New RFID Bills Moving Through Calif. Assembly

The state's Assembly Judiciary Committee approved two RFID bills limiting the use of RFID in driver’s licenses and ID cards, and also passed a third bill studying—but not restricting—the use of RFID.
Published: June 13, 2006

The California Assembly Judiciary Committee today approved two bills, SB 433 and SB 1078, which would put a three-year moratorium on the use of RFID in driver’s licenses and student identification cards, respectively. Each received six yes votes, all from Democrats, as well as two no votes from Republicans.

Originally, the bills had nothing to do with RFID (one involved regulating the collection of data from magnetic stripes on licenses; the other, funding for charter schools). But after the Senate approved both bills, Simitian stripped the bills of their original content and replaced it with language restricting RFID’s use in licenses and ID cards. SB 433 is now headed for the Assembly’s Transportation Committee, while SB 1078 goes to the Education Committee. They could be approved by these committees and sent to an Assembly floor vote within the coming weeks. If the Assembly approves the amended bills, the Senate will need to vote on them again.

When introduced in the Assembly earlier this year, both bills sought to prohibit RFID use but were amended in committee. The ban was then switched to a three-year moratorium.

California Democratic Senator Joe Simitian authored both bills, which mirror parts of another bill he introduced last year, known as the Identity Information Protection Act of 2005. This act, which also seeks to regulate the use of RFID, had passed through the Senate and reached the Assembly floor before the 2005 legislative year ended.

Initially, the Identity Information Protection Act also outlawed RFID in a long list of identity documents carried by Californians, from driver’s licenses and school IDs to health insurance and benefit cards issued by state agencies. However, that ban was softened to a three-year moratorium (see RFID Bill Assumes New Identity). The Act has not yet been up for vote this year. Simitian is in discussion with an RFID industry-based opposition group pushing for the removal of the moratorium from the bill.

The intent of the bills is to allow more time to develop and test exactly how the technology might be deployed, and to vet how well security measures, such as data encryption and authentication between readers and cards, could address concerns over privacy protections. All three bills would make it a crime to read data surreptitiously from an RFID tag in an identity document, but those opposed to the bills say today’s security applications are robust and proven, and that by limiting the state’s ability to use RFID, the bill limits innovation.

Opposition to SB 433, SB 1078 and the Identity Information Protection Act (which was initially SB 682 but changed to SB 768 late last year) is being spearheaded by a group of industry associations and corporations that manufacture RFID products.

Roxanne Gould, spokesperson for the opposition group and a senior vice president of government and public affairs for the American Electronics Association (AEA), says amending SB 433 and SB 1078 from a ban to a three-year moratorium on the use of RFID in driver’s licenses and student IDs, respectively, does not change the group’s position on the bills.
“They are trying to call a three-year ban a ‘time-out,’ but a prohibition is a prohibition. A three-year sunset might seem better than a three-year ban, but it still demonizes the technology without [acknowledging] the security protections that are available today,” she says.

Opposition groups claim the use of RFID technology in identity documents such as driver’s licenses and school IDs could bolster security rather than weakening it. Supporters of RFID-enabled school IDs say the ability to account for the location of each student is a security tool, and that using RFID-enabled IDs in an automated attendance-taking system would allow teachers to concentrate more on education and less on administration. In its opposition to SB 433, the groups note that the California Department of Motor Vehicles (DMV) has publicly stated it is not planning on embedding RFID tags in driver’s licenses any time soon.

Meanwhile, another California bill, sponsored by the AEA and the Information Technology Association of America (ITAA), an IT trade association, and introduced by Democratic Assemblyman Alberto Torrico, is seeking to bridge concerns from Simitian and the supporters of his bill: an eclectic group that includes the American Civil Liberties Union (ACLU), the Gun Owners of California and RFID industry members.

The bill, AB 2561, calls for the California Research Bureau (CRB) to “submit a report to the Legislature on security and privacy for government-issued, remotely readable identification credentials.” It also calls for the creation of an advisory board, composed of government and industry representatives, that would assist the bureau in drafting the report and describe the “strengths and weaknesses of potential approaches to security and privacy proposals for government-issued, remotely readable identification credentials.”

Nowhere does the bill specify RFID as the technology that would power remotely readable identification credentials, but Torrico’s office says the report resulting from its passage would cover the use of RFID technology. Sponsors of AB 2561, approved by the full Assembly and now awaiting assignment to a Committee in the Senate, have met with Simitian to discuss whether the bill would provide an alternative to the RFID bills he is pushing, and if he would cosign AB 2561.

Carol Henton, vice president with the Information Technology Association of America, says Simitian showed a willingness to back off on a moratorium on RFID in identity documents if three major interim privacy protections on the use of RFID were written into Torrico’s bill. These include requiring that tamper-evident tags be used, that any RFID system employ mutual authentication (wherein both the reader and the tag must be authenticated before an ID is transmitted) and that the tag data be encrypted.

AB 2561’s sponsors, however, say mutual authentication—though possibly appropriate for some high-security applications—is too expensive and too complex for many applications. As such, they would not endorse something requiring such authentication across the board, opting for single authentication instead.

Simitian and sponsors of his bill plan to meet with AB 2561’s backers on Thursday to continue ongoing negotiations toward devising legislation both sides find agreeable.

“I’m looking for meaningful privacy protection, and sooner rather than later,” says Simitian. “That’s it in a nutshell.”