SB 768: RFID Protections for Government IDs (2005)

Summary

RFID devices are tiny chips with miniature antennae that are embedded within documents or objects for tracking and identification purposes.  When an RFID reader emits a radio signal, all RFID-enabled devices in the vicinity respond by automatically transmitting their stored information to the reader.

RFID is promising, but not without risks.  RFID has many useful and promising applications, such as inventory tracking and automatic toll-road payment systems.  At the same time, however, it can pose serious privacy and security threats.  When an RFID device is embedded in an identification document, for example, the information on it can be scanned at a distance and without notice to the holder.  Without adequate protections, unauthorized readers can surreptitiously read and skim the personal information stored on a device (such as a birth date, digital picture, or unique identifier number), all without the knowledge of the RFID holder.

Had Gov. Schwarzenegger not vetoed the bill, SB 768 would have required state and local governments to ensure that government-issued RFID-enabled devices include some basic privacy and security protections, and would have made it a crime to steal someone’s information with an RFID reader.

For more information, you can read the SB 768 "Fact Sheet" prepared by a member of Senator Simitian's staff.

Final Status and Text

SB 768 is no longer active. Its final status was:
Vetoed by the Governor

You can read its final text on the Legislature's Bill Information site.

Background Information

Why Was SB 768 Needed?

  • Clear privacy and security threats have been identified.  The technology and business communities, independent researchers, and several government agencies all agree that using RFID in government IDs with few or minimal protections poses serious privacy and security threats.
  • The hacking of the encryption scheme used by the Dutch RFID passport demonstrated the threat of identity fraud.
  • Successful hacks of the ExxonMobil key fob, the VeriChip human RFID implant, the California State Capitol building access system, and the new RFID passports have all shown how easy it is to clone poorly protected RFID devices and compromise RFID-dependent security systems.
  • Other privacy issues, according to the nonpartisan Government Accountability Office (GAO), include “notifying individuals of the existence or use of the technology; tracking an individual’s movements; profiling an individual’s habits, tastes or predilections; and allowing for secondary uses of information.”
  • Because a person’s RFID ID can be read from a distance and without that person’s knowledge as he or she enters a building, walks down the street, stands at a political rally, or visits a gun show, the privacy office of the Department of Homeland Security warns, “RFID may convert identification-based security into an effective surveillance program of all people passing certain locations.”
  • No minimum safeguards or standards are in place in the state. Neither existing statute nor current practices require protections against the threats posed by the inclusion of RFID in government-issued IDs, such as a driver’s license, a student ID, or a health card.  To make matters worse, competing RFID vendors have sometimes obfuscated risks and sold products with little or no security in an effort to sell the cheapest product.  From local elementary schools to state agencies impacting millions of Californians, RFID is being included in identification documents with no minimum safeguards or standards in place.
  • The public’s confidence in RFID and government-issued IDs is at risk.  In just the last two years, it has been revealed that numerous high-profile deployments of RFID technology, including those listed above, have lacked proper protections for privacy and security.  As a result, public concern and unease with RFID technology, especially when used in government-issued IDs, have become more widespread.  In order to restore the public’s trust, people have to know that appropriate safeguards have been and will be implemented.  By requiring the use of basic safeguards, SB 768 is essential to rebuilding the public’s trust in RFID technology and its use in government-issued IDs.

What Would SB 768 Have Done?

  • SB 768 would have put in place basic, commonsense safeguards to protect people’s privacy and security.  SB 768 required state and local governmental entities that issue remotely readable identification documents (IDs) using radio-frequency identification (RFID) chips (1) to include protective features on the chips to ensure that people know who can access their information and when, and (2) to give ID holders notice about the technology and the location of readers.  The measure also mandated additional protections, such as encryption and on/off capacities, for remotely readable IDs that transmit sensitive personal information and for IDs that are used for multiple applications, commensurate with the level of security required.  Existing RFID systems were exempted from the provisions of this bill, as were other IDs used in corrections, medical, and emergency scenarios.
  • SB 768 prohibited and punished bad behavior.  SB 768 made it a criminal misdemeanor to “skim,” or remotely read, a person’s government-issued ID for the purpose of reading the ID without that person’s knowledge and prior consent.  Compromising the privacy and security safeguards required under SB 768 through unauthorized disclosures would have also been punished by strict criminal penalties.
  • SB 768 established a process for obtaining continuing expert guidance.  SB 768 required the California Research Bureau, in consultation with government, industry, and privacy rights stakeholders and experts, to further explore the privacy and security issues associated with remotely readable IDs and report back to the Legislature with recommendations.

News and Reports