RFID privacy: Why not do it right?

California is again taking the lead on privacy issues (see “Knitting legal patchwork quilts”). The state’s approach with one use of RFID is a good one, but unfortunately it is only looking at a very small part of the problem.

California’s attention to privacy issues begins with its constitution in Article 1, Section 1. California politicians pay attention, at least some of the time. Also, the state’s Office of Privacy Protection lists hundreds of laws and pending legislation dealing with privacy.

This focus on privacy is quite different from that of the U.S. Congress. Too many legislators forget about the rights of people who voted for them or decide that it’s more important to keep those providing money for the next campaign happy. Either way, Congress has not passed any meaningful privacy laws since the dawn of the Web.

One of the latest California privacy efforts is SB 30, “Use of RFID in Identifications Documents”, which passed the California Senate 33 to 3. This bill, which requires good security and privacy protections for RFID-based identification cards and devices, interprets as anything that can be read via radio waves without any requirement for a direct contact.

The Electronic Frontier Foundation has a good review of the proposal here.

The law would tell those who mandate the use of RFID IDs that they have to pay attention to privacy — something that too many of them do not consider. For example, the law would directly deal with cases in which schools provide RFID tags that students are required to wear. (See “The kids were right, school is a prison”.)

This proposal is a very important step but it’s nowhere near as important as it could be. The legislation, as drafted, only applies to government-issued RFID IDs. But such IDs are a very small part of the overall RFID problem — even if we ignore the issue of RFIDs attached to products. RFIDs are used in all sorts of private sector-issued IDs including building access systems, credit cards (see “More ’security as an afterthought’”), highway toll systems and gas station charge tokens.

The California proposal would be far more important if it covered all RFID-based IDs in the state. There is little evidence that the companies distributing, and often mandating, these systems care about the privacy and security aspects of them. If the people who buy the systems do not care, it’s not likely that the people who manufacture the devices and systems will make the effort to make them secure. A law, even if it applies only in California, would help wake up the vendors. Of course, the vendors might be able to go back to sleep if Congress does what it does best: create a nationwide law that does nothing to protect the individual but overrides the often better laws that the states have passed.

Disclaimer: Sleep has been an overrated activity for most Harvard students over the last few months, but I did not ask them or the university about waking up sleeping vendors, so the above opinion is mine alone.