SB 768: RFID Protections for Government IDs (2005)

Jul 01, 2009
By:
Nicole A. Ozer
ACLU of Northern CA

RFID devices are tiny chips with miniature antennae that are embedded within documents or objects for tracking and identification purposes. When a RFID reader emits a radio signal, all RFID-enabled devices in the vicinity respond by automatically transmitting their stored information to the reader.

RFID has some useful applications but when embedded in ID documents, it can pose serious privacy and security threats. For example, information can be scanned off a RFID device at a distance and without notice to the holder. Without adequate protections, unauthorized readers can surreptitiously read and skim the personal information stored on a device–such as a birth date, digital picture, or unique identifier number–all without the knowledge of the RFID holder.

SB 768 would have prohibited any person or entity from intentionally reading a person's government-issued identification document (ID) remotely using radio waves without the knowledge of that person. It includes strong criminal penalties for anybody who violates this statute.

SB 768 would have required a governmental entity that issues IDs that can be read remotely using radio waves to provide the following basic security protections for the holders of those IDs:

  • Limiting the remote transmission of any personal information other than a unique identifier number.
  • Robust encryption to protect against the unauthorized reading of transmitted information.
  • Mutual authentication to ensure as best as possible that only those who are supposed to have access to the data stored on the ID can read it.
  • An additional security feature to ensure that the ID cannot be read unless the ID's holder specifically authorizes that reading.

Written notification:

  • That the ID can communicate information using radio waves.
  • That the use of shield devices can help mitigate the privacy and security risks associated with the ID.
  • Of the location of readers intended to be used to read the ID.
  • Of the information that is being collected or stored regarding the individual in a database in conjunction with the ID.

With bi-partisan votes by the legislature, SB 768 was passed overwhelmingly. Had Gov. Schwarzenegger not vetoed the bill, SB 768 would have required state and local government to ensure that government-issued RFID-enabled devices include some basic privacy and security protections; and would have made it a crime to steal someone's information with an RFID reader.

Final Status and Text
SB 768 is no longer active. Its final status was: Vetoed by the Governor

Learn more:

SB 768, formerly SB 682, was reintroduced as SB 30 (2007).

You can read its final text on the Legislature's Bill Information site.

SB 768 Fact Sheet

Landmark Privacy Bill Heads for Governor's Desk (08/31/2006)

Don't Chip Our Rights Away!

SB 30 The Identity Information Protection Act of 2007

SB 682 Identity Information Protection Act (2005)