Surreptitiously reading (“skimming”) RFID tags embedded in identity documents is now illegal in California. Governor Arnold Schwarzenegger on Tuesday signed Senate Bill (SB) 31, which makes skimming RFID-based identity cards punishable with imprisonment in a county jail for up to one year, a fine of up to $1,500, or both. According to the law’s wording, the ID cards in question include those issued by government agencies, health insurance companies, employers, libraries and schools. The governor, however, did not approve another piece of legislation focused on RFID technology, SB 29. He vetoed this bill on Sept. 29. It would have required schools to acquire parental consent before requesting that students carry RFID-enabled identity cards, designed to track the children’s location or attendance at the school.
California State Senator Joseph Simitian, who authored both bills as well as other RFID-related measured dating back to 2005, says he’s pleased with the governor’s decision to make skimming illegal.
“It’s an acknowledgement from the governor that any technology can be abused and that as technology changes, the law has to keep pace,” he says, adding that he was also happy to be able to attain broad-based support for the bill from both industry groups and privacy advocates. “It was not without much discussion along the way, but ultimately we were able to come together on this one.”
In a letter that Simitian sent Governor Schwarzenegger, requesting his signature on the bill, the senator said both the American Civil Liberties Union (ACLU) and the American Electronics Association supported the bill. While the ACLU and Electronic Frontier Foundation have supported Simitian’s RFID-related bills ever since the lawmaker first began drafting the pieces of legislation, the American Electronics Association had teamed with RFID vendors in the past to block other RFID-related bills, saying they were too restrictive and would stifle broad adoption of the technology.
“This [anti-skimming law] will serve as some deterrent, and provide law enforcement with ability to take action [if someone skims data],” Simitian says. “Right now if someone steals your ID card, that’s a crime, but if they skim the data of the card, it’s not. That makes no sense.”
“I have always distinguished between the power of the state that compels the use of technology versus its use in the commercial marketplace. There has to be a higher standard when talking about power of the state,” he says. In the commercial sector, he explains, the use of RFID in an opt-in, whereas citizens aren’t able to choose what technology is integrated into their state-issued identity documents.
California is considering integrating RFID tags into driver’s licenses, but the technology is already used in some government-issued IDs—including the one that Senator Simitian carries. He says it is also used in some ID issued by the University of California.
The new law will also apply to access control cards (used to unlock doors or access computer systems), which do not bear the carrier’s name or photo but are encoded with a unique ID number associated with that individual’s personal data in a back-end database.
The bill makes exceptions for inadvertent scanning of RFID tags. It also permits various emergency medical services providers and law enforcement officials to scan without a bearer’s permission to identify or assist an unresponsive person, or to solve a crime, as long as a search warrant has been issued.
Simitian says he plans to keep working on the failed parental consent bill (SB 29), as well as SB 30, which calls for privacy and security safeguards on RFID-enabled, government-issued identification documents. This bill was not approved by the State Assembly and has been placed on hold.
In addition to requiring parental consent, SB 29 would have also required schools to inform parents about the use of the technology, how it works and the school’s plans for protecting students’ privacy in order to comply with privacy laws.
Simitian says he removed provisions for a three-year moratorium on the use of RFID technology, as well as requirements (taken from an earlier version of school bill) that would have instituted data protection protocols for RFID-based IDs. Simitian had hoped that removing these elements would convince the governor to sign SB 29.
“I said OK, the industry is opposed to this moratorium, it has been opposed to limitations on data stored on cards, opposed to privacy protections, so the least we can do is give parents the right of notice and parental consent,” says Simitian. “The frustrating part to me is that I continue to believe that enlightened self-interest should lead industry to support something like this [parental consent bill]. There were no [technological] limits called for in the bill, just consent. The public will continue to resist emerging technology if limits aren’t placed on its use.”
In the past few days, Governor Schwarzenegger vetoed an unprecedented number of bills, due to a backlog of legislation that had formed on his desk while he was working with lawmakers to finalize the state budget. In a statement, he said he believes the decisions on how to deploy RFID-based IDs should be left to the schools districts that choose to use them. However, he added: “I support parental consent and notification, and encourage school districts deciding to require consent prior to adopting the use of contactless based identification cards at their schools, to apply it equally in a way that is technology neutral—whether it is an RFID-enabled card or another type of identification card.”
In 2005, an elementary school in Sutter County, Calif., made national headlines when parents filed a complaint with the American Civil Liberties Union after students there were issued RFID-based ID cards (see RFID Takes Attendance—and Heat). Parents feared that the IDs could be used to track the whereabouts of their children without their knowledge. This controversy prompted Simitian to draft legislation that would address how schools and government agencies should go about using RFID.
In fact, all three State Bills—29, 30 and 31—were derived from an original, more comprehensive measure, SB 768, the Identity Protection Act of 2006, which Schwarzenegger vetoed, citing concerns that it would have made it more difficult for law-enforcement officers to “impose requirements in California that would contradict the federal mandates soon to be issued,” referring to the Real ID Act, which President Bush passed in 2005 to establish a federally approved ID card that would be electronically readable (see Calif. Gov Terminates RFID ID Bill).
The Real ID Act has been met with opposition from certain groups that complain that it calls for a de facto national ID card and feel that its call for a common machine-readable technology would turn the cards into tracking devices and violate citizens’ right to privacy. Its implementation deadline in all 50 states has been delayed until 2011.
SB 31 is the second RFID-related bill that California has ratified. Last year, the governor signed Simitian’s bill SB 362 to prohibit the forced implantation of RFID tags in humans (see California Bans Forced Human Tagging). It is also the second state law aimed on criminalizing the act of skimming data from an RFID-based ID. Last year, Washington enacted a similar law (see Washington State Governor Signs Anti-Skimming Law), though its law prohibits skimming only when the practice is used for the illegal purposes of fraud, theft or stalking. However, it also attaches much harsher penalties: violation of the law a Class C felony, with violators subject to five years in prison and a $10,000 fine.