California bill would limit state's use of RFID in identification cards

By David
August 10, 2005

With things relatively quiet in Washington just now (it is August, after all), we have a chance to take a closer look at an interesting law that is pending in the California legislature: S.B. 682, Senator Simitian’s “Identity Information Protection Act.” The bill has two main purposes:

1. Prohibit the inclusion of “contactless integrated circuit” devices or other devices that use “radio waves to broadcast personal information to be read remotely” (i.e., RFID technology) in state-issued driver’s licenses, student ID cards (K-12), healthcare and other benefit cards, and public library cards.

2. Require significant security measures with respect to the use of RFID technology in all other state-issued ID cards, including provisions for strong encryption, authentication measures, and shielding devices.

The bill also requires that holders of IDs that do employ RFID technology be given notice of several things: the fact that the ID contains an RFID device, countermeasures (e.g., shielding) that an individual may use for greater protection, the location of all readers intended to be used by the authority that issued the ID, and specifics on just what information is being collected or stored when the RFID device is being read or accessed.

This bill could also prove interesting with respect to federal government implementation of the Real ID Act (which USACM was quite active on), for some anticipate that Real ID’s implementation rules, once promulgated by DHS, will include specifications for including RFIDs on the new cards called for by the act.

As far as the bill’s prospects go, according to the ACLU of Northern California (who support the bill), it “passed the California Senate [in May] with bipartisan support, but many in the industry are working very hard to kill it.” The bill is now in committee in the state Assembly, and a committee hearing is scheduled for August 17 (with a floor vote possible the week following). We will, of course, update this post (or create a new one) as events warrant.

In other RFID-related news, Bruce Schneier has a good post on his weblog commenting on the State Department’s efforts to include RFID technology in U.S. passports.