6.857: Computer and Network Security

The California legislature has recently passed the Identity Information Protection Act, which requires that state-issued IDs that contain remotely-readable RFID chips must contain adequate security features to prevent them from being read by unauthorized parties. RFID chips are designed to store unique identifiers that will be broadcast in response to a particular radio signal. The technology has already been rolled out for US passports and a number of other identification documents.

The California law, introduced by State Senator Joe Simitian, was sparked by concerns that RFID embedded within identification cards and documents could be remotely read without the user's knowledge, revealing personal information that could be used to commit fraud, identity theft, or gain unauthorized access. Bill proponents note that the technology has valid uses, but that the state needs to include protections when it compels citizens to carry a technology capable of broadcasting their personal information. Recently, security experts have shown the vulnerabilities of RFID chips, "cloning" the data on them using commonly available technology.

Specifically, the bill requires that RFID documents issued by state or local governments include tamper-resistant features, a authentication process by which both the card and the reader are recognized as legitimate, and a means for a holder of the document to directly control whether or not the chip can be read. Citizens would also have to be notified of the locations of RFID readers. However, the bill does not apply to RFID programs instituted before 2007. The bill also criminalizes intentional unauthorized reading of an RFID identification document.

The bill now goes to Governor Schwarzenegger for approval. California civil liberties groups are urging residents to write the governor, encouraging him to sign the bill.

6.857: Computer and Network Security

California RFID Bill Nears Approval