California legislature considers bill to ban contactless technology from state-issued IDs
31 May, 2005
category: Biometrics, Contactless, Library
By Lauren Lowrey, Contributing Editor
The advent of a new technology often results in a backlash from opponents (or cautious skeptics) fearing (or prudently evaluating) malicious utilization (or unintended repercussions). Such is certainly the case with contactless and RFID technologies. A poignant example of this came in February when a California Senator proposed a bill barring the use of contactless or RFID technology in state-issued identity documents. Senate Bill 682, called the Identity Information Protection Act of 2005, was passed by the Senate and has been sent to the Assembly (the second legislative “house” in California) for consideration.
The intent of the legislation, as stated in the bill, is to:
“… prohibit identification documents created, mandated, purchased, or issued by various public entities from containing a contactless integrated circuit or other device that can broadcast personal information or enable personal information to be scanned remotely …”
The stated justification for this ban is that:
“the inclusion in identification documents of contactless integrated circuits or other devices that broadcast data or enable data to be scanned secretly and remotely will greatly magnify the potential risk to individual privacy, safety, and economic well-being that can occur from unauthorized interception and use of personal information. The inclusion of those devices will also make it possible for any person or entity with access to a reader to engage in the secret tracking of Californians on an unprecedented scale.”
Defining terms defines the scope of the proposed legislation
Examining the stated intent of SB 682, several concepts emerge as keys to gauging the scope of the legislation’s impact should it become law. These terms are in bold in the sentence below:
“… prohibit identification documents created, mandated, purchased, or issued by various public entities from containing a contactless integrated circuit or other device that can broadcast personal information or enable personal information to be scanned remotely …”
While the legislation attempts to define these terms, there are significant holes and vagaries in the definitions.
“Contactless integrated circuit,” according to the bill, is described as “a data carrying unit, such as an integrated circuit or computer chip that can be read remotely.” However, the additional phrase “or other device” seems to expand the impact beyond what the industry defines as true ‘contactless’ technologies.
“Identification document” is defined as “any document containing personal information that an individual uses alone or in conjunction with any other information to establish his or her identity. Identification documents specifically include, but are not limited to, the following:
- Driver’s licenses or identification cards.
- Identification cards for employees or contractors.
- Identification cards issued by educational institutions.
- Health insurance or benefit cards.
- Benefit cards issued in conjunction with any government-supported aid program.
- Licenses, certificates, registration, or other means to engage in a business or profession regulated by the California Business and Professions Code.
- Library cards issued by any public library.”
“Personal information,” as defined, “includes any of the following: an individual’s name, address, telephone number, e-mail address, date of birth, race, religion, ethnicity, nationality, photograph, fingerprint or other biometric identification, social security number, or any other unique personal identifier or number.”
Obvious questions emerge upon reading the definitions. Are keyfobs, proximity cards, cell phones (when used for identification applications), or wireless network cards impacted under the proposed legislation? Certainly, government agencies provide laptop computers with wireless cards to employees, and one intention of a wireless card is to identify the specific individual via a unique identifier.
Does a contactless card with a simple unique ID number really put the individual at risk? In an access control environment, that unique ID number is merely a reference pointer to associate the token with a set of assigned privileges. A compromised number is essentially meaningless without access to the database, and if access to the database can be obtained then the single reference ID number is of little use to the perpetrator – they would have access to all records.
Changes made to the original bill’s language
A number of changes were made to the bill’s original language prior to its passage by the Senate. The most significant seems to be the addition of a series of exceptions to the contactless ban. The revised language grants exceptions for certain applications where, it would seem, the lawmakers thought contactless technology’s benefits outweighed its threats to personal privacy.
1798.10. No identification document created, mandated, purchased, or issued by a state, county, or municipal government, or subdivision or agency thereof shall contain a contactless integrated circuit or other device that can broadcast personal information or enable personal information to be scanned remotely, except as follows:
(a) The identification document is to be used on a toll road or bridge for the specific purpose of collecting funds for the use of that road or bridge, such as FastTrak.
(b) The identification document is to be given to a person who is incarcerated in the state prison or a county jail, or housed in a mental health facility, pursuant to a court order after having been charged with a crime, or to a person pursuant to court-ordered electronic monitoring.
(c) The identification document is to be given to a child four years of age or younger who is in the custodial care of a government-operated hospital, clinic, or other medical facility.
(d) The identification document is part of a contactless integrated system used by a state, county, or municipal government, or subdivision or agency thereof that is operational and in use no later than December 31, 2005.
(e) The Legislature determines through legislation that an exception allowing the inclusion of a contactless integrated circuit or other device is necessary to meet a compelling state interest and that there exists no means less intrusive to the individual's privacy and security that would achieve that compelling state interest.
What happens next?
If the bill passes the Assembly, it would go directly to the governor for signature. If amended by the Assembly, it would return to the Senate for concurrence. If it is not passed or amended, it will die. Should the bill pass both houses, either in its current state or in an amended fashion, the governor has three options: He can sign the bill into law, allow it to become law without his signature, or veto it.
It is certainly not an easy process to pass a bill into law in California or any other state. Many more bills fail than succeed, and SB 682 must clear a number of significant hurdles to reach the Governor’s desk. But whether it ultimately passes or not, it is a significant bellwether of the mood, at least in one population subsection. Whether you think of them as modern-day Luddites, fear mongers, or the voice of sanity in a technology-crazed world, the lobby against contactless and RFID technologies is a viable force that is holding its own in, if not winning, the battle.