Monday, 22 August 2005
Last-minute lobbying on California RFID bill
"Silicon Valley tech companies have launched an 11th-hour bid to stop state legislation" to regulate the use of secretly and remotely-readable RFID chips in identification documents issued by the state government of California, according to a report today in the San Jose Business Journal .
Despite being limited to California, the proposed regulations for RFID chips on government-issued ID documents would set an important precedent. This bill needs your support -- especially if you live in California -- in the face of this last-minute industry attempt to derail it. The Electronic Frontier Foundation (EFF) has a Web form to e-mail and fax your comments (customizable) on the bill to California's Governor and legislators.
SB 682 wouldn't affect the use of RFID in international travel documents (e.g. passports) or for interstate travel (e.g. registered traveller credentials for interstate airline travel), both of which are subject to the exclusive jurisdiction of the Federal government and international treaties.
As I read it, though, the bill would create significant privacy protections for RFID chip use in local travel documents such as those used for paying road and bridge tolls (e.g. Fastrak) or public transit fares (e.g. Translink).
Travel, toll, or fare payment documents aren't explicitly included in the list of types of "identification documents" covered by the law. But that list is explicitly not limiting, and travel documents used to establish the identity of the person travelling, so that the toll or fare can be charged to the proper personally identified account, would seem to fit the definition of "any document containing personal information that an individual uses alone or in conjunction with any other information to establish his or her identity."
There's a partial exemption for "An identification document that is part of a contactless integrated identification document system ... that is operational and in use prior to January 1, 2006" . That would appear to "grandfather in" Fastrak, but it's less clear whether that would apply to Translink, which is being used to collect actual fares, but only for a small sample of beta testers.
The most significant provision of the law makes it a crime to "intentionally remotely read or attempt to remotely read a person's identification document ... using radio waves, without the knowledge of that person." That clause applies even to existing insecure systems like Fastrak: governments are allowed to continue to use them, without additional security measures, for their current purposes. But no one else is allowed to read any personal information (including the unique and personally identifiable RFID chip number) without your knowledge.
As of now, there are no restrictions whatsoever, anywhere in the USA, on the collection, sharing, use, and sale of RFID tag data (unique chip number, time and place of reading, and any associated events) for any private or commercial purpose. Really the law should require consent, not just knowledge -- that's a huge loophole that would likely result in "Your RFID chip numbers may be read in this area" notices becoming so ubiquitous as to be useless -- but the bill as written is still an important start toward restrictions on the use of government-issued RFID tracking chips by travel compnaies, commercial data aggregators, and others to compile logs of our movements for their purposes without our knowledge.Link | Posted by Edward on Monday, 22 August 2005, 08:29 ( 8:29 AM)