A Compromise on the California RFID Bill

By Mark Roberti

The best course of action would be for the bill to be shelved and for the RFID industry to address concerns about using RFID transponders in government-issued documents.

  • TAGS

Senator Joe Simitian (D-Palo Alto) has revised the bill he originally authored and introduced to the California State Senate—the Identity Information Protection Act—to reduce restrictions on the use of radio frequency identification transponders in government-issued identity documents (see Calif. Bill Allows RFID in More Ids). While the amendments are a step in the right direction, the RFID industry continues to oppose the bill. The right course of action, in my view, would be for the senator to agree to shelve his bill if the industry agrees to fund an objective study of the potential threats of using RFID in identity cards, and propose countermeasures and best practices to ensure that RFID transponders can be used safely in government-issued identity documents.

Simitian’s bill would ban the use of RFID in driver’s licenses, student IDs, government health and benefit cards and public library cards. It would require other government-issued identity documents using RFID to incorporate the highest level of RFID encryption, and to utilize at least one of three available solution to prevent someone from reading the tag without authorization (known as “skimming”). One solution is to require anyone wishing to read the data on the RFID tag first to scan a bar code with a unique number used in an algorithm that unlocks the encrypted data on the RFID chip. Another option is a switch the document holder uses to activate and deactivate the RFID device. And the third is a shield that prevents the tag from being read without permission. The bill also imposes a $5,000 fine for skimming.

The senator says the fundamental issue is whether the government should compel people to carry around tags that could be used to identify them. His two main concerns are that the government might use RFID transponders in identity documents to track people, and that the IDs could put the personal safety and financial security of citizens at risk by giving criminals the means to identify them.

The RFID industry opposes the bill mainly because of the blanket ban on the use of RFID. Trade associations, including the American Electronics Association and AIM Global, have teamed with several leading RFID vendors, such as Oracle, Philips Semiconductors, Symbol Technologies and Texas Instruments, to form the High-Tech Trust Coalition to try to block the bill.

In a letter to Simitian, dated June 16, 2005, the coalition rightly points out that RFID cards reduce costs to governments and have security features unmatched by other technologies. The letter goes on to say the revised bill “still embraces false fears and misrepresentations of fact to impose a ban against a technology proven both secure and reliable.” The letter adds that “by using a combination of powerful encryption, unique access keys and strong authentication protocols, coupled with a strong commitment to best practices, securing important information from prying eyes will be increased in very real and very substantial ways” with RFID.

I think the coalition is right to oppose a blanket ban on the use of RFID in certain documents. If passed into law, Simitian’s bill would send a signal that RFID is a potentially threatening technology, and that there’s no way to prevent its abuse other than to ban it. If this happens, it’s likely state legislators in the United States and potentially other elected representatives around the world will decide to follow California’s lead—and it’s not farfetched to think that a ban on RFID transponders in government identity documents could lead to a ban on RFID payment cards and other potentially beneficial applications.

On the other hand, I agree with Simitian when he says the RFID industry “would be well advised that there are both technical issues and policy issues that should be solved before we march ahead with using RFID in government documents.” He points out that if RFID were to be used in driver’s licenses or some other broad application and a major problem were to occur, there would be a backlash against the RFID industry—something none of us wants to see.

In fact, the industry has been grappling with the issue of privacy for more than two years now, and not just because some opponents of RFID are trying to scare people away from using RFID. Schools and other organizations interested in adopting the technology have not always addressed concerns by educating the public about what RFID can and can’t do and about security features—for example, the encryption used in global standards, such as ISO 14443.

The California Senate passed the bill by a vote of 29-7 in May (see Calif. Senate Approves RFID Bill). It has cleared the assembly’s judiciary committee and needs to be approved by the appropriations committee. A floor vote could be taken in late August or early September. Simitian says he’s not sure what the prospects are for passage.

Frankly, I do not think the RFID industry can afford to let the bill pass. There are two courses of action to stalling this bill: opponents can either lobby hard to kill it, or ask Simitian to withdraw it. Unfortunately, it would get very expensive and waste industry resources to fight every bill ever dreamed up by elected representatives. Therefore, I think the better course of action is to ask the senator to withdraw the bill.

The senator told RFID Journal that he’s open to compromise, so here’s the compromise: The industry will fund an independent study of the potential threats posed by RFID transponders in government-issued documents and potential measures to block those threats. The group making the study would have to be approved by the industry and by Simitian (I’m thinking of McKinsey & Co., or perhaps another company that can study not just the technology, but also the business and policy implications).

Vendors and even end user organizations, such as EPCglobal US, would benefit from paying for a study like this. Any intelligent study is likely to determine that the risk to the public with a properly implemented RFID card program and accompanying privacy best practices is too small to justify a blanket ban on the technology. An independent study could also help the RFID industry and end users avoid a pubic relations disaster caused by implementing the technology improperly. And it could make companies and government agencies more comfortable about deploying RFID technologies, which would foster market growth.

I would point out that California is not planning to put RFID tags in driver’s licenses and other ID documents, so Simitian’s bill, however well-intentioned, aims to use aggressive measures to solve a problem that doesn’t yet exist. It’s up to the RFID industry to make sure this hypothetical danger—the use of RFID cards to infringe on privacy—doesn’t arise. At this stage, it’s more an issue of education than technology (technological protections already exist). An intelligent, objective study could go a long way toward educating the public, elected representatives and end users about what RFID can and can’t do, and how it should and should not be implemented.

Mark Roberti is the founder and editor of RFID Journal. If you would like to comment on this article, click on the link below.