The California State Senate took action to outlaw "skimming," the surreptitious reading of personal information stored on RFID-enabled ID cards, State Senator Joe Simitian announced.
RFID involves placing a "tag," a tiny receptor device containing electronic information, on an object. The tag can be read by directing radio waves at it, which causes the tag to send back a signal containing the information.
"The problem is real," Simitian said. In a controlled experiment, "the card I use to access the State Capitol was skimmed and cloned by a hacker in a split second. Minutes later, using that clone of my card, he was able to walk right into the Capitol through a 'secure' and locked entrance."
By a vote of 36 to 3, the Senate passed Simitian's Senate Bill, SB 31, which now moves to the Assembly. The bill would make it a crime to surreptitiously read information stored on RFID tags. The bill makes exceptions for inadvertent scanning and also permits various emergency medical services and law enforcement agencies to scan without a bearer's permission to identify or assist an unresponsive person, or to solve a crime, as long as a search warrant has been issued.
"If you've been mugged, or even had your pocket picked, you know you've been a victim. You can take steps to protect yourself against identity theft,'' said Simitian. "But if your personal information has been 'skimmed' without your knowledge or consent, you're completely vulnerable."
"Right now if someone steals your ID, it's a crime; but if they steal the information on your ID by 'skimming,' it's not. That makes no sense whatsoever," Simitian said. "The problem is particularly serious because we've got millions of IDs and access cards out there with no limitation on the kind of information they carry, and no requirement that they use any of the privacy protection technology that's readily available."
Simitian has expressed concern about the potential privacy pitfalls of RFID technology as its use becomes more widespread in identification documents. He said he was pleased to see the Senate return to the issue after Governor Arnold Schwarzenegger signed another RFID bill he authored just last year.
Simitian said, "RFID technology is not in and of itself the issue. RFID is a minor miracle with all sorts of good uses." But, he notes, "It's easier than ever to steal someone's personal information with an unauthorized reader -- technology that is readily available, off-the-shelf, and surprisingly inexpensive."
RFID technology is decades old. But miniaturization in electronics has enabled it to be employed much more widely in recent years. Unlike swipe cards, which must be held close to a reader to register, RFID tags can be read automatically, without the bearer doing anything, or even noticing. Some can be read only from an inch or two, but others may be readable over several yards.
Tags can be encoded with almost any type of personal information, including birth dates, Social Security numbers, addresses, drivers license numbers, or bank account numbers.
The technology is increasingly being used to encode information on identification documents, such as driver's licenses and passports. Businesses or schools may use it on ID cards for employees or students. On a health insurance card, it might not only identify the bearer, but provide essential -- and deeply personal -- medical information.