Prof. Magdalena Balazinska testified at a public hearing today in the Washington State House Committee on Technology, Energy & Communications. The hearing was on House Bill 2729, which addresses “the reading and handling of certain identification documents” and is sponsored by Rep. Deborah Eddy among others. This is an especially timely bill in that it addresses privacy concerns raised by emerging public RFID systems such as the U.S. Passport Card, the Enhanced Driver’s License (EDL), and the new Puget Sound area transit pass, the ORCA card. The bill essentially limits the reading of RFID licenses and identicards as well as the use of the information contained on them. From the bill:

“[...] Washington state recognizes the importance of protecting the confidentiality and privacy of an individual’s personal information contained in drivers’ licenses and identicards.”

“[...] A nongovernmental entity may only electronically read an individual’s driver’s license or identicard to verify the authenticity of the document or verify the individual’s age or identity. [...] When a nongovernmental entity electronically reads a driver’s license or identicard for one of the purposes permitted in (a) of this subsection, and except as otherwise permitted in subsection (3) of this section, the entity may not store, sell, or share personal information collected from the driver’s license or identicard without written consent of the individual.”

Magda provided expert testimony on the privacy risks of such systems. Using examples from our research in the RFID Ecosystem project, Magda described how the lack of security features in the EDL (which uses EPC Gen 2 RFID technology) could lead to serious privacy violations for individuals. Her statement focused on three key points: (1) EPC Gen 2 tags can be read from a distance, (2) that EPC Gen 2 tags do not provide authentication and encryption, and (3) that there is no visible indication when an RFID tag is read. Magda also described how a great deal of higher-level information can be extracted from accumulated tracking data on an insecure RFID tag, even if the tag is “anonymous” or “unlinked”.

The panel of experts testifying in support of Bill 2729 also included Dan Kaminsky, security expert and Director of Penetration Testing for IOActive, and Riana Pfefferkorn, a University of Washington Law student who has been investigating issues surrounding RFID and privacy.

For more information on the hearing, you can check out the video online at TVW here.

For more information on the ORCA card, please see the FAQ assembled by myself and others in the UW Society and Technology Group: http://soctech.cs.washington.edu/wiki/ORCA/ORCA

- Evan Welbourne