Technology industry and privacy advocates clash

Radio Frequency Identity technology, the communication over certain radio frequencies between a small microprocessor with an antenna and its reader, has been used for decades to track inventory and for shipping purposes.

Increasingly, small chips outfitted with the technology are implanted in domestic pets and livestock too. The technology is also used in the health care industry and in new U.S. passports. In California, RFID is probably best known, though, for enabling the FasTrak system to speed commuters through toll bridges. In fact, FasTrak devices in cars also provide the information for billboards that advertise traffic delays.

But as the wonder-technology has expanded its reach to security applications in California–like identification documents at colleges and entrance cards to secure buildings like the Capitol–a diverse coalition has formed to address privacy fears that the RFID industry believes are unwarranted.

Last year, a bill authored by Senator Joe Simitian, D-Palo Alto, to regulate RFID technology in the public sector passed 33-3. But the bill, SB 768, was vetoed by Governor Arnold Schwarzenegger, who expressed concern that the legislation would hamstring state agencies’ procurement decisions and wasn’t necessary.

This year the same privacy coalition–of women’s advocates, labor unions, gun owners, and the ACLU–has teamed up with Senator Simitian on five bills, to reign in certain RFID technology use in the public sector, and punish would-be identity thieves. Among other actions, the bills would ban public schools from using RFID cards to take attendance, establish interim privacy safeguards for many government issued IDs and benefit cards until new legislation is passed, and ban the Department of Motor Vehicles using RFID technology in state driver’s licenses for four years.

Another bill, SB 388 authored by Senator Ellen Corbett, D-San Leandro aimed at the private sector, would require companies to inform customers what privacy features their RFID products contain. All but one of the bills recently cleared the Senate. One bill, SB 31, that would make it a misdemeanor to steal personal information off an RFID card, remains stuck in the Senate Public Safety Committee until January with other bills that contribute to prison overcrowding. An Assembly Judiciary committee hearing is scheduled for Tuesday on the other bills.

Governor Schwarzenegger’s spokesman Aaron McClear said that the governor won’t take a position this time around until he sees the final versions of the bills.
Privacy advocates worry that users of certain types of RFID-enhanced IDs and access-cards too easily broadcast one’s personal information to potential identity thieves or stalkers. They point to cases where researchers have cracked and cloned systems with off-the-shelf electronic equipment. Senator Simitian said that one wouldn’t even know when their information was compromised in such a scenario. “(At least) if you were the victim of a pickpocket you could know that your wallet was missing and cancel you credit cards,” Simitian said.

Advocates of the legislation also worry of the potential for big brother abuse down the road should state agencies require RFID technology in driver’s licenses and other official ID cards. “Knowing the ATF and the FBI, I’m sure they would love to see people’s gun ownership on our cards,” said Sam Paredes, executive director of the Gun Owners of California. Paredes said that it isn’t often that his 30,000-plus members see eye to eye with the ACLU. He said that everyone in the coalition, though, wants to ensure that government doesn’t ever mandate use of a technology that is insecure and has the potential for tracking.

The RFID industry says many of these fears are unfounded. They say that RFID technology improves privacy protections, and is better than other security systems–like the magnetic strip on the back of credit cards and driver’s licenses–that have been forged for years. Meanwhile, they say that with more than a billion RFID cards in use worldwide, there hasn’t been a single case of identity theft. “We believe this is a solution looking for a problem,” said Kathleen Carroll, the director of government relations for HID Global, a manufacturer of RFID readers and cards. She points to the fact that the DMV isn’t even planning on changing their current technology for at least five years, if at all.

The industry also believes it is being singled out unfairly, and if the legislation passes an unintended side effect will be to stifle innovation.

“When you start mandating technology you are locking in the 8-track tape,” said Roxanne Gould, a spokesperson for the American Electronics Association and the High-Tech Trust Coalition that opposes the bills. “We are concerned that investors will think ‘maybe we should hold off on this company.’ This will send a signal to companies that are innovating that they should rethink what they are improving.”

Finally, industry complains that people’s worst fears of the technology is hyped by the media and privacy advocates who lump together all forms of RFID products when some are more secure than others – and for good reason. A card with a unique code to access a building, for example, doesn’t contain any personal information, they argue. Still, it is included in the bills’ language as vulnerable to giving away personal information. “If you found a metal house key on the street you would have no idea who that house belonged to,” said Carroll. “It’s the same principle with unique identifier numbers.” They say that RFID smart cards that include names, addresses, or bank numbers, however, already offer two forms of security–authentication and encryption.

Still, Senator Simitian said that if you can get into a building like the state Capitol and have access to restricted areas by hacking a unique identifier code, your identity is still compromised. Nicole Ozer, with the ACLU agrees.

“Automobile manufactures fought against seat belts and airbags in cars before