California Bill Outlaws RFID Skimming

Here is another RFID story that I read a while ago, along with my commentary:

California – home of sunshine, celebrities, and trailblazing legislation. At the end of January 2008, the California Senate voted 36 to 3 to approve Senate Bill 31 (SB 31), which outlaws skimming of personal information via Radio Frequency Identification (RFID).

A copy of the bill can be found here.

With the ever-increasing use of RFID in applications such as credit cards, passports, and security badges, it seems to make sense to outlaw skimming personal information. There are some obvious challenges in such legislation, such as “would such a law be enforceable?” and “how would the law be enforced?”

While reading the actual bill, I found two things particularly interesting: 1) the penalties for violating the law were lower than I anticipated and 2) the law has numerous exceptions, one of which applies to security researchers.

The penalty for intentionally reading or attempting to read a person’s identification information without their knowledge is imprisonment for up to one year and a fine not to exceed $1,500. The fine in the bill as originally introduced was $5,000.

Furthermore, Senate Bill 31 “shall not apply to… the reading of a person’s identification document in the course of an act of good faith security research, experimentation, or scientific inquiry, including, but not limited to, activities useful in identifying and analyzing security flaws and vulnerabilities.” This provision was not in the bill as it was introduced, nor was it in the first two revisions. Does this provision provide a loophole for accused individuals to claim they were simply trying to identify security flaws?

Also, should there be any tie-in between an anti-skimming law and California Senate Bill 1386, which addresses the privacy of personal information? SB 1386 requires organizations to notify California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

What do you think?

Sam’s Club RFID Fines

Beyond WiFi, one of my interests lies in RFID, another wireless technology.  I ran across this interesting story at RFID Update.

Nearly a year ago, Sam’s Club sent some of its suppliers a letter (dated January 7th, 2008) requiring RFID tagging of shipments to the DeSoto, Texas distribution center by January 31st, 2008. In the letter, Sam’s Club outlined fines of $2 to $3 per non-tagged pallet.

Additionally, Sam’s Club is requiring tagging at the case level at all distribution centers by October 31, 2009, and at the item level by October 31, 2010.

Have you heard of a company that received a fine after last year’s deadline? Is this a program that is “all bark, and no bite”?

Is Wal-Mart (Sam’s Club’s parent company) trying to pass along the additional cost of handling non-RFID-tagged goods? It seems it would be equally effective for Wal-Mart to negotiate different purchase prices with suppliers who do not implement RFID tagging. I would be interested to hear Wal-Mart’s reasoning behind the fines instead of its other options. After all, what happens to suppliers who choose not to pay the fines?

This story is interesting to me from the standpoint that it seems to further the precedent for one business to fine another, rather than fines being levied by government or other regulatory bodies. Did this trend start with the Payment Card Industry? The PCI framework allows the card brands and acquiring banks to fine merchants and service providers for non-compliance with the Data Security Standard (PCI DSS), which is meant to protect cardholder data.

What do you think about the situation?

Introduction

OK, if you are wondering where I came up with “WiFi Jedi”, here is the short of it – I wanted to come up with something catchy and easy to remember regarding my specialty, wireless networking and security.

I was originally thinking of “The L2 Guru” as much of 802.11 wireless operates at the MAC layer, but then I thought that Mike Myers might want to do a sequel to “The Love Guru”.

I live in a house that seems to be semi-obsessed with Star Wars. We have two cats who are litter mates – one of each sex. Naturally, we named them “Luke Skywalker” and “Princess Leia”. Therefore, I just thought “WiFi Jedi” fit the bill.

I chose to start my blog on WordPress because it was free, widely used, and even had a free iPhone app so that I can update my blog while on the go! I also believe I can tie my blog posts into my LinkedIn page (http://www.linkedin.com/in/douglashaider).

More details about me can be seen at: https://wifijedi.wordpress.com/about/

More details about Xirrus can be seen at: https://wifijedi.wordpress.com/xirrus/