reader systems are required, as well as industry commitment to security testing of all RFID software prior to deployment. This should be done by YE07 and should be mandatory before any expansion of the RFID data field standards is approved.

The CDT working group or some other industry organization should work to develop comparable guidelines designed to ensure that adequate security is built into RFID tags and reader systems from the beginning of product development. Gartner recommends that the starting point be a protection profile for Common Criteria security testing, which could be completed and approved by YE07. Enterprises deploying RFID technologies should demand proof of compliance with such standards, because most privacy failures (such as large-scale identity thefts) result from security weaknesses.

The CDT's privacy guidelines are a useful step toward protecting the privacy rights of consumers whose personal information is collected using RFID technologies and toward encouraging adoption of RFID. But the guidelines are not enough, as they address security issues only tangentially. The RFID industry must also improve its security measures to prevent vulnerabilities that would enable attacks."

With regards
P K Upadhyay
NIC Library, Delhi
http://mcitconsortium.nic.in