Crack! Security expert hacks RFID in UK passport

Successful effort pulled data off document in mailing envelope

Jeremy Kirk

March 06, 2007 (IDG News Service) -- A security expert has cracked one of the U.K.'s new biometric passports, which the British government hopes will cut down on cross-border crime and illegal immigration.

The attack, which uses a common RFID (radio frequency identification) reader and customized code, siphoned data off an RFID chip from a passport in a sealed envelope, said Adam Laurie, a security consultant who has worked with RFID and Bluetooth technology. The attack would be invisible to victims, he said.

"That's the really scary thing," said Laurie, whose work was detailed in the Sunday edition of the Daily Mail newspaper. "There's no evidence of tampering. They're not going to report something has happened because they don't know."

The British government, which began issuing RFID passports about a year ago, eventually wants to incorporate fingerprints and other biometric data on the chips, although privacy activists are concerned over how data will be stored and handled. Currently, the chip contains the printed details on the passports, the person's photograph and security technology to detect if those files have been altered.
The attack was executed while the passport was still in its original envelope used to send it from the passport service, since RFID chips can be read from a few inches away, Laurie said. He used a passport ordered by a woman affiliated with No2ID, a group that opposes the U.K.'s biometric passport and ID card programs.

The data on the passport's chip is locked until an RFID reader provides the encryption key, Laurie said. The encryption key is calculated using a combination of the person's personal data, such as date of birth, and is contained in the "machine-readable zone" (MRZ) -- the string of characters and digits on the bottom of the passport's first page.

At an immigration desk, the optical character reader scans the MRZ and gets the key. The RFID chip is unlocked, and the information on the chip is matched with that on the passport.

However, Laurie was able to do this process himself. He analyzed ICAO 9303, the standard from the International Civil Aviation Organization that has been adopted worldwide for machine-readable passports, to see how the MRZ is organized. Laurie also knew some of the woman's personal details -- used to calculate her passport's key -- and found out more through Internet research.

He then wrote what's known as a "brute force" program, which repeatedly tries different combinations of data to discover the key. After about 40,000 attempts by the program, he cracked the key. To scan the chip, he used a common RFID reader from ACG ID, now part of Assa Abloy Identification Technology GmbH of Germany.

The attack could then let Laurie begin the process of making an exact copy of the woman's passport.

However, the U.K. Home Office defended the passports on Tuesday, asserting the hack doesn't make them less secure. "The key point ... is that the information on the chip cannot be changed, rendering the procedure described by Adam Laurie pretty pointless," wrote Peter Wilson, senior press officer, in an e-mail.
Further, a cloned chip would have to be inserted into a forged passport, and new security measures in the passports make that "virtually impossible," the Home Office said, quoting a report released last month by the National Audit Office.

But Laurie said the new passports were marketed as enhancing security, "but so far I don't see anything about it that increases my security."

The greatest weakness with the passports is using relatively easy-to-find data to compose the encrypted key, Laurie said. It would be better to include more random elements that would render brute-force style programs nearly useless, he said.

Laurie's work grew out of concern over how users can know what's on their passport's chip. "At the moment, if you want to see what's in your own passport, you have to go to passport office," Laurie said. "With my code, you can do it at home."

Laurie has published a library of open-source tools written in the Python programming language that will run on RFID readers made by ACG and by Frosch Electronics OEG, based in Austria.
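
The weakness Laurie points to, that the chip's access key is built from guessable printed data, can be measured. The following is an added example, not part of the article and not Laurie's code: it computes the ICAO 9303 check digits, builds the key seed the way ICAO 9303 specifies for Basic Access Control (SHA-1 over document number, date of birth and expiry date, each with its check digit), and compares the number of candidate keys under four scenarios. The sample MRZ fields are the specimen values used in ICAO 9303's worked example; the scenario sizes are constructed assumptions and are not the figures from Laurie's test.

```python
import hashlib
import math

# ICAO 9303 character values: digits as-is, A-Z = 10..35, filler '<' = 0.
_VALUES = {str(d): d for d in range(10)}
_VALUES.update({chr(ord("A") + i): 10 + i for i in range(26)})
_VALUES["<"] = 0
_WEIGHTS = (7, 3, 1)  # repeating weights defined by ICAO 9303


def check_digit(field: str) -> int:
    """ICAO 9303 check digit: weighted sum of character values, modulo 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch not in _VALUES:
            raise ValueError(f"character {ch!r} is not valid in an MRZ")
        total += _VALUES[ch] * _WEIGHTS[i % 3]
    return total % 10


def mrz_information(doc_number: str, birth: str, expiry: str) -> str:
    """Concatenate the three MRZ fields, each followed by its check digit."""
    doc = doc_number.upper().ljust(9, "<")  # short numbers are padded with '<'
    if len(doc) != 9:
        raise ValueError("this example handles document numbers up to 9 characters")
    for value in (birth, expiry):
        if len(value) != 6 or not value.isdigit():
            raise ValueError("dates are six digits, YYMMDD")
    return "".join(f + str(check_digit(f)) for f in (doc, birth, expiry))


def bac_key_seed(doc_number: str, birth: str, expiry: str) -> bytes:
    """Key seed: the first 16 bytes of SHA-1 over the MRZ information.

    Nothing secret or random goes in; anyone who can read or guess the three
    printed fields can compute the same seed.
    """
    info = mrz_information(doc_number, birth, expiry)
    return hashlib.sha1(info.encode("ascii")).digest()[:16]


def keyspace_bits(doc_numbers: int, birth_dates: int, expiry_dates: int) -> float:
    """Size of the key search space in bits, given candidate counts per field."""
    for count in (doc_numbers, birth_dates, expiry_dates):
        if count < 1:
            raise ValueError("each field has at least one candidate value")
    return math.log2(doc_numbers * birth_dates * expiry_dates)


# Constructed scenarios: (document numbers, birth dates, expiry dates) to try.
SCENARIOS = {
    # Nothing known: any 9-character alphanumeric number, 100 years of birth
    # dates, 10 years of expiry dates.
    "nothing known, alphanumeric number": (36**9, 365 * 100, 365 * 10),
    # Same, but the issuer only uses digits in the document number.
    "nothing known, numeric number": (10**9, 365 * 100, 365 * 10),
    # Birth date known, expiry narrowed to a 40-day window, and the number
    # narrowed to 1,000 values (for example, because numbers are sequential).
    "birth date known, narrow expiry and number": (1_000, 1, 40),
    # Same knowledge, but the document number is 9 random alphanumerics:
    # the "more random elements" the article recommends.
    "birth date known, random number": (36**9, 1, 40),
}


def report() -> dict:
    """Return the search-space size in bits for each scenario."""
    return {name: round(keyspace_bits(*sizes), 1) for name, sizes in SCENARIOS.items()}


if __name__ == "__main__":
    print(mrz_information("L898902C", "690806", "940623"))
    print(bac_key_seed("L898902C", "690806", "940623").hex())
    for name, bits in report().items():
        print(f"{bits:5.1f} bits  {name}")
```
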

the bill itself

BILL ANALYSIS

SENATE JUDICIARY COMMITTEE
Senator Ellen M. Corbett, Chair
2007-2008 Regular Session

SB 30
Senator Simitian
As Introduced
Hearing Date: March 13, 2007
Civil Code
BCP:jd

SUBJECT

Identity Information Protection Act of 2007

DESCRIPTION

This bill would establish interim protections to apply to remotely readable identification documents (IDs) that are created, mandated, purchased, or issued by state government entities. The protections would require government entities to incorporate specified security measures into remotely readable IDs and their readers, and to give written information to ID holders regarding: the possibility that an ID may be remotely read, available protections, the location of authorized readers, the purpose of any intended reading, and the nature of any data that will be collected by the readers. Existing systems would be exempt from these protective requirements, as would other specified systems.

The bill would also contain interim civil and criminal prohibitions, including: (1) a prohibition against the disclosure of "operational system keys," subject to misdemeanor prosecution; and (2) a prohibition against the disclosure of data regarding a person's location, except in "exigent circumstances" or in response to specified law enforcement requests or warrants.

The bill would also permit any interested person to enforce the interim protections, subject to a 30-day notice and opportunity to cure for the government entity. A prevailing plaintiff in such an action could be awarded attorney's fees and costs.
The bill would also require the California Research Bureau to convene an advisory committee and prepare a report for the Legislature on security and privacy issues relating to such IDs, and would state that it is the intent of the Legislature that the bill's interim protections be replaced with permanent legislation or regulations in the most timely and expeditious fashion possible following the issuance of the California Research Bureau's report.

BACKGROUND

Radio Frequency Identification (RFID) is an old technology that has recently raised new privacy concerns. RFID technology allows for the contactless transfer of information via radio waves to a remote reader. As stated in the Department of Homeland Security's Data Privacy & Integrity Advisory Committee's report on The Use of RFID for Human Identity Verification:

RFID is a type of automatic identification technology that enables the user to "tag" objects with a tiny device that can later be detected by automatic means. That detection can range from simply noting the presence of the device, to obtaining a fixed identification number from the device, to initiating a two-way communication with the device. The essential functionality of the system is that when the tag is in the presence of an appropriate radio frequency (RF) signal emanated by a reader the tag responds by sending back a reflected RF signal with information in response. Some can only operate over a very short distance of a few centimeters or less, while others may operate at longer distances of several meters or more. At the higher end of RF technology, the contactless RFID tags have been enhanced with the full capabilities of smart card chips containing general-purpose computer processors and larger nonvolatile memory spaces . . .
The author of this bill introduced several bills during the 2005-06 session that would have prohibited the use of RFID technology in certain government IDs, and required protective measures to be implemented for other government IDs. The most comprehensive of these previous bills was SB 682 (Simitian), which was approved by this committee on April 26, 2005, and later narrowed and placed in SB 768 (Simitian) at the end of the 2005 legislative session.

Also last year, members of industry sponsored AB 2561 (Torrico) - a study bill that would have required the California Research Bureau to convene an advisory board and file a report with the Legislature regarding the security and privacy issues associated with the use of RFID in government IDs. However, when AB 2561 was approved by this committee on June 27, 2006, it was with the understanding that AB 2561 would be double-joined with a Senator Simitian RFID bill that would institute interim protections for the time during which the California Research Bureau's report is compiled, its findings considered by the Legislature, and a permanent legislative or regulatory solution is crafted.

On August 17, 2006, SB 768 (Simitian) was amended in the Assembly to incorporate both protective measures that align with the purposes underlying the terms of SB 682, the previous terms of SB 768, and language from AB 2561 to commission a report by the California Research Bureau to assist the Legislature in crafting a permanent legislative or regulatory solution. The language contained in that bill was agreed upon by consumer and privacy advocates who sponsored the other Senator Simitian RFID bills, and by the industry representatives who sponsored Assembly Member Torrico's study bill. SB 768 passed out of the Assembly, this committee, the Senate and was vetoed by the Governor.

This year, the provisions of SB 768 were re-introduced in two different bills, SB 30 and 31.
Except for the provision that would make the intentional unauthorized reading or attempted reading of a personal identification document a misdemeanor crime, located in SB 31, the remainder of SB 768 has been placed in this bill. Importantly, the proposed interim minimum security standards for RFID-enabled government identification documents would become inoperative on December 31, 2013, or upon the legislative enactment of alternate statewide regulations.

If passed by this committee, the bill will be heard by the Senate Public Safety Committee.

CHANGES TO EXISTING LAW

Existing law provides that all people in this state have an inalienable, constitutional right to privacy. [Cal. Const., Art I, § 1.]

Existing law, the Information Practices Act, precludes a state agency from disclosing personal information it possesses "in a manner that would link the information disclosed to the individual to whom it pertains," except in specified circumstances. [Civ. Code § 1798.24.]

Existing law establishes that a person who intentionally discloses non-public information obtained from a state or federal agency is subject to a civil action for invasion of privacy. [Civ. Code § 1798.53.]

Existing law establishes that a person who willfully requests or obtains any record containing personal information from an agency under false pretenses is guilty of a serious misdemeanor. [Civ. Code § 1798.56.]

Existing law establishes that a person who uses an electronic tracking device to determine the location or movement of another person is guilty of a misdemeanor. [Pen. Code § 637.7.]
This bill would enact the Identity Information Protection Act of 2007, to: (1) establish interim privacy and security protections to apply to remotely readable IDs created, mandated, purchased, or issued by government entities, until subsequent legislation or regulations are enacted; (2) require the California Research Bureau to submit a report to the Legislature on security and privacy for government-issued, remotely readable IDs on or before June 30, 2008; and (3) specify that it is the intent of the Legislature that the interim measures contained in the Act be replaced with permanent legislation or regulations in the most timely and expeditious fashion possible following the issuance of the California Research Bureau's report.

This bill would institute the following protective requirements for government IDs that use radio waves to transmit data or to enable data to be read remotely:

The ID must incorporate tamper-resistant features to prevent duplication, forgery, or cloning.

The ID and authorized readers must use an authorization process.

The issuing entity must inform the ID holder in writing: (1) that the ID can transmit data or enable data to be read remotely without the holder's knowledge; (2) that specified countermeasures may be used to help control that risk; (3) the location of readers used or intended to be used by the issuing entity to read the ID; (4) all circumstances under which the entity intends to read the ID and the underlying reasons for the reading; and (5) any information that is being collected or stored regarding the individual when the ID is read.

If personally identifiable information is transmitted from the ID: (1) the ID and authorized readers must use a "mutual authentication process"; (2) the ID must make the data unreadable and unusable by an unauthorized person; and (3) the ID must implement an access control protocol to give the holder direct control over the transmission of data.
If a unique personal identifier number is transmitted and is used (1) to provide the ID holder access to more than one application or service, (2) to record attendance of a pupil at a public school, or (3) to access public transit services, the issuing entity must implement one of several protective measures.

This bill would exempt government IDs from the bill's interim restrictions when the following circumstances are present:

Actions were taken to establish an RFID ID system prior to specified dates, including actual implementation, public issuance of the government proposal for the system, and execution of the contract for the system.

The ID was issued to an incarcerated person, a juvenile detainee, a person housed in a mental health facility, a criminal defendant subject to a court order, or a person subject to court-ordered electronic monitoring.

The ID was issued to an employee at a jail, prison, or juvenile facility, is not removed from the facility, and specified requirements were met.

The ID was issued to a law enforcement officer or emergency response personnel for use on active duty, and specified requirements were met.

The ID was issued to a patient in specified medical centers for a single episode of care, subject to specified requirements.

The ID was issued to a person in the care of a skilled nursing facility who was diagnosed with dementia or other cognitive impairments, subject to specified requirements.

The ID was issued to a patient for emergency medical care, as specified.

The ID was issued to facilitate secured access to a public building or parking area, subject to specified requirements.

The ID was a license, certificate, registration, or other authority for engaging in a business or profession regulated under the Business and Professions Code, subject to specified requirements.
This bill would prohibit a government entity from disclosing to a third party the "operational system keys" to a mutual authentication system or other specified systems that are designed to make transmitted data unreadable and unusable by an unauthorized person, except where the third party has a bona fide business relationship with the government entity and the disclosure is necessary to the operation, testing, or installation of the ID system, or where emergency response personnel need the disclosure to locate or identify a person in a disaster, as specified.

This bill would make it a misdemeanor crime to disclose operational system keys in violation of these terms.

This bill would prohibit a government entity or authorized third party from disclosing any data or information regarding the location of a person derived from the use of radio waves, except in specified situations involving "exigent circumstances," requests from law enforcement personnel, or search warrants.

This bill would permit any interested person to institute proceedings against a governmental entity for injunctive or declaratory relief or a writ of mandate to prevent or stop any violation of the restrictions of the bill, but only after giving written notice of the asserted violation to the government entity and allowing 30 days for the entity to cure the violation and inform the plaintiff in writing of its curative actions.

This bill would permit a court to assess reasonable attorney's fees and costs against a government entity if the plaintiff prevails in the action.

This bill would specify that this civil enforcement provision does not limit or supplant any other remedies that may be available in law or equity.

This bill would require the California Research Bureau to submit a report to the Legislature by June 30, 2008 relating to security and privacy for remotely readable government IDs.
This bill would require its provisions to become inoperative on December 31, 2013, or upon the legislative enactment or promulgation of alternative statewide regulations pertaining to the privacy and security of remotely readable identification documents, whichever is earlier.

COMMENT

1. Stated need for bill

According to the author, "SB 30 puts in place basic, common sense safeguards to protect people's privacy and security." The author maintains that SB 30's interim RFID security requirements are necessary due to demonstrated security and privacy threats, the lack of current minimum safeguards, and spreading public concern about RFID technology.

Specifically, the author states that "[t]he technology and business communities, independent researchers, and several government agencies all agree that using RFID in government IDs with few or minimal protections poses serious privacy and security threats." In support, the author cites recent hacks of the encryption scheme for RFID-enabled Dutch passports, the ExxonMobil key fob, VeriChip human RFID implant, California State Capitol building access system and new RFID passports. Furthermore, the author states that

[n]either existing statute nor current practices require protections against the threats posed by the inclusion of RFID in government-issued IDs, such as a driver's license, a student ID or a health card. To make matters worse, competing RFID vendors have sometimes obfuscated risks and sold products with little or no security in an effort to sell the cheapest product. From local elementary schools to state agencies impacting millions of Californians, RFID is being included in identification documents with no minimum safeguards or standards in place.

Accordingly, SB 30 would seek to impose interim minimum standards for RFID-enabled government identification documents.
The author maintains that "[b]y requiring the use of basic safeguards, SB 30 is essential to rebuilding the public's trust in RFID technology and its use in government-issued IDs."

2. Concerns raised by industry with respect to the Governor's veto message

As noted above, last year's negotiations for SB 768 resulted in most parties withdrawing their opposition to that bill. That opposition has now reemerged. The High-Tech Trust Coalition, in current opposition, states:

[w]e worked . . . in an attempt to address what we viewed as the unintended negative consequences of this legislation. However, at the end of the year, the Governor vetoed the Identity Information Protection Act, which [has been] reintroduced as SB 30 . . . We are compelled to agree [with the Governor's veto message.]

Specifically, the Governor's veto message stated:

SB 768 . . . is premature. The federal government, under the REAL ID Act, has not yet released new technology standards to improve the security of government ID cards. SB 768 may impose requirements in California that would contradict the federal mandates soon to be issued. In addition, this bill may inhibit various state agencies from procuring technology that could enhance and streamline operations, reduce expenses and improve customer service to the public and may unnecessarily restrict state agencies. In addition, I am concerned that the bill's provisions are overbroad and may unduly burden the numerous beneficial new applications of contactless technology.

In response, the author disputes each of the Governor's contentions, and in turn similar arguments raised by industry.

a) Maturity of RFID technology

As stated above, the Governor's veto message contended that the prior bill was premature. Similarly, the High-Tech Trust Coalition, citing advances in performance, security and privacy technology, contends that "[a]s this industry continues to grow and mature . . .
it becomes more and more apparent that such legislation is not called for."

In response, the author maintains that RFID, currently found in numerous cards, documents and other items, is "hardly an 'emerging' technology that needs to be handled with kid gloves while markets develop." Historically, RFID can be traced back to the Germans' use of similar technology to identify friendly aircraft during World War II. Over the years, the technology dramatically evolved, leading to the relatively low cost RFID tags available today. According to the author,

[m]arket researchers expect 1.71 billion RFID tags to be sold, with an aggregate value of $5 billion for the total RFID market, in 2007 . . . These tags can, and have been, cloned, skimmed and otherwise hacked to the detriment of their owners.

Regarding the need for legislated minimum standards, HID Global contends that SB 30 is "an example of a solution searching for a problem, and . . . perpetuate[s] unfounded criticism of RF-based technology that has been proven safe and reliable for more than 30 years." While most examples of vulnerabilities have been demonstrated by researchers in a laboratory setting, not discovered by law enforcement, the author argues that the demonstrated potential to hack current technology demonstrates that "[w]e're already at risk."

For example, on October 23, 2006, the New York Times reported that researchers were able to "skim" information off of major credit cards. That article reported that "tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder's name and other data was being transmitted without encryption and in plain text." Other examples cited by the author include weaknesses in RFID-enabled key fobs and the VeriChip human RFID implant.
Furthermore, the aforementioned report by the Data Privacy & Integrity Advisory Committee noted that "the use of RFID-enabled systems for human identification may create a number of risks that are not found in conventional identification processes."

As a further example of risks generated by RFID-identification documents, the Daily Mail reported on March 4, 2007 that it was able to copy the details from a delivered but unopened UK biometric passport. Using a device built from parts purchased from the internet, the passport's information was copied without opening the delivery envelope, thus demonstrating one possible way a recipient's information may be compromised without their knowledge. Although no RFID-security is foolproof, SB 30 would attempt to minimize risks through the proposed interim minimum requirements.

b) Draft regulations released for the Federal REAL ID Act

The federal REAL ID Act of 2005 prohibits federal agencies, as of May 11, 2008, from accepting state-issued driver's licenses or identification cards unless the requirements of the Act are met. For various reasons, including potential state cost, it appears questionable whether the REAL ID Act will proceed. Currently, the Department of Homeland Security (DHS) has granted states an extension for compliance until December 31, 2009. To that end, the author states that "[i]f the Act actually goes forward, it is unlikely that federal regulators will restrict states to a single technology, and less likely if it does, that that technology will be RFID."

On March 1, 2007, the Department of Homeland Security released draft rules on the implementation of the REAL ID Act for public comment. Those draft regulations did not propose any RFID-specific requirements, but did request public comment "on how States would or could incorporate a separate WHTI-compliant technology, such as an RFID-enabled vicinity chip technology, in addition to the REAL ID PDF417 barcode requirement."
Thus, the draft regulations support the author's contention that RFID is "an unlikely candidate as the sole technology for REAL ID."

c) Inhibition of state agencies

The Governor's veto message further argued that the bill may inhibit state agencies from procuring technology that would increase efficiency and customer service. In response, the author contends that "[s]tate agencies already have to comply with security and privacy protections for other technologies [and that this] bill simply levels the playing field by applying existing standards to the new use of an old technology." Those privacy protections, contained within the Information Practices Act of 1977, Civil Code Section 1798 et seq., prevent agency disclosure of "any personal information in a manner that would link the information disclosed to the individual to whom it pertains," subject to limited exceptions.

By instituting minimum RFID standards for state-issued identification documents, SB 30 would not prohibit the use of RFID, but instead implement standards that may further protect an individual's information. Moreover, SB 30 only would apply to state-issued identification documents, the most sensitive of documents issued by the state. The California Federation of Teachers, in support, reiterates that "[o]ther state-issued documents [would be] afforded levels of protections commensurate with the sensitivity of the information contained on the computer chip and the vulnerability of the people carrying the identity documents."

Opponents contend that state agencies should retain flexibility to choose the appropriate RFID system to match their needs. That flexibility provides the state with discretion to choose the most secure, or in the alternative, the cheapest RFID-enabled system. Unlike other items, identification documents play an essential day-to-day role in society.
The Asian Americans for Civil Rights & Equality (AACRE), in support, argue that "Californians should not be required to carry identity documents that allow their personal information and locations to be read at a distance without their knowledge." Accordingly, SB 30 would institute minimum standards for state-issued identification documents in lieu of relying upon state agencies and industry to dictate standards for those items.

d) Concerns about SB 30 being overbroad, imposing an undue burden on developing technology

Finally, the Governor expressed concern that SB 768 was "overbroad and may unduly burden the numerous beneficial new applications of contactless technology." Similarly, The High-Tech Trust Coalition contends that the "end result of this legislation would be to strongly discourage agencies from utilizing this technology . . ." and HID Global states that "[b]y imposing specified requirements . . . SB 30 will economically disadvantage California users of RF-based systems and create a climate of uncertainty for users of the technology going forward."

The author refutes the overly broad argument by noting the multitude of uses of RFID which would not be affected by this bill. These uses include supply chain, document tracking, and other potentially cost-saving uses of RFID. The author further emphasizes that "[t]his bill applies only to the use of RFID in human identification documents, and even then, it simply applies existing privacy standards - it doesn't outlaw the technology . . ." (emphasis in original).

Although opponents argue that the implications of SB 30 reach beyond state-issued identification documents, the bill itself attempts to provide narrow interim protections for the most sensitive of those documents.
Furthermore, SB 30 states the intent to replace these interim requirements with a state framework "in the most timely and expeditious fashion possible following the issuance of recommendations by the California Research Bureau."

3. California Research Bureau would be required to submit a report on security and privacy for government-issued, remotely readable identification documents

The interim protections of SB 30 would only remain in effect until December 31, 2013, or the legislative enactment of alternate statewide regulations. In order to facilitate the timely and expeditious formulation of those regulations, the California Research Bureau would be required to submit a report on security and privacy for government-issued, remotely readable identification documents. That report must be submitted to the Legislature "within 270 days of receiving a request from the Office of the President pro Tempore of the Senate or the Office of the Speaker of the Assembly, or before June 30, 2008, whichever is earlier . . ." Since this bill would presumably go into effect on January 1, 2008, less than 270 days before June 30, 2008, it does not appear that there would ever be a situation where either office would be able to seek early issuance of the bureau's report. This does not appear to be a problem, provided that six months is sufficient time to generate the report.

In preparing the report, the California Research Bureau would be required to convene an advisory board composed of the State Chief Information Officer, Chief of the Office of Privacy Protection, and Attorney General or their designees, along with numerous representatives from state agencies, industry, and privacy groups.
Along with reviewing best practices, the bureau would be required to:

[i]dentify, develop, and evaluate options for the Legislature to review and consider for action for a legislative and regulatory framework that would ensure the safety and security of information contained on remotely readable identification documents and the privacy of the individuals to whom the documents are issued.

Assuming the report is completed timely, it has the potential to be acted upon late in the 2008 legislative session. While the California Research Bureau is not frequently required to formulate such reports on technology to the Legislature, the advisory board would provide the Bureau with the necessary expertise. Furthermore, should concern arise, the author's office appears to be flexible to any suggestions as to other neutral state agencies that may have the capability of completing the report.

4. Definitions, and exceptions to those definitions for SB 30

As stated above, SB 30 imposes interim RFID-security requirements for government issued identification documents. Those minimum requirements would vary depending on whether personally identifiable information or a unique personal identifier is transmitted. All of those terms are defined in detail in proposed Civil Code Section 1798.135.

Of specific interest, the definition of identification document would exempt devices used for the limited purpose of collecting toll funds for bridges or roads. That exception would only apply if the device is not exclusively used by an individual and does not transmit or enable the remote reading of personally identifiable information. Moreover, although FasTrak is specifically mentioned as an example, that system would already be excluded from the scope of this bill as it was implemented prior to January 1, 2008.
Although excluding existing contactless identification systems from this bill's interim standards may leave insecure systems in operation, that exception prevents the state from incurring the significant cost required to redo existing systems.

5. Civil enforcement provision

To aid enforcement of this bill's provisions, SB 30 would establish a private right of action for any interested person to enforce the protections in the bill by seeking injunctive or declaratory relief or a writ of mandate. Given the recognized importance of privacy rights, and the relatively intangible nature of those rights, an enforcement provision that allows all interested persons to bring an action appears appropriate. From a public policy standpoint, it seems prudent to allow enforcement by all interested persons, without a showing of injury, because an enforcement action for declaratory or injunctive relief, taken at an early stage in a government entity's statutory violation, could help to prevent a continued statutory violation that might subject the entity to class action litigation for damages once the action has actually resulted in a monetary injury. For example, an enforcement action to prevent practices that may expose a person's personal information to identity theft could help encourage entities to stop such practices before an identifiable instance of identity theft causes people to suffer actual monetary losses. The entity's potential monetary liability under the bill's enforcement provision could be significantly less than a later action for damages, since the enforcement provision would only permit a prevailing plaintiff to obtain injunctive or declaratory relief, and potentially attorney's fees, and would not permit recovery of damages.

The High-Tech Trust Coalition, in opposition, contends that SB 30 "threatens those agencies with costly civil litigation if they interpret the legislation incorrectly."
Although there may be differences in opinion as to what SB 30 would require, this bill would provide a government entity 30 days to fix an alleged violation of this act. Under those terms, an entity could avoid any monetary liability whatsoever if enforcement is sought before any tangible losses are suffered and the entity acts promptly to cure the violation.

6. Remaining concerns

The opponents' remaining concerns include arguments over other details of this bill, such as conforming definitions to current technological practices, best resolved through continued negotiations.

Support: AARP; Asian Americans for Civil Rights and Equality (AACRE); California Applicants' Attorneys Association (CAAA); California Commission on the Status of Women; California Federation of Teachers; California Labor Federation, AFL-CIO; California State Employees Association (CSEA); Consumer Federation of California; Consumers Union; Privacy Activism

Opposition: HID Global; The High-Tech Trust Coalition [consisting of 3M, AeA (American Electronics Association), ActivIdentity, AIM Global, Alvaka Networks, Aubrey Group, Inc., American Express, California Business Properties Association, California Chamber of Commerce, EDS, Elpac Electronics, Inc., Grocery Manufacturers Association, InCom Corp., Infineon Technologies North America Corp., Information Technology Association of America (ITAA), Matheson Tri-Gas, MAXIMUS, Motorola, National Semiconductor, Natoma Technologies, Inc., NXP, Oberthur Card Systems, Oracle Corporation, Precision Dynamics, Retail Industry Leaders Association, San Jose Silicon Valley Chamber of Commerce, SAS, Secura Key, SIA (Semiconductor Industry Association), Sonnett Technologies, Inc., Texas Instruments, VEDC, Inc., Zebra Technologies]

HISTORY

Source: Author; American Civil Liberties Union (ACLU); Electronic Frontier Foundation; Privacy Rights Clearinghouse

Related Pending Legislation:
SB 28 (Simitian), would prevent the DMV from issuing an
RFID-enabled driver's license or identification card.
SB 29 (Simitian), would prevent the use of RFID devices transmitting personal information for the purpose of tracking students or their attendance.
SB 31 (Simitian), would criminalize the unauthorized intentional reading, or attempted reading of an individual's personal identification document.
SB 362 (Simitian), would prevent the required implantation of an identification device capable of transmitting personally identifiable information.
SB 388 (Corbett), would require minimum disclosures from private issuers of RFID-enabled items capable of transmitting personally identifiable information.

Prior Legislation:
SB 682 (Simitian), as amended August 15, 2005, contains the original Identity Information Protection Act language that was amended into SB 768 on September 2, 2005. This bill was gutted and amended on August 7, 2006.
SB 768 (Simitian, 2006), would have imposed minimum requirements on government issued identification documents, require a study by the California Research Bureau and criminalize the unauthorized intentional skimming of a person's identification document. This bill was vetoed by the Governor.
AB 2561 (Torrico, 2005), would have mirrored the California Research Bureau report requirement in this bill. This bill was gutted and amended on August 24, 2006.
SB 1834 (Bowen, 2004), failed passage in Assembly B & P, would have prohibited the use of RFID on library circulating materials to collect, store, or share information that could be used to identify a borrower, and would have limited the use of RFID on other consumer products to gather, store, use, or share information that could be used to identify an individual.

**************

Bush retard at it again!

At that point they required me to submit my thumbprint to them. I complained about the lack of freedom in this state and asked them why they just didn't tell everyone that in order to get a driver's license in their state we would need to bring in a suitcase full of IDs as well as blood and urine samples to go with our thumbprints!! The supervisor then informed me that as of May 2008 that won't be necessary as every state will require (as per Federal Law) every driver to go to the DMV and obtain a FEDERAL ID number which will be implanted in the hand of the individual!!!! They ACTUALLY told me this at the DMV! Apparently, several years ago the FEDERAL GOVERNMENT tried to get a law passed requiring everyone to receive a FEDERAL ID NUMBER. It was turned down by the citizens of the United States. Well, the FEDERAL GOVERNMENT, being the lying, cheating criminals that they are, quietly inserted that law into a bill giving federal funds to the Katrina victims. When that bill passed...so did the requirement to receive a FEDERAL ID NUMBER! According to that (now) law, as of MAY 2008, every driver will be required to go to their local DMV office to obtain a federal ID number. They must take in certified copies of their birth certificates, marriage & divorce certificates and social security card. They will also submit to being finger and/or thumbprinted. They will then receive their new FEDERAL ID NUMBER to be inserted under the skin of their hand. At that time they will then be licensed to drive!
If you choose not to participate in this FEDERAL ID program...you will not be able to: DRIVE, TRAVEL ON COMMERCIAL AIRCRAFT, GO INTO FEDERAL BUILDINGS (that means you can't defend yourself in Federal Courts if you don't have a FEDERAL ID number) STEP ONTO FEDERAL LANDS (say goodbye to hiking, camping, rafting, etc....), RECEIVE SOCIAL SECURITY, RECEIVE ANY FEDERAL FUNDS & BENEFITS, RECEIVE TAX REFUNDS, WORK FOR THE FEDERAL GOVERNMENT, RECEIVE WAGES FROM THE FEDERAL GOVERNMENT, SERVE IN ANY OF THE ARMED FORCES, RECEIVE VA BENEFITS etc...etc...etc... Does this LAW affect YOU??? Do you like it? IF YOU DO NOT LIKE THIS LAW You MUST fight this. You have one year to get your representatives to reverse this law. You MUST write all your Congressmen, Senators and Representatives and DEMAND that this "LAW" be reversed. None of us can afford to sit and ignore this law. This law effectively takes away our last remaining rights as citizens of this country. When the Federal Government starts to enforce this law...you will NOT have any rights. NONE! You cannot stand on the Constitution as it will be ONLY for those who have received their ID number!!! Don't believe me??? Call your local DMV and ask them!!!!.... PLEASE PROTECT WHAT LITTLE RIGHTS WE STILL HAVE LEFT.....FIGHT THIS LAW! EVIL PROSPERS WHEN GOOD MEN DO NOTHING