California Law Bans Forced RFID Tagging
From: E-Week.com, October 15, 2007
By Renee Boucher Ferguson
It's illegal now for California employers to force anyone to have an RFID device implanted under his or her skin as a condition of receiving something—such as a paycheck or government benefits. Gov. Arnold Schwarzenegger signed Senate Bill 362 on Oct. 15, prohibiting the forced implantation of RFID (radio-frequency identification) chips. The bill, authored by state Sen. Joe Simitian (D-Palo Alto), will go into effect on Jan. 1, 2008.
The anti-tagging bill, now a law, is not the first piece of privacy-based RFID legislation authored by Simitian to pass the governor's desk. A little more than a year ago Gov. Schwarzenegger quietly vetoed SB 768, also known as the Identity Information and Protection Act of 2006, which would regulate the use of RFID in state and local documents.
At the time, the bill was thought by many to be a call for other states to enact similar legislation. But when that effort failed, so did the hopes that California's actions would spur additional state legislatures to address RFID-related privacy concerns.
In the wake of the 2006 veto, Simitian took the next feasible step. He broke the Identity Information and Protection Act into smaller bits and shipped them off to the legislature as five separate bills. SB 362 is the first of those smaller bills to see the light of day, and it could have positive implications for the remaining four RFID bills trundling through California's legislative process.
"With the signing of SB 362, California has taken an important first step in crafting legislation to properly balance the potential benefits of RFID technology while safeguarding privacy and security," said Nicole Ozer, technology and civil liberties policy director at ACLU of Northern California, in San Francisco. "We are pleased that the governor has stood up for the privacy and security rights of Californians and not allowed these rights to be 'chipped' away by inappropriate uses of RFID technology."
"When there are 2,800 bills that move through the system in a year, the governor has hundreds and hundreds of bills come at the end of the session. Sometimes it's helpful to narrow the issue a bit; that helps to force the question," Simitian said. "We were at a bit of a disadvantage last year with a broader, more comprehensive package, with a technology that the administration is largely unfamiliar with and not the time to give it careful consideration. When in doubt, the veto falls."
Simitian said that taking the issues and breaking them into more manageable, bite-sized pieces makes it easier to focus on the fundamental privacy implications of RFID.
The additional four bills—SB 28, 29, 30 and 31—address different aspects of RFID implementation and use. SB 28 calls for a three-year moratorium on the use of RFID in state driver's licenses.
SB 29 would put a similar three-year moratorium on the use of RFID in K-12 student identification cards. SB 30—really the meat in Simitian's efforts—looks to mandate security and privacy provisions in RFID-chipped ID documentation required by state and local governments. The bill would do two things: require that people be informed when the technology is present and spell out what citizens can do to protect their privacy.
The bill also imposes technological requirements that amount to password protection and, in cases where personal information—such as HIV-positive status or a telephone number—is present on the chip, encryption and mutual authentication technologies have to be utilized. SB 31 imposes criminal charges for skimming and unauthorized access to tags and the disclosure of codes that are in the encryption process.
The remaining bills are awaiting action when the legislature reconvenes in January, according to Simitian.
Not everyone supported SB 362. Simitian said he was not able to garner any industry support for the bill; manufacturers and technology trade associations balked at backing it.
"I really did think it was both unfortunate and regrettable that we couldn't get any industry support on this bill," Simitian said. "While we did not have any formal opposition, we did have behind-the-scenes efforts to derail the bill by one manufacturer."
While several industry consortiums, such as the AEA (American Electronics Association), HID Global and ITAA (Information Technology Association of America), oppose Simitian's 2006 bill, a group that's organized itself under the rubric of AEA seems the most vociferous—or at least the most well-appointed.
The High-Tech Trust Coalition is made up of some of the biggest players—technology companies, manufacturers, standard-setting bodies—in the RFID industry, including AIM Global, EDS, EPCGlobal, ITAA, Kimberly-Clark, National Semiconductor, Oracle, Texas Instruments, Symbol Technologies and Phillips Technologies.
Roxanne Gould, senior vice president for California Government and Public Affairs with AEA, said that while the AEA is not opposed to California's new law preventing forced tagging of individuals, the group is opposed to Simitian's remaining bills. "We had no position on 362. But we don't agree with any effort that unfairly demonizes technology," said Gould, in Sacramento.
"Technology is not inherently good or evil; it is how it's used. We don't agree that anyone should be forced to use a chip. But at the same time there are uses where subcutaneous chips are highly useful—with Alzheimer patients or diabetes. Just because someone is chipped, we don't agree that it's bad; we don't have a problem with the forced part. But we are opposed to the other bills that are still in play."
While Simitian began looking into the use of RFID in government-issued documentation after an elementary school in Sutter, Calif., required its students to wear identification badges that contained RFID tags, it was really video surveillance company Citywatcher.com that spurred the current anti-implementation law.
In 2006 Citywatcher.com required employees working in its secure data center to be implanted with RFID chips. Simitian said he figured it would only be a matter of time before others followed, particularly with state and local governments moving toward RFID-embedded identification documents.
"The issue that kept cropping up with people we spoke with was that while RFID is wonderful for identifying a particular document, they can be easily exchanged or passed from one person to another," Simitian said. "The concern I've had is I think there is an underlying pressure to go to implantation given the shortcomings and limitations of [RFID] documentation. The public wants us to get out in front of these potential privacy problems."
In 2004, the Food and Drug Administration approved a human-implantable RFID chip that is manufactured by VeriChip. So far, VeriChip has chipped about 2,000 individuals.