SB 31: Radio frequency identification technology privacy concerns and standards
BILL ANALYSIS
------------------------------------------------------------
|SENATE RULES COMMITTEE | SB 31|
|Office of Senate Floor Analyses | |
|1020 N Street, Suite 524 | |
|(916) 651-1520 Fax: (916) | |
|327-4478 | |
------------------------------------------------------------
UNFINISHED BUSINESS
Bill No: SB 31
Author: Simitian (D)
Amended: 8/7/08
Vote: 21
SENATE JUDICIARY COMMITTEE : 3-2, 3/13/07
AYES: Corbett, Kuehl, Steinberg
NOES: Harman, Ackerman
SENATE PUBLIC SAFETY COMMITTEE : 4-0, 1/15/08
AYES: Romero, Cogdill, Margett, Perata
NO VOTE RECORDED: Cedillo
SENATE APPROPRIATIONS COMMITTEE : Senate Rule 28.8
SENATE FLOOR : 36-3, 1/30/08
AYES: Aanestad, Alquist, Ashburn, Battin, Calderon,
Cedillo, Cogdill, Corbett, Correa, Cox, Denham, Ducheny,
Dutton, Florez, Hollingsworth, Kehoe, Kuehl, Lowenthal,
Machado, Maldonado, Margett, Migden, Negrete McLeod,
Oropeza, Padilla, Perata, Romero, Runner, Scott,
Simitian, Steinberg, Torlakson, Vincent, Wiggins, Wyland,
Yee
NOES: Ackerman, Harman, McClintock
NO VOTE RECORDED: Ridley-Thomas
ASSEMBLY FLOOR : 77-0, 8/11/08 - See last page for vote
SUBJECT : Radio frequency identification technology
privacy concerns and standards
SOURCE : Author
DIGEST : This bill (1) defines a new misdemeanor that is
committed where a person or entity, without consent, uses
radio waves to remotely read, or attempt to read, another
person's identification document, (2) defines a new
misdemeanor that is committed where a person or entity
reveals operation keys to a radio frequency identification
(RFID) system, and (3) defines relevant terms and
exceptions.
Assembly Amendments (1) removed conjoining language to SB
30 (Simitian), (2) added penalties for a person who
knowingly discloses the operational system keys used in a
contactless identification system, and (3) made clarifying
changes.
ANALYSIS : Existing law provides that all people in
California have a constitutional right to privacy.
Existing law, the Information Practices Act of 1977,
precludes a state agency from disclosing personal
information it possesses "in a manner that would link the
information disclosed to the individual to whom it
pertains," except in specified circumstances.
Existing law establishes that a person who intentionally
discloses non-public information obtained from a state or
federal agency is subject to a civil action for invasion of
privacy.
Existing law establishes that a person who willfully
requests or obtains any record containing personal
information from an agency under false pretenses is guilty
of a misdemeanor.
This bill provides that the intentional remote reading, or
attempted reading, of a person's identification document
using radio waves for the purpose of reading that person's
identification document, without the knowledge or consent
of the person, is a misdemeanor, punishable by a jail term
of one year, a fine of up to $1,500, or both.
This bill, among other terms, defines "identification
document" as any document containing data used solely by an
individual for the purpose of establishing identity.
Identification documents will specifically include, but not
be limited to:
1.Driver's licenses.
2.Identification cards issued for employees or contractors,
by educational institutions, or pursuant to the Vehicle
Code.
3.Health insurance or benefit cards.
4.Licenses, certificates, registration, or other means to
engage in a business or profession regulated under the
Business and Professions Code.
5.Library cards issued by any public library.
This bill exempts the following situations from its
prohibition:
1.Triage or medical care during a disaster and immediate
hospitalization or immediate outpatient care directly
related to a disaster.
2.Reading by a health care professional for reasons
relating to health or safety of that person, or
identification issued by emergency services.
3.Individuals incarcerated, detained in a juvenile
facility, housed in a mental hospital or upon court order
after being charged with a crime, or pursuant to
court-ordered electronic monitoring.
4.Law enforcement, government personnel, or authorized
parties who must read a lost identification document when
the owner is unavailable for notice, knowledge or
consent.
5.Law enforcement personnel who need to read an
individual's identification document pursuant to a search
warrant or after an accident when the person is
unavailable for notice, knowledge or consent.
6.Reading of an identification document in the good faith
course of security research, experimentation or
scientific inquiry, including analysis of security
vulnerabilities.
This bill defines a "key" as "a string of bits of
information used as part of a cryptographic algorithm used
in encryption."
This bill provides, with specified exceptions, that a
person or entity that intentionally remotely reads or
attempts to remotely read a person's identification
document using RFID, for the purpose of reading that
person's identification document without that person's
knowledge and prior consent, shall be punished by
imprisonment in a county jail for up to one year, a fine of
not more than $1,500, or both that fine and imprisonment.
This bill further provides that a person or entity that
knowingly discloses, or causes to be disclosed, the
operational system keys used in a contactless
identification document system shall be punished by
imprisonment in a county jail for up to one year, a fine of
not more than $1,500, or both that fine and imprisonment.
This bill provides that these provisions do not apply to a
person or entity that unintentionally remotely reads a
person's identification document using RFID in the course
of operating a contactless identification document system
unless it knows it unintentionally read the document and
thereafter intentionally does any of the following acts:
1.Discloses what it read to a third party whose purpose is
to read a person's identification document, or any
information derived therefrom, without that person's
knowledge and consent.
2.Stores what it read for the purpose of reading a person's
identification document, or any information derived
therefrom, without that person's knowledge and prior
consent.
3.Uses what it read for the purpose of reading a person's
identification document, or any information derived
therefrom, without that person's knowledge and prior
consent.
4.To the reading, storage, use, or disclosure to a third
party of a person's identification document, or
information derived therefrom, in the course of an act of
good faith security research, experimentation, or
scientific inquiry, including, but not limited to,
activities useful in identifying and analyzing security
flaws and vulnerabilities.
This bill provides that "radio frequency identification" or
"RFID" means the use of electromagnetic radiating waves or
reactive field coupling in the radio frequency portion of
the spectrum to communicate to or from an identification
document through a variety of modulation and encoding
schemes.
Prior Legislation
SB 768 (Simitian) - 2005-06 Session. Passed the Senate on
8/30/06 with a vote of 30-7. Vetoed by the Governor.
SB 30 (Simitian) - 2007-08 Session. Passed the Senate on
5/24/07 with a vote of 30-3. (On Assembly Inactive File)
Governor's Veto Message from SB 768 of 2006
The provisions of this bill, contained in SB 768
(Simitian), were vetoed in 2006. In addition to concerns
relating to the federal REAL ID Act, the Governor stated:
"[T]his bill may inhibit various state agencies from
procuring technology that could enhance and streamline
operations, reduce expenses and improve customer
service to the public and may unnecessarily restrict
state agencies. In addition, I am concerned that the
bill's provisions are overbroad and may unduly burden
the numerous beneficial new applications of contactless
technology."
Those concerns, relating to the arguable restriction on
state agencies and burden on future applications of RFID
technology, focus on the portion of SB 768 that would have
imposed minimum RFID security standards for government
issued identification documents. As stated above, that
portion of SB 768 is located in SB 30, which is currently
on the Assembly Inactive File. Thus, the stated objections
are not directly applicable to this bill.
FISCAL EFFECT : Appropriation: No Fiscal Com.: Yes
Local: Yes
SUPPORT : (Verified 8/13/08)
American Association of Retired Persons
American Civil Liberties Union
ACLU SD/Imperial
American Electronics Association
Asian Americans for Civil Rights and Equality
California Immigrant Policy Center
California Labor Federation
Commission on the Status of Women
Consumer Action
Consumer Federation of CA
Consumer's Union
Eagle Forum
Gun Owners of California
Los Angeles County District Attorney's Office
Liberty Coalition - letter signed by the following
organizations:
Liberty Coalition
Bob Barr (former Member of Congress) Chairman and CEO
of Liberty Strategies, LLC
The Multiracial Activist
The New Grady Coalition
American Policy Center
Citizen Outreach Project
U.S. Bill of Rights Foundation
BT Counterpane
Consumer Action
The Rutherford Institute
Council for Citizens Against Government Waste
PORAC
Privacy Activism
Privacy Rights Clearinghouse
State Building and Construction Trades Council
SEIU - California State Council
ARGUMENTS IN SUPPORT : According to the author's office,
"Although the technology has been around since World War
II, state and local governments have recently begun
incorporating Radio Frequency Identification (RFID) devices
into identification documents like driver's licenses and
passports. Businesses are using RFID technology in a wide
range of applications. Many citizens are now aware of the
risks to their privacy and financial security presented by
misuse of RFID, particularly where RFID documents and tags
can be remotely read without the consent or even knowledge
of the citizen.
"SB 31 is part of a package of bills concerning privacy and
RFID technology. SB 31 defines misdemeanors for
non-consensual remote reading of RFID and for improper
disclosure of the keys to RFID systems. Persons and
entities that misuse this powerful technology must face
reasonable sanctions."
ASSEMBLY FLOOR :
AYES: Adams, Aghazarian, Anderson, Arambula, Beall,
Benoit, Berg, Berryhill, Brownley, Caballero, Charles
Calderon, Carter, Cook, Coto, Davis, De La Torre, De
Leon, DeSaulnier, DeVore, Duvall, Dymally, Emmerson, Eng,
Evans, Feuer, Fuentes, Fuller, Furutani, Gaines,
Galgiani, Garcia, Garrick, Hancock, Hayashi, Hernandez,
Horton, Houston, Huff, Huffman, Jeffries, Jones,
Karnette, Keene, Krekorian, La Malfa, Laird, Leno,
Levine, Lieber, Lieu, Ma, Maze, Mendoza, Mullin,
Nakanishi, Nava, Niello, Nunez, Parra, Plescia,
Portantino, Price, Ruskin, Salas, Saldana, Silva, Smyth,
Solorio, Spitzer, Strickland, Swanson, Torrico, Tran,
Villines, Walters, Wolk, Bass
NO VOTE RECORDED: Blakeslee, Sharon Runner, Soto
RJG:cm 8/13/08 Senate Floor Analyses
SUPPORT/OPPOSITION: SEE ABOVE
ftp://leginfo.ca.gov/pub/07-08/bill/sen/sb_0001-0050/sb_31_cfa_20080813_175323_sen_floor.html
