Calif. RFID Bill Assumes New Identity

By Mary Catherine O'Connor

Senator Simitian’s RFID privacy bill, now SB 768, will move to the full California State Assembly for consideration next year.

  • TAGS

After the California State Assembly‘s appropriations committee failed to vote on California Senate Bill 682—otherwise known as the Identity Information Protection Act of 2005, just two weeks before the end of the legislative season, the bill seemed destined to stall in the assembly’s appropriations committee until next year. But in the eleventh hour, Joe Simitian, the Democratic state senator who authored the bill, met with Assemblywoman Judy Chu, chair of the appropriations committee, and her staff, persuading her to move the bill to the full assembly.

Since the appropriations committee had already held its final vote of the season, Chu moved SB 682, in its entirety and with no changes, into SB 768, an aquaculture bill Simitian had also authored. In the process, she deleted SB 768’s original text. The appropriations committee had aready voted SB 768 onto the assembly floor in August, and the full assembly approved this change to it on Sept. 2, through a majority vote. A spokesperson for Simitian says the aquacultural legislation removed from SB 768 will be placed into another bill on the assembly floor at some point during the next legislative session.

Now that the Identity Information Protection Act has been approved by the assembly’s judiciary and moved out of the appropriations committees, the entire assembly will vote on it, as SB 768, at some point after the assembly reconvenes in January.

In its present form, the bill would place a three-year moratorium on the use of RFID in identity documents issued in California, including driver’s licenses. The intent of the bill is to allow more time to develop and test exactly how the technology might be deployed. The bill would make it a crime to read data from an RFID tag in such a document surreptitiously. It would also require that tags in IDs contain only a unique identifier, rather than any personal information about the cardholder, and that this unique identifier be encrypted.

If the assembly approves the bill, it will go back to the California State Senate, which bilaterally approved an earlier version of it in May. Should the senate pass the bill again, it will land on the desk of the governor, who can approve or veto it.

The bill went through a number of revisions as it traveled through the senate and the Assembly Judiciary Committee. The senate passed it along party lines—six Democrats for, three Republicans against—in July, right around the time industry opposition to the bill gained steam (see Amended Calif. Bill Softens RFID Restrictions). That opposition is spearheaded by a group called The High-Tech Trust Coalition, which includes representatives from three technology trade groups: American Electronics Association, the Association for Automatic Identification and Mobility and EPCglobal, as well as several vendors of RFID products, including Oracle, Philips Semiconductors, Symbol Technologies and Texas Instruments.

The opposition says the moratorium on tags is unnecessary because the encryption standards already in place would adequately protect citizens’ private information. It argues, in fact, that RFID could actually improve the safeguards for protecting private information. In a letter dated Aug. 17, the group says Simitian’s bill “embraces false fears and misrepresentations of fact to impose a ban against a technology proven both secure and reliable.” The letter goes on to suggest that the bill bans the use of technology rather than preventing bad behavior among parties attempting to access data encoded to an RFID tag without permission. It says the bill “should create strong criminal and civil penalties against those who seek to remotely scan a person’s identification document without their knowledge or without the authority of a court-issued warrant.”

The current version of the bill does, however, criminalize skimming, stating, “A person or entity that knowingly or willfully remotely reads or attempts to remotely read a person’s identification document using radio waves without his or her knowledge shall be punished by imprisonment in a county jail for up to one year, a fine of not more than $5,000, or both that fine and imprisonment.”

Roxanne Gould, spokesperson for the opposition group and a senior vice president of government and public affairs for American Electronics Association, said the group does support that part of the bill. “If that was all the bill said, [The High-Tech Trust Coalition would] probably have asked to cosponsor it,” she says. “We don’t disagree with the concept of making personal information more secure. But we can’t go along with something that also attempts to ban RFID technology.” She points out that the group considers the moratorium a de facto ban.

Senator Simitian was surprised by the Assembly Appropriations Committee’s failure to vote on the bill in August, saying he knew of no Democrats on the committee who opposed the bill. (The committee is made up of 13 Democrats and 5 Republicans.) The committee held some “misconceptions” about the bill and what it proposes, he adds, which he assuaged during his meeting with Chu and her staff. He would not say, however, whether misconceptions were based on the fiscal or policy impacts of the bill.

According to Simitian, only one person—whom the senator suspects is linked to the industry opposition group—raised the issue of whether the bill should be allowed to pass at a recent public forum. Otherwise, he claims he has not had any interaction with individuals or groups opposed to the bill since his meeting with Chu and the bill’s transfer to SB 768.

“There were some discussions when I met with [Chu], about whether there could be further amendments to the bill in order to address opposition’s concerns. But my response was that I had overhauled the bill not once, but twice, and so far, that had not generated any reciprocity from the opposition. It had not made any efforts to find common ground,” he says.

Initially, the bill included a ban, rather than a moratorium, on RFID in the most widely used identity documents (see Calif. Senate Approves RFID Bill).

Simitian believes that now, with the bill up for a vote by the full assembly and, therefore, closer to becoming a law, the opposition might be more willing to make some concessions on the bill.

Gould, however, says, “We’ve asked [Simitian] on three occasions to consider a bill that does not include a ban on the technology, and he refused to do that. At that point, we said we’d have to agree to disagree about this bill.”