Identity Information Protection Act (SB 30): Setting the Record Straight

Myth: RFID tags have been used around the world for many years with no privacy or security breaches.

Fact: From the United States to Holland to France, this technology has been cracked, often leading to costly breaches.

  • Cracked the new Dutch e-passport, which uses the same standard as the proposed U.S. passports (2006) [1]
  • Cracked the Verichip human RFID implant (2006) [2]
  • Cracked the RFID chips used in Exxon Mobil gasoline passes and automobile anti-theft devices (2005) [3]
  • Cracked the proposed U.S. e-passport, reading unencrypted data from as far away as 30 feet (2004) [4]
  • Cracked the encryption key to the chips used in French bank cards (2000) [5]
  • Cracked the security on chips used in German phone cards with losses of 34 million dollars (1998) [6]

If RFID tags are included in millions of California state-issued identification documents without proper protections, the harm to privacy, personal safety, and financial security could be astronomical.

Myth: SB 30's standards are unreasonable.

Fact: The standards are not only reasonable, but they are already used by the federal government to protect private information. The security standards proposed in SB 30 are the same standards required by the U.S. Department of Commerce for federal agencies to follow when buying technology to protect unclassified personal information. Thus, SB 30 merely ensures that California is providing the same level of privacy protection to its residents that the federal government provides to its employees. RFID vendors are already in compliance with the federal standards; it is not unreasonable to require them to continue to be in compliance with these standards to do business with the state of California.

Myth: SB 30 is costly.

Fact: SB 30 has no current costs because it grandfathers all systems in use prior to January 1, 2008, and it does not mandate any future costs. In fact, SB 30 will likely save the state money by ensuring that any state-issued RFID identification documents will be more secure. Just like you put a lock on your door to keep your things from being stolen, California should likewise make sure that your personal information is protected so as to avoid identity theft. SB 30 provides this protection, and thereby helps avoid the huge costs associated with upgrading breached systems and replacing millions of hacked identification cards.

Myth: These chips can only be read from a few inches away.

Fact: The information on these chips can be read much farther away than the "intended" read range quoted by manufacturers. The U.S. State Department demonstrated that a passive chip intended to only be readable from 4 inches away could be read from 2-3 feet away. A February 2004 National Institute of Standards and Technology report stated that these chips could be read from as far as 20 feet away. In August 2005, Los Angeles-based Flexilis set a world record by reading an RFID tag from 69 feet away. Reader technology is only going to get more powerful in the future.

Myth: Identity document chips are "passive" RFID chips, which are safer than "active" chips.

Fact: The information on passive chips can still be read by any reader. While a passive chip does not have its own power source, it still automatically transmits its information whenever any reader "wakes it up" by sending a radio frequency.

Myth: No added protections are necessary if the chip only has a unique identifier number.

Fact: A unique identifier number does not solve the privacy, safety, or security problems of RFID. Your Social Security Number (SSN) is also just a unique number, but you would never announce it to a passerby on the street because it can be used to steal your identity. Likewise, an RFID unique identifier represents valuable information for hackers, as it can be used to clone an ID card, or to access the database where your personal information is stored. Also, a unique RFID identifier may ultimately suffer from "mission creep." Like the SSN, it may quickly be used in ways never considered when first created. The anonymous RFID identifier of today may turn into the indispensable ID number of tomorrow, making it even more valuable for hackers.

Myth: RFID technology makes us safer by protecting us from terrorism.

Fact: RFID systems have inherent security flaws which are easily exploited by criminals, including terrorists, and its inclusion in passports and other identifying documents does nothing to protect the country from terrorism and may make us more vulnerable The use of RFID in an identification card is only a means of transporting data between the card and the card reader; it does not add to the security of the identification system and certainly does not prevent terrorism. In fact, RFID systems are less secure, because when you broadcast your identification over radio waves, you make yourself vulnerable to electronic eavesdropping and identity theft-both of which can be more easily prevented with non-RFID identification systems. Preventing terrorism is an enormously complex problem and RFID technology is not the solution.

[1] "Face and fingerprints swiped in Dutch biometric passport crack," The Register, Jan. 30, 2006, http://www.theregister.co.uk/2006/01/30/dutch_biometric_passport_crack/.

[2] "The New Chiperati," Internetnews.com, http://www.internetnews.com/security/article.php/3582971 ; http://www.rfidanalysis.org/

[3] "Tests reveal e-passport security flaws," EE Times, Aug. 30, 2004, http://www.eetimes.com/news/latest/showArticle.jhtml;?articleID=45400010

[4] "France braces for smart card onslaught," The Register, March 14, 2000, http://www.theregister.co.uk/2000/03/14/france_braces_for_smart_card/

[5] http://lists.jammed.com/ISN/1998/05/0090.html

Related Issues

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

EFF joins other rights groups in calling on Twitter to restore API access to Politwoops https://eff.org/r.qdng

Sep 4 @ 2:22am

Good news! In major policy shift, DOJ tells law enforcement agents: Want to use a Stingray? Get a warrant. https://eff.org/r.bbky

Sep 3 @ 5:30pm

DOJ saw the writing on the wall, will require a warrant to use 'Stingray' cellphone trackers: https://eff.org/r.fbd9

Sep 3 @ 4:38pm
JavaScript license information