The following text is copyright 2007 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.
RFID Privacy: Why not do it right?
By: Scott Bradner
California is again in the lead when it comes to trying to address privacy issues. The approach they are taking with one use of RFIDs is a good one but unfortunately they are only looking at a very small part of the RFID problem.
It is hardly unusual for California to be out in front of the rest of the country when it comes to privacy issues. (see, for example, "Knitting legal patchwork quilts" http://www.sobco.com/nww/2004/bradner-2004-10-25.html) [Bob - I'm pointing to my own web site for this column because the search engine for the column on your web site does not search all that far back - swap this URL for the copy on your web site if you can find it] The California Constitution starts right out in Article 1 Section 1 talking about the right to privacy (http://www.leginfo.ca.gov/.const/.article_1) and California politicians pay attention, at least some of the time. The California Office of Privacy Protection lists 100s of laws and pending legislation dealing with privacy.
This focus on privacy is quite different in the U.S. Congress. It seems like too many U.S. legislators either forget about the rights of the people who voted for them or decide that it's more important to keep the people providing the money they need for the next campaign happy. Either way, the U.S. Congress has not passed any meaningful privacy laws since the dawn of the web.
One of the latest California privacy efforts is SB 30 "Use of RFID in Identifications Documents." (http://info.sen.ca.gov/pub/07-08/bill/sen/sb_0001-0050/sb_30_bill_20070419_amended_sen_v97.html) which passed the California Senate 33 to 3. This bill requires good security and privacy protections for RFID-based identification cards and devices. In this legislation RFID is interpreted as anything that can be read via radio waves without any requirement for a direct contact. The EFF has a good review of the proposal at http://www.eff.org/Privacy/Surveillance/RFID/sb682_fact_sheet.php.
The law would tell those that would mandate the use of RFID IDs that they have to pay attention to privacy -- something that too many of them do not consider at all. For example, the law would directly deal with cases where schools provide RFID tags that students are required to wear. (See "The kids were right, school is a prison" http://www.networkworld.com/columnists/2005/022105bradner.html)
This proposal is a very important step but it's nowhere near as important as it could easily be. The legislation, as drafted, only applies to government issued RFID IDs. But government issued RFID-based IDs is a very small part of the overall RFID problem -- even if we ignore the issue of RFIDs attached to products. RFIDs are now used in all sorts of private sector issued IDs including building access systems, credit cards (see "More 'security as an afterthought'" http://www.networkworld.com/columnists/2006/103006bradner.html), highway toll systems and gas station charge tokens.
The California proposal would be far more important if it covered all RFID-based IDs in California. There is little evidence that the companies that are distributing, and often mandating, these systems care at all about the privacy and security aspects of them. If the people who buy the systems do not care, it's not likely that the people who manufacture the devices and systems will make the effort to make then secure. A law, even if it applies only in California would help wake the vendors up. Of course, the vendors just might be able to go back to sleep if the U.S. Congress does what it does best: create a nation-wide law that does nothing to protect the individual but overrides the often better laws that the states have passed.
disclaimer: Sleep has an over rated activity for most Harvard students over the last few months but I did not ask them or the university about waking up sleeping vendors so the above opinion is mine alone.