IoT Security Blog

Articles and Posts on IoT Security, Embedded Systems, and the Internet of Things

California Senate Approves Bill To Outlaw Skimming RFID Tags

Contributed by Joanne Kelleher

California Senate Bill 31, which misdemeanors for non-consensual remote reading RFID and for improper disclosure of the keys to RFID systems, is part of a package of bills concerning privacy and RFID technology introduced by CA Senator Simitian. After several amendments, SB 31 was passed by the California Senate on 1/30/08 and now goes to the California State Assembly.

The language states: This bill would provide that a person or entity that intentionally remotely reads or attempts to remotely read a person’s identification document, as defined, using radio waves without his or her knowledge and prior consent, as described, shall be punished by imprisonment in a county jail for up to one year, a fine of not more than $1,500, or both that fine and imprisonment. The bill would also provide that a person or entity who knowingly discloses, or causes to be disclosed, specified operational system keys shall be punished by imprisonment in a county jail for up to one year, a fine of not more than $1,500, or both that fine and imprisonment. The bill would provide that the provisions regarding knowing disclosure of operational system keys is to become operative only if SB 30 of the 2007-08 Regular Session is also enacted and becomes effective on or before January 1, 2009.

There are exceptions for law enforcement, health care situations, or the reading of an identification document in the good faith course of security research, experimentation of scientific inquiry, including analysis of security vulnerabilities.

This bill was originally part of SB 768 (Simitian) in the 2005-06 Session and was vetoed by Governor Schwarzenegger. By creating a new crime, this bill would result in a state-mandated local program.

Protecting privacy is certainly important, but I’m not sure how local government is going to enforce this, especially when they are to receive no funding and they most likely don’t have the local expertise to prove that skimming occurred.

Information Week article –
http://www.informationweek.com/news/showArticle.jhtml?articleID=206101115