California Legislature Passes Legislation Regulating RFID
The California Senate yesterday passed, by a 30 to 7 vote (all 7 opposing votes cast by Republicans), legislation that would impose the most sweeping security regulations to date on the use of RFID in certain public applications. The bill had already passed the State Assembly, so it is ready for Governor Schwarzenegger's signature or veto.
The legislation, sponsored by Senator Simitian (ironically, from technology hub Silicon Valley), is a reaction to fears that RFID is an unsafe technology that will make it easier for hackers to gain entrance to buildings that use RFID-enabled ID cards, or to steal personal information embedded in RFID-labeled documents.
The solution, according to the legislation, is to require, by statute, that certain "privacy protecting" measures be taken when RFID-enabled systems are used, including:
1) Requiring mutual authentication between the card and the reader in circumstances where there may be an electronic transfer of personal information;
2) Allowing the card holder to "opt out" of having the information read wirelessly from the card, by means of a "switch" to turn off the wireless mechanism, a manual key pad at doors so ID numbers can be entered manually instead of wirelessly, or an authorized guard at each entrance who can visually inspect ID cards for accuracy and authenticity;
3) Requiring public entities that use RFID-enabled systems to notify card holders that their ID card could create a risk of their identity being stolen, to provide them a list of every scanner location and what information is gleaned from the card at those locations and for what purpose, and to create a website (updated regularly) where RFID card holders can look up the locations of all scanners that will read their card;
4) Allowing "victims" of data theft resulting from a hacked RFID card to seek legal restitution against the government agency that put the RFID system in place.
After imposing all of these new requirements that will supposedly make us all safer, the legislation then asks for a study to determine what the risks of RFID are, along with recommendations for comprehensive privacy and security standards to defend against those risks.
In other words, shoot first -- ask questions later. Has there been a problem of hackers stealing personal information from RFID-enabled ID cards? I suspect there has been far more ID theft from publicly owned online databases, or stealing credit card information from the mail.
Why not pass a law stating that restaurant employees have to swipe your card at the table, instead of taking it out of your sight, to minimize the risk that they will steal your data? Or requiring that they not look too long at your driver's license, so they can't memorize your address or other personal information? Is that too far-fetched?
Because the bill provides no financial compensation to local governments, transit authorities, public schools, state parks, public utilities, or other entities required to follow these rules, the cost of implementing a new RFID system will be significantly higher and riskier than it is currently -- and certainly more expensive than other methods of ID authentication.
Do you think a library or public utility is going to pay someone to stand at each entrance to look at ID cards as employees enter, so they don't have to risk having a hacker nearby with a high-powered scanner stealing their information during the 2 seconds that their ID card is waved in front of the door reader? It's kind of silly.
Instead of making RFID safer to use, the more likely scenario is that different solutions will get a second look - to avoid the cost and risk of deploying an RFID system. Or, they will keep their existing RFID card systems in place, since they are grandfathered and don't need to comply with the new rules.
So, while RFID technology and the surrounding security continue to get better and stronger as innovation and competition drive better products, California entities will be glued through 2012 to the systems that exist today (or they will be forced to look for non-RFID systems that may be less secure in order to circumvent these new rules).
And while the new rules will apply only to certain government functions (indeed, there are exceptions carved out for prisons, certain hospital situations, juvenile facilities, etc.), there could very well be implications for private sector customers as well. Why upgrade to an RFID system that the state of California, by legislation, has deemed a risky technology requiring specific regulations to prevent identity theft? Will the new legal liability outlined in the Simitian bill be extended to private sector systems? It's certainly not inconceivable.
Governor Schwarzenegger has to decide whether to sign or veto this legislation within 30 days. Surprisingly, many of the organizations representing the IT and RFID industries have given their blessing to the Simitian legislation. The Security Industry Association opposes it -- and no one else with a stake in the outcome has expressed any position at all.
The bill is certainly an improvement from where it began -- the original version, for example, imposed a 3-year ban on RFID systems pending the study and would not have grandfathered existing RFID systems. But just because the legislation is "less bad", it doesn't mean that it is "good". The IT and RFID industries in general have given Governor Schwarzenegger very little justification for vetoing legislation that passed by significant margins, when most of them are not even opposing the legislation themselves. The only hope is that companies who have not been at the negotiating table speak up about why the legislation would make us less safe, rather than safer, or that customers who use RFID systems speak up about the impact this legislation might have on them.
It would not be unreasonable to ask questions and get information about the risks and benefits of an emerging technology like RFID. But to impose pre-emptive security standards in the hope that it will reduce hypothetical risks, without considering the advantages of RFID over existing systems, seems like putting the cart before the horse.
One element that seems insanely stupid to require is listed above as #3 - requiring the posting of all scanner locations - web site to detail this as well, etc.
Depending on the technology used in the cards - why would you want to detail, for all to see, the areas that if "foiled" would permit access to these "public" places?
Isn't that akin to a bank publishing its floor plan and security layout for all would be thieves to use?
Why not just throw the doors wide open and require free daily tours of the cash vault by all with zero surveillance?
And - if the purpose is avoiding identity theft - why publish the scanner layout where someone might try to develop some specific scanning equipment that can zero in on a specific location to record the card to legitimate scanner transmission?
Once recorded - duplicates can be produced giving the copier the access rights of the legitimate person. What if this was an airport? Military base? Government biological testing center?
Point is that other than the outermost entrance that maybe is readily known - all other scanners should not be publicized, particularly for sensitive locations.
Another point may also be that truly high security/sensitive locations utilize multiple security measures including those not easily copied - such as biometrics. Also, rather than cards where potentially the transmission from card to reader is wide open - various protocols are employed that outside of the few-centimeter range can NOT be read or copied or scanned surreptitiously.
Regards,
Damon McDaniel
You've hit the nail on the head. All are good points and reinforce the problems with this legislation; good intentions notwithstanding.
We all know what road is paved with good intentions...
and we all know the path to having the whole population chipped starts with vetoing laws like this. I really can't wait until the government tracks our every movement. I'll definitely feel safer from the terrorist that the government sponsored then. You all just want everyone and everything chipped so you'll make a huge profit off the industry which you'll create through massive lobbying that will allow laws passed making RFIDs mandatory. I personally don't want our children growing up in this kind of world. The path to hell is paved with greed, corruption, and lust for power. May God show no mercy on your souls.
Damon,
We should of course always be hesitant to regulate as it often backfires and is abused. Without suggesting to regulate or not, I would add three key issues to the debate.
a) Passive RFIDs with transfer of control and able to operate without leaking identifiers are both possible and en route to mass production.
See www.rfidsec.com and my presentation at the EU RFID Consultation on Security.
http://www.rfidconsultation.eu/docs/ficheiros/Stephan_J_Engberg.pdf
b) But - however strong the crypto is - if a user is automatically identified (through RFID or biometrics), you create a serious vulnerability for Identity Theft. In RFID, Identity Theft using a Mafia Fraud Attack is a serious risk that is almost impossible to protect against.
As such we strongly recommend NEVER to use RFID for Person Id. This also applies even to the strong crypto described in my talk because these kinds of attacks do not need to read the content, they merely extend the signal to successfully impersonate the security-cleared user.
We need much better and user-controlled identity management, especially focussing on the ability to create and maintain NEW keys for the purpose in order to achieve revocable security balancing between protecting the citizen and protecting others against the citizen.
When debating Person Identity, it is important to realise that the debate on National Id is misled. A single or many identifiers doesn't change anything if they are all identified and easily linked - that is the lesson the US is learning now through REAL-ID.
The issue is not if you should have accountability (according to the situation), but to ensure that a certified accountable Id (a national id) can be inherited into purpose-specific keys with balanced controls, i.e. non-linkable until the citizen has provenly violated the rights of others.
The root problem is of course how to do this without a trusted party, as no parties are inherently trustworthy unless the design is verifiably secure (and since nothing is 100% verifiably secure you need to work with fallbacks just in case).
But since Identity is by far the most critical aspect of any society, this is not a place to jump the low fence.
c) The requirement to accept open interfaces for alternative secure wireless identity is important.
We should be careful to regulate against market-driven security innovation to solve the obvious problems in hasty and insecure standards being pushed to uses they are not ready for.
An example is biometrics, where an easy move to on-card biometrics only is critical EVEN if some think that the need for short-term use of unsecured biometrics overrides the security threats.
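The relay scenario the comment above calls a Mafia Fraud Attack, as an added example that is not from the original post or any of its commenters: a toy mutual-authentication exchange built on HMAC (the mechanism the bill's item 1 mandates), with a relay that forwards each message unchanged and holds no key. The card, reader, shared key and card ID are constructed for the demo.

```python
import hashlib
import hmac
import os

SHARED_KEY = b"constructed-demo-secret"  # constructed: provisioned to card and reader
CARD_ID = b"EMPLOYEE-0042"               # constructed

def tag(key, *parts):
    """HMAC-SHA256 over the joined parts; stands in for the card's crypto."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

class Card:
    """Genuine card: answers the reader's challenge, then checks the reader."""
    def __init__(self, key, card_id):
        self.key, self.card_id, self.nonce = key, card_id, None
    def respond(self, reader_nonce):
        self.nonce = os.urandom(16)
        return self.card_id, self.nonce, tag(self.key, b"card", self.card_id, reader_nonce, self.nonce)
    def accept_reader(self, reader_nonce, reader_tag):
        return hmac.compare_digest(reader_tag, tag(self.key, b"reader", self.nonce, reader_nonce))

class Reader:
    """Door reader: verifies the card's tag, then proves its own key."""
    def __init__(self, key):
        self.key, self.nonce = key, None
    def challenge(self):
        self.nonce = os.urandom(16)
        return self.nonce
    def verify_card(self, card_id, card_nonce, card_tag):
        expected = tag(self.key, b"card", card_id, self.nonce, card_nonce)
        if not hmac.compare_digest(card_tag, expected):
            return None  # wrong key or replayed tag: deny
        return self.nonce, tag(self.key, b"reader", card_nonce, self.nonce)

class Relay:
    """Relay ('Mafia fraud'): one proxy at the door, one near the victim's card,
    forwarding every message unchanged. Holds no key, decodes nothing."""
    def __init__(self, distant_card):
        self.distant_card, self.key = distant_card, None
    def respond(self, reader_nonce):
        return self.distant_card.respond(reader_nonce)
    def accept_reader(self, reader_nonce, reader_tag):
        return self.distant_card.accept_reader(reader_nonce, reader_tag)

def run_session(reader, card_like):
    """One mutual-authentication exchange; True means the door opens."""
    card_id, card_nonce, card_tag = card_like.respond(reader.challenge())
    proof = reader.verify_card(card_id, card_nonce, card_tag)
    return proof is not None and card_like.accept_reader(*proof)
```

A wrong key is rejected, yet the relay passes, because nothing in the exchange ties the card's physical position to the reader; closing that gap, not lengthening the key, is what a countermeasure has to do.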