New Legislation Could Criminalize RFID Security Testing

Nevada legislators are considering Senate Bill 125 (SB 125), which would make unauthorized collection of personal information by RFID a felony. Critics say the wording of the bill would criminalize legitimate forms of testing and research.
Published: February 24, 2009

This article was originally published by RFID Update.

February 24, 2009—Another proposed RFID regulation, another unintended consequence. Nevada is the latest state to propose legislation to regulate how RFID data is collected and used. Senate Bill 125 (SB 125), which was introduced earlier this month, would make it a felony to use RFID to collect personal identification without a person’s consent. Critics say the way the bill is worded would make legitimate RFID research a crime.

The opposition was in part motivated by a recent “white hat” hacker attack that exposed potential privacy and security vulnerabilities of the PASS Cards issued by the US federal government to facilitate border crossing (see Latest Anti-RFID Video is Actually Worth Watching). Defenders of the well-publicized hack liken it to a public service and say it was a valuable exercise for calling attention to previously-raised security issues. The proposed Nevada legislation would prohibit similar exercises.

UK newspaper The Guardian reported that Lee Tien, an attorney for the influential Electronic Frontier Foundation (EFF), sent the bill’s sponsor a letter that reads in part: “Because the privacy risks of RFID include the likelihood that malevolent entities will ‘skim’ individuals’ RFID-enabled devices in public places without their knowledge, it is important that security researchers be able to lawfully demonstrate that these vulnerabilities exist in real-world settings – not only in controlled conditions.” The EFF makes no mention of the bill on its website.

Nevada’s senate judiciary committee was scheduled to debate the bill yesterday; however, the minutes section of the senate website listed “No Action” for SB 125 for that date.

The bill provides two exceptions to the prohibition on collecting personal information by RFID: 1) collection done in the ordinary course of business, which presumably would apply to border control agents and other government employees who work with identification systems, and 2) authorized payment card transactions. The second exception would close a loophole that emerged in legislation proposed recently in New York (see New York May Regulate Retail RFID Use).