BILL ANALYSIS
SB 388 Page 1
Date of Hearing: June 26, 2007
ASSEMBLY COMMITTEE ON JUDICIARY
Dave Jones, Chair
SB 388 (Corbett) - As Amended: June 13, 2007
FOR VOTE ONLY
SENATE VOTE : 22-17
SUBJECT : Privacy: RFID Tags
KEY ISSUES :
1)Should a private entity that issues a card or other device that uses RFID technology be required to notify the cardholder as to the nature of any personal information transmitted by that card, and the steps that the cardholder may take to protect that information?
2)Should this bill's definition of "personal information" be amended to exclude a random number known as a "unique identifier," so long as the GENERAL existence of that number is disclosed to the recipient cardholder?
SYNOPSIS
This bill is one of many that prohibit, restrict, or regulate the use of radio frequency identification technology (RFID) on identification cards or other items issued by private entities or government agencies. This bill would require private entities that issue identification devices that transmit "personal information," as defined, via RFID technology to inform the cardholder of (1) the nature of the information that is transmitted; (2) a general statement of any security measures that may be in place to safeguard that information; and (3) steps that the cardholder may take to prevent unauthorized access of the information. In addition, the bill provides that a private entity that fails to properly disclose the required information shall be subject to private actions to recover nominal damages of $1000, actual damages, if any, or both. The bill further provides that a prevailing plaintiff shall be awarded his or her reasonable attorney's fees and costs.
Supporters of this bill contend that as the use of RFID technology by private entities becomes more pervasive, consumers should know that they are carrying devices that may be transmitting their personal information to RFID "readers" without their knowledge.
Opponents claim, among other things, that the disclosure requirements of this bill are burdensome and unnecessary. They also claim that the proponents greatly exaggerate the threats posed by RFID and confuse it with other more dangerous "tracking" technologies. Opponents claim further that the bill is unnecessary given the lack of substantial, or even anecdotal, evidence that the technology has caused any harm to consumers.
While disagreements about the relative risks and merits of RFID will probably not be resolved, the Committee may wish to consider whether the bill's definition of "personal information" may be a bit overbroad in its inclusion of random "unique personal identifiers" within that definition. The analysis therefore suggests a possible amendment for the author's and Committee's consideration on this point.
SUMMARY : Requires any private entity that sells, furnishes, or otherwise issues a card or other item containing a radio frequency identification tag to make certain disclosures to the recipient cardholder. Specifically, this bill :
1)Requires any private entity that sells, furnishes, or otherwise issues a card or other item containing a radio frequency identification (RFID) tag that is capable of being scanned for the recipient cardholder's personal information, or a unique personal identifier, to inform the recipient of the card or item of all of the following:
a) the information that is transmitted to the RFID scanner upon the scanning of the tag.
b) a general statement of the security measures, such as authentication or encryption, that are used to safeguard information.
c) steps the recipient may take to prevent unauthorized access or scanning of information contained on the card or item.
2)Defines "personal information" to include, whether used alone or in conjunction with one another, the following:
a) first or last name;
b) address;
c) telephone number;
d) e-mail, Internet Protocol, or Web site address;
e) date of birth;
f) driver's license number or California identification card number;
g) any unique personal identifier number contained or encoded;
h) bank, credit card, or other financial institution account number;
i) any unique identifier contained or encoded on a health insurance, health benefit card, or government-issued benefit card;
j) religion;
k) ethnicity or nationality;
l) photograph;
m) fingerprint or other biometric identifier;
n) social security number;
o) any unique personal identifier.
3)Provides that a recipient cardholder may bring an action against any private entity in violation of the provisions of this bill for either nominal damages of $1000 or actual damages, if any, or both nominal and actual damages. Provides further that a prevailing plaintiff shall be awarded his or her reasonable attorney fees and costs.
4)Provides that in the case of a medical emergency during which a card or item containing a RFID tag is furnished or issued, the disclosure required pursuant to subdivision (a) shall be provided at a reasonable time after the cessation of the emergency.
EXISTING LAW :
1)Grants to all persons within this state a constitutional right to privacy and, unlike the federal constitution, protects the right to privacy from both state action and private entities. (Cal. Const., Art. I, Sec. 1; Hill v. Nat'l Collegiate Athletic Assn (1994) 7 Cal. 4th 1.)
2)Requires persons and businesses that conduct business in California, and who own or license the personal information of their customers, to implement and maintain reasonable security measures to protect that information and, subject to certain conditions, to notify customers as to any disclosures of that information to third parties.
Provides further that if a person or business discloses personal information pursuant to a contract with a third party, the person or business shall require by contract that the third party implement and maintain reasonable security practices and procedures. (Civil Code Section 1798.81.5.)
FISCAL EFFECT : This bill as currently in print is keyed non-fiscal.
COMMENTS : This bill would require a private entity that issues an RFID identification card or device to make certain disclosures to the recipients of those cards or devices. Specifically, the bill would require three separate, but related, disclosures for devices containing RFID technology. According to the author, the purpose of those disclosures is to fully inform the consumers about their RFID-enabled cards, thereby allowing them to make more informed decisions about whether and how to use them. The bill would require three kinds of disclosures: 1) the type of information transmitted to the RFID scanner upon scanning; 2) a general statement of the security features of the card or item; and 3) steps that may be taken to prevent unauthorized access or "skimming" of the information on the card. The measure would also allow an exemption to these disclosure requirements when cards or devices are issued in connection with a medical emergency, so long as the disclosure is made within a reasonable period of time after the emergency conditions cease.
As this Committee well knows from the many measures it hears in this area of the law, existing law imposes a number of requirements upon a business or private entity relative to safeguarding personal information that the business or entity collects from its customers. For example, a private business must implement reasonable security standards relative to its customers' personal data and notify customers if there is any breach of that data. (Civil Code Section 1798.80 et seq.)
This bill targets personal information protection by seeking to safeguard personal information that a business or other private entity places on cards or other devices issued to customers.
Background: What is RFID and How Does it Work? Despite the jargon-laden language sometimes used by both proponents and opponents, the basic outline of how RFID and related technologies work is fairly easy to understand. RFID "tags" can be embedded into objects, including documents, clothing, and even people. The tag typically consists of a microchip (that stores information) and one or more antennae. Remote "readers" can read this tag, via radio waves. The reader constantly emits radio signals. As a person or object with an RFID tag moves near the reader - the distance varies depending upon the device - the antennae pick up the signal and transmit the information stored on the microchip to the reader. Most RFID tags are "passive," which means that they can only be activated by the radio signal; others are "active," which means that they can actively search out readers in the area. In either case, an authorized reader can then transmit this information to a computer database. The distinction between "passive" and "active" tags is important because, despite some claims to the contrary, a passive tag cannot "broadcast" any information, personal or otherwise.
In some ways, RFID technology is merely a higher-tech version of bar code and magnetic strip scanning. However, scanning requires direct contact between the scanner and the stored information (or at least the magnetic strip or barcode must be in the direct line of sight of a laser). RFID readers, on the other hand, can read the information stored on the RFID tag remotely. With existing technology, the reader's capacity may only be about an inch or several feet. Experts disagree on the potential range of RFID readers in the future.
But most agree that the current technology typically only works at ranges of a few inches, though some devices may have ranges up to thirty feet. However, the fact that RFID tags can be read at any distance creates the possibility that information stored on an identification document can be read without the holder's knowledge or consent.
A key issue that divides experts on both sides of the debate, however, concerns the nature of the information stored on the RFID tag, and the usefulness of that information to any unauthorized reader. Sometimes an RFID tag only contains a random number that has no meaning until the reader transmits it to a computer database, where the random number is then matched to other information. However, RFID tags apparently can contain other information, such as a name, address, a credit card number, or even a visual image. Experts on both sides of the debate disagree about the value of "encryption" or other security measures that make stored information intelligible only to authorized readers. Moreover, privacy advocates point out that security measures must address more than the ability of the reader to access intelligible information from the tag; they must also address potential security breaches along the entire transmission process from tag, to reader, to computer database. Proponents of RFID, on the other hand, claim that RFID applications are confined to a closed system of authorized tags, readers, and databases within that system, so that even if outsiders with remote readers obtained information from an RFID tag, that information is only intelligible to persons within the system.
(The above summary of RFID technology, and the contours of the debate of privacy and security issues, is based, in part, on a host of documents representing the opinions of privacy rights and consumer groups, industry representatives, and government agencies. See, for example, www.privacyrights.org/are/RFIDposition.htm.)
ARGUMENTS IN SUPPORT : According to the author, this bill will help to give consumers the information that they need in the area of RFID use to protect their sensitive personal information from unwanted disclosure. While agreeing that RFID technology offers benefits, the author cites recent reports that have purportedly demonstrated how information may be "skimmed" by unauthorized readers without the knowledge or consent of the RFID cardholder. Furthermore, the author contends that:
Consumers are generally unaware whether an item contains a RFID tag, the information contained within that tag, and any security precautions that may be taken to prevent the unauthorized access of that information. SB 388 would provide consumers with this information, thus allowing them to make informed decisions concerning the use of RFID-enabled items.
The ACLU supports this bill because "individuals need to know of the presence of RFID tags so they can, first, make the decision as to whether or not they want to carry that item, and second, so they can use devices to shield the RFID tag from being read invisibly." Consistent with its position on the related RFID bills, the ACLU maintains that what makes RFID more dangerous than "direct contact" forms of technology is that RFID chips can be read without the holder's knowledge or consent. Providing disclosures, the ACLU believes, will give individuals more control over when, and to whom, personal information may be disclosed.
Many of the other supporters of this bill, including several consumer and privacy rights groups, make substantially the same arguments that they make in support of the other RFID bills presently before the Committee. For example, they cite reports highlighting the potential risks of RFID technology, whether issued by private or government entities. For example, virtually all supporters cite a New York Times article describing a research project conducted at the University of Massachusetts.
According to the report, the researchers tested about 20 major credit cards and found that at least some of the cards transmitted the cardholder's name and other data without encryption and could be read by a remote reader "cobbled together from readily available computer and radio components for $150." (NYT October 23, 2006.) Company officials quoted in the story stressed that the report was based on staged demonstrations that would be extremely burdensome to pull off in a real-world situation. Still, many of the experts cited in the story agreed that, if in fact RFID-enabled cards transmitted unencrypted personal information, then they would pose considerable risks of identity theft and invasion of privacy. Supporters of this bill believe that the risks are sufficiently likely that, at the very least, private entities that issue such cards should disclose basic information to the recipients of those cards.
ARGUMENTS IN OPPOSITION : This bill is opposed by a number of retail, banking, and business associations, as well as various companies that manufacture RFID and related technologies. Their opposition to this particular bill must be placed in the context of their opposition to the several pending bills attempting to prohibit, limit, or regulate the use of RFID technologies. To all of these bills, they raise at least three core objections:
First, opponents contend that these bills are largely unnecessary because, to date, there is no evidence that RFID technology has been linked to any particular case of identity theft.
Second, opponents claim that authors and proponents of these bills misrepresent the capabilities of RFID and thereby exaggerate the risks associated with its use. For example, they point to the fact that the authors and proponents routinely claim that RFID technology "broadcasts personal information," even though most RFID technologies contain only "passive" chips that do not "broadcast" anything and can only be activated by a reader.
Moreover, they point out that the vast majority of RFID devices contain only a random number, not "personal information" as usually defined. Furthermore, because the range of most RFID readers is limited to a few inches, RFID is virtually useless for "tracking" human beings.
Third, opponents stress that "not all 'RFID' is the same." There are vast differences - and vastly different security implications - between "passive" cards and "active" cards, between "smart cards" and "proximity cards," and between cards that truly contain "personal information" and those that contain only a random number. Most importantly, they argue, there is a vast difference between what can be done with existing technology and what proponents claim might conceivably be done in the future.
As for this bill, opponents claim that its disclosure requirements are burdensome and unnecessary. The result of the added time and costs of disclosure, they contend, will not protect privacy or security: it will only prevent private entities from developing what has proved to be a beneficial and safe technology. More specifically, opponents object to the bill's broad definition of "personal information." In particular, they object to the inclusion of "unique personal identifier" in the list of examples of "personal information." (See discussion of possible amendment on this point below.) HID Global contends that a unique identifier - which it states is all that is contained on the vast majority of RFID cards - "is a randomly generated set of digits that is only used to complete a transaction between an RF reader and its matching database. These numbers are not public numbers, and are used in lieu of personal information to further protect a person's identity and security."
Opposition to Damages Provisions : The Civil Justice Association of California (CJAC) does not oppose the disclosure provisions of this bill, but it does oppose the damages provisions for violations of this bill.
In particular, it points to the fact that this bill would permit a recipient cardholder to bring an action for nominal damages or actual damages, or both nominal and actual damages. CJAC claims that nominal damages, in particular, will "do more to attract litigation . . . than it will to ensure full and accurate disclosure." CJAC also objects to the provision which states that the court "shall" award attorney's fees and costs to the prevailing plaintiff. (The bill is silent as to whether a prevailing defendant would be entitled to fees and costs.) CJAC would prefer to replace the word "shall" with the word "may," so as not to take away the court's discretionary power.
Benefits of Possible Amendment Regarding the Definition of Personal Information? Unlike the other RFID bills before the Committee, this thoughtful measure does not seek to prohibit or limit the use of RFID technology, nor does it propose to require that entities using the technology implement any specified security measures. Instead, this bill is more modest in its reach: it would only require private entities to disclose certain information to the persons to whom such RFID devices are issued, allowing the use of the technology to evolve and continue without moratorium or cessation.
However, there is one aspect of the bill that the Committee may wish to discuss with the author pertaining to the bill's definition of "personal information." As HID Global and others have argued, the bill defines "personal information" more broadly than it is defined in existing statutes. On the one hand, some privacy experts, including the ACLU, claim that a randomly produced "unique identifier" is personal information, insofar as the number becomes associated with a particular individual over time and over multiple uses.
On the other hand, others, including the Privacy Rights Clearinghouse, note that a random identifier is really not personal information that should be protected in the same manner as personal information that is truly unique to an individual; it is, they note, substantially different from a name, address, credit card number, or social security number; and it does not pose the immediate risks associated with unauthorized disclosure of those pieces of information. Indeed, the Committee may wish to discuss with the author whether it is true that the primary purpose of using a random unique identifier is actually to improve privacy protection by obviating the need to place actual - and vulnerable - personal information on the card.
Even those groups who support this bill and insist that the unique identifier is personal information nonetheless agree that a card with only a randomly generated number is much safer in protecting against identity theft and other misuses than an RFID card that contains the names, addresses, credit card numbers, and/or social security numbers of the card holders. As drafted, the Committee could conclude that the measure might suggest that a unique identifier creates the same risk as the other clearly personal information listed in the bill at subdivision (b).
The Committee may wish to consider, therefore, whether this bill should be amended to remove "any unique personal identifier" from the list of examples that constitute "personal information" in proposed subdivision (b). However, recognizing that random identifiers are not risk-free under potential scenarios, the Committee might conclude that cardholders should under the bill continue to be generally informed if the card or other device contains any random identifier that can be read remotely through RFID technology.
In this regard, the Committee may wish to discuss with the author her openness to amending the bill to remove "unique personal identifier" from the list of "personal information" but still requiring that its presence be disclosed to the recipient. The following mock-up reflects this change:
SECTION 1. Part 2.7 (commencing with Section 60) is added to Division 1 of the Civil Code, to read:
PART 2.7. RADIO FREQUENCY IDENTIFICATION (RFID) PRIVACY
60. (a) Any private entity that sells, furnishes, or otherwise issues a card or other item containing a radio frequency identification (RFID) tag that is capable of being scanned for the recipient cardholder's personal information , or unique personal identifier, shall inform the recipient of the card or item of all of the following:
(1) The type of information that is transmitted to the RFID scanner upon the scanning of the tag.
(2) A general statement of the security measures, such as authentication, encryption, or the use, but not the content, of a unique personal identifier, if any, used by the card or item to safeguard information.
(3) Steps the recipient may take to prevent unauthorized access or scanning of information contained on the card or item.
(b) For purposes of subdivision (a), "personal information" includes any of the following data elements to the extent that information is used alone or in conjunction with any other information used to identify an individual:
(1) First or last name.
(2) Address.
(3) Telephone number.
(4) E-mail, Internet Protocol, or Web site address.
(5) Date of birth.
(6) Driver's license number or California identification card number.
(7) Any unique personal identifier number contained or encoded on a driver's license or identification card issued pursuant to Section 13000 of the Vehicle Code.
(8) Bank, credit card, or other financial institution account number.
(9) Any unique personal identifier contained or encoded on a health insurance, health benefit, or benefit card or record issued in conjunction with any government-supported aid program.
(10) Religion.
(11) Ethnicity or nationality.
(12) Photograph.
(13) Fingerprint or other biometric identifier.
(14) Social security number.
(15) Any unique personal identifier.
(c) In the case of a medical emergency during which a card or item containing a RFID tag is furnished or issued, the disclosure required pursuant to subdivision (a) shall be provided no later than a reasonable time after the cessation of the emergency.
65. In addition to any other remedies available at law, a recipient cardholder may bring an action against any private entity in violation of this part for either or both of the following:
(a) Nominal damages of one thousand dollars ($1,000).
(b) The amount of actual damages sustained, if any.
66. A prevailing plaintiff in an action commenced under this part shall be awarded his or her reasonable attorney's fees and costs.
RELATED PENDING LEGISLATION :
SB 28 (Simitian): Prohibits, until January 1, 2011, the Department of Motor Vehicles (DMV) from issuing, renewing, duplicating, or replacing a driver's license or identification card, if the license or card uses radio waves to either transmit personal information remotely or to enable personal information to be read from the license or card remotely.
SB 29 (Simitian): Prohibits, until January 1, 2011, a public school, school district, and county office of education from issuing any device that uses radio waves to transmit personal information, as defined, or to enable personal information to be viewed remotely for the purposes of recording the attendance of a pupil at school, establishing or tracking the location of a pupil on school grounds, or both.
SB 30 (Simitian): Enacts the Identity Information Protection Act of 2007 to (1) establish interim privacy and security protections to apply to remotely readable identifications (IDs) created, mandated, purchased, or issued by government entities, until subsequent legislation or regulations are enacted, (2) require the California Research Bureau to submit a report to the Legislature on security and privacy for government-issued, remotely readable IDs on or before June 30, 2008, and (3) specify that it is the intent of the Legislature that the interim measures contained in the Act be replaced with permanent legislation or regulations in the most timely and expeditious fashion possible following the issuance of the California Research Bureau's report.
SB 362 (Simitian): Provides that no person shall require, coerce, or compel another person to undergo a subcutaneous implantation of an identification device that transmits personal information, and provides for corresponding penalties and causes of actions.
REGISTERED SUPPORT / OPPOSITION :
Support
AARP
Asian Americans for Civil Rights and Equality
ACLU
ACLU of San Diego
California Commission on the Status of Women
California Federation of Teachers
California Immigrant Policy Center
California Labor Federation
Consumer Action
Consumer Federation of California
Consumers Union
Eagle Forum of California
Electronic Frontier Foundation
Gun Owners of California
Howard Jarvis Taxpayers Association
National Council of La Raza
Privacy Activism
Privacy Rights Clearinghouse
Protection and Advocacy, Inc. (PAI)
State Building and Construction Trades Council
Opposition
HID Global
Hi-Tech Trust Coalition:
3M
AeA (American Electronics Association)
ActivIdentity
AIM Global
Alvaka Networks
Aubrey Group, Inc.
American Express
California Bankers Association
California Business Properties Association
California Chamber of Commerce
California Financial Services Association
California Retailers Association
EDS
Elpac Electronics, Inc.
Grocery Manufacturers Association
InCom Corp.
Infineon Technologies North America Corp.
Information Technology Association of America (ITAA)
MAXIMUS
Motorola
Matheson Tri-Gas
National Semiconductor
Natoma Technologies, Inc.
NXP
Oberthur Card Systems
Oracle Corporation
Precision Dynamics
Retail Industry Leaders Association
San Jose-Silicon Valley Chamber of Commerce
SAS
Secura Key
SIA (Semiconductor Industry Association)
Sonnet Technologies, Inc.
Texas Instruments
VEDC, Inc.
Zebra Technologies
Analysis Prepared by : Thomas Clark / JUD. / (916) 319-2334