Calif. Gov Terminates RFID ID Bill

By Mary Catherine O'Connor

Senator Simitian, author of the state's Identity Information Protection Act, plans to reintroduce the bill next year.

On Saturday, California Governor Arnold Schwarzenegger vetoed SB 768, the Identity Information Protection Act of 2006, which would have been the first state bill to address how RFID technology may be used in identification documents issued by state and local governments and agencies.

Before passing through both houses earlier this year, the bill, written by California State Senator Joe Simitian (D), had gone through a couple of significant amendments. These included a downgrade from a moratorium on the use of the technology to a set of interim, security-based conditions users would need to meet. It was then sent to the governor's office on Sept. 7 after the California Senate approved it in a 30-to-7 vote.


In a statement, the governor called the bill premature, saying it could make it more difficult for law-enforcement officers to "impose requirements in California that would contradict the federal mandates soon to be issued," referring to the Real ID Act, which President Bush passed last year to establish a federally approved ID card that would be electronically readable. RFID technology may be used in these cards, though a decision to do so has yet to be made. The governor's concerns echo those related in letters presented to him within the past six weeks from a number of California law-enforcement agencies. These letters also claim the law-enforcement agencies were not "seriously consulted" about the bill.

"We had reached out to law enforcement over a year ago," Simitian says, "so I think law-enforcement's reaction [to the bill's passage through the legislature] was unfortunate and inaccurate." He added that the bill had been part of a "vigorous, two-year debate," and that people concerned with the bill could have expressed their concern during that time.

As for how the Real ID Act would have impacted SB 768 had the governor signed it into law, Simitian said California would most likely be obliged to follow the federal government's lead on a national ID card. The bill, however, would still have provided regulations on how RFID would be used in state-issued IDs not impacted by Real ID Act regulations.

The security rules had a sunset date of Dec. 31, 2012, and were designed to be put in place while the California Research Bureau (CRB) would have conducted a research study into the use of RFID in government-issued "remotely readable identification documents," as well as the security and privacy implications of the technology's use. The CRB would have also called for an advisory board composed of government officials and representatives from industry and privacy-rights organizations. This board would have advised it on the technology and its application in identity documents—everything from driver's licenses to library cards.

The security rules called for the incorporation of tamper-resistant authentication tools to prevent duplication, forgery or cloning of the ID. Mutual authentication between the interrogator and tag embedded in the ID would have been required if any personally identifiable information—such as an individual's picture, Social Security number or name—were transmitted between the tag and reader. The IDs would have also needed to employ encryption or some other method of making such information unreadable or unusable by an unauthorized person, as well as offer an on/off switch or similar means of giving the ID holder direct control over any data transmission.

In vetoing the bill, Schwarzenegger said it could "inhibit various state agencies from procuring technology that could enhance and streamline operations, reduce expenses and improve customer service to the public, and may unnecessarily restrict state agencies."

Roxanne Gould, a senior vice president of government and public affairs for the American Electronics Association (AEA) and a spokesperson for the High-Tech Trust Coalition, said she anticipates that Sen. Simitian will reintroduce the bill in January. The coalition levied strong opposition against earlier versions of the bill, but removed its opposition to the final bill. Gould says the bill "gives us [the High-Tech Trust Coalition] more time to really look through the bill that was sent to the governor and see what further refinements need to be made before it's reintroduced."

"We need to talk to the governor's office and get some more perspective on why he vetoed the bill," says Simitian, "and talk to folks in the [RFID] industry. We worked with representatives from the Information Technology Association of America (ITAA) and the AEA to try to craft a bill they could live with," he adds, "but apparently, that wasn't enough."

While both the ITAA and the AEA removed or neutralized their opposition to the bill before it was sent to the governor, not all industry groups followed suit. The Security Industry Association (SIA), based in Alexandria, Virginia, asked Schwarzenegger to veto the bill. The group supported the bill's call for a comprehensive study by the California Research Bureau, but opposed its call for interim protocols regarding how RFID would be deployed during the study period. The SIA felt the interim rules would make it more difficult for law-enforcement officials to protect Californians, because they would require state agencies to make public the location of all RFID readers and hamper the ability of those agencies to reveal the location of some individuals to emergency first-responder units.

Lee Tien, senior staff attorney with the Electronic Frontier Foundation (EFF), a privacy-rights advocacy group supporting SB 768, said the EFF and the other bill sponsors "worked hard to address industry concerns over the life of the bill." He thinks the withdrawal of opposition from the AEA was significant in that it showed both sides of the issue were committed to a compromise. "You can't satisfy everyone," he says. "We gave up things that we would have preferred not to give up—but at the same time, there was an understanding that there are security and privacy issues raised by RFID, and both sides are making an effort to take positive steps to address them."

As for whether the bill's sponsors should revise the bill before submitting it next year, Tien says he's not sure its language is the reason it didn't pass. "I think there were some misunderstandings on what the bill would do," he states.