RFID Moratorium Bill Stalls in Committee

California's Identity Information Protection Act of 2005, which seeks to restrict the use of RFID technology in state-issued IDs, is being held up in the assembly's appropriations committee.
Published: August 27, 2005

On Thursday, the California Assembly’s Appropriations Committee was supposed to consider a controversial California bill designed to limit the use of RFID technology in state-issued identity documents, such as driver’s licenses. Instead, it shelved the bill. With the end of the legislative season two weeks away, the Appropriations Committee is unlikely to vote on it until next year.

Called the Identity Information Protection Act of 2005, or SB 682, the bill would place a three-year moratorium on the use of RFID in driver’s licenses, IDs issued to students (kindergarten through 12th grade) in public schools, public library cards and government benefit cards.

An opposition group called the High-Tech Trust Coalition has been lobbying against the bill, calling it misguided and unduly restrictive of RFID technology. It has authored multiple letters of opposition and met with Senator Simitian to defend the use of RFID, which it calls a safe and secure technology. The technology needed to secure tag data is tested and works, it says. The High-Tech Trust Coalition includes representatives from technology trade groups American Electronics Association, the Association for Automatic Identification and Mobility and EPCglobal, as well as vendors of RFID products, including Oracle, Philips Semiconductors, Symbol Technologies and Texas Instruments.

“I believe that industry opposition played a key role in the decision to hold the bill in committee,” says California Senator Joe Simitian, the bill’s author.

Roxanne Gould, spokesperson for the opposition group and a senior vice president of government and public affairs for American Electronics Association, says that she has heard anecdotal information indicating assembly legislators desired more time to evaluate the bill and therefore sought to shelve it until next year. She says she and other members of the opposition group are pleased by the decision to hold the bill in committee because it gives lawmakers a much-needed “time-out” before voting on it.

Gould claims the opposition group offered Simitian a counterproposal to the bill in June but says the Senator rejected it because it removed all bans and moratoriums on the use of the technology. The counterproposal called for a three-tiered approach wherein the tags embedded in driver’s licenses and similar IDs would have the highest level of data encryption.

Simitian drafted the bill out of concern that data transmitted from RFID tags on ID documents could be accessed without the ID holder’s knowledge. To help prevent this, the bill would require that data encoded to a tag be encrypted and that skimming, or surreptitiously reading, a tag be punishable by imprisonment and/or a fine. It also says the state would be held responsible for the security of the databases that correlate RFID tag data with an ID holder’s personal information. The three-year moratorium is intended to provide more time to develop and test security measurements to protect RFID tag data before the technology could be deployed in the most widely used state identity documents

Simitian asserts he is determined to resurrect the bill before Sept. 9. “There is a series of parliamentary hoops to jump through, but two weeks is a lifetime in politics,” he says. To be made law, the bill has to pass through the Appropriations Committee and an Assembly floor vote, and then be approved by California Governor Arnold Schwarzenegger.

The bill was passed by the state’s senate in May (see Calif. Senate Approves RFID Bill) and by the Assembly Judiciary Committee in early July (see Amended Calif. Bill Softens RFID Restrictions). The bill was revised three times in the senate and four times so far in the assembly. Original versions called for a ban, rather than a moratorium, of RFID tags in driver’s licenses and other widely used forms of identification. The bill had bipartisan support coming out of the senate, but the six Assembly Judiciary Committee members who voted for the bill were Democrats and the three members who voted against it were Republicans. The Assembly Appropriations Committee is made up of 13 Democrats and 5 Republicans.

Simitian maintains he is not trying to ban the technology, but rather attempting to ensure that it is deployed with privacy protections in place. At this time, however, there are no known plans to use RFID in any of the identity documents named in the bill.

The bill permits the use of RFID tags in California government employee ID cards, state-issued door access cards, mass transit passes and patient ID bracelets used in state-run hospitals, but requires that standardized encryption methods be used to protect the data on the tags and that databases correlating tag data with personal information of the cardholders be protected, under penalty of law.

The American Civil Liberties Union, the Electronic Frontier Foundation and the Privacy Rights Clearinghouse support the bill, saying that the unregulated use of RFID technology in identity documents would expose millions of Californians to surreptitious readings of those tags and that tag data could be used to access personal information.

“We don’t view this as an antitechnology bill; we view it as an appropriate-technology bill,” says Beth Givens, director of the Privacy Rights Clearinghouse, a privacy advocacy group based in San Diego. “I don’t oppose the use of RFID in commercial applications, such as in the supply chain. But I do not think the use of a wireless technology is appropriate to use in an ID that you have to carry with you,” she says, because the tag could be read without the carrier’s knowledge.

Many California newspapers, however, have run editorials in support of the bill.