In California, a Loosely Written Law Threatens RFID and Prox

Sept. 12, 2005
Bill, now waiting for the next legislative session, could significantly affect how smart card technologies are employed

What if you couldn't add a new prox or RFID system to your facilities? Say perhaps you had a universal access card system using smart cards but wanted to integrate it in the coming years with your IT network's log-in system, and perhaps tie it in to a debit feature and even add on control of your parking garages... but there was a law that prevented you from acting on this?

That's essentially what has been proposed in California, where State Senator Joe Simitian has been working to enact a law that would create a freeze period of three years on RFID as the state assesses the privacy issues of this technology.

First, let's get some facts straight before anyone treats this proposed legislation with hysteria. The bill (click here to read the text) speaks only toward government-type usages including K-12 schools, libraries, driver's license cards, health insurance and benefits-type cards.

The bill, known as California Senate Bill 682 in its last version, has essentially been put on hold with the end of the California session, but not before over a half-dozen revisions. The most startling thing for our industry, I think, though is not that this kind of legislation has been proposed. It is after all, the aftermath of an action taken by the Brittan Elementary School in Sutter, Calif. Brittan essentially proposed to put RFID into their elementary to track students throughout the school (some reports have even said to the bathrooms) but failed to notify the parents of this technology decision (see original story on from February 2005). What happened was exactly to be expected -- public outcry and concerns about invasions of privacy. Brittan backed away quickly from the technology, also as was to be expected. So the bill, which does specifically block RFID tag implications at the K-12 level, really comes as no surprise. It's a standard political reaction to an improper policy almost put into place by an overzealous someone at the municipal level.

But as I started to mention, the most startling part of the bill isn't that the California Senate is reacting to a very bad incident, but that the bill very loosely approaches the technology upon which it's wants to put a three-year freeze.

The bill -- which is being reformulated for the next legislative session for reintroduction -- essentially blocks what it calls technology that uses "radio waves" to transmit personal identification. So it's not aiming specifically at RFID, but puts a major stumbling block for prox cards and any other "smart card" type technology that doesn't require a physical swipe or insertion to read the data. If you want to see how the bill really phrases this, you need only read down to the third paragraph of the Legislative Counsel's Digest, which delineates the affected documents to include (in the revised version of Aug. 15, 2005) "identification documents, except as specified, that are created, mandated, purchased, or issued by various public entities that use radio waves to broadcast personal information."

What does this mean for your facility? In a lot of ways, it's too early to tell. SB 682 went through so many revisions that you can almost expect the next bill version to see an equal number of revisions, before it even has a chance to be brought to a vote. There's also been some industry outcry. The RFID industry has come out very publically against the bill, with numerous campaigns encouraging their industry to contact their legislators. In the security-specific arena, Assa Abloy's ITG (Identification Technology Group) has been heavily involved, and as of recent has hired a political liasion to monitor this and other legislation. The company, which could stand to lose a great deal if this broadly-written law was passed, has offered to help Simitian redraft the bill in a way that not only serves the public's need for privacy but also enables the proper use of the available technologies.

According to ITG's CEO Denis Hebert, who presented a legislative update on Monday at the ASIS show on California and other states' pending legislation that could affect RFID and/or prox technology, the issue will likely be cropping up in a number of states in a variety of forms. Some of these, he notes, will be relatively harmless, while others may again treat the technology so broadly as to possibility limit how you use the technology at the facilities you secure. Hebert was also joined by Deb Spitler of HID and Indala President Marc Freundlich. The Assa Abloy ITG encompasses Indala, HID, and other companies under the Assa Abloy umbrella that deal in identification technologies. Our advice? Stay updated on this and other legislation, and make your voice heard to ensure, as Indala's Freundlich says, that "privacy and security are not mutually exclusive."