What's in California's Proposed RFID Bill?
The progress of the RFID industry depends on how major concerns choose to manage patents
By Kenneth A. Adler, Esq.
During its current term, the California legislature is likely to act on a bill regulating the use of RFID technology in identification documents issued by the State of California and local governments. While the scope of the proposed legislation is limited to government uses of RFID technology, it is being watched closely by private sector manufacturers and users of RFID technology for the potential expansion of RFID regulation to the private sector. This article provides an in-depth review of the proposed legislation and what manufacturers and users of RFID need to know.
In February 2005, California State Senator Joe Simitian (D-Palo Alto) introduced bill SB 682, otherwise known as the Identity Information Protection Act of 2005. The California Senate passed this bill in May 2005. After being passed by the state Senate, SB 682 was forwarded for consideration to the Assembly Judiciary Committee where it was approved by a 6-3 vote. In August 2005, in the midst of significant industry opposition, SB 682 was stalled in the Assembly Appropriations Committee where a key deadline lapsed, resulting in the expiration of the legislative life of SB 682. The bill was resurrected through some legislative maneuvering so that the newly numbered RFID bill, SB 768, can now be brought before the Assembly floor without additional approval by the Assembly Appropriations Committee, which may bring this proposed legislation closer to enactment.
Key provisions of California's legislation
The proposed legislation would, among other things, regulate the use of RFID tags in government issued identification documents in California. The bill does not apply to private sector uses of RFID technology or to government uses of RFID technology for asset management purposes or other applications that do not involve or contain personal information of individuals. Specifically, SB 768 proposes to:
- Criminalize the "skimming" of personal data from RFID-enabled identification documents;
- Implement specific provisions to ensure the security of data contained in such identification documents; and
- Impose a three-year moratorium on the use of RFID technology in certain types of government issued identification documents.
If enacted, SB 768 would make it a crime for any person or entity to intentionally remotely read or attempt to read a person's RFID-enabled identification document without such person's knowledge, with violators subject to punishment by imprisonment in a county jail for up to one year, and/or a fine not exceeding $5,000. In addition, this legislation would implement specific security-related requirements to ensure the security of data contained in RFID-enabled identification documents. These requirements include:
- A restriction from including any personal information in government issued RFID-enabled identification documents with the exception of a unique personal identification number;
- A requirement that such identification documents incorporate technology that enables individuals to affirmatively consent to the remote reading of their RFID-enabled identification documents by being able to turn the transmittal capability of such documents on or off;
- Notification by the government entity issuing an RFID-enabled identification card that such card is equipped with an RFID tag;
- A requirement that RFID-enabled identification cards include non-proprietary encryption technology at least as strong as encryption standards approved by the Federal Information Processing Standards Publication 140-2; and
- A requirement that RFID-enabled identification cards be equipped with mutual authentication technology that would require that both the holder and the reader authenticate authorization of the reading of the identification document.
Opponents of SB 768 argue that the implementation of these security requirements is both unnecessary and cost-prohibitive. However, Senator Simitian, the sponsor of this legislation, argues that these security requirements are reasonable, stating that "the measure is narrowly crafted and is limited to government identification documents. SB 768 has no impact whatsoever on private sector applications."
Perhaps the most controversial aspect of this legislation is the proposed three-year moratorium on the use of RFID technology in certain specific government-issued identification documents. Identification documents affected by this moratorium potentially include driver's licenses, government issued health and benefits cards, K-12 student identification cards, and public library cards. Critics claim that this moratorium is, in effect, a ban on the use of RFID technology in such government identification documents and is fundamentally "anti-technology."
In a letter of opposition to the proposed bill dated August 17, 2005, the High-Tech Trust Coalition, a group comprised of technology trade organizations and manufacturers of RFID products, argues that SB 768 "embraces false fears and misrepresentations of fact to impose a ban against a technology (RFID) proven both secure and reliable." Many opponents of this portion of the proposed legislation largely support the aspect of the bill that criminalizes unauthorized skimming of information contained in RFID-enabled documents, but generally assert that the aim should be to ban bad behavior, not technology.
Will there be a ripple effect?
Proponents of this legislation argue that, because of the nature of information contained in such identification documents, making such documents RFID-enabled can increase the risks and occurrences of identity theft, profiling (by reconstructing and aggregating an individual's movements and transactions to develop a profile of the individual), or tracking a person's movements or location similar to the tracking of livestock or sex offenders. Senator Simitian maintains: "Industry opponents would do well to remember that public acceptance and commercial success of developing technologies requires that we acknowledge and address legitimate privacy and security concerns, not ignore or deny them."
The unique legislative history of SB 768 suggests that there is significant political determination behind this legislation. Since the bill is now eligible for consideration by the full State Assembly, SB 768 is one step closer to enactment. As with any new technology, once legislation is considered or enacted, the industry needs to consider whether the concerns spurring legislative action can be addressed in alternate ways, including possible adoption of some form of industry self-regulation or adoption of industry "best practices" to address such concerns directly, rather than leaving these issues for further public debate and legislation.
A possible side effect of this type of legislation is that private sector uses of the regulated technology may benefit from manufacturers generally incorporating technological developments to comply with legislative mandates, thereby improving the security of such products in private sector applications of RFID technology. As RFID technology implementation is clearly growing and spreading through new applications, the legislative and public debate--particularly around privacy issues--is likely to continue.
Paresh Trivedi, an associate of the firm, assisted in the preparation of this article.
Ken Adler is a partner in the New York office of Brown Raysman Millstein Felder & Steiner, where he concentrates on complex transactions, intellectual property, and outsourcing issues relating to emerging technologies, e-commerce, telecommunications, and computer law. Ken can be reached at 212-895-2410 or kadler@brownraysman.com.