Eleven months ago, California Senate Bill 682—otherwise known as the Identity Information Protection Act of 2005—stalled on the Assembly floor and was placed under another bill, SB 768. Because it placed a three-year moratorium on the use of RFID technology in driver’s licenses, student IDs and a long list of other state-issued identification documents, the bill had raised the hackles of RFID industry representatives, as well as the hopes of privacy advocates concerned that misuse of the technology could lead to civil-right abuses through the surveillance or tracking of citizens (see Calif. RFID Bill Assumes New Identity).
On Monday, a newly amended SB 768 was approved by the full Assembly in a 49-to-26 vote. It now goes back to the Senate for a concurrence vote, because it has been amended since the Senate last approved it. If the Senate passes the current bill, which could be heard either this Friday or early next week, it will be sent to Governor Schwarzenegger for his approval into law.
The most significant of the bill’s most recent amendments is the removal of the three-year moratorium. An amendment would also require the California Research Bureau (CRB) to submit to the legislature a report on security and privacy for government-issued “remotely readable identification documents,” and to create an advisory board composed of government officials and representatives from industry and privacy-rights organizations. The board would provide recommendations and technical advice to the CRB as it prepares the report, which is due June 30, 2007.
SB 768 now lists a number of interim rules any state and local governmental entity would need to follow when deploying RFID in identity documents. According to the amended bill, the interim rules should be replaced by a “statewide legislative or regulatory framework in the most timely and expeditious fashion possible following the issuance of recommendations by the California Research Bureau.”
Although the bill spells out certain exemptions, the interim rules would place security measures on RFID identity cards such as those used for tracking school attendance, or for paying mass transit fares. The rules call for the incorporation of tamper-resistant authentication tools in order to prevent duplication, forgery or cloning of the ID. Mutual authentication between the interrogator and tag embedded in the ID would be required if any personally identifiable information—such as an individual’s picture, Social Security number or name—is transmitted between the tag and reader. The IDs would also need to employ encryption or some other method of making such information unreadable or unusable by an unauthorized person, as well as offer an on/off switch or similar means of giving the ID holder direct control over any data transmission. If the identity documents transmit merely a unique number but not personally identifiable information, their issuers would need to follow less stringent security guidelines. The interim rules would also require the issuing entity of the RFID-enabled IDs to inform individuals about the technology and how it is being used.
According to to the bill’s sponsor, California Senator Joe Simitian, and the group that opposed the earlier version of the bill, these new amendments were the result of many months of intense meetings and negotiations between the bill’s supporters, which include the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF), and its opposition, which rallied under an industry group called the High-Tech Trust Coalition. The latter includes representatives from three technology trade groups—American Electronics Association (AEA), the Association for Automatic Identification and Mobility (AIM Global) and EPCglobal—as well as several vendors of RFID products, including Oracle, Philips Semiconductors, Symbol Technologies and Texas Instruments.
“I made as much progress as I could,” says Simitian regarding the months of negotiations. “I think we’ve got a good, clear process in place that allows for additional debate by referral to CRB, but while that’s happening, we have modest protection [through interim rules], so that if and when the technology proliferates, we’ll have some protections.”
“Getting rid of the ban [moratorium] was head and shoulders above everything else in terms of our decision to remove our opposition to the bill,” says Roxanne Gould, spokesperson for the High-Tech Trust Coalition and a senior vice president of government and public affairs for the AEA. “Once we were past that, there were a number of particular issues to work through.”
Among these issues was assigning exemptions to the interim rules. According to the latest amendments, any state or local program for implementing RFID-based identity documents that begins prior to Jan. 1, 2007, would be exempt. Also exempt would be any system for which a request for proposal (RFP) has been publicly issued prior to Sept. 30, 2006, and any system for which a contract has been executed prior to Sept. 30, 2006. Other exemptions, which predate the most recent amendments, would be RFID-based documents used in prisons, corrections facilities, hospitals, nursing facilities and emergency scenarios, as well as building-access cards and parking-garage passes. Court-ordered electronic monitoring would also be exempt.
Gould says that if the bill passes into law, she hopes the results of the CRB study will lead to a decision by the state legislature to develop regulations regarding how RFID could be used in identity documents, rather than a permanent assignment of the interim rules. “We don’t want protections to be codified,” she says. “If something comes along that changes the technology, the protections might not apply any more. We want regulations that are more fluid.”
This summer, Senator Simitian also introduced two bills, SB 433 and SB 1078, which were derived from SB 768 but which would have limited their scope to driver’s licenses and student identification cards, respectively. The bills called for a three-year moratorium on the use of RFID in the cards (see New RFID Bills Moving Through Calif. Assembly). Now that the more comprehensive SB 768 is moving forward, Simitian is likely to drop these other two bills.
If the Senate approves SB 768, Simitian is confident the governor will approve it. “We’ve tried to work with the governor’s administration on this issue, and we’ve taken their comments in consideration in fashioning the bill,” he says.