The Identity Information Protection Act of 2007:
Safeguarding the Privacy, Safety, and Financial Security of Californians
It's a sensible bill that will protect privacy and security without banishing a technology that is useful in certain situations.
-The Editors, San Jose Mercury News (April 26, 2005)
SB 30 (formerly SB 768) requires privacy and security measures for "tag and track" devices known as Radio Frequency Identification (RFID) tags implemented in highly sensitive, mass-distributed state identification cards (IDs).
What are RFID tags?
Contactless integrated circuits, most commonly in the form of RFID tags, are tiny devices connected to miniature antennae. When a circuit reader emits a radio signal, the devices in the vicinity respond by transmitting their stored information to the reader. When the devices are used to encode a person's personal information, they do not alert that person that his or her personal information, such as a birth date, digital picture, or unique identifier number, is being transmitted. Recent U.S. State Department testing showed that even IDs with an intended read range of just 4 inches can actually be read from 2-3 feet away with modified readers.
Why do we need SB 30?
From local elementary schools to the U.S. State Department, RFID tags are being considered for inclusion in identification documents without first establishing a rational policy to protect people's privacy and security. The government, independent researchers, and the technology industry have identified numerous security and privacy threats posed by using RFID tags in IDs. A recent GAO report stated: "Among the key privacy issues are notifying individuals of the existence or use of the technology; tracking an individual's movements; profiling an individual's habits, tastes or predilections; and allowing for secondary uses of information." (GAO Report, Information Security: Radio Frequency Identification Technology in the Federal Government, May 2005)
- Identity theft: If sensitive personal information, such as a person's name or Social Security number, is encoded on the ID and is not adequately protected, anybody with a compatible reader who is within range can steal the information and use it to imperil a person's safety, financial security, and privacy.
- Tracking: Any information that is transmitted remotely, including just a random number, that is static and unique to an ID permits tracking. Connecting a person to an identifier number can happen by accessing a database either legally or through unauthorized means, by video camera, or by close-range recognition. Subsequent sightings of that identifier number, or stored records of when that identifier number was sighted at a particular place and time, can then be linked to the individual. An individual's ID could be read surreptitiously as he or she walks through a doorway or hallway, sits at the airport, stands at a political rally, or visits a gun show. The disclosure that since 9/11 the Transportation Security Administration has been collecting extensive personal information about airline passengers through unauthorized means highlights this threat.
- Profiling: Profiling is the reconstruction of a person's movements or transactions over a specific period of time, usually in order to become better acquainted with a person's more private affairs. Because IDs can contain unique identifier numbers, once a number is associated with a particular individual, personally identifiable information can be obtained and then aggregated to develop a profile of the individual. Consumers have raised concerns about whether certain collected data might reveal personal information such as medical predispositions or personal health histories, for example, when, where, and how often one went to a particular medical or mental health facility.
But wouldn't simple security measures prevent abuse?
Unfortunately, as the GAO Information Security report pointed out, "While measures to mitigate these measures are under discussion, they remain largely prospective" and have not been sufficiently tested.
- Key management: Unlike with other technologies, addressing the security and privacy risks associated with radio frequency technology in government IDs depends almost entirely on the use of such countermeasures as unique identifier numbers, encryption, and mutual authentication. The more layers of protection that are implemented, however, the more complicated the architecture of the security system becomes and the more opportunities for failure are created. In a mass contactless ID system of millions of IDs, thousands of authorized persons and readers would need to know the name and personal information that goes with the unique identifier number and so would need to access the central database where that information was stored; they would need to know how to decrypt the information and so would need the encryption key; and they would need the authentication key to know if a person truly was who he or she claimed to be. With so many secrets known to potentially thousands of people, there would be good reason to doubt whether these secrets could be kept for long.
- Reliability of countermeasures: Most security countermeasures, such as encryption, mutual authentication, basic access control, and shield devices, have never been deployed together in a mass contactless ID system. Their effectiveness has not been proven by a real-world deployment. Recently, a team of Johns Hopkins University security researchers successfully defeated the security on Texas Instruments Digital Signature Transponders, RFID devices widely deployed in ExxonMobil Speedpass tokens and automobile anti-theft devices. (See http://rfidanalysis.org/)
- Infeasibility of a mass recall: As the recent massive credit card data breach showed, in the event that tens of millions of drivers' licenses were compromised, it would be nearly impossible, as well as extraordinarily expensive, to recall and replace them.
But won't this limited security be enough to prevent government abuse?
Unfortunately, probably not. The ultimate success of using security countermeasures to mitigate the threats particularly associated with RFID technology depends almost entirely on two factors: (1) nobody who is in a position to compromise the security measures actually does so, and (2) all levels of government refrain from abusing a tool that enables them to collect unprecedented quantities of information on people. Countless cases from the last few years of insider corruption or carelessness at state DMV offices and of sophisticated government surveillance of citizens cast doubt on a security strategy relying so heavily on these two factors.
As in past cases, we're likely to see the function of RFID tags expand dangerously over time. The possibility that everyone could be carrying around and using the same kind of contactless ID could create the incentive to implement a comprehensive tracking infrastructure in which people's movements are captured and recorded by readers as they go through the airport, get off a train, visit a hospital or museum, drive on the highway, or shop at a store. The history of the Social Security number gives ample evidence of how a random unique identifier developed for one specific use, and originally related to a person only in some database, has become a mainstay of identification for numerous other purposes. The use of a common contactless ID for commerce especially has the potential to undermine data protection features, as it will spread bearer data more widely across divergent and less secure systems.
How would SB 30 protect privacy while preserving RFID technology's benefits?
Given the serious security and privacy risks of radio frequency technology in government-issued IDs, a rational policy is needed to capture the potential benefits of the technology without rushing to implement untested schemes with questionable security protections.
SB 30 creates such a policy by:
- Requiring the most rigorous security and privacy protections today for government-issued IDs that can be read via radio waves.
- Exempting certain special cases where heightened security standards are less necessary.
- Making it a misdemeanor for any person or entity to willfully read a person's ID remotely using radio waves without the knowledge of that person.
Why does the bill single out certain mass-distributed IDs?
Relying on RFIDs in these highly sensitive IDs poses unique privacy and security threats, and more secure alternatives are available.
What security standards would SB 30 apply to government-issued IDs?
SB 30 requires remotely-readable government-issued IDs to meet certain security standards:
- The ID implements tamper-resistant features to prevent forgery or cloning.
- The ID implements an authentication process to determine that it is genuine and that it is authorized to be read.
- The ID holder is informed in writing:
  - That the ID can communicate information using radio waves.
  - That the use of shield devices can help mitigate the privacy and security risks associated with the ID.
  - Of the location of readers intended to be used to read the ID.
  - Of the circumstances under which the ID is intended to be read.
  - Of the information that is being collected or stored regarding the individual in a database.
For IDs that transmit personally identifiable information, SB 30 also requires that:
- The ID implements encryption or other technology to protect against the unauthorized reading of transmitted information.
- The ID implements mutual authentication to ensure as best as possible that only those who are supposed to have access to the data stored on the ID can read it.
- The ID implements an "on/off switch" under the control of the ID holder.
IDs must also include those additional security measures if they transmit a unique identifying number used for multiple purposes, for taking attendance in public schools, or for public transit.
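The following added example (not from the bill or any of its sponsors) simulates the tracking threat described under "Tracking" above and the authentication standard listed here: a static identifier lets any reader link sightings of one card across locations, whereas a card that releases its identifier only to a reader that proves knowledge of a shared key, and otherwise answers with a one-time random value, gives an unauthorized reader nothing to link. The reader log is constructed, and the HMAC-SHA256 challenge-response protocol is a hypothetical design chosen for illustration, not the scheme any real ID uses.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed reader log (not real data): (location, hour, value the ID transmitted).
# No name is ever sent, yet a static identifier ties the sightings to one card.
STATIC_LOG = [
    ("airport", 8, "uid-4a1f"), ("train-exit", 9, "uid-77c0"),
    ("hospital", 11, "uid-4a1f"), ("gun-show", 14, "uid-4a1f"),
    ("museum", 15, "uid-77c0"),
]

def link_sightings(log):
    """Group sightings by transmitted value; a static identifier yields one movement profile per card."""
    tracks = defaultdict(list)
    for place, hour, ident in log:
        tracks[ident].append((hour, place))
    return {ident: sorted(v) for ident, v in tracks.items() if len(v) > 1}

class AuthenticatedTag:
    """Hypothetical contactless ID: HMAC challenge-response in both directions (mutual authentication)."""
    def __init__(self, uid, key):
        self.uid, self.key, self.nonce = uid, key, None

    def challenge(self):
        self.nonce = os.urandom(16)          # fresh per read attempt
        return self.nonce

    def respond(self, reader_proof, reader_nonce):
        expected = hmac.new(self.key, self.nonce, hashlib.sha256).digest()
        if hmac.compare_digest(expected, reader_proof):
            # Authorized reader: release the identifier plus proof that the ID is genuine.
            tag_proof = hmac.new(self.key, reader_nonce, hashlib.sha256).digest()
            return self.uid, tag_proof
        # Unauthorized reader: a one-time random value, unlinkable across sightings.
        return os.urandom(8).hex(), None

def read_tag(tag, reader_key):
    """Reader side of the exchange; returns (identifier received, tag proved genuine)."""
    reader_nonce = os.urandom(16)
    tag_nonce = tag.challenge()
    proof = hmac.new(reader_key, tag_nonce, hashlib.sha256).digest()
    ident, tag_proof = tag.respond(proof, reader_nonce)
    expected = hmac.new(reader_key, reader_nonce, hashlib.sha256).digest()
    genuine = tag_proof is not None and hmac.compare_digest(expected, tag_proof)
    return ident, genuine
```

Running `link_sightings` over a log collected by a reader without the key returns an empty result, because every response is a fresh random value.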
What IDs would be exempt from these standards?
SB 30 recognizes there are some cases in which IDs do not need to meet the above security standards and exempts the corrections system, emergency first responders, ID bracelets used in medical facilities or for emergencies, door/garage access cards, and automatic toll-bridge collection systems from having to meet most or all of those security standards. SB 30 also exempts all systems currently in use by state, county, or municipal governments from the provisions of the bill.
Who supports this bill?
The bill passed the California Senate with bipartisan support. The following organizations also support the bill:
- ACLU
- Electronic Frontier Foundation (EFF)
- Privacy Rights Clearinghouse
- California Family Alliance
- Consumer Action
- California Alliance for Consumer Protection
- Consumer Federation of California
- California Commission on the Status of Women
- California National Organization for Women
- Statewide California Coalition for Battered Women
- California Alliance Against Domestic Violence
- Liberty Coalition
- AARP
- Association of American Physicians and Surgeons
- SEIU
- Free Congress Foundation
- University of California Students Association (UCSA)
- California State Parent Teacher Association (PTA)
- Drug Policy Alliance Network
- Eagle Forum