9/3 Update: The bill is now posted. Assembly floor analysis is available at the end of this entry.
------------------------------------------------------------------
According to Paul Nicholas Boylan, Senator Simitian has moved to "give new life to SB 682," the RFID bill. Boyan reports that the SB 768, a "Marine finfish aquaculture" bill has been abandoned, and Senator Simitian amended it radically by inserting the language from the last version of SB 682.
I don't see this yet in the bill, but check this link later to see if it shows up.
Boylan also reports that the opposition to SB 682 is in the initial stages of formulating a bill to address privacy concerns, and says it would definitely impact libraries. Read more if you're interested in getting involved.
Page 1
SENATE THIRD READING
SB 768 (Simitian)
As Amended September 2, 2005
Majority vote
SENATE VOTE :Vote not relevant
WATER, PARKS, & WILDLIFE 9-0APPROPRIATIONS 9-0
(vote not relevant)
(vote not relevant)
SUMMARY : Requires certain security measures be implemented into
government-issued identification (ID) that incorporate radio
frequency identification (RFID) technology, with certain
specified exceptions, and prohibits the use of RFID in four
classes of widely-issued government documents. Specifically,
this bill :
1)Requires all ID created, mandated, purchased, or issued by a
state, county, or municipal government or subdivision thereof
that uses radio waves to transmit personal information or to
enable personal information to be read remotely to incorporate
several security measures including: a unique personal
identifier number, mutual authentication and key
establishment, encryption, and several alternatives that would
ensure that the holder of the ID card affirmatively consents
to each reading.
2)The issuing entity must communicate in writing to the person
to whom the ID is issued, among other things, the location of
the readers, countermeasures that can be taken to control the
broadcasting of information, and what information is
collected.
3)Excepts the following documents from some or all of the prior
security requirements:
a) ID currently in use prior to January 1, 2006, so long as
the purpose of use does not change, the amount or type of
information transmitted does not increase, and the
identification is not issued to a new group of persons;
and,
b) ID used in certain specified facilities (e.g., jails or
prisons), in certain emergency situations, by certain types
SB 768
Page 2
of professionals, for other specified uses (e.g., toll
bridges), or if the legislature determines that the ID
should not be subject to the security requirements because
a compelling state interest exists and there are no less
intrusive means to the individual's privacy.
4)Prohibits the use of RFID in the following government-issued
documents until January 1, 2009, unless extended: driver's
licenses or identification issued pursuant to Vehicle Code
Section 13000; ID cards issued to students in K-12 schools;
government-issued health and medical benefit cards; public
library cards.
5)Limits access to the security features and personal
information found in the identification documents by
third-parties with whom the government agencies have a
business relationship or contract; requires such third-parties
to adopt procedures to safe-guard information to which they
have access; permits a person to bring a civil action against
a government entity when the entity or third-party fails to
comply with these provisions.
6)Provides that a person who intentionally remotely reads or
attempts to remotely read a person's identification card using
radio waves shall be punished by imprisonment in county jail
for up to one year, and a fine of not more than $5,000, or
both.
EXISTING LAW :
1)Provides that all people in this state have an inalienable,
constitutional right to privacy. (Cal. Const., Art I, Sec.
1.) Protects people against significant intrusions upon their
fundamental privacy and autonomy interests, except where the
intrusion is "necessary to further a 'compelling'--i.e., an
extremely important and vital--state interest," and where a
feasible and effective alternative does not exist that would
have a lesser impact on privacy interests. ( Acad. of
Pediatrics v. Lungren , (1997) 16 Cal. 4th 307, 330, 341.)
2)Precludes a state agency, in the Information Practices Act,
from disclosing personal information it possesses "in a manner
that would link the information disclosed to the individual to
whom it pertains," except in specified circumstances. (Civil
Code Section 1798.24.) An agency is subject to a civil suit
SB 768
Page 3
if it does not comply with these standards and a person
suffers an adverse effect. (Civil Code Section 1798.45.)
3)Provides, generally penalties for obtaining under false
pretenses, or disclosing, personal information from a state
agency. (Civil Code Sections 1798.53, 1798.56, 1798.57.)
4)Provides that a person who uses an electronic tracking device
to determine the location or movement of another person is
guilty of a misdemeanor. (Penal Code Section 637.7.)
FISCAL EFFECT : According to the Assembly Appropriations
analysis of SB 682 (Simitian) as amended August 15, 2005 which
is identical to this bill:
1)Existing systems: Probably no additional costs. Because
these systems are only grandfathered from the bill's
requirements as long as the purpose, information transmitted,
and categories of users does not increase, government agencies
would probably forego any expansions of these systems' purpose
or users if the expansion triggered the need to deploy more
expensive systems meeting the bill's technical parameters. If
the expanded system was one of the exempted applications, per
Summary point #3, the costs would be minor (see #2 below).
2)Future RFID systems with exempted applications: Minor
additional costs to state and local agencies, mainly for the
notifications, as required in Summary point #2, when issuing
new RFIDs to public safety and emergency services personnel,
Fastrak-type users, public building and parking lot users, or
state-licensed professionals.
3)Future RFID systems, Non-Exempted applications (including
future applications subject to the three-year moratorium per
Summary point #4): State and local agencies choosing to
implement new RFID systems will incur increased costs to the
extent that the bill's technical requirements increase system
costs beyond current practice for comparable applications.
These costs are unknown but could be significant. For
example, the cost of cards could increase by up to several
dollars per card and reader station costs could increase by up
to several hundred dollars each. Conversely, to the extent
such increased cost pressures cause government agencies to
reject deployment of new RFID systems, agencies may fail to
realize possible efficiencies associated with using this
SB 768
Page 4
technology.
4)Civil actions: Potential unknown cost to the state or local
agencies to defend against civil actions brought pursuant to
alleged non-compliance with Summary point #5, and potential
costs for adverse judgments against the state or local
agencies in such actions.
COMMENTS : According to the author, Radio Frequency
Identification (RFID) (the technology used in the "contactless
identification document" regulated by the bill) "are tiny
devices connected to miniature antennae. When a circuit reader
emits a radio signal, the devices in the vicinity respond by
transmitting their stored information to the reader." Although
RFID has been used since World War II, the chips have only
recently been expanding into the human realm, and in so doing
raising privacy concerns from both sides of the political
spectrum. These concerns took on special significance in
California earlier this year, when an elementary school in
Sutter County initiated a program requiring students to wear IDs
containing RFID tags.
The author introduced this bill in response to the growing
privacy concerns that RFID technology may soon be integrated
into a variety of government-issued identification documents.
Supporters of the bill argue that numerous security and privacy
threats posed by using RFID in government IDs have been
identified by the government, independent researchers, and the
technology industry. Supporters of the bill state, "Secret and
remote reading of personal data embedded in driver's licenses,
student identity, and other state and locally issued
identification documents puts Californians at risk of stalking,
kidnapping, identity theft and tracking and surveillance. Any
person or entity with a reader could scan and collect the
personal information of Californians without their knowledge."
Some supporters of the bill believe that the government's
collection of mass quantities of information and the
government's ability to track individuals raises civil liberty
concerns.
SB 682 addresses several of the privacy concerns by requiring
certain, specified security measures be incorporated into most
government-issued identification cards. The bill prohibits the
use of RFID technology in a few widely-issued IDs because of
special threats particularly associated with the
SB 768
Page 5
mass-distribution of documents. The author and sponsors explain
that there are several concerns that militate against
implementing RFID technology in mass-distributed documents that
nearly everyone is required to carry. Namely, they contend that
a mass system is harder to secure, more tempting for misuse, and
more attractive to hackers. The author states that because the
security measures have not been deployed together in a mass
contactless system, there is a large amount of risk in relying
on an untested security system.
Opponents of the bill argue that many of the supporters' fears
are unfounded and even "outlandish." They argue that security
measures may address all of their concerns, and that the
security protections in the bill prevent ID theft, tracking, and
profiling. Opponents argue that many of the supporters'
concerns are not unique to RFID technology, such as security
failure.
Opponents argue that for some cards, the level of security
required by the bill is unnecessary. They feel that some of the
security measures are unnecessary if no personal data is stored
on the cards. They also argue that the ability to incorporate
these security features makes the technology safer and more
privacy-friendly than technologies which are currently in use.
Opponents argue that California's failure to join the rapid
proliferation of RFID technology will disadvantage California,
public agencies, and national security. Other opponents argue
that RFID technology, while still at an early stage in its
lifecycle, promises to deliver great benefits. Technology
companies argue that the legislature should ban bad behavior
rather than banning the technology. Opponents argue that
banning the technology is bad for jobs in California.
Analysis Prepared by : Elizabeth Linton / JUD. / (916)
319-2334
Final Update for 2005:
As I reported above, Califoria Sentate Bill 768 was gutted and it's language replaced with the contents of SB 682. Although it is likely that this maneuver was permitted in order to allow the bill's author, State Senator Simitian, to save face, the bill remained in the Assembly Active File, which meant that it could still be voted upon any time before the end of the 2005 legislative session.
Well, it didn't happen. On September 8th the bill was placed in the Inactive File and then both houses of the California Legislature adjourned for the year.
This means that both SB 768 and its identical counterpart SB 682 are most likely gone for good. They could possibly come up for further action sometime after January 1, 2006. However,this further means that if either bill actually gets out of the Assembly and then out of the Senate (they have to return to the Senate for a further vote because they were amended in the Assembly) and then aren't vetoed by the Governor,the bills won't become a law until January 2007.
This is plenty of time for California libraries to responsibly utilize RFID technology to improve services. The bills, if somehow enacted, grandfather in all uses that exist prior to the bill becoming law.
This is also plenty of time for everyone concerned with the proliferation of RFID technology to work out a rational, meaningful plan of action for dealing with legitimate privacy concerns. The reason why SB 682 and SB 768 failed wasn't because big business beat down the little guy once again. It is because both bills were engendered by extreme, radical views that left no room for the truth. The truth is that RFID is both safe and secure when used responsibly, and there isn't a librarian I know who isn't a dedicated public servant who cares deeply about the privacy of their patrons. After all, librarians were among the first to protest against the Patriot Act. They risked violating the law to protect the privacy of library patrons.
Posted by: Paul Nicholas Boylan | September 09, 2005 at 10:13 AM
UPDATE:
There are strong indications that SB 768 (formerly SB 682) was gutted and amended for cosmetic reasons and that the bill is quite dead.
The California Appropriations Committee decided to hold SB 682, thereby killing it for the remander of this year. However, the members of that committee as well as the committee chairperson - sitting as ordinary Assemblypersons during a floor vote - voted to allow Senator Simitian to amend SB 768 in order to replace all of its content with the contets of SB 682 - the very bill that the Appropriations Committee voted to kill.
This glaring contradiction begs for an explaination, and an explaination is readily apparent: it was done to allow Senator Simitian to "save face."
Rumor has it that Simitian pledged the sponsors of the bill (the ACLU and the Electronic Frontier Foundation) that he would get SB 682 to the Assembly floor. And that's what this seemingly bizarre amendment allowed to happen. This seemingly hollow achievement allows Simitian to satisfy his political allies with a Pyrrhic victory and the illusion of overcoming overwhelming political force. But it is likely that somewhere a high level deal was made to allow Simitian to save face with the promise that the bill would never hit the floor for a vote.
However, like baseball, any partcular game of lawmaking is never over until it is over. When bills are "gutted and amended" in this fashion and for these reasons, the bill is customarily placed in the Inactive File. SB 768 is still in the Active File, which means anything can happen prior to the legislature adjouring at the end of the week.
Stay tuned.
Posted by: Paul Nicholas Boylan | September 06, 2005 at 05:16 PM