Here in California, there are five bills being considered that govern the use RFID technology. Four bills were introduced by Senator Joe Simitian, (D-Palo Alto, CA), and one was introduced by Senator Ellen Corbett (D-San Leandro, CA). I have been in contact with Senator Simitian’s office regarding these bills. The Senators and supporters of the bills, such as the ACLU, are concerned about privacy. Every member of the RFID Wizards community I’ve spoken to also shares these concerns but passionately believes RFID technology can be implemented in a way that protects peoples’ privacy.
After thoroughly reviewing the bills, it appears that ONE WORD is all that stands between balanced legislation and unnecessary outlawing. That word is "personal", and that's what the laws need to be.
For our readers that are not familiar with the bills, let me provide some background. (Please note: you can click on the title of the bill to read the actual text.)
SENATE BILL No. 28: Department of Motor Vehicles
This bill would prohibit the department from issuing, renewing, duplicating, or replacing a driver’s license or identification card, if the license or card uses radio waves to either transmit personal information remotely or to enable personal information to be read from the license or card remotely. This bill would provide that its provisions shall remain in effect only until January 1, 2011, and as of that date would be repealed.
“Personal information” includes, but is not limited to, an individual’s name, address, telephone number, e-mail address, date of birth, religion, ethnicity, photograph, fingerprint or other biometric identification, driver’s license number, California Identification Card number, social security account number, or other unique identifier.
SENATE BILL No. 29: Electronic Monitoring of Pupils
This bill would prohibit a public school, school district, and county office of education from issuing any device to a pupil that uses radio waves to transmit personal information, as defined, or to enable personal information to be viewed remotely for the purposes of recording the attendance of a pupil at school, establishing or tracking the location of a pupil on school grounds, or both. The bill would repeal these provisions as of January 1, 2011.
“Personal information” means any of the following: the name, address, telephone number, e-mail address, date of birth, religion, ethnicity, photograph, fingerprint or other biometric identifier, school identification number, driver’s license number, California Identification Card number, social security number, or any other unique identifier of the pupil.
SENATE BILL No. 31: A Person’s Identification Document
This bill would provide that a person or entity that intentionally remotely reads or attempts to remotely read a person’s identification document, as defined, using radio waves without his or her knowledge and prior consent, as described, shall be punished by imprisonment in a county jail for up to one year, a fine of not more than $5,000, or both that fine and imprisonment. The bill would also provide that a person or entity who knowingly discloses, or causes to be disclosed, specified operational system keys shall be punished by imprisonment in a county jail for up to one year, a fine of not more than $5,000, or both that fine and imprisonment.
This bill does not apply to the reading of a person’s identification document for emergency services of medical care during a disaster and there are several other exceptions pertaining to law enforcement and incarcerated people. If you accidentally read the data, you’re OK too.
SENATE BILL No. 362: Subcutaneous Implanting of an Identification Device
Editor's note, October 23, 2007: we updated this link to the .pdf version of the bill that passed.
This bill would prohibit a person from requiring, coercing, or compelling any other individual to undergo the subcutaneous implanting of an identification device. Any person who violates this may be assessed an initial civil penalty of no more than ten thousand dollars ($10,000), and no more than one thousand dollars ($1,000) for each day the violation continues. A person who is implanted with a subcutaneous identification device may bring a civil action for damages.
Although this sounds Orwellian, I wrote about this being done at Barcelona beach club back in November of 2004. The patrons volunteered to put RFID under their skin simply to prevent needing to carry their wallet around in their bathing suit. Click here to read the entire article.
SENATE BILL No. 388:
This is the only bill of the five introduced by Senator Corbett Senator Corbett. This bill would require any private entity that sells, furnishes, or otherwise issues a card or other item containing a radio frequency identification tag, as defined, that may be scanned for personal information, as defined, to provide specified information to the recipient.
Of the bills, there's only two that need to get personal. SB 28 and 29 stipulate “other unique identifier” while SB 388 specifies “any unique personal identifier”. What we’re concerned with is sharing personal information, such as the information listed in the bills. Anyone implementing an RFID solution that uses personal information as a unique identifier is being irresponsible. Experienced professional know to use a unique number on an RFID tag that is associated with someone that isn't personal. The tag number alone is useless until it is combined with the information contained in a secure database, such as the Motor Vehicle database. So even if an RFID tag is read by a bad guy (which isn't nearly as easy as the media has made it sound), there is absoultely no value to the information they have.
The language of SB 28 and 29 prevent the use of RFID technology, while SB 388 prevents the technology from being implemented improperly. On behalf of the RFID industry, I suggest that the two Senators collaborate and amend SB 28 and 29 to reflect the language in SB 388. It protects individuals and industry.
