By Mary Catherine O'Connor
Aug. 23, 2006—Eleven months ago, California Senate Bill 682—otherwise known as the Identity Information Protection Act of 2005—stalled on the Assembly floor and was placed under another bill, SB 768. Because it placed a three-year moratorium on the use of RFID technology in driver's licenses, student IDs and a long list of other state-issued identification documents, the bill had raised the hackles of RFID industry representatives, as well as the hopes of privacy advocates concerned that misuse of the technology could lead to civil-rights abuses through the surveillance or tracking of citizens (see Calif. RFID Bill Assumes New Identity).
On Monday, a newly amended SB 768 was approved by the full Assembly in a 49-to-26 vote. It now goes back to the Senate for a concurrence vote, because it has been amended since the Senate last approved it. If the Senate passes the current bill, which could be heard either this Friday or early next week, it will be sent to Governor Schwarzenegger for his approval into law.
The most significant of the bill's most recent amendments is the removal of the three-year moratorium. An amendment would also require the California Research Bureau (CRB) to submit to the legislature a report on security and privacy for government-issued "remotely readable identification documents," and to create an advisory board composed of government officials and representatives from industry and privacy-rights organizations. The board would provide recommendations and technical advice to the CRB as it prepares the report, which is due June 30, 2007.
SB 768 now lists a number of interim rules any state and local governmental entity would need to follow when deploying RFID in identity documents. According to the amended bill, the interim rules should be replaced by a "statewide legislative or regulatory framework in the most timely and expeditious fashion possible following the issuance of recommendations by the California Research Bureau."
Although the bill spells out certain exemptions, the interim rules would place security measures on RFID identity cards such as those used for tracking school attendance, or for paying mass transit fares. The rules call for the incorporation of tamper-resistant authentication tools in order to prevent duplication, forgery or cloning of the ID. Mutual authentication between the interrogator and tag embedded in the ID would be required if any personally identifiable information—such as an individual's picture, Social Security number or name—is transmitted between the tag and reader. The IDs would also need to employ encryption or some other method of making such information unreadable or unusable by an unauthorized person, as well as offer an on/off switch or similar means of giving the ID holder direct control over any data transmission. If the identity documents transmit merely a unique number but not personally identifiable information, their issuers would need to follow less stringent security guidelines. The interim rules would also require the issuing entity of the RFID-enabled IDs to inform individuals about the technology and how it is being used.