California Bans RFID Skimming

Advocates of the bill say it will help maintain security for millions of state residents who use the technology in their everyday lives.
It's now illegal to surreptitiously read RFID tags in California.

The state's governor, Arnold Schwarzenegger, signed SB 31 into law Tuesday. The legislation makes it "illegal to take information from RFID tags" without an owner's knowledge and permission. Exemptions allow emergency medical workers and law enforcement to scan RFID tags to identify unresponsive people or solve crimes, as long as they have obtained a warrant.

"The problem is real," said State Sen. Joe Simitian, a Palo Alto Democrat who introduced the legislation. "Millions of Californians use RFID cards to gain access to their office, apartment, condo, day care center or parking garage. Our passports now use the technology, and there is continued discussion about the possible use of RFID in drivers' licenses. Yet, up till now, there's been no law on the books to prevent anyone from skimming your information, and it's surprisingly easy to do." Simitian conducted an experiment in which his access card for the State Capitol was skimmed and cloned by a hacker in a second.

"Minutes later, using that clone of my card, the hacker was able to walk right into the Capitol through a 'secure' and locked entrance," he said. "RFID technology is not in and of itself the issue. RFID is a minor miracle with all sorts of good uses, but it's easier than ever to steal someone's personal information. With an unauthorized reader -- technology that is readily available, off-the-shelf, and surprisingly inexpensive -- it's really quite simple to do." Simitian said the public would resist emerging technologies without privacy and security protections.

The new law drew support from a wide variety of groups, including: the American Civil Liberties Union, Gun Owners of California, Privacy Rights Clearinghouse, Citizens Against Government Waste, California State Parent Teacher Association (PTA), Republican Liberty Caucus, and the National Organization for Women (NOW). Nicole Ozer, technology and civil liberties policy director for the ACLU of Northern California, praised Schwarzenegger for signing the bill into law.

"Just like Californians wouldn't allow a stranger to sift through their wallet and take their driver's license or want their children or grandchildren to tell passers-by on the street who they are or where they live, our private information must not be read at a distance without our knowledge or consent," she said. "By signing SB 31, Governor Schwarzenegger has taken an important step to safeguard the privacy, personal and public safety, and financial security of millions of families."

Editor's Choice
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing
John Edwards, Technology Journalist & Author
John Edwards, Technology Journalist & Author
James M. Connolly, Contributing Editor and Writer