Snooping on RFID stored information is now illegal in California

Oct 6, 2008 10:44 GMT

California Governor Arnold Schwarzenegger signed Senate Bill 31, which makes it illegal to establish a connection with a Radio Frequency Identification (RFID) tag in order to access the stored information without explicit consent from its owner. The Governor had previously vetoed another bill (SB 768), which aimed at ensuring that government-issued RFID tags are secured by using encryption and other technologies.

RFID technology offers an automatic identification method by storing remotely accessible data on chips called RFID tags. These chips are embedded in access and identification cards such as drivers’ licenses, medical cards, student cards, etc. The data is stored unencrypted on the majority of these tags, and tests have demonstrated that it can be remotely read from tens of meters away by potential identity thieves or hackers.

In fact, SB 31 was authored by State Senator Joe Simitian as a result of an experiment where a hacker copied the information stored on one of his access cards and used it to forge a copy. Then, he was able to enter the California State Capitol through a locked entrance reserved for members only. “Right now if someone steals your ID card, it’s a crime. But if they steal the information on your ID card by ‘skimming,’ it’s not. That makes no sense whatsoever,” Simitian noted.

The bill was sponsored by many organizations that aim to protect the civil and privacy rights of citizens. “Just as we don’t let a stranger sift through our wallets and take our driver’s license, our private information should not be accessible without our knowledge or consent,” said Nicole Ozer, Technology and Civil Liberties Policy Director at the American Civil Liberties Union (ACLU) of Northern California, while Sam Paredes, Executive Director of the Gun Owners of California, noted that “we are pleased that the Governor signed SB 31 into law and hope that he comes to understand why robust RFID privacy protections are necessary for all Californians”.

While this is a notable beginning for the protection of RFID-stored information, there is still a long way to go, as preventing a crime from happening is just as important as making sure it is punished. Other previously vetoed bills, such as SB 768, regarding the encryption and shielding of RFID data, or SB 29, requiring parental consent for the use of student identification RFID tags in schools, need to be re-evaluated and passed.

“The problem is particularly serious because we’ve got millions of IDs and access cards out there with no limitation on the kind of information they carry, and no requirement that they use any of the privacy protection technology that’s readily available,” said Senator Simitian. Nicole Ozer also pointed out that “because an RFID tag can be read at a distance, it may be very difficult to catch people breaking this law. The next step in protecting our privacy safety will be to ensure that our driver’s licenses and other government ID only use secure RFID technology”.