WiFi Jedi.com

Here is another RFID story that I read awhile ago and my commentary:

California – home of sunshine, celebrities, and trailblazing legislation.  At the end of January 2008, the California Senate voted 36 to 3 to approve Senate Bill 31 (SB 31), which outlaws skimming of personal information via Radio Frequency Identification (RFID).

A copy of the bill can be found here.

With the ever increasing use of RFID in applications such as credit cards, passports, and security badges, it seems to make sense to outlaw skimming personal information.  There are some obvious challenges in such legislation such as “would such a law be enforceable?” and “how would the law be enforced?”

While reading the actual bill, I found two things particularly interesting: 1) the penalties for violating the law were lower than I anticipated and 2) the law has numerous exceptions, one of which applies to security researchers.

The penalty for intentionally reading or attempting to read a person’s identification information without their knowledge is imprisonment for up to one year, and a fine not to exceed $1500.  The fine in the bill originally introduced was $5000.

Furthermore, Senate Bill 31 “shall not apply to… the reading of a person’s identification document in the course of an act of good faith security research, experimentation, or scientific inquiry, including, but not limited to, activities useful in identifying and analyzing security flaws and vulnerabilities.” This provision was not in the bill as it was introduced, nor was it in the first two revisions.  Does this provision provide a loop hole for accused individuals to state they were simply trying to identify security flaws?

Also, should there be any tie in between an anti-skimming law with California Senate Bill 1386, which addresses the privacy of personal information?  SB 1386 states that organizations are required to notify citizens whose personal information was, or reasonably believed to been acquired by an unauthorized person.

What do you think?