Governor Schwarzenegger took an important first step to protect the privacy, personal safety, and financial security of millions of Californians by signing Radio Frequency Identification (RFID) anti-skimming legislation into law this week.
SB 31, authored by Senator Joe Simitian (D-Palo Alto), sponsored by the American Civil Liberties Union, Privacy Rights Clearinghouse, and the Electronic Frontier Foundation, and supported by a broad bipartisan coalition including the Gun Owners of California, California Eagle Forum, American Association of Retired Persons (AARP), makes it a crime to surreptitiously read information stored on tiny electronic devices known as RFID tags.
The information stored on unsecured RFID chips embedded in identification cards like drivers' licenses, medical ID cards, or student IDs, can be read from a distance, without an individual's knowledge and consent and then misused for tracking, counterfeiting, and identity theft.
"Just as we don't let a stranger to sift through our wallets and take our driver's license, our private information should not be accessible without our knowledge or consent," said Nicole Ozer, Technology and Civil Liberties Policy Director at the ACLU of Northern California. "Until now, there has been no law to prevent anyone from skimming our information. By signing SB 31, Governor Schwarzenegger has taken an important step to safeguard the privacy, safety, and financial security of millions of families."
In an experiment, the information on the RFID-embedded identification card that Senator Simitian uses to access the California State Capitol was skimmed and the information copied by a hacker in a split second. Minutes later, using the information from the Senator's card, the hacker was able to walk right into the Capitol through a members-only, locked entrance. The experiment helped Simitian see the need for legislation.
"Right now if someone steals your ID card, it's a crime. But if they steal the information on your ID card by ';skimming,' it's not. That makes no sense whatsoever," Simitian said. "The problem is particularly serious because we've got millions of IDs and access cards out there with no limitation on the kind of information they carry, and no requirement that they use any of the privacy protection technology that's readily available."
SB 768, Senator Simitian's 2006 legislation to ensure that any RFID tags used in government-issued IDs made use of these readily available privacy and security protections, such as encryption and shielding, was overwhelmingly passed with bipartisan support by the California legislature, but vetoed by the Governor.
"The privacy and security of Californians is not a liberal or conservative issue, it's an issue for everyone. We are pleased that the Governor signed SB 31 into law and hope that he comes to understand why robust RFID privacy protections are necessary for all Californians," said Sam Paredes, Executive Director of the Gun Owners of California.
Simitian began to look at the use of RFID in identification documents after an elementary school in Sutter, California required its students to wear identification badges that contained RFID tags that broadcast the students' information. With the help of the ACLU, parents successfully petitioned the school to remove the RFID tags. "The ACLU is disheartened that the Governor vetoed a related RFID bill, SB 29, that would have provided for notice and consent from parents about the use of RFID in school identification documents. We're looking forward to working with the Administration to implement real protections for students and their parents," said Valerie Small Navarro, Senior Legislative Advocate for the ACLU in Sacramento.
SB 31 is an important first step, but enforcing laws on RFID skimming will be an ongoing challenge," said Ozer. "Because an RFID tag can be read at a distance, it may be very difficult to catch people breaking this law. The next step in protecting our privacy safety will be to ensure that our driver's licenses and other government ID only use secure RFID technology."
For more information about SB 31 and RFID technology, please visit www.aclunc.org../blog/dont-chip-our-rights-away