California’s New RFID Bill Would Impose New Restrictions on Governmental Agencies that Issue RFID Cards to Safeguard User Privacy

Posted by Joe Addiego

On September 1, 2006, the California Senate approved Senate Bill No. 768, known as the Identity Information Protection Act of 2006 (the “IIPA”), which would regulate the use of radio frequency identification (“RFID”) cards issued by governmental bodies. Governor Arnold Schwarzenegger has until the end of the month to sign the bill into law.

RFID is a burgeoning technology with numerous potential security, record-keeping, and commercial applications. It currently is used for passkeys to buildings and for electronic payment on toll bridges and toll roads, but it also is being adopted for many other uses, including identification cards and driver’s licenses, “touchless” payment transactions, and medical care and records tracking. The technology is attractive because RFID cards communicate with a reader over a short-range radio signal, allowing fast, simultaneous data transfer without physical contact or human intervention.

However, because RFID cards often hold confidential data, many are concerned that this information can be intercepted while it is transmitted, or extracted from the card itself if the card falls into the wrong hands.

In light of these concerns, among others, the California Senate passed the IIPA, which would impose many new restrictions on the use of RFID technology. The potential law would apply only to RFID cards issued by governmental agencies, and it is designed to protect both government employees and private citizens who receive government issued cards.

Some of the protections the IIPA would require: cards must be fitted with “tamper resistant features,” and each card and its companion reader must be protected by an authentication process. Further, if “personally identifiable information” (“PII”), such as the user’s name, address, phone number, Social Security number or fingerprint, is stored on the RFID card, then both the card and its transmissions must be encrypted.

The bill also mandates that users be able to override the RFID card’s standard operation if they are uncomfortable with the wireless transmission of their PII. All government-issued RFID cards that contain PII would be required to have “an access control protocol that enables the holder to exercise direct control over any transmission of the data using radio waves.” In other words, the user must have the option to use the card without its continuously transmitting data wirelessly, for example by requiring physical contact between card and reader for the transfer, or by having the card broadcast its data only when the holder activates it.
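To make the requirements in the two paragraphs above concrete, here is an added illustration, not the bill’s text and not the firmware of any real card: a toy card/reader exchange in which the reader must prove knowledge of a key before the card releases anything, PII travels only as authenticated ciphertext, and the holder’s activation gates every transmission. The agency-provisioned symmetric key, the message layout, the use of HMAC-SHA256 as a stand-in for a real cipher, the class and function names, and the sample record are all assumptions of this example.

```python
"""Model of the three protections the bill describes: authentication
between card and reader, encryption of PII in transit, and a holder-
controlled switch over any transmission. Illustrative only; every name,
key and message format here is an assumption, not the bill or a real card."""
import hashlib
import hmac
import json
import secrets


def _prf(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 as a pseudorandom function for proofs and key derivation.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Counter-mode keystream built from the PRF. Assumption: a stand-in for
    # a real block cipher so the example runs on the standard library alone.
    stream = b"".join(_prf(key, nonce, i.to_bytes(4, "big"))
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ct = _keystream_xor(key, nonce, plaintext)
    return ct + _prf(key, b"tag", nonce, ct)  # encrypt-then-MAC


def decrypt(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"tag", nonce, ct)):
        raise ValueError("bad tag: not from a card holding the issuer key")
    return _keystream_xor(key, nonce, ct)


class Card:
    def __init__(self, key: bytes, pii: dict):
        self.key, self.pii = key, pii
        self.holder_enabled = False  # the holder's direct control over transmission
        self._challenge = None

    def activate(self) -> None:
        # Holder taps/presses to permit exactly one exchange.
        self.holder_enabled = True

    def challenge(self):
        if not self.holder_enabled:
            return None  # stays silent: no radio transmission without the holder
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def respond(self, reader_proof: bytes, reader_nonce: bytes):
        expected = _prf(self.key, b"reader", self._challenge, reader_nonce)
        self.holder_enabled = False  # one transmission per activation
        if not hmac.compare_digest(reader_proof, expected):
            return None  # unauthenticated reader receives nothing
        session = _prf(self.key, b"session", self._challenge, reader_nonce)
        return encrypt(session, self._challenge + reader_nonce,
                       json.dumps(self.pii).encode())


class Reader:
    def __init__(self, key: bytes):
        self.key = key

    def read(self, card: Card, transcript: list):
        # transcript collects what an eavesdropper on the radio link would see
        c = card.challenge()
        transcript.append(("card->reader", c))
        if c is None:
            return None
        rn = secrets.token_bytes(16)
        proof = _prf(self.key, b"reader", c, rn)
        transcript.append(("reader->card", proof + rn))
        blob = card.respond(proof, rn)
        transcript.append(("card->reader", blob))
        if blob is None:
            return None
        session = _prf(self.key, b"session", c, rn)
        return json.loads(decrypt(session, c + rn, blob))


# Constructed sample data; the issuer key is assumed to be provisioned by the agency.
PII = {"name": "Ana Example", "ssn": "000-00-0000"}
ISSUER_KEY = secrets.token_bytes(32)


def legitimate_read():
    card = Card(ISSUER_KEY, PII)
    card.activate()
    transcript = []
    return Reader(ISSUER_KEY).read(card, transcript), transcript


def rogue_read():
    card = Card(ISSUER_KEY, PII)
    card.activate()
    return Reader(secrets.token_bytes(32)).read(card, [])  # reader lacks the key


def read_without_activation():
    return Reader(ISSUER_KEY).read(Card(ISSUER_KEY, PII), [])


def transcript_exposes(transcript: list, value: str) -> bool:
    return any(m is not None and value.encode() in m for _, m in transcript)
```

Run as written, the legitimate reader recovers the record, a reader without the key gets nothing, a card the holder has not activated never answers, and the transcript an eavesdropper could capture carries the name and number only as ciphertext. A real deployment would use a standard block cipher and should prefer per-card or asymmetric credentials so that one compromised reader does not expose the key for every card; the example stays on the standard library so it runs offline.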

In addition to these safeguards, the bill would require governmental agencies to notify all users of the RFID cards of the risks of the technology, the “countermeasures” that have been implemented, and the locations of all card readers, so that users know where and under what circumstances their data may be transmitted.

The IIPA also has teeth: it provides for criminal penalties, including imprisonment for up to one year and/or a $5,000 fine, for intentionally intercepting transmissions or reading a person’s RFID card without that person’s knowledge or consent. The bill contains a safe harbor for inadvertent receipt of data transmissions from RFID cards, as long as the information is not used for any purpose and is destroyed.

The potential passage of this bill into law raises many interesting questions:

  • Who will pay for the implementation and maintenance of these safety measures? The bill itself says that “no reimbursement [by the Legislature of any state agencies or local government] is required.” Thus, it will be up to each governmental entity to find room in its own budget for these new protections.
  • Will these increased costs discourage future adoption of RFID technology?
  • Is this bill overkill? In other words, is there enough of an existing security risk to justify requiring governmental agencies to take these protective measures?
  • On the flip side, is this bill an appropriately timed preventative measure? In other words, will it give users of RFID technology a leg up over would-be identity thieves, who may not as yet have focused on how to crack it, given that use of the technology is still in its relative infancy?
  • Can a law regulating the use of RFID technology by private businesses be far behind?

If Governor Schwarzenegger signs the IIPA into law, expect these questions and others to be hotly debated in the coming years.