California RFID Bill One Step Away from Law

The RFID Industry Daily
September 7, 2006

The RFID Law Blog has published an article on the latest development in the California legislation concerning RFID technology. Last Thursday, the California Senate approved the bill in question by a wide margin of 30 to seven. There is now one remaining step for it to become law: Governor Arnold Schwarzenegger must sign it.

The bill is sponsored by Senator Joe Simitian and calls for a number of regulations that would tighten the security and privacy-protection of RFID applications in California's public sector. Among the regulations noted in the article:

Public entities must notify contactless (RFID) cardholders that their cards could expose them to identity theft.
Public entities must provide cardholders with a list of every RFID reader, including locations and exactly what information is collected.
Public entitles must maintain a website that cardholders can access to download a list of RFID reader locations.
Cardholders who suffer data theft due to hacking of their RFID cards will be allowed to seek restitution against the government agency that installed the RFID system for which the card was used.
RFID card systems must include one of the following opt-out capabilities:
- Cards must have a physical switch the cardholder can flip to block wireless transmissions.
- Systems must offer manual key punches at RFID access chokepoints so that cardholders can enter their access codes physically instead of using the wireless system.
- A guard must be stationed at such locations to offer human, visual inspection of the cards.

The bill also advises a study on RFID risks and best practices to counter them.
The RFID Law Blog comes out quite strongly against the proposed legislation. First, it considers the bill a solution in search of a problem, noting that the theft of personal data from RFID cards is not a widely reported problem (unlike the theft of such data from hacked online databases, for example).

Second, the bill would probably stunt the adoption of contactless systems, as affected public institutions consider other technologies that are less regulated. "Do you think a library or public utility is going to pay someone to stand at each entrance to look at ID cards as employees enter, so they don't have to risk having a hacker nearby with a high-powered scanner stealing their information during the 2 seconds that their ID card is waved in front of the door reader? It's kind of silly. Instead of making RFID safer to use, the more likely scenario is that different solutions will get a second look - to avoid the cost and risk of deploying an RFID system."

Third, while the existing legislation only addresses public institutions, it could likely have a spillover effect on private ones. The legislation would essentially stigmatize RFID as a risky technology, making the private sector more wary of deploying it.

The article notes that despite these issues, many of the industry stakeholders are actually not opposed to the bill (with the exception of the Security Industry Association). The reason is probably because in its current form the bill is a marked improvement over the original version, which would have imposed a sweeping three-year ban on certain applications of RFID systems in the public sector. However, this logic is not necessarily appropriate, argues the article. "Just because the legislation is 'less bad', it doesn't mean that it is 'good'. The IT and RFID industry in general have given Governor Schwarzenegger very little justification for vetoing legislation that passed by significant margins, when most are not even opposing the legislation themselves." Without more push-back from heretofore quiet stakeholders, it is likely the bill will pass. "The only hope is that companies who have not been at the negotiating table speak up about why the legislation would make us less safe, rather than safer. Or customers who use RFID systems speak up about the impact this legislation might have on them."

Read the entire article from RFID Law Blog