Team 12, Post 3: RFID law in Washington State

The security threats posed by RFID chips have been known for some time.  However, the federal government has yet to pass any laws regarding RFID chips.  As awareness of privacy concerns has increased, some states have taken privacy measures into their own hands.  For example, Arkansas passed a law in 2009 making it illegal to put an RFID chip into driver’s licenses or any other identification card.  California has a law making it illegal to read a person’s RFID chip without their knowledge or consent.  Rhode Island passed a law in 2010 that protects personally identifiable information of persons who use toll payment devices that contain RFID chips.  So, what has been done in our state regarding RFID chips?

In 2007, Washington passed RCW 46.20.202.  This bill is in regards to the RFID chips in Enhanced Driver’s Licenses.  The bill states:

“…The enhanced driver's license or identicard must include reasonable security measures to protect the privacy of Washington state residents, including reasonable safeguards to protect against unauthorized disclosure of data about Washington state residents. If the enhanced driver's license or identicard includes a radio frequency identification chip, or similar technology, the department shall ensure that the technology is encrypted or otherwise secure from unauthorized data access. From time to time the department shall review technological innovations related to the security of identity cards and amend the rules related to enhanced driver's licenses and identicards as the director deems consistent with this section and appropriate to protect the privacy of Washington state residents.”

This ensures that the chips used in the Enhanced Driver’s Licenses will include encryption in an attempt to protect the information stored on the RFID chip.  However, the encryption of information alone is not enough to stop data thieves or other illegitimate parties from reading the information.  This led to the creation of House Bill 1031 in 2008.  This law states: “A person that intentionally scans another person's identification device remotely, without that person's prior knowledge and prior consent, for the purpose of fraud, identity theft, or for any other illegal purpose, shall be guilty of a class C felony.”  This legislation is important because it actually makes it a felony for people to scan RDIF chips without the owner’s knowledge.  

Additionally, in 2009, Washington State passed House Bill 1011, which prohibits the scanning of RFID tags by anyone except for the business or agency that issued the tag.  This bill does list some exceptions, including when the scanning is part of a sales transaction initiated by the tag holder, or data from an individual's identification device is remotely read or stored in the course of an act of good-faith security research.  These exceptions largely are due to the fact that stakeholder groups including retailers and RFID technology vendors lobby the legislation that restricts RFID chips.

I am glad to live in a State where these types of laws exist to protect the information that is unknowingly stored on RFID chips.  However, when is the federal government going to start taking action to protect people’s privacy on RFID chips?

Sources:

http://apps.leg.wa.gov/documents/billdocs/2007-08/Pdf/Bills/House%20Passed%20Legislature/1031-S.PL.pdf

http://www.rfidjournal.com/articles/view?4802

http://www.prweb.com/releases/2008/03/prweb803114.htm

http://www.ncsl.org/issues-research/telecom/radio-frequency-identification-rfid-privacy-laws.aspx

http://apps.leg.wa.gov/RCW/default.aspx?cite=46.20.202