Search Joe's Website

Background Information

NEED FOR THE BILL – 7 Reasons for California to Curb and Control its Use of RFID

• Privacy is an inalienable right under the California Constitution.  As such, state government has a specific responsibility to protect it, and must meet a higher standard when its actions violate it.
• RFID poses clear privacy and information security risks that threaten individual and public safety.  Unprotected RFID systems can be easily compromised, which exposes device holders to privacy violations, identity theft, property theft, surveillance, stalking and tracking, and other serious harm. Even protected RFID systems have been hacked, some in a matter of minutes.
• Government is currently using unprotected RFID-enabled devices for human identification in California.  Unprotected RFID is already being used in state higher education institution IDs and the California Assembly and Senate ID cards.
• Citizens are compelled to carry these unprotected IDs, which expose them to risk.  Unlike a cell phone or key fob, you can’t shop around for a better, less risky government-issued ID card.
• California lacks even minimum safeguards for RFID-enabled, government-issued identification documents. Neither existing statute nor current practice requires protections against the threats posed by the inclusion of RFID in government-issued IDs.
• Independent sources agree RFID should be used judiciously, if at all, in government-issued human identification. Independent researchers, and several federal government reports, have concluded that using RFID in government-issued human identification is at best, problematic, and in many cases, inadvisable.
• Operational problems mean RFID’s benefits in government-issued human identification aren’t worth the risk. The risks of RFID might be worth it if we got something great out of it – like increased reliability.  But government studies of RFID indicate significant problems with reliability.  In fact, in tests of the US-VISIT program at the border, researchers found the RFID system correctly identified vehicles 14 percent of the time at one check-point and only 4 percent at another.  As a result of these failures, the Department of Homeland Security has said it will pull RFID-enabled devises from the US–VISIT program.

THE SOLUTION: SB 30

• SB 30 Applies Existing, Widely-Accepted State Privacy Principles to Government-Issued IDs—Consistent with the most widely-accepted, baseline privacy practices and standards, SB 30 would extend existing state information practice principles to Radio Frequency Identification(RFID)-enabled ID cards used by state and local government.  Specifically, SB 30 would improve:
  • Security—Require that RFID-enabled, government-issued identification cards contain protective features to ensure the security and privacy of their users.  These protections are necessary because identification cards contain, or can be traced to, personal information that can be used to harm individuals.
  • Notice—Require that RFID-enabled, government-issued identification cards are issued with educational materials that tell users where they can expect to encounter the technology, how to protect themselves from risks such as identity theft and behavior monitoring, and what personal information is being collected and stored.
• It’s Narrowly Tailored—The privacy protections mandated by SB 30 apply only to RFID-enabled, government-issued identification documents such as driver’s licenses, employee ID cards, and public benefit cards. State and local governments would be free to use less well-protected RFID-enabled devices for any number of other innovations, including: supply chain management, document, container, and vehicle tracking, controlling and testing for hazardous and toxic materials, among others.
• Contains Sensible Exemptions—SB 30 contains reasonable exemptions for RFID-enabled identification systems that are already in place, and for those in corrections, medical, and emergency scenarios.
• Prohibits and Punishes Bad Behavior—Consistent with existing state law, SB 30 would makes it illegal to disclose RFID system keys.
• And Just for Good Measure—SB 30 requires the California Research Bureau, in consultation with government, industry, and privacy rights stakeholders and experts, to explore the privacy and security issues associated with RFID-enabled identification devices and to report back to the Legislature with recommendations.

Related Pages: Privacy, 2007-2008 Legislation, SB 30: Identity Information Protection Act of 2007