Does California's New Legislation Ignore the Advantages of RFID?
RFID Product News
September 1, 2006
By Douglas B. Farry
On August 30, the California Senate passed by a 30 to 7 vote legislation that would impose the most sweeping security regulations to date on the use of RFID in certain public applications. The bill had already passed the State Assembly, so it is ready for Gov. Schwarzenegger's signature or veto.
The legislation, sponsored by Senator Simitian (ironically, from the technology hub of Silicon Valley), is a reaction to fears that RFID is an unsafe technology: that it will make it easier for attackers to gain entry to buildings by reading and cloning RFID-enabled ID cards, or to steal personal information stored on RFID-labeled documents.
The solution, according to the legislation, is to—by statute—require certain "privacy protecting" measures be taken when RFID-enabled systems are used. These include:
1) Requiring mutual authentication technologies between the card and the reader, in circumstances where there may be an electronic transfer of personal information;
2) Allowing the card holder to opt-out of having the information read wirelessly from the card by having a switch to turn off the wireless mechanism, a manual key punch at doors so ID numbers can be entered manually instead of wirelessly, or an authorized guard at each entrance who can visually inspect ID cards for accuracy and authenticity;
3) Requiring public entities that use RFID-enabled systems to notify card holders that their ID card could create a risk of their identity being stolen, provide them a list of every scanner location and what information is gleaned from the card at those locations and for what purpose, and create a website—updated regularly—where RFID card holders can look up the locations of all scanners that will read their card; and
4) Allowing "victims" of data theft because their RFID card was hacked to seek legal restitution against the government agency that put the RFID system in place.
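Item 1 names a concrete mechanism, and it is worth seeing what it actually buys. The sketch below is an added illustration written for this page, not code from the bill, the author, or any vendor's product. It assumes a symmetric per-card key provisioned to both the card and the door reader, and uses HMAC-SHA256 over fresh nonces from both sides (real contactless cards do the equivalent with on-chip block ciphers, but the shape of the exchange is the same). The security-relevant point: without mutual authentication, any reader, legitimate or not, can interrogate a card in a pocket at any time, not only during the moment it is presented at a door; with it, a reader that lacks the key gets nothing usable, and a recorded exchange cannot be replayed. The card ID, key, and rogue-reader scenarios are constructed for the example.

```python
"""Card/reader mutual authentication via HMAC challenge-response.

Added illustration, not from the original article or the legislation.
Assumes a symmetric key K shared by the card and the legitimate reader.
Exchange:
  1. reader -> card : Nr                         (reader nonce)
  2. card -> reader : Nc, HMAC(K, "card" || Nr || Nc)
  3. reader -> card : HMAC(K, "reader" || Nc || Nr)   (only if step 2 verifies)
  4. card releases its ID only if step 3 verifies.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16


def _tag(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Domain-separated HMAC so card and reader proofs cannot be swapped."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


class Card:
    def __init__(self, card_id: bytes, key: bytes) -> None:
        self.card_id = card_id          # constructed sample identifier
        self._key = key
        self._card_nonce = b""
        self._reader_nonce = b""
        self._reader_ok = False

    def answer_challenge(self, reader_nonce: bytes) -> Tuple[bytes, bytes]:
        """Step 2: prove knowledge of K over both nonces; reveal no ID yet."""
        self._reader_nonce = reader_nonce
        self._card_nonce = secrets.token_bytes(NONCE_LEN)
        self._reader_ok = False
        return self._card_nonce, _tag(self._key, b"card", reader_nonce, self._card_nonce)

    def verify_reader(self, reader_tag: bytes) -> bool:
        """Step 4: accept the reader only if it proved knowledge of K."""
        expected = _tag(self._key, b"reader", self._card_nonce, self._reader_nonce)
        self._reader_ok = hmac.compare_digest(expected, reader_tag)
        return self._reader_ok

    def release_id(self) -> Optional[bytes]:
        return self.card_id if self._reader_ok else None


class Reader:
    def __init__(self, key: bytes) -> None:
        self._key = key
        self._reader_nonce = b""

    def challenge(self) -> bytes:
        """Step 1: a fresh nonce per session defeats replay of old transcripts."""
        self._reader_nonce = secrets.token_bytes(NONCE_LEN)
        return self._reader_nonce

    def verify_card(self, card_nonce: bytes, card_tag: bytes) -> Optional[bytes]:
        """Step 3: verify the card's proof, then return the reader's own proof."""
        expected = _tag(self._key, b"card", self._reader_nonce, card_nonce)
        if not hmac.compare_digest(expected, card_tag):
            return None
        return _tag(self._key, b"reader", card_nonce, self._reader_nonce)


def run_session(card: Card, reader: Reader) -> Optional[bytes]:
    """Full exchange; the ID the reader learns, or None if either side rejects."""
    r_nonce = reader.challenge()
    c_nonce, c_tag = card.answer_challenge(r_nonce)
    r_tag = reader.verify_card(c_nonce, c_tag)
    if r_tag is None or not card.verify_reader(r_tag):
        return None
    return card.release_id()


def rogue_reader_skim(card: Card) -> Optional[bytes]:
    """Attacker's reader without K, held near the card at any time: it can issue
    a challenge, but it cannot forge the reader proof, so the card releases nothing."""
    c_nonce, c_tag = card.answer_challenge(secrets.token_bytes(NONCE_LEN))
    card.verify_reader(secrets.token_bytes(32))   # a guess; fails
    return card.release_id()


def replay_attack(card: Card, reader: Reader) -> Optional[bytes]:
    """Eavesdropper records one genuine session and replays the card's messages
    against a later challenge; the new reader nonce makes the old tag invalid."""
    r_nonce = reader.challenge()
    recorded = card.answer_challenge(r_nonce)          # captured over the air
    card.verify_reader(reader.verify_card(*recorded))  # genuine session completes
    reader.challenge()                                 # later: attacker replays
    return reader.verify_card(*recorded)               # None: rejected


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    c, r = Card(b"EMP-0001", k), Reader(k)
    print(run_session(c, r), run_session(c, Reader(secrets.token_bytes(32))),
          rogue_reader_skim(c), replay_attack(c, r))
```

Without the step-3 proof (a card that emits its ID to any reader that asks), `rogue_reader_skim` would succeed and the "two seconds at the door" framing would understate the exposure, since the rogue reader chooses when to ask. Whether that risk is large enough to legislate is the article's question; the protocol above is only what the requirement in item 1 technically amounts to.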
After imposing all of these new requirements that will supposedly make us all safer, the legislation then asks for a study to determine what the risks of RFID actually are, and for recommendations on comprehensive privacy and security standards to defend against those risks.
In other words: Shoot first, ask questions later. Has there been a problem of hackers stealing personal information from RFID-enabled ID cards? I suspect there has been far more ID theft from publicly owned online databases, or stealing credit card information from the mail.
Why not pass a law stating that restaurant employees have to swipe your card at the table, instead of taking it out of your sight, to minimize the risk that they will steal your data? Or requiring that they not look too long at your driver's license, so they can't memorize your address or other personal information? Is that too far fetched?
Because the bill provides no funding to the local governments, transit authorities, public schools, state parks, public utilities, or other entities required to follow these rules, deploying a new RFID system will become significantly more expensive and riskier than it is today, and certainly more expensive than other methods of ID authentication.
Do you think a library or public utility is going to pay someone to stand at each entrance to look at ID cards as employees enter, so they don't have to risk having a hacker nearby with a high-powered scanner stealing their information during the two seconds that their ID card is waved in front of the door reader? It's kind of silly.
Instead of making RFID safer to use, the more likely scenario is that different solutions will get a second look—to avoid the cost and risk of deploying an RFID system. Or, they will keep their existing RFID card systems in place, since they are grandfathered and don't need to comply with the new rules.
So, while RFID technology and the surrounding security continues to get better and stronger as innovation and competition drives better products, California entities will be glued through 2012 to the systems that exist today (or they will be forced to look for non-RFID systems that may be less secure in order to circumvent these new rules).
And while the new rules will apply only to certain government functions (indeed there are exceptions carved out for prisons, certain hospital situations, juvenile facilities, etc.), there could very well be implications for private sector customers as well. Why upgrade to an RFID system that the state of California, by legislation, has deemed a risky technology requiring specific regulations to prevent identity theft? Could the new legal liability outlined in the Simitian bill be extended to private sector systems? It is certainly not inconceivable.
Governor Schwarzenegger has to decide whether to sign or veto this legislation within 30 days. Surprisingly, many of the organizations representing the IT and RFID industries have given their blessing to the Simitian legislation. The Security Industry Association opposes it, and no one else with a stake in the outcome has expressed any position at all.
The bill is certainly an improvement over where it began. The original version imposed a three-year ban on RFID systems pending the study, and would not have grandfathered existing RFID systems, for example. But just because the legislation is "less bad" does not mean that it is "good." The IT and RFID industries in general have given Governor Schwarzenegger very little justification for vetoing legislation that passed by significant margins, when most of them are not even opposing it themselves. The only hope is that companies who have not been at the negotiating table speak up about why the legislation would make us less safe, rather than safer, or that customers who use RFID systems speak up about the impact this legislation might have on them.
It would not be unreasonable to ask questions and get information about the risks and benefits of an emerging technology like RFID. But to impose preemptive security standards in the hope that it will reduce hypothetical risks, without considering the advantages of RFID over existing systems, seems like putting the cart before the horse.
Doug Farry is a Managing Director with the Government Affairs practice and Chair of the RFID practice of the international law firm of McKenna Long & Aldridge LLP. Doug spearheaded the launch of the McKenna Long & Aldridge-sponsored RFID Law Blog (http://rfidlawblog.mckennalong.com) for which he serves as the lead correspondent. He can be reached at dfarry@mckennalong.com