Radio-frequency identification (RFID) technology constitutes an important part of what has become known as the Internet of Things (IoT), that is, accessible and interconnected machines and everyday objects that form a dynamic and complex environment. To secure the IoT in a cost-efficient manner, we need to build security and privacy into the design of its components. Moreover, mechanisms should be constructed that will allow both individuals and organizations to actively manage their “things” and information in an environment that is in constant flux. The contributions of this paper are twofold. First, we discuss the use of security and privacy policies that can offer fine-grained and context-aware information control in RFID systems. Second, we propose a novel secure and privacy-preserving tag management protocol that can support such policies. Our protocol has a modular design that allows it to support a set of desirable management operations (viz. tag authentication, delegation, and ownership transfer) while imposing minimal hardware and computational requirements on the tag side. Furthermore, inspired by the European Network and Information Security Agency's Flying 2.0 study, we describe a near-future air travel scenario to further explain and demonstrate the inner workings of our proposal. Copyright © 2011 John Wiley & Sons, Ltd.