FOR IMMEDIATE RELEASE    

October 1, 2008              



For More Information, Contact:

Sarah Mason at (916) 651-4011

Hema Sareen Mohan at (650) 688-6384

LEGISLATION OUTLAWS “SKIMMING” ––

PRIVACY PROTECTION SIGNED INTO LAW


SACRAMENTO – State Senator Joe Simitian’s legislation (SB 31) to outlaw “skimming,” the covert reading of personal information stored on RFID-enabled ID cards, was signed into law by Governor Arnold Schwarzenegger.  The bill makes it a crime to surreptitiously read information stored on tiny electronic devices known as RFID tags. 

RFID stands for radio frequency identification. It involves placing a “tag,” a tiny receptor device containing electronic information, on an object. The tag can be read by directing radio waves at it, which causes the tag to send back a signal containing the information.  The new law prohibits anyone from “reading” that information without the card holder’s knowledge and consent.

“The problem is real,” Simitian (D-Palo Alto) said.  “Millions of Californians use RFID cards to gain access to their office, apartment, condo, day care center or parking garage,” he added.  “Our passports now use the technology, and there is continued discussion about the possible use of RFID in drivers’ licenses.  Yet, up ’til now, there’s been no law on the books to prevent anyone from skimming your information, and it’s surprisingly easy to do.”

In a controlled experiment, “the card I use to access the State Capitol was skimmed and cloned by a hacker in a split second,” said Simitian. “Minutes later, using that clone of my card, the hacker was able to walk right into the Capitol through a ‘secure’ and locked entrance.”

Simitian said, “RFID technology is not in and of itself the issue. RFID is a minor miracle with all sorts of good uses.”  But, he notes, “It’s easier than ever to steal someone’s personal information.  With an unauthorized reader – technology that is readily available, off-the-shelf, and surprisingly inexpensive – it’s really quite simple to do.”

Given that situation, Simitian saw the need for legislation.  “Right now if someone steals your ID card, it’s a crime; but if they steal the information on your ID card by ‘skimming,’ it’s not. That makes no sense whatsoever,” Simitian said. “The problem is particularly serious because we’ve got millions of IDs and access cards out there with no limitation on the kind of information they carry, and no requirement that they use any of the privacy protection technology that’s readily available.”

“If you’ve been mugged, or even had your pocket picked, you know you’ve been a victim. You can take steps to protect yourself against identity theft,” said Simitian. “But if your personal information has been ‘skimmed’ without your knowledge or consent, you’re completely vulnerable.”

Simitian noted that, “While we’re having a robust debate about the privacy concerns associated with the use of RFID in identity documents, at the very least, we should be able to agree that stealing someone’s personal information by skimming is just plain wrong.”  Simitian also noted that, “The public will continue to resist emerging technologies until and unless we acknowledge and respond to legitimate concerns about privacy and security.”

Simitian began to look at the use of RFID in identification documents after an elementary school in Sutter, California required its students to wear identification badges that contained RFID tags that broadcast the students’ information.  Parents successfully petitioned the school to remove the RFID tags. 

Simitian’s efforts to provide privacy protections in connection with RFID technology have garnered support from an eclectic and sometimes unlikely mix of advocates.  Among them are the American Civil Liberties Union, Gun Owners of California, Privacy Rights Clearinghouse, Citizens Against Government Waste, California State Parent Teacher Association (PTA), Republican Liberty Caucus, and the National Organization for Women (NOW). 

“Just like Californians wouldn’t allow a stranger to sift through their wallet and take their driver’s license or want their children or grandchildren to tell passers-by on the street who they are or where they live, our private information must not be read at a distance without our knowledge or consent,” said Nicole Ozer, Technology and Civil Liberties Policy Director, ACLU of Northern California.  “By signing SB 31, Governor Schwarzenegger has taken an important step to safeguard the privacy, personal and public safety, and financial security of millions of families.”

SB 31 is the second Simitian bill dealing with RFID privacy protections signed into law; last year the Governor signed Simitian’s bill SB 362 to prohibit the forced implantation of RFID tags (“chipping”) in humans.  Simitian still believes, however, that what is needed is a broader privacy protection framework governing the use of RFID in government identity documents.  The Governor vetoed Simitian’s 2006 legislation (SB 768) which would have provided such protections.

Simitian’s additional RFID measure, SB 29, which addressed privacy concerns about the use of RFID in school identification documents, was vetoed by the Governor earlier this week.

RFID technology is decades old. But miniaturization in electronics has enabled it to be employed much more widely in recent years.  In their simpler forms, RFID tags can quickly identify objects, such as shipping containers or cattle.  The tags can also be used, however, on a variety of identification cards; everything from credit cards to student IDs.

These days, RFID technology is increasingly used to encode information on identification documents, such as driver’s licenses and passports. Businesses or schools may use it on ID cards for employees or students. On a health insurance card, it might not only identify the bearer, but provide essential—and deeply personal—medical information.

It is possible to encode tags with almost any type of personal information, including birth dates, social security numbers, addresses, driver’s license numbers, or bank account numbers.

Unlike swipe cards, which must be held close to a reader to register, RFID tags can be read automatically, without the bearer doing anything, or even noticing. Some can be read only from an inch or two, but others may be readable over several yards.

The bill makes exceptions for inadvertent scanning of RFID tags. It also permits various emergency medical services and law enforcement agencies to scan without a bearer’s permission to identify or assist an unresponsive person, or to solve a crime, as long as a search warrant has been issued.

Simitian chairs the Senate Select Committee on Privacy.

For more information about SB 31, please visit http://www.senatorsimitian.com.

###