Policymakers Deal with RFID Security and Privacy Problems

The cards used by California legislators to gain access to the "secure" areas of their statehouses have one big problem: it's been demonstrated that third parties can easily read information off their electronic tags at a short distance and gain unauthorized access. 

This kind of problem is why legislatures in California and Washington are moving bills that would criminalize the unauthorized reading of personal information from documents embedded within devices that make this possible, radio frequency identification (RFID) tags. This practice, known as RFID "skimming," involves surreptitiously copying the information embedded in IDs, security access cards, consumer loyalty cards, and a growing number of other documents where they are increasingly ubiquitous. The information on some types of tags can be scanned thirty or more feet away with readers that are easy to build or purchase.

Stopping the Skimming of Personal Information: Because RFID tags can be read remotely, without the tag holder's knowledge, the personal and consumer information contained inside is inherently less secure. Similarly, government or private actors could track and profile tag holders without their knowledge or consent. (One controversial application of the technology has been to track students in school.) The insecurity of these documents facilitates identity theft, security breaches, personal surveillance, and violence against women. These concerns have lead a broad array of groups, including privacy, civil liberties, women's rights, and industry organizations, to support anti-skimming laws and other ways to protect the privacy and security of RFID embedded documents. 

The RFID document problem will increase with the adoption of new "enhanced" driver's licenses which comply with the Department of Homeland Security's mandate requiring passports when crossing a U.S. land border or traveling to Bermuda or the Caribbean. For this program, DHS has chosen to use RFID tags that can be read across the room instead of a technology that will only work on contact or over very short distances, against the advice of the General Accounting Office, the Department's own Data Privacy and Integrity Advisory Committee, the Smart Card Alliance (an industry group that has recommended a more secure alternative to RFID) and U.S. Sen. Patrick Leahy, among others.

  • Washington State has legislation (HB 1031) recently passed by its House that would create a felony for skimming an RFID tag for the purpose of fraud, identity theft or other crime. The bill would also require opt-in consent before any public or private entity could scan and store information contained in an RFID tag.
  • California's Senate recently passed SB 31, which would create a misdemeanor for skimming any identification document. California also has other RFID bills that would create a moratorium on using RFID in driver's licenses and school identity cards, as well as regulate RFID use in government identity documents.

More Resources