Tiny computer chips called Radio Frequency Identification (RFID) tags that transmit information about us can be embedded in driver's licenses, student ID's and other government issued cards without our knowledge. These “human identification systems” pose clear information security risks that can threaten individual privacy and public safety.

RFID chips allow government agencies to track our whereabouts, are susceptible to a hacker with an RFID scanner, and expose us to the threat of privacy violations, identity theft, property theft, and stalking and tracking. When the system has been breached, the device holder won’t know it and therefore won’t know to take steps to protect him or herself. Even protected RFID systems have been hacked, some in a matter of minutes.

These threats to our privacy and safety are real. Consider:

• A California school district embedded RFIDs in student IDs without the parents' knowledge, and only stopped after an outcry about the potential for hacking by a child abductor.

• A Dutch prototype for an RFID embedded in a passport was hacked in two hours by a local TV station. Hackers could access fingerprint, photograph, and other data on the RFID tag, perfect for creating a cloned passport.

• Successful hacks of the Exxon Mobile key fob, the VeriChip human RFID implant, the California State Capitol building access system, and the new RFID passports show how easy it is to skim and clone poorly protected RFID devices and compromise RFID-dependent security systems.

The rapid evolution of ever intrusive technology makes it essential that we draw the line now.

SENATE BILLS 29 AND 31 – A GOOD START

Two privacy protection bills introduced by Senator Joe Simitian (SB 29 and SB 31) are awaiting Governor Schwarzenegger's signature or veto. They address privacy concerns and problems with "skimming" - the unauthorized surreptitious reading of RFIDs by persons with malicious intent.

Senate Bill 29 requires public schools to obtain a parent's voluntary consent before a student is required to carry an RFID-enabled identification card. It requires a school to explain to parents the risks RFIDs pose to personal privacy.

Senate Bill 31 makes it unlawful to skim information from an RFID without the consent of the ID holder. The prohibition does not apply to law enforcement applications such as in prisons, or in valid health emergency situations.

The Consumer Federation of California has been active for the past two years in supporting Senator Simitian’s efforts to protect the privacy and safety of Californians.

Please go to our site now and send the Governor a message: Protect the California Constitution and our personal privacy by signing SB 29 and 31!

Organizations across the political spectrum ranging from the ACLU to the Liberty Coalition support these bills. High tech RFID manufacturers have derailed similar legislation by Senator Simitian in the past, and they continue to fight any effort to allow California residents to control the use of RFIDs in government-issued documents.

CFC urges the Governor to establish an important precedent for privacy protection and against Big Brother snooping by signing SB 29 and SB 31.

Zack Kaldveer works for the Consumer Federation of California, http://www.consumercal.org/ a non-profit advocacy organization. Since 1960 CFC has testified before the California legislature on dozens of bills that affect millions of consumers. CFC also appears before state agencies in support of consumer regulations.
Posted on September 25, 2008