Sunday, August 28, 2005

San Fran Chronicle wants RFID privacy bill back on the agenda

I blogged yesterday about the shelving of SB 682 in the California legislature (See: The Canadian Privacy Law Blog: California legislature shelves RFID ban). Today, the San Francisco Chronicle has a strong editorial demanding that it be put back on the legislative agenda and urging readers to contact their legislators about it:

FOLLOW-UP / Don't hide this privacy bill:

"... Should the state have the ability to track your movements with tiny radio transmitters? This is the essence of the debate behind Senate Bill 682, which reaches a critical juncture today in the Assembly Appropriations Committee. The bill, authored by Sen. Joe Simitian, D-Palo Alto, would wisely put some restrictions and safeguards on government's use of radio frequency identification (RFID) technology. Simitian's bill was inspired by the controversy that erupted when middle-school students in Sutter County were required to wear badges that allowed the school to track their movements around campus. The school board last year scrapped the experimental program in the face of parental objections, but the implications of expanded government use of this technology are truly chilling."

2 comments:

Anonymous said...

Mr. Boylan wants attention, a lot of attention.

What Mr. Boylan does not say, is that he is the attorney for the company in Sutter, CA that created the Badges at Brittan Elementary last year and stands to loose a lot of money if SB 682 is passed.

It is amazing to me that some people have to use all there energy to fight a bill that WILL cause a risk to personal privacy.

Amazing, just amazing.

Anonymous said...

It has been a little less than a year since I posted any news about the battle in California to regulate RFID uses in government identification documents. Despite my silence, plenty has happened. I am very pleased to report that the legislative process worked well and a bill that provides privacy protections without effectively banning radio frequency identification (RFID) uses is expected to become law. This bill is likely to become the model for similar legislation throughout the United States.

To review, RFID uses are not that different from bar code or magnetic stripe information technologies. But instead of “line of sight” bar codes that require the card to be placed in specific places for the card to be “read” or magnetic stripe cards that require the card to be physically run through a reader – which may have to happen over and over again, as we have all experienced trying to use a credit card in a supermarket – RFID uses radio waves to read the card. This is much, much faster and much, much less expensive than other kinds of similar technologies.

RFID use is increasingly common. All credit cards will be using it to avoid “swiping” problems and to increase informational security. Everyone who gets into a parking lot by holding up a card to a box is using an RFID card.

However, RFID cards are designed to be read from a distance – from a few centimeters to a few feet. Privacy groups are afraid that such radio transmissions can be intercepted, allowing “bad actors” to impersonate the card holder. Privacy groups are also concerned that RFID card holders could be followed, or “tracked” by using these cards.

Consequently, privacy groups want RFID cards issued by governments – such as secured building passes – to include devices or technologies that will prevent the card from being copied or tracked by bad actors.

The RFID industry believes that RFID cards are more secure and safer than any other kind of identification technology. The Indusry points out that – even though there are some laboratory studies that show it might be possible – it has never been demonstrated that an RFID card can be copied or tracked without the card holder knowing about it or helping the bad actor to do it. The RFID industry argues that designing cards so that they cannot be copied or tracked is a solution looking for a problem and, if required by law, would make RFID technology too expensive to use, resulting in a de facto ban of the technology as well as a de facto law favoring other, less effective technologies. The industry also argues that, when it comes to RFID security measures, “one size does not fit all” – that some RFID uses require no additional protections while other uses, such as drivers licenses and passports, warrant strict safety measures

SB 768 balances privacy concerns with industry concerns. SB 768 is jointly authored by California State Senator Joe Simitian and California Assemblyperson Albert Torrico. The bill accomplishes many noteworthy objectives.

First, the bill sets up a blue ribbon commission composed of representative from privacy groups, technology companies and concerned state agencies. The task of this commission is to study the different uses of RFID and formulate recommended regulations.

Second, the bill puts in place specific protections that will remain in place until regulations are enacted. These “interim protections” involve a sliding scale of protections depending on the sensitivity of the information on the RFID card. For example, “unique identifiers” are strings of random numbers, letters or symbols that, even if read by a bad actor, doesn’t reveal anything about the cardholder. However, cards with “personally identifiable information” require any number of protections specified in the bill, including mutual authentication and encryption.

The bill is not perfect by any means. The industry believes that the interim protections include protections that are unnecessary and privacy advocates believe that the protections mandated by the bill are far below the level necessary to address their concerns. But, from the industry’s point of view, SB 768 is better than an outright ban on what the industry considers to be a safe and secure technology. From the privacy community’s point of view, the bill is better than no required protections at all.

From my viewpoint, SB 768 is a good start and a fair compromise. Everyone gave a little and everyone got a little – and that is what the legislative process was designed to achieve. I am proud to have been part of the process that created SB 768 and the eventual statute it will engender.

I want to send out a special thank you to the person who posted as "anonymous" in response to my original arguments. she has been especially helpful in helping craft the final bill.

Paul Nicholas Boylan,
Legislative Director,
InCom Corporation