California RFID ban shelved, awaiting next round in the New Year
01 November, 2005
category: Contactless, Government, Library
By Marisa Torrieri
Contributing Editor, AVISIAN Publications
Those waiting for the ‘California Gold Rush’ to RFID and contactless-enabled ID cards will have to cross their fingers and sit tight. Come January 1, a new bill barring wireless identification technology in government-issued IDs, authored by California Senator Joe Simitian (D-Palo Alto) will hit the state’s legislative floor. Should the bill pass, it would place a three-year moratorium on the use of RFID (and related technologies such as contactless smart cards) in driver licenses, K-12 ID cards, library cards, and health cards. Additionally, it would require costly and according to some, less-than-necessary, security additions to all cards.
These include encryption and mutual authentication techniques for all cards whether they include any personal data or simply a unique ID number. Additionally, the use of a shield to protect against unintended access is likely. Finally, it would restrict the expansion – both in terms of new populations and new applications – of any existing government RFID project.
The Identity Information Protection Act of 2005 is co-sponsored by the ACLU (American Civil Liberties Union) and the EFF (Electronic Frontier Foundation).
Should the bill pass, many in the ID card space may have to wait at least three years before the fruits of their labor can flourish. The moratorium is intended for chip-based wire- less technology to be studied more carefully before vendors can market such cards to California government agencies, according to reports.
But critics call it reactionary and unfounded. “Don’t ban technology, ban bad behavior,” said Marc-Anthony Signorino, director and counsel of technology policy for the AeA (formerly the American Electronics Association). “That’s always been our mantra.”
What’s worse, from the perspective of industry, is that a three-year ban could mean the loss millions of dollars – and not just from government contracts. Technologists who already invested in R&D may be forced to scratch current designs to incorporate mandated, higher-security chips and readers. Such technology is much more costly to produce and could raise the cost of a card from $1 to at least $7 each, says Mr. Signorino.
More importantly, the higher security and cost is considered unnecessary by many observers – at least for basic functions such as simple access control. Throughout the country and the world, millions of contactless smart cards and other wireless-communication IDs have been used safely and effectively.
The legislation as it stands today
Today’s Identity Information Protection Act looks nothing like the original. It’s gone through several revisions, most recently, a legislative process referred to as “gutting.” This gutting has allowed sponsors to get the bill the equivalent of a VIP pass to the California legislative floor on Jan. 1. The gutting process has stripped the contents of what was formerly SB 682 (Senator Simitian’s original bill) and dumped into another non-technology bill that had already been slated for review. Ironically, the gutted bill dealt not with RFID but fish (the “Marine Finfish Aquaculture Bill”). So come January, SB 768 will be the new number to watch.
Despite this clever maneuvering, Mr. Signorino says he is confident the bill – as it stands now – will not pass because it is flawed in several ways. For one, it puts a negative stigma on technology, and tells the public that it is not secure. In addition, it bans technology that could truly help consumers.
The AeA has offered to work out a mutual solution with Mr. Simitian’s staff, which would include recommending best practices for companies and the government organizations. For example, such best practices might include rules to protect consumers (i.e., requiring an agency to ensure that a card has high enough security to guard against hacking).
Companies most affected by the bill’s passing are certainly nervous about its passage and are working to convince state government officials of the merits of wireless identification technology. According to Christoph Liedtke, a spokesman for smartcard/contactless card manufacturer Infineon Technologies, the key is to educate the parties that there is significant difference between the less-secure RFID that is used to track goods shipped to Wal-Mart and the chip technology intended for ID cards.
“What we are talking about when we’re talking about contactless technology is an extremely secure technology, that stores encrypted information on a chip,” says Mr. Liedtke. “It’s a much safer technology than the existing magnetic stripe.”
The general industry perception seems to be that while it is always good to evaluate the potential impacts of a technology, it is not wise to react based on fear. As Mr. Liedtke points out, “it’s the skimming and eavesdropping that (many) fear. We share the concern of privacy – but don’t share concern that existing technology is insecure.”
But supporters of the bill, say arguments like Mr. Liedtke’s are just plain old propaganda.
“In a 12-step program, one of the first things you have to do is go from denial to acceptance that you have a problem,” says Lee Tien, senior staff attorney for bill co-sponsor EFF. “The RFID industry is still in denial.”
Mr. Tien says companies in the ID card space need to show that they are concerned about privacy, and willing to employ technology in a socially responsible way, for example, by working on pilots and improving their designs so the technology is more “privacy protected.”
Mr. Tien also said he is skeptical of the much higher cost per card of deploying such technology. “I would like to see what those numbers are based on,” says Mr. Tien, adding that, “when you do something in volume, the cost goes down.”
For now, California is the only state that is pushing for such a bill, says Mr. Signorino. But because of its sheer size, a ban on RFID and similar technologies would be a sweeping loss. According to Mr. Signoroino, in the state of California, 23 million people have driver licenses; 3.5 million have identification cards, and that is just the tip of the iceberg.
“Right now we’re trying to build up education, working with different legislators,” Mr. Signorino says, “letting them know what should be done to protect consumers’ privacy.”