LibraryLaw Blog

CALIFORNIA SEN PUBLIC SAFETY HEARING DATE:  04/24/2007 . More info here.

This came in as a comment. I post it here so that libraries considering RFID especially in California can learn from the nuances discussed by R. Bruce Miller:

RE: "Although many libraries now have or are moving toward RFID, I am not aware of any that make personally identifying information readable by radio wave."

The nuance of language is what is at issue for libraries in regard to the Simitian bill. The Library at the University of California, Merced has books that are tagged with RFID and, for the library card, we use the campus "one-card" which has an RFID tag.

The nuance is that the library card RFID information is solely the number that serves as a key to the campus ID management system which then provides the ID info to the Library management system, i.e., the classic meaningless library card number, sometimes incorrectly referred to as the "bar code number".

At no time in the local transaction is personal information transmitted by RF nor is there personal information on the RFID on the card. If the card is lost, we simply use the system to turn off that random number "key" and we then issue a new card with a new random number key. (BTW we rely on substantial encryption for our RFID applications.)

The nuance of language in this issue is that Senator Simitian believes that the library card number is personal identification information. I discussed this in depth with the Senator and his staff. They remained steadfast in including library card numbers as personal identification information.

Their position is that a library might choose to use SSN or driver's license number for the library card and that would be compromising information that could be used in identity theft.

I pointed out that use of such numbers is now illegal and also is in violation of libraries' strict code of ethics regarding privacy. The Senator told me that he knew that but that he was concerned that a small town library might not know that they should not use personal identification information in that way. Simitian is adamant that the library card number be considered personal identification information and that library cards are personal identification documents.

My personal take on the bill is that the intentions are honorable. I support good policy that protects personal identity information. Unfortunately, the bill focuses on prohibitions against technology and does not provide much in the way of useful policy. I am perplexed that we are working so hard to ensure personal privacy and yet somehow we have become the enemy.

R Bruce Miller
University Librarian
University of California, Merced

I just read Karen Coyle's analysis of the newly reintroduced RFID bill in California.  As always, she makes very good points. The one that most got me thinking was her question as to why a bank account number is considered a personal identifier, but a library card number is not.  Think about it: both are unique numbers that get assigned to us as individuals.  In fact it may be easier to get your ex-boyfriend's library card number than his bank account number.  Once you have that unique identifier embedded in a chip, you're on your way to stalking that special someone with the right equipment and know-how. I saw a demonstration by David Molnar last week -- he showed us the hidden numbers embedded RFID chips in audience members' ID badges.  He used an inexpensive reader and a laptop. CHILLING.

As with any statement about what is personally identifiable, however, it comes down to the fact that the right context can link almost any information to you. Your library card number becomes you when combined with the library's patron database. Your credit card number identifies you if one has access to the bank's records. Quibbling over what is and what isn't personally identifiable just doesn't jive with the reality of our data mined world, and it is unclear to me why a bank card number is personally identifiable but a library card number is not (if it isn't, by this definition).

I don't know of any libraries that put patron ID numbers onto RFID chips, but if blog readers are aware of any, please comment.

RFID and California libraries: Identity Information Protection of 2007

Senator Simitian reintroduced an RFID bill last month that would require government issued identification documents to meet certain security requirements.  It specifically includes "Library cards issued by any public library." It would also make it a crime to knowingly disclose keys that allow someone to remotely read a patron's identity document using radio waves without the patron's consent. Further, it would direct the California Research Bureau to submit a report to the Legislature on security and privacy for government issued, remotely readable identification documents.

It is currently referred to the Senate Judiciary Committee

Senator Ellen Corbett (Chair)
Senator Tom Harman (Vice Chair)
Senator Dick Ackerman
Senator Sheila Kuehl
Senator Darrell Steinberg

and the Senate Public Safety Committee:

Senator Gloria Romero (Chair)
Senator Dave Cogdill (Vice Chair)
Senator Gilbert Cedillo
Senator Bob Margett
Senator Mark Ridley-Thomas

Minow take: I've never been a fan of legislation that aims at a specific technology.  This one gets amazingly prescriptive in its security requirements. That said, I don't see anything better on the horizon. I'd like to see a more comprehensive privacy bill that could be applied to all current and future technology. Our political climate is nowhere near right for a comprehensive European-style approach, however. In the absence of better legislation, I do want government to be careful with our identifying information, and I want it to be a crime for those who skim it off. 

How would this apply to libraries?  Although many libraries now have or are moving toward RFID, I am not aware of any that make personally identifying information readable by radio wave.  If readers know of any, please chime in.

The bill grandfathers in systems that began implementation before January 1, 2007, or for which a state, county, or municipal government request for proposal has been publicly issued before September 30, 2006, or executed a contract before September 30, 2006.

The libraries that should read the bill most closely are those that would miss these cut-off dates.   

Also, does anyone know if other states have RFID bills that impact libraries?

Note: last session a very similar version of this bill passed the Senate and Assembly and was vetoed by the Governator.

---

Identity Information Protection of 2007

To Coms. on  JUD. and  PUB. S.
COMM. LOCATION :  SEN JUDICIARY

MEASURE :  S.B. No. 30
AUTHOR(S) :  Simitian.
TOPIC :  Identity Information Protection Act of 2007.

For the full text, click below:

Beyond a Physical Conception of the Fourth Amendment:
Search and Seizure in the Digital Age

Stanford Law School
January 26th, 2007
http://stlr.stanford.edu/symposium.html

* Can the government search your computer without a warrant?
* Can they obtain your personal information from your Internet service provider?
* Is it constitutional for the cops to track your movements?

Free, open to everyone while registrations spaces last, with 8 CLE credits for lawyers.   Draft papers by the speakers available as they are received.  Here's one on RFID and Identification Objects by Nicole Ozer, ACLU-Northern Calif.

The Governor vetoed California's RFID bill. See http://www.informationweek.com/story/showArticle.jhtml?articleID=193101655

California's new RFID law (if signed by Governor Schwarzennegger) would probably not affect many if any libraries in California. It affects libraries that use RFID chips in library cards. Are there any?  Moreoever, it grandfathers in systems that are already in place.

The Identity Information Protection Act of 2006 (SB 768-Simitian) would require government issued identification documents (with specified exceptions) that use radio waves to transmit data (or enable data to be read remotely, as in passive chips), to meet certain security requirements.  Essentially, you could be punished with fines and imprisonment up to a year if you knowingl disclose operational system keys that allow someone to remotely read a patron's identity document using radio waves without the patron's consent.

The bill grandfathers in systems that began implementation before January 1, 2007, or for which a state, county, or municipal government request for proposal has been publicly issued before September 30, 2006, or executed a contract before September 30, 2006.

Library lawyer Grayson Barber joined ALA president elect Leslie Burger for a symposium on the issue of Radio Frequency Identification & libraries last month at Rutgers Law School.  It is available at the Rutgers site along with a lecture by noted First Amendment expert Geoffrey Stone, who spoke on Civil Liberties in a Time of War.  http://law-library.rutgers.edu/feeds/podcast.php

RFID: THE DIGITAL ERA AND PRIVACY

Date: November 4, 2005, 9:30 AM -12 Noon

Location: Rutgers Law School-Newark, N.J.
123 Washington St.
Newark, NJ 07102

Speakers: Grayson Barber, Lee Tien, Leslie Burger, Barry Steinhardt (ACLU) and Carol Roehrenbeck (Associate Dean, Info Services, Rutgers Law School Library)

Symposium website:  http://law-library.rutgers.edu/services/RFID.php

Link to audio and video playback of symposium:  http://law-library.rutgers.edu/feeds/podcast.php (scroll down to RFID symposium links)

Hat tip to Jonathan Kelly, OIF

Radio Frequency Identification and the San Francisco Public Library Summary Report Prepared by the San Francisco Public Library Technology and Privacy Advisory Committee (October 2005) 76 pages http://www.sfpl.org/librarylocations/libtechcomm/RFID-and-SFPL-summary-report-oct2005.pdf

TABLE OF CONTENTS

Executive Summary

Committee History and Description

RFID and Public Libraries

Sample Questions Suitable for an RFI

Recommendations to the Library

RFID Resources

Appendix A: San Francisco Public Library - First Floor Remodel Progress Report. April 10, 2003.

Appendix B: Repetitive Stress Injuries (RSIs), A Presentation to the Library Commission

Appendix C: Vendors Consulted

Appendix D: California Polytechnic State University RFID Survey, Fall 2004

Appendix E: The Most Popular RFID Read Range Frequencies

Appendix F: American Library Association's Intellectual Freedom Committee’s (IFC) DRAFT

Guidelines on RFID Implementation