Sunday, August 28, 2005

San Fran Chronicle wants RFID privacy bill back on the agenda

I blogged yesterday about the shelving of SB 682 in the California legislature (See: The Canadian Privacy Law Blog: California legislature shelves RFID ban). Today, the San Francisco Chronicle has a strong editorial demanding that it be put back on the legislative agenda and urging readers to contact their legislators about it:

FOLLOW-UP / Don't hide this privacy bill:

"... Should the state have the ability to track your movements with tiny radio transmitters? This is the essence of the debate behind Senate Bill 682, which reaches a critical juncture today in the Assembly Appropriations Committee. The bill, authored by Sen. Joe Simitian, D-Palo Alto, would wisely put some restrictions and safeguards on government's use of radio frequency identification (RFID) technology. Simitian's bill was inspired by the controversy that erupted when middle-school students in Sutter County were required to wear badges that allowed the school to track their movements around campus. The school board last year scrapped the experimental program in the face of parental objections, but the implications of expanded government use of this technology are truly chilling."


Paul Nicholas Boylan said...

The San Francisco Chronicle got it wrong - amazingly wrong. SB 682 failed to get out of the California Assembly Appropriations Committee because it was just a bad bill. The more people looked at it, the less sense it made. The bill claims to be afraid of people "skilling" information from smart cards. But when those supporting the bill were asked again and again to provide just one example of where smart cards had been skimmed, they couldn't do it.

Instead, they resorted to trickery. I am not kidding. They presented a list of examples of smart card security breaches, but the list didn't contain any smart card security breaches. Instead, it contained a list of instances where data bases had been hacked. They thought no one would know the difference.

But they did. Everyone knew the difference, and knew that SB 682 didn't do a thing to protect against hacking a data base.

Here is the bottom line: the vast majority of smart cards - like security badges to get into buildings - have only a long number on them. The reader reads the number and knows that the person with the card can be let in. The reader doesn't know who the person is. If anyone was somehow able to read the number on the card from a distance (which they can't - period; anyone who tells you differently is lying) then all the bad guy gets is a long number that does them no good at all.

In otherwords, smart cards are safe and private. They are harder to read than any other kind of ID - which protects our privacy. But SB 682 banned those safe, private uses.

Oh, the proponents of the bill are outraged by the accusation that they ban technology. But there is such a thing as a de facto ban. Here is how it works: the bill imposed an encryption standard on smart card uses that increased the cost so much that no one could afford it. That, dear friends, is a de facto ban. It's a lie to say otherwise.

Here is the best part: any smart card can be rendered absolutely impossible to read when placed in an inexpensive card holder. Or, if you dont' want to spend the money, just fold a piece of aluminum foil in half and put your smart card in it and it instantly becomes unreadable by anyone or anything.

Those supporting SB 682 had an answer to this elegant, simple solution to the fears of smart card info piracy/tracking by Big Brother. They said, and I kid you not, "how can we make sure everyone uses the card holders?"

Look, privacy is as much a choice as a right. When I am in my home, sometimes I have my drapes open. When I want privacy I close my drapes. We all have choices like that. Some of us actually choose not to care about their privacy.

But SB 682 wanted to mandate privacy. It wanted to remove the choice - even though a solution exists - because those supporting the bill wanted to make sure no one could choose otherwise.

I hope the irony isn't missed by any reader. Those who drafted the bill because they were afraid of Big Brother became Big Brother. If it wasn't so horrible it would be incredibly funny.

So you see, SB 682 was a solution in search of a problem. When all is said and done, the democratic process works just fine. Given enough time, enough people realized the bill was rediculous. And so it died,in much the same way all bad laws should die.

Anonymous said...

Mr. Boylan wants attention, a lot of attention.

What Mr. Boylan does not say, is that he is the attorney for the company in Sutter, CA that created the Badges at Brittan Elementary last year and stands to loose a lot of money if SB 682 is passed.

It is amazing to me that some people have to use all there energy to fight a bill that WILL cause a risk to personal privacy.

Amazing, just amazing.

Paul Nicholas Boylan said...

Hey, Anonymous: you are exactly correct. I was hired by a small high tech start up company to do whatever I could to stop this bill from becoming law. Why? Because the bill, if enacted, would put that company out of business - and without any justification whatsoever other than irrational fear. This company wouldn't just "stand to lose a lot of money." The bill would put the company totally out of business. They hired me because they were fighting for their lives.

Anonymous, you said that the technology is a "risk to personal privacy..." How? Tell me how. I've asked those supporting the bill how on earth my client's product poses a risk to personal privacy. They couldn't do it. Maybe you can.

Just so you understand what you are up against, let me tell you how InCom's product works. The system is used to take automatic attendance. Students carry an ID badge with a sixteen digit randomly assigned number on it. This number is locked on the card so nothing can be added. The tag does NOT contain the student's picture, or social security number or any other information other than a randomly assigned sixteen digit number. I want to make this very clear, because the proponents of SB 682 told people that the card contained students pictures, etc. etc. It isn't true, so don't go there.

As the child enters the room, the number on the tag is noted by a device called a "reader." The reader then sends the tag's number over land lines to the schools secure server where the computer matches up the tag number with the student's name. The computer then generates an attendance list with the student's name - not the number - and sends the attendance list to the teacher who checks it for accuracy.

As I explained earlier, the fear that is the foundation for SB 682 is the fear that someone could "skim" the number off of a tag using a portable reader. It isn't going to happen. The read distance is so close that anyone trying to creep up on a child is going to be noticed.

But let's say there is some way to read the sixteen digit randomly assigned number from a distance. First of all, it isn't possible today. It just isn't. The technology doesn't exist to do it.

But let's say there is a super genius pedophile out there who has the fiancing and engineering know how to build such a long distance reader - one that doesn't cook the subject. If that hypotetical genius bad guy reads the card, what does he get? A sixteen digit number that does him or her no good whatsoever.

"Ah," the proponents argue, "what if the hypotetical super genius predator got the number and then hacked into the school's computers?? What then??"

It isn't going to happen. The school's server is secured. It is not connected to the internet or phone lines and cannot be hacked. To be able to match up a student's number with their name, the super genius predator would also need to be a cat burglar. They would need to climb the school fence, break into locked doors, turn on the school's computers, get past their passwords and then past their own encryption.

It would be easier and less expensive to rob a bank.

So you see, the use of secure smart cards in school is absolutely safe, secure and privacy is assured. It has to be. If a school allows a student's private information to be released they will lose federal funding. They don't want to risk that. And with the InCom system, they don't have to.

But why would a school want to use such a system? The truth is, not all would want it. Not because it doesn't work, but because they are happy with ordinary methods of taking attendance. But for other schools, funding is more and more of a problem. Schools are funded according to how many students they have in class, so accurate attendance is crutial. The state audits schools and if they have made mistakes their funding is cut. The InCom system is accurate.

It is also fast, and this speed is beneficial in two ways. First, it allows teachers to spend more time doing what they do best - i.e., teach our kids. In this day and age of low test scores and greater paper work burdens for teachers, it is a very good thing for teachers to be able to spend more time in front of the class teaching.

But speed is also important for child safety. Using current attendance methods, it can take hours for parents to be notified that their children didn't make it to school. When a child goes missing, every minute counts. The InCom system allows schools to notify parents in minutes instead of hours.

Why is any of this bad? Why did SB 682 specifically exempt k-12 school IDs? The system is alreay encrypted. Student information is protected. Privacy is assured. Heck, I can look at a drivers license sitting on a check out stand and memorize the information on it. I can't do that with a secure smart card.

Okay, Anonymous, you articulate, couragous unknown person. Your turn. Tell me why?

And by the way, do you really think that "outing" me as an employee of a company that sells secure smart cards somehow impunes my credibility? Not at all. It gives me background and insight you are likely not to have.

And why not use your real name? Seriously. Are you afraid that someone might retaliate against you for voicing your opinion?

Come to think of it, that might be the reason. After all, irrational fear is what engendered SB 682 in the first place. It makes sense that you would want to hide your identity.

Use any name you want. But please respond to the argument. Show me any justification for banning such a useful technology that saves money, saves time and keeps our children safe.

Paul Nicholas Boylan said...


Senator Simitian is attempting a "Hail Mary" move to give new life to SB 682. He has "gutted-and-amended" SB 768 (originally dealing with "Marine finfish aquaculture") on the Assembly floor and has inserted the most recent language found in SB 682. This can happen when one bill is abandoned by it's author -- which, apparently, happened to SB 768.

It is never over until it is over, but I still believe the bill is dead.

This is a desperate move on Simitian's part and will carry a high price. He is essentially attempting to circumvent the legislative process by giving the finger to the Assembly Appropriations Committee, which held back SB 682 to study it's financial affect on California.

We are now accustomed to the underhanded tactics of those promoting SB 682 - now resurected as SB 768. We knew this was likely to happen and we are ready for it. What is happening further illustrates the problem: those who want this law enacted are unwilling to let anyone look too closely at it. The purpose of the bill isn't to regulate the techology - the purpose of the bill is to ban the technology either directly or indirectly by making it too expensive or ineffective to use. And they are comfortable achieving that goal by hook or by crook.

Extreme views engender bad laws.

Okay, one last observation: SB 682 is now SB 768 - which originally pertained to "Marine finfish aquaculture." But the basic nature of SB 768 hasn't really changed: even though the original content has been stripped out and replaced with SB 682, there is still something fishy about it.

I can hear the groans. Please forgive me, sometimes I just can't help myself.

Anonymous said...

It has been a little less than a year since I posted any news about the battle in California to regulate RFID uses in government identification documents. Despite my silence, plenty has happened. I am very pleased to report that the legislative process worked well and a bill that provides privacy protections without effectively banning radio frequency identification (RFID) uses is expected to become law. This bill is likely to become the model for similar legislation throughout the United States.

To review, RFID uses are not that different from bar code or magnetic stripe information technologies. But instead of “line of sight” bar codes that require the card to be placed in specific places for the card to be “read” or magnetic stripe cards that require the card to be physically run through a reader – which may have to happen over and over again, as we have all experienced trying to use a credit card in a supermarket – RFID uses radio waves to read the card. This is much, much faster and much, much less expensive than other kinds of similar technologies.

RFID use is increasingly common. All credit cards will be using it to avoid “swiping” problems and to increase informational security. Everyone who gets into a parking lot by holding up a card to a box is using an RFID card.

However, RFID cards are designed to be read from a distance – from a few centimeters to a few feet. Privacy groups are afraid that such radio transmissions can be intercepted, allowing “bad actors” to impersonate the card holder. Privacy groups are also concerned that RFID card holders could be followed, or “tracked” by using these cards.

Consequently, privacy groups want RFID cards issued by governments – such as secured building passes – to include devices or technologies that will prevent the card from being copied or tracked by bad actors.

The RFID industry believes that RFID cards are more secure and safer than any other kind of identification technology. The Indusry points out that – even though there are some laboratory studies that show it might be possible – it has never been demonstrated that an RFID card can be copied or tracked without the card holder knowing about it or helping the bad actor to do it. The RFID industry argues that designing cards so that they cannot be copied or tracked is a solution looking for a problem and, if required by law, would make RFID technology too expensive to use, resulting in a de facto ban of the technology as well as a de facto law favoring other, less effective technologies. The industry also argues that, when it comes to RFID security measures, “one size does not fit all” – that some RFID uses require no additional protections while other uses, such as drivers licenses and passports, warrant strict safety measures

SB 768 balances privacy concerns with industry concerns. SB 768 is jointly authored by California State Senator Joe Simitian and California Assemblyperson Albert Torrico. The bill accomplishes many noteworthy objectives.

First, the bill sets up a blue ribbon commission composed of representative from privacy groups, technology companies and concerned state agencies. The task of this commission is to study the different uses of RFID and formulate recommended regulations.

Second, the bill puts in place specific protections that will remain in place until regulations are enacted. These “interim protections” involve a sliding scale of protections depending on the sensitivity of the information on the RFID card. For example, “unique identifiers” are strings of random numbers, letters or symbols that, even if read by a bad actor, doesn’t reveal anything about the cardholder. However, cards with “personally identifiable information” require any number of protections specified in the bill, including mutual authentication and encryption.

The bill is not perfect by any means. The industry believes that the interim protections include protections that are unnecessary and privacy advocates believe that the protections mandated by the bill are far below the level necessary to address their concerns. But, from the industry’s point of view, SB 768 is better than an outright ban on what the industry considers to be a safe and secure technology. From the privacy community’s point of view, the bill is better than no required protections at all.

From my viewpoint, SB 768 is a good start and a fair compromise. Everyone gave a little and everyone got a little – and that is what the legislative process was designed to achieve. I am proud to have been part of the process that created SB 768 and the eventual statute it will engender.

I want to send out a special thank you to the person who posted as "anonymous" in response to my original arguments. she has been especially helpful in helping craft the final bill.

Paul Nicholas Boylan,
Legislative Director,
InCom Corporation