
SB 682: Identity Information Protection Act (2005)

Summary

(Note: The bill did not pass in this form.)

SB 682 (2005) would have prohibited any person or entity from intentionally reading a person’s government-issued identification document (ID) remotely using radio waves without the knowledge of that person.  The bill included strong criminal penalties for anyone violating the statute.

SB 682 would have required a governmental entity that issues IDs that can be read remotely using radio waves to provide the following basic security protections for the holders of those IDs:

  1. Limiting the remote transmission of any personal information other than a unique identifier number.
  2. Robust encryption to protect against the unauthorized reading of transmitted information.
  3. Mutual authentication to ensure as best as possible that only those who are supposed to have access to the data stored on the ID can read it.
  4. An additional security feature to ensure that the ID cannot be read unless the ID’s holder specifically authorizes that reading.
  5. Written notification:
    1. That the ID can communicate information using radio waves.
    2. That the use of shield devices can help mitigate the privacy and security risks associated with the ID.
    3. Of the location of readers intended to be used to read the ID.
    4. Of the information that is being collected or stored regarding the individual in a database in conjunction with the ID.

SB 682 recognized that there are cases in which IDs do not need to meet the above five security standards and would have exempted the corrections system, emergency first responders, ID bracelets used in medical facilities or for emergencies, door/garage access cards, and automatic toll-bridge collection systems from having to meet most or all of those security standards.  SB 682 also would have exempted all systems currently in use by state, county, or municipal governments from the provisions of the bill.

Because of the unique security and privacy problems associated with mass-distributed government IDs and the existence of more secure, equally cost-effective alternatives, SB 682 would have limited drivers’ licenses, K-12 student ID cards, government health and benefit cards, and public library cards from communicating personal information via radio waves for three years from the date the bill was enacted.

Final Status and Text

SB 682 is no longer active. Its final status was:
Did not pass the Legislature

You can read its final text on the Legislature's Bill Information site.

Background Information

Contactless integrated circuits are tiny devices connected to miniature antennae. When a circuit reader emits a radio signal, the devices in the vicinity respond by transmitting their stored information to the reader.  When the devices are used to encode a person’s personal information, the devices do not alert that person that his or her personal information, such as a birth date, digital picture, or unique identifier number, is being transmitted.

California has long recognized the importance of protecting the confidentiality and privacy of an individual’s personal information contained in identification documents.  Existing legislation, however, does not adequately guard against the threats posed by the inclusion of contactless integrated circuits or RFID containing personal data in government-issued identification documents, such as a driver’s license, a student ID, a health card, or a library card.  From local elementary schools to the U.S. State Department, RFID is being included in identification documents without first establishing a rational policy to protect people’s privacy and security.

Problem:

Several security and privacy issues exist that are related to federal and commercial use of RFID technology.  The security of tags and databases raises important considerations concerning the confidentiality, integrity, and availability of the data on the tags, in the databases, and how this information is being protected … Among the key privacy issues are notifying individuals of the existence or use of the technology; tracking an individual’s movements; profiling an individual’s habits, tastes or predilections; and allowing for secondary uses of information.  While measures to mitigate these measures are under discussion, they remain largely prospective.
—GAO Report, Information Security: Radio Frequency Identification Technology in the Federal Government (May 2005)

[T]agging junior high school kids becomes a form of indoctrination into an emerging surveillance society that young minds should be learning to question … Widespread adoption of human-tracking devices should never be embraced without serious and prolonged discussion at all levels of society.
—The Editors, Scientific American (May 2005)

Numerous security and privacy threats posed by using RFID in IDs have been identified by the government, independent researchers, and the technology industry:

  • Identity theft: If sensitive personal information, such as a person’s name or Social Security number, is encoded on the ID and is not adequately protected, anybody with a compatible reader who is within range can steal the information and use it to imperil a person’s safety, financial security, and privacy.
  • Tracking: Any information that is transmitted remotely—including just a random number—which is static and unique to an ID permits tracking.  Connecting a person to an identifier number can happen by accessing a database either legally or through unauthorized means, by video camera, or by close-range recognition.  Subsequent sightings of that identifier number or stored records of when that identifier number was sighted at a particular place in time can then be linked to the individual.  Recent U.S. State Department testing showed that even IDs with an intended read range of just 4 inches can actually be read from 2-3 feet away with modified readers.  That is more than enough distance to allow an individual’s ID to be read surreptitiously as he or she walks through a doorway or hallway, sits at the airport, stands at a political rally, or visits a gun show.  The disclosure that since 9/11 the Transportation Security Administration has been collecting extensive personal information about airline passengers through unauthorized means highlights this threat.
  • Profiling: Profiling is the reconstruction of a person’s movements or transactions over a specific period of time, usually in order to become better acquainted with a person’s more private affairs. Because IDs can contain unique identifier numbers, once a number is associated with a particular individual, personal identifiable information can be obtained and then aggregated to develop a profile of the individual.  Consumers have raised concerns about whether certain collected data might reveal personal information such as medical predispositions or personal health histories—for example, when, where, and how often one went to a particular medical or mental health facility.
  • Security failure: The ultimate success of countermeasures against the threats associated with the use of RFID depends almost entirely on two factors: (1) nobody who is in a position to compromise the security measures actually does so and (2) all levels of government refrain from abusing a tool that enables them to collect unprecedented quantities of information on people.  Countless cases from the last few years of insider corruption or carelessness at state DMV offices and of sophisticated government surveillance on citizens cast doubt on a security strategy relying so much on these two factors.

There are additional special threats particularly associated with mass-distributed contactless IDs that everyone uses and everyone regularly carries around with them:

  • Key management: Unlike with other technologies, addressing the security and privacy risks associated with radio frequency technology in government IDs depends almost entirely on the use of such countermeasures as unique identifier numbers, encryption, and mutual authentication.  The more layers of protection that are implemented, however, the more complicated the architecture of the security system becomes and the more opportunities for failure are created.  In a mass contactless ID system of millions of IDs, thousands of authorized persons and readers would need to know the name and personal information that goes with the unique identifier number and so would need to access the central database where that information was stored; they would need to know how to decrypt the information and so they would need the encryption key; and they would need the authentication key to know if a person truly was who he or she claimed to be.  With so many secrets known to potentially thousands of people, there would be good reason to doubt whether these secrets could be kept for long.
  • Comprehensive tracking infrastructure: The possibility that everyone could be carrying around and using the same kind of contactless ID could create the incentive to implement a comprehensive tracking infrastructure in which people’s movements are captured and recorded by readers as they go through the airport, get off a train, visit a hospital or museum, drive on the highway, or shop at a store. 
  • Function creep: The history of the Social Security number gives ample evidence of how a random unique identifier developed for one specific use and originally related to a person only in some database has become a mainstay of identification for numerous other purposes.  The use of a common contactless ID for commerce especially has the potential to undermine data protection features, as it will spread bearer data more widely across divergent and less secure systems.
  • Reliability of countermeasures: Most security countermeasures, such as encryption, mutual authentication, basic access control, and shield devices, have never been deployed together in a mass contactless ID system.  Their effectiveness has not withstood the test of a real-world deployment.  Recently, a team of Johns Hopkins University security researchers successfully defeated the security on Texas Instruments Digital Signature Transponders, RFID devices widely deployed in ExxonMobil Speedpasses and automobile anti-theft devices.
  • Infeasibility of a mass recall: As the recent massive credit card data breach showed, in the event millions of drivers’ licenses were compromised, it would be nearly impossible, as well as extraordinarily expensive, to recall and replace them.

Need for the Bill:

Given the serious security and privacy risks of radio frequency technology in government-issued IDs, a rational policy is needed to capture the potential benefits of the technology while not rushing into implementation of untested schemes with still questionable security protections.  No such policy safeguarding people’s privacy and security currently exists.

The goal of SB 682 is to establish such a policy by requiring robust security and privacy protections today for most government-issued contactless IDs, but drawing a line at this point in time around a few highly sensitive IDs where there is no need to implement the technology because of more secure, equally cost-effective alternatives (such as contact-required smart cards and optical scan cards) and where relying on unproven security countermeasures in an untested security system is an invitation for widespread identity theft, personal data breaches, and unauthorized tracking.

 


News & Press Releases about SB 682

08/19/2011 - Simitian's Consumer Privacy Protection Bill Passed By Legislature, Goes to Governor For Approval

04/08/2005 - MEDIA ADVISORY: Press Briefing on Senate Bill 682 - Identity Information Protection Act of 2005