Earlier this month, SB 362, introduced by Senator Joe Simitian, (D-Palo Alto, CA), was unanimously passed by California lawmakers. The new law, which goes into affect on January 1, 2008, protects a person from being forced to have an 'identification device' subcutaneously implanted. The law defines an “Identification device”as "anything that is passively or actively capable of transmitting personal information, including, but not limited to, devices using radio frequency technology".
This is one of the bills I wrote about this past July (found here: Getting Personal to Prevent Banning RFID). After publishing this article, and contacting the offices of Senator Simitian, Senator Ellen Corbett (D-San Leandro, CA), and California Governor Schwarzenegger , the bill was amended from 'any unique identifier' to 'any unique personal identifier' as per our recommendation. I consider the passing of the bill to be a huge victory. Everyone I have spoken to in our community agrees that no one should be forced to have a tag implanted under their skin.
California is not the first state to do this. Wisconsin passed Act 482, in May 2006, and North Dakota in April, 2007. Colorado and Ohio are reviewing similar bills while Florida and Oklahoma choose not to pass what their lawmakers proposed.
Photo courtesy of VeriChip Corp
Given that, all the new laws still allow people to choose to have an RFID tag implanted. The Attorney General of Mexico and 18 members of his staff choose to implant a Verichip (see image left), an FDA approved 12-millimeter, glass-covered RFID tag, in the fatty tissue of their upper arm. The primary purposes are stated 'as verification when entering high security areas' and 'faster access to medical records'. These guys aren't the only ones. Verichip reports over 2,000 people have been tagged. As Orwellian as this sounds, I wrote about this being done at Barcelona beach club back in November of 2004. The patrons volunteered to put RFID under their skin simply to prevent needing to carry their wallet around in their bathing suit. Click here to read the entire article. Personally, I prefer to use a wrist-band tag and live with the tan lines - but that's my choice.
However, the right to choose is something one group wants to take away from you. The anti-RFID group, CASPIAN, attacksVerichip on their web site (Spychips.com) with the headline "Could a VeriChip cause cancer?". The headline links to a September 8, 2007 Associated Press story (here) that quotes a retired toxicologic pathologist who stated RFID had "induced" malignant tumors in some lab mice and rats during a 1996 study he led at the Dow Chemical Co. As I mentioned above, Verichip is FDA approved, but the article even questions how that happened. The fact is, it is conservatively estimated that over 15 million animals have been implanted with similar RFID tags during the past 15 years, and none have been linked to causing tumors.
CASPIAN uses this article, and other propaganda on the web site to scare the public and lawmakers into thinking RFID tags are 'the Mark of the Beast, as described in the Book of Revelation'. They've dedicated their efforts to outlaw RFID.
I did some investigating to find out what motivated the new state laws and it's not cancer or Satan. Several news stories referenced Citywatcher.com, an Ohio based security firm that requested certain employees have tags implanted in order to access secure areas of a facility. Yet, the official statements from several lawmakers, including Senator Simitian, imply they were motivated more by concern for the lack of security on the chips than strong-arm tactics by business.
Lawmakers need to understand that most tags don't need a lot of security. As long as an RFID tag does not contain any personal information and the tag can not be changed or altered after commissioning, then it is a very reliable and private means of identification. What is critical is the database that stores the personal information, medical records, or any data other than the unique identifier is secure and so is the method of communicating with it.
Take a look at the animated example (right). The RFID tag only contains a unique identification number. There is no personal information on the tag at all. When an RFID reader requests the tag information, it is given the unique number. The reader then securely connects to a database and requests the data associated with that number. In this case, a patient name.
Wired magazine published a story called RFID Hacking Underground that gives several scenarios where RFID tags are altered. One particiluar example describes someone walking around the grocery store changing the data on the RFID tag of an expensive bottle of wine to have the electronic product code of an inexpensive bottle. What the example failed to point out is that the standard RFID tags used by retailers (ISO-180006C) have the ability to lock the tag data. If you don't supply the right password, the tag doesn't change - it keeps the original data. So let's say you want to 'hack the code'. It takes 20 milliseconds to attempt to write to one of these tags. Since the lock code is 32 bits in length, it could take you up to 1 month to hack the code through trial and error. Not to mention the fact that you're standing in front of a bottle of wine with a reader in your hand like the one pictured above. Do you think store security might notice? Wouldn't it be easier to print the barcode of the cheaper wine and stick it over top the barcode on the more expensive bottle?
The real issue is handling duplicated, or counterfeit chips. If I can read all the data off of a tag, and get another tag like it, there is a chance I can program the second tag with the same data as the first. It all depends on the type of tag. In some situations where RFID is used for people tracking, copying tags is a possibility. In these cases, RFID should be coupled with other types of authentication, such as a pin number or password known only to the tagged person, a fingerprint/hand scan, a retinal scan, or a voice print. Some RFID tags used on pharmaceuticals use color shifting inks (aka Optically Variable Pigment Technology) where a strip on the label changes color as you alter the angle of the label to your point of view. A properly trained person can quickly recognize authentic products. Color shifting inks are the only technology that has never been counterfeit. Combining multiple methods of authentication makes a more secure solution, which is no different than the approach used to prevent counterfeiting money. Each technique makes it increasingly more difficult for the bad guys.
The lawmakers in California passed an excellent piece of legislation. It demonstrates that if lawmakers, privacy advocates, and technologists work together, we can craft balanced legislation that protects both the individual and industry.
Editor's note: the other bills written about in the July article, SB 28 & 29 & 388 have all been placed on inactive file as of September 5, 2007. SB 31 hasn't been addressed since April, 2007.
Lawmakers need to understand that most tags don't need a lot of security. As long as an RFID tag does not contain any personal information and the tag can not be changed or altered after commissioning, then it is a very reliable and private means of identification. What is critical is the database that stores the personal information, medical records, or any data other than the unique identifier is secure and so is the method of communicating with it.