Last week Washington State Governor Christine Gregoire signed into law two bills that affect RFID in Washington State. The first is House Bill 2729, “addressing the reading and handling of certain identification documents”, which was proposed by Rep. Deborah Eddy (D-Kirkland). HB 2729, which Prof. Balazinska testified in support of, makes it a felony and a violation of the Consumer Protection Act (with a few exceptions) for a party to read an Enhanced Driver’s License’s RFID tag without consent. It also protects the documentation and information provided upon applying for an EDL from public disclosure.

The second bill is House Bill 1031, “changing provisions concerning electronic devices”, which was proposed by Rep. Jeff Morris (D-Mt. Vernon). The bill was originally introduced in early 2007 as an “Electronic Bill of Rights” which would give consumers “the power to know who is collecting information and what has been collected”, as Morris explained it in late 2006. A series of revisions since that time have shifted the bill’s focus from regulating RFID technology to regulating the behavior of those seeking to abuse it. This shift is highly significant from both a public policy and an RFID industry perspective. More information on the bill can be found in an RFID Journal blog entry and on the Bill’s information page.

Prof. Magdalena Balazinska testified at a public hearing today in the Washington State House Committee on Technology, Energy & Communications. The hearing was on House Bill 2729, which addresses “the reading and handling of certain identification documents” and is sponsored by Rep. Deborah Eddy among others. This is an especially timely bill in that it addresses privacy concerns raised by emerging public RFID systems such as the U.S. Passport Card, the Enhanced Driver’s License (EDL), and the new Puget Sound area transit pass, the ORCA card. The bill essentially limits the reading of RFID licenses and identicards as well as the use of the information contained on them. From the bill:

“[...] Washington state recognizes the importance of protecting the confidentiality and privacy of an individual’s personal information contained in drivers’ licenses and identicards.”

“[...] A nongovernmental entity may only electronically read an individual’s driver’s license or identicard to verify the authenticity of the document or verify the individual’s age or identity. [...] When a nongovernmental entity electronically reads a driver’s license or identicard for one of the purposes permitted in (a) of this subsection, and except as otherwise permitted in subsection (3) of this section, the entity may not store, sell, or share personal information collected from the driver’s license or identicard without written consent of the individual.”

Magda provided expert testimony on the privacy risks of such systems. Using examples from our research in the RFID Ecosystem project, Magda described how the lack of security features…
(Read complete post >>)