Fans and Foes of SB 768 still trying to work on a compromise in latest version
By Marisa Torrieri, Contributing Editor
The California RFID bill hailed by privacy advocates but feared by the tech industry is undergoing major revisions as both sides try to work out differences before the end of the legislative session in August, when the bill would expire.
SB 768, “The Identity Information Protection Act of 2005,” co-sponsored by the ACLU (American Civil Liberties Union) and the EFF (Electronic Frontier Foundation), is far from finished. Voting on the bill, formerly known as SB 628, has been delayed since August while lawmakers and RFID supporters continue to wrestle over its contents.
At a recent conference with RFID industry professionals, the bill’s primary author, Sen. Joe Simitian [D-Palo Alto], said that his top concern is to protect the privacy of individuals. Most of the bill is devoted to security measures that government agencies should take when they implement the technology in state and local government IDs (such as minimal data elements, authentication security, and affirmative consent).
The portion of the bill causing significant commotion is a three-year moratorium for chip-based wireless technology to be studied more carefully before it is used in government-issued state ID cards (such as driver licenses). Mr. Simitian notes, however, that the bill completely permits the use of chip-based wireless technology in every single government-issued identification document one can think of except for four highly sensitive, mass-distributed IDs.
At the center of the debate, says Mr. Simitian, is the issue, “Should state and local governments be in a position to compel citizens to carry documents that broadcast their personal information?”
During that proposed three-year waiting period, Mr. Simitian says the technology will be studied, and ethical issues regarding the use of RFID will be debated.
The senator’s intentions, via SB 768, are to criminalize bad behavior (such as skimming), to make sure government-issued IDs have security or privacy elements in place (such as unique identification numbers instead of a person’s Social Security number or other personal information), and to make sure that government-issued IDs can only be read by authorized readers.
“The bill’s been amended half a dozen times,” Mr. Simitian told ContactlessNews, noting that the latest version took industry’s concerns into account. “I feel that I’ve made some pretty dramatic accommodations.”
Meanwhile, longstanding opponents of the bill – RFID manufacturers and associations like the AeA (formerly the American Electronics Association) – contend that SB 768 will severely slow the growth of RFID. This, in turn, could hurt companies that produce the technology and hope to contract with the government, Marc-Anthony Signorino, director and counsel of technology policy for the AeA, said in a November interview.
The industry’s response to Sen. Simitian’s latest stance
The good news for RFID industry folks, says Mr. Simitian, is that the bill does not apply at all to private sector uses, nor does it apply to the vast number of uses in the public sector.
“It’s only this narrow slice of mass distribution documents,” he says.
Although current California law prohibits unauthorized electronic tracking except by law-enforcement agencies, it doesn’t prohibit skimming a person’s RFID-embedded government ID (or, for example, skimming the ID of everyone at an anti-war rally or gun show and compiling a list of all those who attended).
At a recent conference sponsored by HID Corporation, manufacturer of contactless access control cards and readers for the security industry, Mr. Simitian attempted to assuage industry fears. As a panelist for the “RFID & Privacy in the Information Age” forum in Sacramento, Mr. Simitian reiterated his support for the technology to 65 or so attendees, and tried to explain the motives behind his bill.
“I thought we made a little progress,” Mr. Simitian said. “Some of the room seemed open to the possibility of finding common ground.”
But rethinking or shortening the bill’s three-year moratorium clause is not likely: Mr. Simitian told ContactlessNews that he thinks it is a reasonable amount of time to study and debate the technology’s presence in government IDs.
Other areas of concern …
Until the federal government defines the specifics of its Real ID Act, which could possibly incorporate RFID into certain documents such as driver licenses in an effort to bolster homeland security, it is unclear how SB 768 and Real ID might coexist.
Should the state of California have its own privacy law in place, it could be exempt from the federal Real ID Act of 2005, says Nicholas Chavez, the president of RFID Ltd., a public RFID consulting firm. Thus, California would become the preferred entry point for terrorists.
“You’re talking about a giant leaking point for terrorism and immigration on the California-Mexico border,” he says.
Additionally, today’s IDs are much easier to duplicate than ever before via advanced desktop publishing software, Mr. Chavez says.
“The encryption inherent in RFID-enabled ID cards would help prevent counterfeit cards better than the holograms and watermarks used on state ID cards and driver’s licenses today,” Mr. Chavez says. “Encoding an RFID chip with the proper information, in the proper sequence and subsequently encrypting it provides an identification system that is next to impossible for counterfeiters to crack.”
As technology evolves, consumers are becoming more concerned about privacy issues, says HID Executive Vice President Debra Spitler.
“Naturally, consumers are concerned about their privacy as the digital world becomes more pervasive,” says Ms. Spitler. “However, RFID and many other technologies are actually making personal information more secure. Greater public understanding of this, as well as responsible and necessary privacy policies, will go a long way to dissipating these concerns.”