SB 31: Radio frequency identification technology privacy concerns and standards

BILL ANALYSIS


           ------------------------------------------------------------ 
          |SENATE RULES COMMITTEE            |                    SB 31|
          |Office of Senate Floor Analyses   |                         |
          |1020 N Street, Suite 524          |                         |
          |(916) 651-1520         Fax: (916) |                         |
          |327-4478                          |                         |
           ------------------------------------------------------------ 
           
                                         
                              UNFINISHED BUSINESS


          Bill No:  SB 31
          Author:   Simitian (D)
          Amended:  8/7/08
          Vote:     21

           
           SENATE JUDICIARY COMMITTEE  :  3-2, 3/13/07
          AYES:  Corbett, Kuehl, Steinberg
          NOES:  Harman, Ackerman

           SENATE PUBLIC SAFETY COMMITTEE  :  4-0, 1/15/08
          AYES:  Romero, Cogdill, Margett, Perata
          NO VOTE RECORDED:  Cedillo

           SENATE APPROPRIATIONS COMMITTEE  :  Senate Rule 28.8

           SENATE FLOOR  :  36-3, 1/30/08
          AYES:  Aanestad, Alquist, Ashburn, Battin, Calderon,  
            Cedillo, Cogdill, Corbett, Correa, Cox, Denham, Ducheny,  
            Dutton, Florez, Hollingsworth, Kehoe, Kuehl, Lowenthal,  
            Machado, Maldonado, Margett, Migden, Negrete McLeod,  
            Oropeza, Padilla, Perata, Romero, Runner, Scott,  
            Simitian, Steinberg, Torlakson, Vincent, Wiggins, Wyland,  
            Yee
          NOES:  Ackerman, Harman, McClintock
          NO VOTE RECORDED:  Ridley-Thomas

           ASSEMBLY FLOOR  :  77-0, 8/11/08 - See last page for vote


           SUBJECT  :    Radio frequency identification technology  
          privacy concerns and standards


           SOURCE  :     Author


           DIGEST  :    This bill (1) defines a new misdemeanor that is  
          committed where a person or entity, without consent, uses  
          radio waves to remotely read, or attempt to read, another  
          person's identification document, (2) defines a new  
          misdemeanor that is committed where a person or entity  
          reveals operation keys to a radio frequency identification  
          (RFID) system, and (3) defines relevant terms and  
          exceptions.

           Assembly Amendments  (1) removed conjoining language to SB  
          30 (Simitian), (2) added penalties for a person who  
          knowingly discloses the operational system keys used in a  
          contactless identification system, and (3) made clarifying  
          changes.

           ANALYSIS  :    Existing law provides that all people in  
          California have a constitutional right to privacy.

          Existing law, the Information Practices Act of 1977,  
          precludes a state agency from disclosing personal  
          information it possesses "in a manner that would link the  
          information disclosed to the individual to whom it  
          pertains," except in specified circumstances.

          Existing law establishes that a person who intentionally  
          discloses non-public information obtained from a state or  
          federal agency is subject to a civil action for invasion of  
          privacy.

          Existing law establishes that a person who willfully  
          requests or obtains any record containing personal  
          information from an agency under false pretenses is guilty  
          of a misdemeanor.

          This bill provides that the intentional remote reading, or  
          attempted reading, of a person's identification document  
          using radio waves for the purpose of reading that person's  
          identification document, without the knowledge or consent  
          of the person, is a misdemeanor, punishable by a jail term  
          of one year, a fine of up to $1,500, or both.









          This bill, among other terms, defines "identification  
          document" as any document containing data used solely by an  
          individual for the purpose of establishing identity.   
          Identification documents will specifically include, but not  
          be limited to:

          1. Driver's licenses.
          2. Identification cards issued for employees or contractors,  
             by educational institutions, or pursuant to the Vehicle  
             Code.
          3. Health insurance or benefit cards.
          4. Licenses, certificates, registration, or other means to  
             engage in a business or profession regulated under the  
             Business and Professions Code.
          5. Library cards issued by any public library.

          This bill exempts the following situations from its  
          prohibition:

          1. Triage or medical care during a disaster and immediate  
             hospitalization or immediate outpatient care directly  
             related to a disaster.

          2. Reading by a health care professional for reasons  
             relating to health or safety of that person, or  
             identification issued by emergency services.

          3. Individuals incarcerated, detained in a juvenile  
             facility, housed in a mental hospital or upon court order  
             after being charged with a crime, or pursuant to  
             court-ordered electronic monitoring.

          4. Law enforcement, government personnel, or authorized  
             parties who must read a lost identification document when  
             the owner is unavailable for notice, knowledge or  
             consent.

          5. Law enforcement personnel who need to read an  
             individual's identification document pursuant to a search  
             warrant or after an accident when the person is  
             unavailable for notice, knowledge or consent.

          6. Reading of an identification document in the good faith  
             course of security research, experimentation or  
             scientific inquiry, including analysis of security  
             vulnerabilities.

          This bill defines a "key" as "a string of bits of  
          information used as part of a cryptographic algorithm used  
          in encryption."

          This bill provides, with specified exceptions, that a  
          person or entity that intentionally remotely reads or  
          attempts to remotely read a person's identification  
          document using RFID, for the purpose of reading that  
          person's identification document without that person's  
          knowledge and prior consent, shall be punished by  
          imprisonment in a county jail for up to one year, a fine of  
          not more than $1,500, or both that fine and imprisonment.

          This bill further provides that a person or entity that  
          knowingly discloses, or causes to be disclosed, the  
          operational system keys used in a contactless  
          identification document system shall be punished by  
          imprisonment in a county jail for up to one year, a fine of  
          not more than $1,500, or both that fine and imprisonment.

          This bill provides that these provisions do not apply to a  
          person or entity that unintentionally remotely reads a  
          person's identification document using RFID in the course  
          of operating a contactless identification document system  
          unless it knows it unintentionally read the document and  
          thereafter intentionally does any of the following acts:

          1. Discloses what it read to a third party whose purpose is  
             to read a person's identification document, or any  
             information derived therefrom, without that person's  
             knowledge and consent.

          2. Stores what it read for the purpose of reading a person's  
             identification document, or any information derived  
             therefrom, without that person's knowledge and prior  
             consent.

          3. Uses what it read for the purpose of reading a person's  
             identification document, or any information derived  
             therefrom, without that person's knowledge and prior  
             consent.

          4. To the reading, storage, use, or disclosure to a third  
             party of a person's identification document, or  
             information derived therefrom, in the course of an act of  
             good faith security research, experimentation, or  
             scientific inquiry, including, but not limited to,  
             activities useful in identifying and analyzing security  
             flaws and vulnerabilities.

          This bill provides that "radio frequency identification" or  
          "RFID" means the use of electromagnetic radiating waves or  
          reactive field coupling in the radio frequency portion of  
          the spectrum to communicate to or from an identification  
          document through a variety of modulation and encoding  
          schemes.

           Prior Legislation

          SB 768 (Simitian) - 2005-06 Session  .  Passed the Senate on  
          8/30/06 with a vote of 30-7.  Vetoed by the Governor.

           SB 30 (Simitian) - 2007-08 Session  .  Passed the Senate on  
          5/24/07 with a vote of 30-3.  (On Assembly Inactive File)

           Governor's Veto Message from SB 768 of 2006

           The provisions of this bill, contained in SB 768  
          (Simitian), were vetoed in 2006.  In addition to concerns  
          relating to the federal REAL ID Act, the Governor stated:

            "[T]his bill may inhibit various state agencies from  
            procuring technology that could enhance and streamline  
            operations, reduce expenses and improve customer  
            service to the public and may unnecessarily restrict  
            state agencies.  In addition, I am concerned that the  
            bill's provisions are overbroad and may unduly burden  
            the numerous beneficial new applications of contactless  
            technology."

          Those concerns, relating to the arguable restriction on  
          state agencies and burden on future applications of RFID  
          technology, focus on the portion of SB 768 that would have  
          imposed minimum RFID security standards for government  
          issued identification documents.  As stated above, that  
          portion of SB 768 is located in SB 30, which is currently  
          on the Assembly Inactive File.  Thus, the stated objections  
          are not directly applicable to this bill.

           FISCAL EFFECT  :    Appropriation:  No   Fiscal Com.:  Yes    
          Local:  Yes

           SUPPORT  :   (Verified  8/13/08)

          American Association of Retired Persons
          American Civil Liberties Union
          ACLU SD/Imperial
          American Electronics Association
          Asian Americans for Civil Rights and Equality
          California Immigrant Policy Center
          California Labor Federation
          Commission on the Status of Women
          Consumer Action
          Consumer Federation of CA
          Consumers Union
          Eagle Forum
          Gun Owners of California
          Los Angeles County District Attorney's Office
          Liberty Coalition - letter signed by the following  
          organizations: 
               Liberty Coalition
               Bob Barr (former Member of Congress) Chairman and CEO  
               of Liberty Strategies, LLC
               The Multiracial Activist
               The New Grady Coalition
               American Policy Center
               Citizen Outreach Project
               U.S. Bill of Rights Foundation
               BT Counterpane
               Consumer Action 
               The Rutherford Institute
               Council for Citizens Against Government Waste
          PORAC
          Privacy Activism
          Privacy Rights Clearinghouse
          State Building and Construction Trades Council
          SEIU - California State Council









           ARGUMENTS IN SUPPORT  :    According to the author's office,  
          "Although the technology has been around since World War  
          II, state and local governments have recently begun  
          incorporating Radio Frequency Identification (RFID) devices  
          into identification documents like driver's licenses and  
          passports.  Businesses are using RFID technology in a wide  
          range of applications.   Many citizens are now aware of the  
          risks to their privacy and financial security presented by  
          misuse of RFID, particularly where RFID documents and tags  
          can be remotely read without the consent or even knowledge  
          of the citizen.

          "SB 31 is part of a package of bills concerning privacy and  
          RFID technology.  SB 31 defines misdemeanors for  
          non-consensual remote reading of RFID and for improper  
          disclosure of the keys to RFID systems.  Persons and  
          entities that misuse this powerful technology must face  
          reasonable sanctions."



           ASSEMBLY FLOOR  : 
          AYES:  Adams, Aghazarian, Anderson, Arambula, Beall,  
            Benoit, Berg, Berryhill, Brownley, Caballero, Charles  
            Calderon, Carter, Cook, Coto, Davis, De La Torre, De  
            Leon, DeSaulnier, DeVore, Duvall, Dymally, Emmerson, Eng,  
            Evans, Feuer, Fuentes, Fuller, Furutani, Gaines,  
            Galgiani, Garcia, Garrick, Hancock, Hayashi, Hernandez,  
            Horton, Houston, Huff, Huffman, Jeffries, Jones,  
            Karnette, Keene, Krekorian, La Malfa, Laird, Leno,  
            Levine, Lieber, Lieu, Ma, Maze, Mendoza, Mullin,  
            Nakanishi, Nava, Niello, Nunez, Parra, Plescia,  
            Portantino, Price, Ruskin, Salas, Saldana, Silva, Smyth,  
            Solorio, Spitzer, Strickland, Swanson, Torrico, Tran,  
            Villines, Walters, Wolk, Bass
          NO VOTE RECORDED:  Blakeslee, Sharon Runner, Soto


          RJG:cm  8/13/08   Senate Floor Analyses 

                         SUPPORT/OPPOSITION:  SEE ABOVE

                                ****  END  ****




ftp://leginfo.ca.gov/pub/07-08/bill/sen/sb_0001-0050/sb_31_cfa_20080813_175323_sen_floor.html
