Looking to Lock Down RFID

Privacy and security legislation is on the rise in states, but not from feds.

In 2005, the actions of a small-town school district in Northern California set off a chain of events that could lead to groundbreaking legislation limiting the use of RFID in California and, if other states pick up the rallying call, across the nation.

Last year, the Brittan Elementary School District in Sutter, Calif., required all its students to wear an ID badge implanted with a radio-frequency chip. The badges, which stored a 15-digit identifier for each student, were intended to be used as an attendance aid. Parents, however, were up in arms over the practice, which many said violated their kids' privacy rights.

As a result, state Sen. Joseph Simitian, a Democrat from Palo Alto, authored a bill introducing security and privacy measures around the use of radio-frequency identification—particularly in government ID documents. The bill is sitting on Gov. Arnold Schwarzenegger's desk; he has until the end of September to either veto it or sign it into law.

Although there are many similar bills, California's is considered by many to be the one with standard-setting potential. "We think the bill draws the right lines," said Tim Sparapani, legislative counsel for the American Civil Liberties Union, in Washington. "RFID can be incredibly useful when shipping certain goods, but not when used to track people."

Sparapani points out that California is where a large percentage of the U.S. population lives. If a controversial bill is passed there, other states tend to take notice and follow suit, with industries and vendors taking heed. At least, that's what Sparapani and others hope when it comes to legislation that mandates privacy and security practices around RFID. "[California] really is the bellwether," he said.

The governors of Georgia, New Hampshire, Utah and Wisconsin have signed some form of RFID legislation into law. RFID legislation is dead in the water in Florida, Maryland, Missouri, Montana, Nevada, South Dakota, Texas and Virginia. Some states, such as New Mexico, have reintroduced legislation or have separate bills in process. Rhode Island is the only state to have vetoed RFID legislation.

Many of the state bills create a study group to further understand RFID before actually enacting legislation and to set provisions that retailers must notify consumers when RFID is present in or on an item. Such notification legislation often calls for a nationally recognized symbol—something like the cotton symbol on a T-shirt—that will alert shoppers at a glance to the presence of an RFID tag.

But the four bills recently signed into law differ widely. Georgia's law, enacted April 12, creates a joint house and senate committee chartered with developing and recommending legislation for the 2006 session. New Hampshire's bill, signed into law May 25, requires retailers to inform consumers of the use of RFID tracking devices on products and to affix a label to shipped goods. Utah's law amends the definition of computer network to include wireless RFID networks. Wisconsin's law, passed May 30, makes it illegal to "require" an implanted RFID chip in citizens.

"To me, it boils down to a privacy issue," said state Rep. Marlin Schneider, the Democrat who authored the Wisconsin bill. "Remember, our bill doesn't prohibit the implantation of RFID; it only prohibits implantation without consent," Schneider said.

California's bill, SB 768, takes a wider view of RFID's potential areas of regulation. An iteration of a previously introduced bill, SB 768 stipulates that if RFID is used in government documents, there must be security and privacy protections for Californians; makes it unlawful to "skim" identity from an RFID chip; and asks the California Research Bureau to review the use of RFID in government documents, according to Simitian.

Simitian said his state—and the nation—is at the threshold of RFID's proliferating use in government identity documents. The Department of State has mandated RFID chips be added to all U.S. passports by the end of this year. Last year, the U.S. government put into effect its Real ID mandate that requires all states to redesign their driver's licenses by 2008—a move that signals for many of those same privacy advocates the advent of a national RFID-chipped ID card.

"This is the next really big privacy battle, and it will be fought in every state," said the ACLU's Sparapani. "This is the national ID card; every RFID vendor in the country wants in on this."

The ACLU and other citizen groups such as Consumers Against Supermarket Privacy Invasion and Numbering oppose the use of RFID chips in any ID card issued by federal, state and local governments. Privacy advocates have told eWeek that they're concerned about the government setting up a system of ID card checkpoints around the country. More than one, including Kevin Ashton, the co-founder of the Massachusetts Institute of Technology's Auto ID-Labs, have said that chips on passports are both unreliable and a risk to data integrity.

"You can take the chip off one passport and stick it on another. No one will know the difference," said Ashton, now vice president of marketing at ThingMagic, in Cambridge, Mass., and an instructor at MIT. "It is truly a stupid idea to store any information on an RFID tag other than a unique number [that refers back to a database]. Otherwise, there is always the risk of data change."

There are currently two federal bits of RFID legislation being bandied about, both having to do with tracking the pedigree of prescription drugs.

Missing from federal legislation are measures that would protect citizens from the deleterious effects of RFID gone awry—whether that be terrorists skimming the identifying information of a U.S. citizen traveling abroad or a government body tracking a citizen at home.

"The first [strong state] legislation is the one that's going to garner the most attention; that's the one that's going to be a wake-up call on the hill," said Michael Laird, an RFID analyst with ABI Research, in Oyster Bay, N.Y.

Laird is a member of the nascent RFID Caucus, formed in July by two U.S. senators, Byron Dorgan, D-N.D., and John Cornyn, R-Texas. The group's goal: to educate their colleagues about the potential uses and benefits of RFID.

California's bill could, according to Laird, restrict the way businesses and libraries use RFID, while other states could offer even more restrictions.

"My challenge with RFID is [that it is] a term with a thousand variations," said Laird. "What do you mean when you say RFID? It's legislating against bad behavior, not legislating against the technology—that's what we have to look at."

Wisconsin state Rep. Schneider agrees that the federal government needs to focus.

"The federal government should strike on this as much as they can," said Schneider in Wisconsin Rapids. "The states can act, but the federal government pre-empts. My concern is that once this [technology] becomes used by the Pentagon, as in the proposal [to implant] our soldiers, then it becomes an argument of economic necessity—and you can't control it then."

Arguably, there have been some concessions by the federal government that the use of RFID technology in documents such as passports presents some security and privacy risks. From its first concept of an RFID-chipped passport, the State Department has added the so-called Faraday Cage, which supposedly shields a closed passport from being read, and BAC [basic access control] technology to prevent skimming and eavesdropping of data.

For as many detractors of the use of RFID technology in public settings, there are supporters.

"We're opposed to any existing RFID legislation," said Maureen Riehl, vice president, Government and Industry Relations Counsel at the National Retail Federation, in Washington. "The concerns the privacy advocates have about interfacing with individual consumers is still a fairly long way off. … The whole point is for businesses to see what works and doesn't work in their own supply chains," Riehl said.

Retailers started working with RFID several years ago. Wal-Mart's 2004 mandate to its top 100 suppliers that they RFID-enable some pallets and cases of goods kicked off a nationwide discussion around RFID, as did a similar supplier mandate from the Department of Defense.

NRF and other industry groups such as AIM Global are urging legislators to look at current laws—particularly those pertaining to computer crime, such as Utah's law—that include privacy and security mandates that could include RFID. At the same time, the NRF is working with EPCglobal, the RFID standard-setting organization, to develop the logo or nationally recognized symbol called for in some state legislation bills.

"It has a ways to go," said Riehl in Washington. "But large retailers are embracing it."

Scott Blackmer, a lawyer and board member of the International Security, Trust & Privacy Alliance—a group that has created an IT framework to help companies comply with privacy and security mandates—said he believes that the security and privacy concerns around RFID are warranted. Blackmer also recommends industry standards in place of legislation. He suggests that big buying organizations such as the DOD and Wal-Mart impose standards—such as making it hard for nonremovable tags to be read from a distance or making it easy to remove tags that can be read from a distance—and others will be forced to follow suit.

"The issue for the Wal-Marts of the world is if there is legislation in three or four states, it is very difficult for them to change procurement for Wisconsin or Florida," said Blackmer in Salt Lake City. "They will have to find ways to comply within those requirements—and that will factor in their decision [on whether] to do RFID at all."