Governor Takes Important Step to Protect Privacy and Safety of Californians

Oct. 3, 2008
Governor Schwarzenegger took an important first step to protect the privacy, personal safety, and financial security of millions of Californians by signing Radio Frequency Identification (RFID) anti-skimming legislation into law this week.

SB 31, authored by Senator Joe Simitian (D-Palo Alto), sponsored by the American Civil Liberties Union, Privacy Rights Clearinghouse, and the Electronic Frontier Foundation, and supported by a broad bipartisan coalition including the Gun Owners of California, California Eagle Forum, and American Association of Retired Persons (AARP), makes it a crime to surreptitiously read information stored on tiny electronic devices known as RFID tags.

The information stored on unsecured RFID chips embedded in identification cards like drivers’ licenses, medical ID cards, or student IDs can be read from a distance, without an individual’s knowledge and consent, and then misused for tracking, counterfeiting, and identity theft.

“The ACLU is constantly vigilant for ways to better protect our privacy when too often privacy seems at best a mere afterthought for government and corporations,” said Kevin Keenan, Executive Director of the ACLU of San Diego and Imperial Counties. “That’s why we’re proud to have played a role in encouraging this sensible reform, and we salute Senator Simitian, the Legislature, and the Governor for taking this important step to protect the information on our ID cards.”

In an experiment, the information on the RFID-embedded identification card that Senator Simitian uses to access the California State Capitol was skimmed and the information copied by a hacker in a split second. Minutes later, using the information from the Senator’s card, the hacker was able to walk right into the Capitol through a members-only, locked entrance. The experiment helped Simitian and other legislators understand the immediate need for legislation.

“Right now if someone steals your ID card, it’s a crime. But if they steal the information on your ID card by ‘skimming,’ it’s not. That makes no sense whatsoever,” Senator Simitian said. “The problem is particularly serious because we’ve got millions of IDs and access cards out there with no limitation on the kind of information they carry, and no requirement that they use any of the privacy protection technology that’s readily available.”

SB 768, Senator Simitian’s 2006 legislation to ensure that any RFID tags used in government-issued IDs made use of these readily available privacy and security protections, such as encryption and shielding, was overwhelmingly passed with bipartisan support by the California legislature, but vetoed by the Governor.

“The privacy and security of Californians is not a liberal or conservative issue, it’s an issue for everyone. We are pleased that the Governor signed SB 31 into law and hope that he comes to understand why robust RFID privacy protections are necessary for all Californians,” said Sam Paredes, Executive Director of the Gun Owners of California.

Simitian began to look at the use of RFID in identification documents after an elementary school in Sutter, California required its students to wear identification badges that contained RFID tags that broadcast the students’ information. With the help of the ACLU, parents successfully petitioned the school to remove the RFID tags. “The ACLU is disheartened that the Governor vetoed a related RFID bill, SB 29, which would have provided for notice and consent from parents about the use of RFID in school identification documents. We’re looking forward to working with the Administration to implement real protections for students and their parents,” said Valerie Small Navarro, Senior Legislative Advocate for the ACLU in Sacramento.

“SB 31 is an important first step, but enforcing laws on RFID skimming will be an ongoing challenge,” said Nicole Ozer, Technology and Civil Liberties Policy Director at the ACLU of Northern California. “Because an RFID tag can be read at a distance, it may be very difficult to catch people breaking this law. The next step in protecting our privacy and safety will be to ensure that our driver’s licenses and other government IDs only use secure technology.”

For more information about SB 31 and RFID technology, please visit the San Diego ACLU web article on RFIDs.