SB 31: RFID Skimming Ban (2007)

Summary

SB 31 is part of a 5-bill package Joe has introduced to address various concerns related to the government use of RFID (radio frequency identification). Although RFID has been around since World War II, government has recently begun incorporating it into IDs like driver’s licenses and passports. Citizens are then compelled to carry these devices, which broadcast personal information without the holder’s knowledge or consent and often lack meaningful privacy and security protections. As a result, government is forcing citizens to carry devices that compromise personal safety. SB 31 responds to this problem by making it illegal to “skim” (surreptitiously read and record) information from an RFID-enabled ID without consent, and by making it illegal to disclose RFID “system keys” (similar to a codebook).

After this bill passed the Legislature, Senator Simitian sent a letter to the Governor urging his signature on this bill.

For more information, you can read the SB 31 "Fact Sheet" prepared by a member of Senator Simitian's staff.

Final Status and Text

SB 31 is no longer active. Its final status was:
Signed into Law

You can read its final text on the Legislature's Bill Information site.

Background Information

WHAT IS RFID?

  • RFID devices are tiny chips with miniature antennae that are embedded within documents or objects for tracking and identification purposes. When an RFID reader emits a radio signal, the devices in the vicinity respond by automatically transmitting their stored information to the reader.
  • RFID is promising, but not without risks. RFID has many useful and promising applications, such as inventory tracking and automatic toll-road payment systems. At the same time, however, it can pose serious privacy and security risks. When embedded in identification documents, for example, information can be scanned off an RFID device at a distance and with no indication to the holder of the RFID device that any information has been remotely transmitted or recorded. Without adequate protections, unauthorized readers can surreptitiously read and skim the personal information stored on a device—such as a birth date, digital picture, or unique identifier number—all without the knowledge of the RFID holder.

WHAT IS SKIMMING?

  • “Skimming” is creating an unauthorized connection with an RFID tag in order to gain access to its data.

NEED FOR THE BILL

  • Clear privacy and security threats have been identified. Some examples of the vulnerabilities of RFID systems are:
    • Last year’s hacking of the encryption scheme used by the RFID-enabled Dutch passport, in which the hackers accessed critical biometric and personal information, demonstrated the potential for identity fraud.
    • Successful hacks of the ExxonMobil key fob, the VeriChip human RFID implant, the California State Capitol building access system, and the new RFID passports show how easy it is to skim and clone poorly protected RFID devices and compromise RFID-dependent security systems.

News & Press Releases about SB 31

08/08/2010 - Governor must weigh in on state's right to shield personal data

05/20/2009 - Privacy Piracy interview with California State Senator Joe Simitian, 11th District

10/01/2008 - Legislation Outlaws "Skimming" - Privacy Protection Signed Into Law

01/30/2008 - Senator Simitian Speaks on SB 31 - RFID Skimming Ban

01/30/2008 - Privacy Protection for RFID Documents Approved

08/30/2007 - Simitian Bill to Ban 'Tagging' Humans Closer to Becoming Law - "RFID" at Issue

06/26/2007 - State Senator Argues that RFID Technology Allows the Government to Track Your Whereabouts

06/25/2007 - Editorial: State needs law to protect personal data on chips

06/19/2007 - Raising privacy alarm over RFID chips

05/09/2007 - Call Kurtis: Hacking Into Secure Buildings

04/02/2007 - California lawmakers try again to create RFID protections

02/23/2007 - Is RFID Technology a Security Risk? (video)