
Graduate student: 辜任廷
Jen-Ting Ku
Thesis title: 一個兼顧資訊透明與落實之 RFID 應用隱私權政策撰寫指引
A Guideline to Establish RFID Applications Privacy Policies Considering Openness and Enforcement
Advisor: 查士朝
Shi-Cho Cha
Committee members: 羅乃維
Nai-Wei Lo
周子銓
Tzu-Chuan Chou
Degree: Master's
Master
Department: College of Management - Department of Information Management
Department of Information Management
Year of publication: 2010
Graduation academic year: 98
Language: Chinese
Number of pages: 72
Chinese keywords: personal data protection, privacy, radio-frequency identification
English keywords: RFID, Personal Data Protection, Privacy
In recent years, RFID application technology has matured and its areas of use have become increasingly diverse, which in turn has drawn attention in many countries to the protection of personal data privacy. In response to the personal data privacy and security threats posed by RFID application systems, many consumer protection groups and government organizations have proposed implementation principles and regulations for RFID privacy, requiring RFID application system providers to disclose their RFID privacy policies. However, these principles and regulations mostly describe the content an RFID privacy policy should cover; few address how such a policy should be established.
    This study therefore proposes a systematic framework to help RFID application system providers establish RFID privacy policies. Following the framework, a provider can clearly state in its RFID privacy policy the measures it has adopted, and on that basis explain to users the purposes for which personal data are collected and used as well as the related security safeguards; in addition, the provider can use the policy to demonstrate to an impartial third party that it has actually been enforced as written.
    As more and more countries begin to require RFID application system providers to disclose their privacy policies, this study can help those countries develop guidelines and principles that assist providers in establishing privacy policies for their RFID application systems.


With advances in RFID technologies, the privacy and personal data security of RFID applications have come into the spotlight in recent years. In response to the threats to personal data and security posed by RFID application systems, many consumer protection groups and authorities in different countries have proposed guidelines and regulations for RFID privacy. These guidelines usually ask RFID application providers to disclose their privacy policies. Although several guidelines discuss the major components of privacy policies, few address how RFID application providers should establish them.
    This article proposes a systematic scheme to support RFID application providers in establishing RFID privacy policies. Based on the scheme, RFID application providers can clarify, step by step, the privacy practices of their implemented applications in their RFID privacy policies. Providers can also use these policies to communicate to users of the applications the purposes for which personal data are collected and used, and the related security safeguards. Moreover, providers can present evidence to third parties trusted by both the providers and the users to confirm that the policies are enforced.
    As more and more countries move to require RFID application providers to disclose their privacy policies, this study can help those countries develop guidelines and regulations for RFID application providers to establish privacy policies for their applications.

Table of contents (page numbers refer to the thesis):
Abstract (Chinese) I
Abstract II
Acknowledgements III
Contents IV
List of Figures VI
List of Tables VII
Chapter 1 Introduction 1
1.1 Research background and motivation 1
1.2 Research objectives and contributions 2
1.3 Chapter overview 3
Chapter 2 Literature review 5
2.1 Information privacy 5
2.2 Personal data protection principles and regulations 7
2.2.1 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data 7
2.2.2 Data Protection Directive 8
2.2.3 International Safe Harbor Privacy Principles 9
2.3 RFID privacy protection principles and regulations 10
2.3.1 Fair information practice principles for RFID technology 11
2.3.2 RFID Right to Know Act of 2003 12
2.3.3 Guidelines for use of RFID by consumers and private enterprises 13
2.3.4 Guidelines for privacy protection with regard to RFID tags 15
2.3.5 Privacy best practices for deployment of RFID technology 17
2.3.6 Guidelines for securing RFID systems 18
2.3.7 Recommendation on implementing privacy and data protection principles in RFID applications 20
2.4 Cookies and website privacy policies 21
2.4.1 Cookies 21
2.4.2 Website privacy policies 22
Chapter 3 Research method 25
3.1 Research process 25
3.2 Research framework 25
Chapter 4 RFID privacy policy writing process 27
4.1 Definitions of terms 27
4.2 Content an RFID application privacy policy should cover 27
4.3 Overview of the writing steps 30
4.4 RFID privacy policy writing process 32
4.4.1 Scope of the RFID application 32
4.4.2 Type of RFID technology 35
4.4.3 Collection and purposes of personal data 38
4.4.4 Security statement 43
4.4.5 Information sharing 44
4.4.6 Risk assessment 46
4.4.7 Data access and withdrawal of consent 51
4.4.8 Complaint and dispute handling process 53
4.4.9 Compilation of the RFID privacy policy 54
Chapter 5 Results and discussion 58
5.1 Revisions to and explanation of the RFID privacy policy writing guideline 58
5.2 Audiences and content of RFID privacy policy disclosure 63
5.3 Plan for integrating and evaluating RFID to enhance campus security 65
Chapter 6 Conclusions and recommendations 67
References 69
Appendix A: Summary of expert interviews 72


Full text available from 2012/07/21 (campus network)
Full text not authorized for public access (off-campus network)
Full text not authorized for public access (National Central Library: Taiwan thesis system)