RFID Law Blog

Several states, including California and Florida, are pursuing ePedigree requirements that may include RFID. There are also more than 20 states considering legislation to regulate RFID in some capacity. The role of the federal government versus that of the states is important for those in the RFID space to understand and determine how best to address their public policy interests. 

If you’re going to be in Washington, DC on Tuesday, June 17^th, you’ll want to check out “Congress vs. the States,” a business regulatory discussion being held at the McKenna Long & Aldridge LLP office at 1900 K Street NW. The event will be chaired by Lawrence Ebner, a partner at McKenna and presenters will include:

• S. William Becker, Executive Director, National Association of Clean Air Agencies
• Ronald A. Cass, Chairman of the Center For the Rule of Law and Dean Emeritus,Boston University School of Law
• Robin S. Conrad, Executive Vice President, National Chamber Litigation Center
• Michael S. Greve, John G. Searle Scholar, American Enterprise Institute for Public Policy Research
• Douglas T. Nelson, Executive Vice President and General Counsel, CropLife America
• Raymond C. Scheppach, Executive Director, National Governors Association
• David C. Shonka, Principal Deputy General Counsel, Federal Trade Commission

Registration is free, but make sure to RSVP here by June 9^th, as space is limited. You can view the complete agenda here.

| Posted By RFIDblogger In Drug Chain Security , Federal Legislation , Government Usage of RFID , State Legislation | Permalink | 0 Comments

Earlier today, RFID Update reported being tipped off by Washington State House of Representatives Speaker Pro Tempore Jeff Morris that Governor Chris Gregoire is expected to sign House Bill 1031 in law today. RFID Update’s article can be found here.

Considering that Representative Morris's effort to regulate RFID began with a much more onerous proposal to mandate certain security features and to ban certain RFID applications, this outcome should be considered a success for those interested in the future of RFID. The most important thing, I think, was changing the terms of the debate away from 'how do we regulate the product' to 'how do we regulate the behavior of those seeking to abuse the product'. That's a significant shift in the public policy world. Dan Mullen at AIM is right that, technically, the law is making illegal something that is already illegal - data theft. But this is by far the more desirable outcome than the other option, which looked likely only a year or so ago.

Visit our “State Legislation” section of the blog for more information about this subject.

| Posted By RFIDblogger In State Legislation | Permalink | 0 Comments

The EU is calling for “meaningful discussion” considering its draft legislation on how to regulate RFID. The pending text can be found here, and cites past forum discussions and the EU’s commitment to “privacy, data protection and security.”

| Posted By RFIDblogger In Europe , Privacy , State Legislation | Permalink | 1 Comments

Legislation approved Monday would prohibit public schools from requiring the implementation of radio-wave devices that broadcast students' personal identification and monitor their movement around campus.

The bill was introduced by Democrat Sen. Joe Simitian and passed in the Senate on a 28-5 vote. The State Assembly will still have to pass it, also.

"The reason we have this level of support is it is a narrowly crafted bill, Simitian told the Associated Press. "We're dealing only with mandatory use that tells parents they don't get to be in charge of their kids' personal information."

According to this article in The Register, since 2005, when a small elementary school in Sutter, California, tried to implement a similar RFID program, public opinion has soured for mandatory RFID child-monitoring. The bill provisions would expire in 2011, giving the state government four years to debate the implications of this topic. Despite the assertions of the article, I've seen substantial evidence that when parents understand and are comfortable with the way a school is using an electonic monitoring device like an RFID-enabled ID card to control access to school buildings or to monitor whether children are leaving school unsupervised, that there is broad support for such efforts. I don't know if Virginia Tech uses RFID-enabled access controls on their dormatories or classrooms, but if properly used it could have helped police identify faster who entered the building for the first shooting and potentially stop the one that followed 2 hours later.

More RFID bills led by Simitian are currently being sent through California committees. One bill places a similar temporary ban on RFID technology in California driver's licenses. Another would impose specifical technical mandates on any existing RFID-enabled government IDs, mandates supposedly designed to reduce privacy risk to card holders. Simitian also has led a bill that would restrict forced RFID chip implants in people.

It's not clear whether this collective effort is designed to make the public safer, or as a crusade against RFID technology. There are lots of technologies, in addition to RFID, that have similar track and trace capabilities and are being used in similar applications -- but the restrictions are targeted only at RFID. I don't know if the Senator is aware of the distinctions, or just considers the term "RFID" as a catch-all term that covers smart cards, magnetic stripe technologies, GPS, etc -- all are different, all can be used in similar applications, and all have pros and cons.

If this Senator or other lawmakers are concerned about protecting public safety, they might be better off looking at increasing penalties or enforcement against lawbreakers who steal identities, abuse personal information, hack computer systems, kidnap school children, counterfeit drivers licenses or other government documents, etc. Perhaps that would be more effective than targeting a specific technology.

| Posted By RFIDblogger In State Legislation | Permalink | 0 Comments

The 642,200 residents of North Dakota no longer have to lose sleep worrying about being implanted with an RFID chip against their will. This article from ComputerWorld reports that North Dakota has joined Wisconsin to become the second state to ban employers from forcing surgical insertion of RFID chips in their employees.

The ComputerWorld article also quotes Rep. Marlin Schneider, the sponsor of Wisconsin's bill, pleased with North Dakota's new law but also concerned that is does not go far enough, warning that private companies "will be able to monitor everything we buy, everywhere we go and, perhaps as these technologies develop, everything we say." Everything we say?! Since when?

Another article notes that California now has five pending RFID restriction bills, which are designed to separately reintroduce the notions proposed by state Sen. Joe Simitian and then rejected by Gov. Schwarzenegger in October of last year.

These are failures of the RFID industry to organize and mobilize in order to educate policymakers, who hold immense power to shape the industry and affect its growth. Maybe it's not possible to address representatives from each of the 50 states senates, but Simitian's district includes Silicon Valley. The industry can do better.

| Posted By RFIDblogger In State Legislation | Permalink | 0 Comments

Shortly after a Washington state bill restricting the use of RFID technology died earlier this month, the state of Washington and the Department of Homeland Security have teamed up to develop an RFID-embedded driver's license that can be used at border crossings in place of a passport and in accordance with the Western Hemisphere Travel Initiative.

DHS aims to reduce the number of documents, currently estimated at over 8,000, that travelers can use to identify themselves at border crossings.  However, Washington's RFID-enhanced driver's license will allow for an alternative identification document for people who do not have passports.

Participation in this program by Washington residents is completely voluntary. Luckily, HB 1031 won't be around to place haphazard restrictions on the way the technology will be used in the ID card. Rather, Washington residents themselves will speak their opinion of the technology, via their participation in the program or lack thereof, and the RFID industry will be able to adequately and appropriately respond -- let the market respond.

| Posted By RFIDblogger In Homeland Security , State Legislation | Permalink | 0 Comments

In February, Washington state legislators introduced a bill that would impose rules on how companies could deploy RFID and retain personal information gathered via the technology.  We were forwarded this article from the RFID Journal by Representative Morris, the sponsor of the Washington State legislation.

The legislation died Wednesday night, by failing to make it onto the Floor calendar for this year however interested parties should expect that this issue will not go away in Washington or anywhere else.

In contrast to the California legislation last year in which only a handful of IT companies and related organizations offered their view, in Washington state there was a large coalition that came together comprising of RFID businesses and their customers. Due to the concern that was expressed by this group, this helped in slowing down the legislation and ultimately assisted in its dismissal.

Below is the letter from the organizations and companies who were opposed to the legislation.

| Posted By RFIDblogger In State Legislation | Permalink | 0 Comments

March 10, 2007

To: Honorable Members of the Washington State House of Representatives

Re: Opposition to HB 1031- Electronic Devices

We respectfully ask you to oppose House Bill 1031 related to electronic communications devices and specifically the use of Radio Frequency Identification (RFID) technology. Burdensome regulation of emerging technologies like RFID is not in the best interest of Washington State which prides itself on innovation and technological development. Public policy decisions that restrict use of technologies create the potential to impede the current and yet unknown benefits of its use.

Our points of concern include:

• Overbroad definitions, such as “personal information” and “electronic communication device”
• Failure to distinguish between applications of RFID – retail use and secure identification documents
• Unnecessary and burdensome notification rules
• Requirements that may harm consumers
• Onerous burdens on small business

Successful deployment of RFID can bring significant benefit to Washingtonians; access for first responders in emergency situations, ease of secure identification, authentication of pharmaceuticals, better supply at local stores, lower product cost, and theft protection, to name just a few. We ask you not to move forward with this legislation and are available to provide you with further information on RFID technology.

Respectfully submitted,

AeA (American Electronics Association)
Alliance of Automobile Manufacturers
Amerisource – Bergen Corporation
Association of Washington Business
Bank of America
Cingular/AT&T Wireless
Comcast
EPCglobal Inc.
Food Marketing Institute
General Motors Corporation
Grocery Manufacturers Association/Food Product Association
HDMA (Healthcare Distribution Management Association)
Hewlett-Packard Company
HID Global
Infineon Technologies North America Corp.
Information Technology Association of America (ITAA)
Independent Business Association (IBA)
McKesson Corporation
Motorola
NACDS (National Association of Chain Drug Stores)
National Federation of Independent Business (NFIB)
Northwest Grocery Association
NXP Semiconductors
Pharmaceutical Research & Manufacturers of America (PhRMA)
Sprint/Nextel
Texas Instruments
Verizon Communications
Verizon Wireless
Washington Electronic Business and Telecommunication Coalition
Washington Farm Bureau
Washington State Hospital Association
Washington Restaurant Association
Washington Retail Association
WSA

| Posted By RFIDblogger In State Legislation | Permalink | 0 Comments

Earlier this month, state legislators in Wisconsin introduced a bill that would prohibit US currency or other documents to be embedded with RFID chips. This bill is brought to you by the same people who proposed and passed legislation in 2005 barring forced subdermal implantations of RFID chips.  Rep. Marlin D. Schneider (D-Wisconsin Rapids) introduced both pieces of legislation.

This bill falls under the Privacy Related - Extreme Privacy Bills type state legislation relating to RFID as per the breakdown previously mentioned in this blog.

This bill represents uninformed privacy legislation for several reasons. First of all, I have heard no official talk or even speculation of embedding RFID chips in US currency. It's hard to imagine that the cost-benefit of adding RFID to currency makes sense at the current prices and capabilities of the technology. Put this in the camp of legislation creating a solution to a problem that doesn't remotely exist yet.

It's bad enough to have Wisconsin AB 290 already on the books, legally ensuring that Wisconsin employers can't perform involuntary surgery on their employees in order to track them. The RFID industry needs to continue to educate policymakers and constituents on the reality of the technology. Evidently, there is still work to be done.

| Posted By RFIDblogger In State Legislation | Permalink | 2 Comments

As of this month, the state of Arkansas has joined the roughly two dozen other US states with legislation passed or pending relating to RFID technology. As per the classifications broken down earlier in this blog, Arkansas' SB 846 fits squarely in the Study Committee/Task Force type of legislation.

At this point, the bill is not very detailed; it simply spells out where the seventeen members of the Legislative Task Force on RFID Technology should be drawn from, and assigns them these duties: 

  10-3-2403. Duties.

    The duties of the Legislative Task Force on RFID Technology are to:

    (1) Study the privacy issues surrounding the usages and application of RFID technology in the state;

    (2) Study whether controls should be placed on RFID technology to protect the privacy interests of residents of the state; and

    (3) Propose legislation to effectuate the findings of the study.

  10-3-2404. Report.

    On or before December 15, 2008, the Legislative Task Force on RFID Technology shall submit a report of its findings and any recommended legislation to the Governor and the Legislative Council.

It is important that policy-makers stay educated on these issues, hopefully the task force will not focus on potential abuses of RFID technology, but rather focus on the positive uses of RFID in government and the private sector. It's chances like these that the RFID industry has to inform lawmakers on the realities of the technology, and to avoid regulation that could be harmful to the growth of the industry.

| Posted By RFIDblogger In State Legislation | Permalink | 0 Comments

Yesterday, state legislators in Maine voted to reject the federally defined standards of the REAL ID Act, which Congress signed into law in May of 2005. 

REAL ID has been controversial in the states since it passed. There has long been a resistance among civil libertarians on the left and the right to a mandate for a "National ID card", prompting comparisons to Nazi Germany requiring citizens to "show their papers". The federal legislation tried to avoid that problem by instead establishing "Federal standards" for state driver's licenses and other government documents - that states could determine how best to meet. Some states have argued that the distinction between a mandate and a standard is too thin.

The debate over REAL ID, for the most part, has been an issue of states rights - not against RFID or other smart card technologies. That is starting to change.  Opponents of a federal standard for a state driver's license are adopting the arguments used against RFID to argue that it is an issue of personal privacy and data security, as the following quote from this article in United Press International indicates:

"'Mainers ... alarmed by the threat posed to privacy and identity-security' by Real ID, were 'leading a nationwide movement,' Shenna Bellows of the Maine Civil Liberties Union told UPI, adding that lawmakers also saw it as 'a hugely expensive unfunded mandate.' … 'It will be a one-stop shop for identity thieves,' said Bellows, adding that a requirement for machine-readable capability for new licenses would potentially enable government databases to track license holders as they moved around." 

Additionally, in a recent press release the ACLU has urged other states to follow in Maine's "call for privacy," though in actuality, various quotes from Maine lawmakers like House Majority leader Hannah Pingree have critcized the REAL ID Act moreso as a "massive unfunded federal mandate", rather than as an infringement on civil liberties.

Similar legislation is in the works in up to a dozen other states. 

| Posted By RFIDblogger In State Legislation | Permalink | 0 Comments

More details soon...

| Posted By RFIDblogger In State Legislation | Permalink | 0 Comments

Five separate law enforcement bodies have sent Governor Arnold Schwarzenegger a request to veto SB 768. See a copy of the letters here.

| Posted By RFIDblogger In State Legislation | Permalink | 0 Comments

This article from RFID Update on Sept. 22, 2006 implies that the "RFID Industry" is supporting the Simitian legislation pending the Governor's signature. However, as our blog has noted, the Security Industry Association -- which represents companies directly impacted by the legislation -- has asked the governor to veto it.

Only a very tiny subset of AeA's membership has any idea what the Simitian bill does or doesn't do. And for Gould to say "this is the best we're going to get out of the legislative process" is silly. The earlier Simitian bill was defeated in the last legislative session in Sacramento. Did the RFID Industry need the Simitian bill? Does it make the industry stronger, or better? Not a chance. The "best we're going to get out of the legislative process" is no bill -- again.

| Posted By RFIDblogger In State Legislation | Permalink | 2 Comments

As most people reading this know, technological advances are still being made in RFID development, and its widespread rollout is a work in progress. Naturally, governments are interested, and state legislation concerning RFID, which first appeared in 2004, has increased, and will likely continue to do so. While some of the legislation has merit, much of it is based upon faulty knowledge of RFID or overblown fears.

In order to prevent legislative activity from harming this burgeoning industry, the RFID community must become involved in the legislative process. This article reviews the basic types of RFID legislation that have been introduced, and offers some thoughts on steps the RFID community can take to ensure future legislation does not cripple future expansion.

| Posted By RFIDblogger In State Legislation | Permalink | 2 Comments

The California Senate yesterday passed by a 30 to 7 vote (all 7 Republicans) legislation that would impose the most sweeping security regulations to date on the use of RFID in certain public applications. The bill had already passed the State Assembly, so it is ready for Governor Schwarzenegger's signature or veto.

The legislation, sponsored by Senator Simitian (ironically, from technology hub Silicon Valley), is a reaction to fears that RFID is an unsafe technology that will more easily allow hackers entrance to buildings using RFID-enabled ID cards, or to steal personal information embedded in RFID-labeled documents.

The solution, according to the legislation, is to - by statute - require certain "privacy protecting" measures be taken when RFID-enabled systems are used, including:

1) Require mutual authentication technologies between the card and the reader, in circumstances where there may be an electronic transfer of personal information;
2) Allowing the card holder to "opt-out" of having the information read wirelessly from the card by having a "switch" to turn off the wireless mechanism, a manual key punch at doors so ID numbers can be entered manually instead of wirelessly, or an authorized guard at each entrance who can visually inspect ID cards for accuracy and authenticity;
3) Requiring public entities that use RFID-enabled systems to notify card holders that their ID card could create a risk of their identity being stolen, provide them a list of every scanner location and what information is gleaned from the card at those locations and for what purpose, and create a website -updated regularly- where RFID card holders can look up the locations of all scanners that will read their card.
4) Allows "victims" of data theft because their RFID card was hacked to seek legal restitution against the government agency that put the RFID system in place.

| Posted By RFIDblogger In State Legislation | Permalink | 4 Comments

The California Assembly has passed legislation that would mandate certain security requirements for RFID systems used in specific public applications. The bill is pending in the California Senate Judiciary Committee, and could conceivably pass in that body before the end of the week. The bill passed the Assembly 49-26, with all Democrats voting "aye" and all but 2 Republicans voting "Nay". This is a copy of the bill as passed.

An organization of IT trade associations, led by the AeA, dropped their opposition to an earlier version of the bill. The lead sponsor, Senator Simitian, agreed to delete a provision that would have imposed a 3-year moratorium on RFID for those specified public applications pending a study of the safety and security of RFID.

In my opinion, that is the equivalent of saying "You can cut off my hand, so you won't cut off my arm".

Another organization, which was not part of the Coalition, the Security Industry Association, continues to oppose the legislation in its current form. They sent this letter to the Senate earlier this month.

| Posted By RFIDblogger In State Legislation | Permalink | 0 Comments

State legislative update:

The state of Wisconsin has passed legislation prohibiting RFID chips from being implanted under people's skin without their approval. Thank god! There has been so much unauthorized surgical implantation going on in the United States, someone finally put their foot down regarding RFID chips. It started with people being hijacked in the park, and having a third kidney transplanted without their knowledge or approval -- now RFID chips.

In all seriousness, wouldn't it already be illegal for employers to conduct surgery on their employees without consent? Whether it is an appendectomy or implanting of an RFID chip? If it was really an issue, wouldn't prohibiting unauthorized surgical implantation across the board make more sense? Why start and stop with RFID chips? I don't want my employers or the government sticking anything under my skin without my permission -- a tattoo, a tic tac or a cardiac stent.

More troubling is that the reputation of RFID technology is such that politicians believe they need to ban the implantation of RFID chips under people's skin -- and are applauded for it. The RFID industry needs a far more organized, focused, proactive strategy to promote the responsible uses and benefits of their technology, before someone else defines it for them as something inherently dangerous or suspect.

| Posted By RFIDblogger In State Legislation | Permalink | 1 Comments