Illegal to secretly read RFID identification tags in california

  • Illegal to secretly read RFID identification tags in california

    So I was browsing the CA Civil Code (the law) and came across this one:

    http://www.leginfo.ca.gov/cgi-bin/wa...ction=retrieve

    1798.79. (a) ...a person or entity that intentionally remotely reads or attempts to remotely read a
    person's identification document using radio frequency identification (RFID), for the purpose of reading that person's identification document without that person's knowledge and prior consent, shall be punished by imprisonment in a county jail for up to one year, a fine of not more than one thousand five hundred dollars ($1,500), or both that fine and imprisonment.

    (c) "Identification document" means any document containing data that is issued to an individual and which that individual, and only that individual, uses alone or in conjunction with any other information for the primary purpose of establishing his or her identity. Identification documents specifically include, but are not limited to, the following:
    (2) Identification cards for employees or contractors.

    Interesting, huh?

    Kallahar
    --- The fuck? Have you ever BEEN to Defcon?

  • #2
    Re: Illegal to secretly read RFID identification tags in california

    Originally posted by kallahar
    So I was browsing the CA Civil Code (the law) and came across this one:

    http://www.leginfo.ca.gov/cgi-bin/wa...ction=retrieve

    1798.79. (a) ...a person or entity that intentionally remotely reads or attempts to remotely read a
    person's identification document using radio frequency identification (RFID), for the purpose of reading that person's identification document without that person's knowledge and prior consent, shall be punished by imprisonment in a county jail for up to one year, a fine of not more than one thousand five hundred dollars ($1,500), or both that fine and imprisonment.

    (c) "Identification document" means any document containing data that is issued to an individual and which that individual, and only that individual, uses alone or in conjunction with any other information for the primary purpose of establishing his or her identity. Identification documents specifically include, but are not limited to, the following:
    (2) Identification cards for employees or contractors.

    Interesting, huh?

    Kallahar
    (WAIS Search came up with a blank page for me. Here are some other choices: 1, 2)

    This is interesting. If you can't provide sufficient security to safeguard the people from invasion of privacy with technology, then you just create laws to silence the people that might try to expose the problem with sensational news stories.

    This is the worst kind of failure that exists in projects or any kind of system with people playing a game; it is the decoupling of responsibility from control.

    So long as responsibility and control remain tied together, the players in a game will work to improve the things they control in such a way as to decrease their exposure to risk (responsibilities exposed.)

    When responsibility is decoupled from control, then the burden of risk is placed on people that have no control over managing their own personal risks.

    Some may counter with comments about citizens being able to protect themselves with RFID blocking wallets or purses, but this is another example of creating a problem and pushing a burden onto those that have no control over eliminating the problem by choosing not to accept the new risk that needs to be managed.

    Jaywalking is illegal, but people still do it.
    Speeding is illegal, but people still do that.
    Murder is illegal, but people still murder.

    With a law like this, it is known and expected that there will be people that will break this law. Even though an obvious method for 100% prevention would be to allow people to choose to NOT use RFID, and totally eliminate their risk to exposing their identity theft by RFID, such a solution will not be offered in the long term. (You can still choose to use credit cards that don't have RFID if you want, but there is little if any choice with government issued forms of identification, and history shows us that even if a choice is offered initially, that choice is ultimately eliminated.)

    I had a boss once who said this often:
    "If you can't afford to do something right, then maybe you shouldn't be doing it."

    Though there are exceptions, it is a useful question as a reality check when considering the addition of new technology.

    If they (credit card companies, governments, businesses, etc.) cannot be held responsible and accountable for using RFID, and if they do not offer a choice to allow people to not use RFID, then maybe RFID should not be used.

    To legally defeat this, it would be easy to go to other states that do not have such laws and wait at the gates in airports for flights arriving from the states with RFID enabled devices. If laws are created in those places, then visit other countries and do the same for visitors from the countries with RFID.

    Laws provide no protection in preventing criminals from committing crimes -- they provide a *penalty* after a crime is committed, but only if they are caught, prosecuted, and found guilty.

    [For readers that might reply: notice that I've kept politics out of this, and focused on risk and exposure and failure in the use of technology.]



    • #3
      Re: Illegal to secretly read RFID identification tags in california

      Reminds me of the old days of analog cell phones where they couldn't stop people from being able to listen to those frequencies, so they just made it illegal to sell receivers for those freqs.

      Not like it stopped anyone, but it's one more thing that they can whack you with in court.

      I'm curious though if the legislation was passed in order to stifle researchers being able to conduct field tests on RFID skimming. Lab examples are one thing, field data is another.
      Never drink anything larger than your head!


      • #4
        Re: Illegal to secretly read RFID identification tags in california

        Passive RFID scanning I can see being made illegal, but not receiving signals from active devices. I think it all comes down to intention not always easily proved in a court of law.

        xor
        Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.



        • #5
          Re: Illegal to secretly read RFID identification tags in california

          Originally posted by xor
          Passive RFID scanning I can see being made illegal, but not receiving signals from active devices. I think it all comes down to intention not always easily proved in a court of law.

          xor
          That's the thing that bothered me most when I read this, I think. For most legislation I've read through in California, especially with regards to information gathering, digital or otherwise, "with malicious intent" or some other derivative is usually in place, protecting those doing legit research.

          Originally posted by renderman
          I'm curious though if the legislation was passed in order to stifle researchers being able to conduct field tests on RFID skimming. Lab examples are one thing, field data is another.
          This is indeed an interesting question on many levels. First off, we're talking not only independent researchers, but those working directly for RFID manufacturers being unable to collect real world data (at least in CA). Everyone knows that lab data is a good proof of concept tool, but isn't going to help find vulnerabilities that only exist outside of the lab, let alone fix them. But why not perform "controlled field research"? Why not give your staff RFID devices used only for testing and test those in the field? Because while such an approach would indeed give you expanded results as opposed to what you'd get in a lab, it's essentially doing the same research in a bigger lab. Any results would be tainted by using a "special test card".

          Though I haven't looked into it (yet) I'm curious to know how many states and countries have similar laws on the books, and how many cite intent. While I agree with xor that passive or blind scanning should be illegal, how many other people think that all or part of this code is just poorly written? I kind of get a sense of "Oh no, recent technology we all use that can be exploited! Hide!" It makes sense to outlaw RFID skimming when it comes to criminal activity and intent. But when that intent is in no way malicious, it's ridiculous.

          Special note: This post is in no way intended to be of a political nature. If it comes off that way, please feel free to let me know.
          [edit] redacted a sentence that I could see as somewhat political.
          Last edited by sintax_error; September 8, 2009, 00:29.
          "You have cubed asscheeks?"... "Do you not?"



          • #6
            Re: Illegal to secretly read RFID identification tags in california

            Originally posted by xor
            I think it all comes down to intention not always easily proved in a court of law.
            No. Not from what is written above. There is no mention of intent to do harm or use the information in an illegal way. The law, as written, appears to me to only have the following conditions:
            1) Suspect reads RFID from someone remotely
            2) That RFID data is used in conjunction with other data to establish a person's identity
            3) The reading of this data is done without the knowledge AND prior consent of the person that has the RFID information.

            Maybe you see something I don't?

            Originally posted by sintax_error
            That's the thing that bothered me most when I read this, I think. For most legislation I've read through in California, especially with regards to information gathering, digital or otherwise, "with malicious intent" or some other derivative is usually in place, protecting those doing legit research.
            I think you are complaining about the lack of wording to include intent as a requirement in showing a person would be a criminal.

            Originally posted by sintax_error
            Special note: This post is in no way intended to be of a political nature. If it comes off that way, please feel free to let me know.
            [edit] redacted a sentence that I could see as somewhat political.
            And your statements and comments seem to me perfectly fine and well inside the rules on no politics or religion. (This is stated for your benefit, and for those that are lurking and trying to better understand that this is not a rule violation.) We are discussing laws and how they will help or hurt security, and that is on target with Defcon topics. If the thread became a partisan thread, or converted to political activism, then it would be heading in a political direction. :-)
            Last edited by TheCotMan; September 8, 2009, 00:47.



            • #7
              Re: Illegal to secretly read RFID identification tags in california

              Originally posted by TheCotMan
              <snip snip>I think you are complaining about the lack of wording to include intent as a requirement in showing a person would be a criminal.<snip snip>
              I am. I may not have called it "complaining", but you have a knack for calling 'em like you see 'em. And you're right. If I were to go to, let's say, Union Station in Los Angeles, wearing a sandwich board sign that read "I'm collecting RFID data for research, ask me for documentation", having full documentation of the study on hand and giving full disclosure to anyone who will listen, I'd be guilty of a crime under this code. If it were written with the "malicious intent" clause I'd be fine in court based on the full disclosure alone; I don't think any judge would find malicious intent when you're literally advertising what you are doing.

              Now granted, the same scenario would be perfectly fine if I were to ask random people "Would you mind if I scanned you with an RFID reader for research purposes, here's a detailed layout of the study" of course with the obligatory cover my own "please sign this waiver stating you agree to be scanned". I have no stake in this one way or another, because as of this moment in time, I have no plans to do much if any RFID research. My only point is that one would be free to do much more research, much more efficiently if this code stated intent. Don't get me wrong, I'm not saying if it did, that it'd be cool to secretly skim the public for your data, in fact, that's kind of a dick move. But if someone were to state clearly that they are scanning RFID, and why they are doing it, that should not be a crime.
              "You have cubed asscheeks?"... "Do you not?"



              • #8
                Re: Illegal to secretly read RFID identification tags in california

                Originally posted by sintax_error
                I am. I may not have called it "complaining", but you have a knack for calling 'em like you see 'em. And you're right. If I were to go to let's say Union Station in Los Angeles, wearing a sandwich board sign that read "I'm collecting RFID data for research, ask me for documentation" Having full documentation of the study on hand, giving full disclosure to anyone who will listen, I'd be guilty of a crime under this code. If it were written with the "malicious intent" clause I'd be fine in court based on the full disclosure alone, I don't think any judge would find malicious intent when you're literally advertising what you are doing.

                Now granted, the same scenario would be perfectly fine if I were to ask random people "Would you mind if I scanned you with an RFID reader for research purposes, here's a detailed layout of the study" of course with the obligatory cover my own "please sign this waiver stating you agree to be scanned". I have no stake in this one way or another, because as of this moment in time, I have no plans to do much if any RFID research. My only point is that one would be free to do much more research, much more efficiently if this code stated intent. Don't get me wrong, I'm not saying if it did, that it'd be cool to secretly skim the public for your data, in fact, that's kind of a dick move. But if someone were to state clearly that they are scanning RFID, and why they are doing it, that should not be a crime.
                There is an attempt to provide "security by illegality" which is worse than "security by obscurity" because not only is it a known risk and not obscure, but there is no successor to the present system that would solve the actual problem. Instead, the passing of legislation is used to dissuade people from showing how such an attack in the real world could harm consumers, and citizens.

                A very good summary of this as a miniature cautionary tale is included in The Wizard of Oz with the quote, "pay no attention to that man behind the curtain," but with an addendum of, "or else we will imprison and maybe fine you."

                So long as people are not made aware of a failure or critical flaw, they can continue to assume there is no flaw, and no weakness or exploit. It becomes denial by legislation.

                Consider this instead: will it be possible in California for companies to audit RFID security procedures in situ? Surely, examination of policy is not sufficient for a comprehensive audit, as failures in security often happen in the implementation even if the policy would otherwise be, "secure."

                These kinds of laws can make a legal, comprehensive audit of site authentication, especially for various companies looking for government contracts, impossible. Of course, with laws like this, they could say things like, "the last audit found no security problems at all with our employee RFID authentication and validation system." ]:>

                This example will likely be more easily understood by common people as a valid and useful thing more than a free security audit at the airport. :-)
                Last edited by TheCotMan; September 8, 2009, 03:25.



                • #9
                  Re: Illegal to secretly read RFID identification tags in california

                  Slow down guys. Two things:

                  1) California Civil Code, Title 1.80 (Identification Documents) Section 1798.79 applies only to California documents issued by California DMV. (i.e. Driver's licenses and registrations). This is because it is part of the motor vehicle law, and as such, it does not apply to any other documents issued or used in California.

                  2) Before everyone gets all cranked up and rants about how wrong a law is, you might want to actually READ THE WHOLE LAW! I say that because Section 1798.79 Subsection (e) specifically makes a provision allowing for exactly the kind of research and other activities that you all are complaining is missing. In fact, it specifically mentions research such as "identifying and analyzing security flaws and vulnerabilities".

                  (e) Subdivisions (a) and (d) shall not apply to the reading, storage, use, or disclosure to a third party of a person’s identification document, or information derived therefrom, in the course of an act of good faith security research, experimentation, or scientific inquiry, including, but not limited to, activities useful in identifying and analyzing security flaws and vulnerabilities.
                  The whole law is available on this link (originally provided by TheCotman):
                  http://www.dmv.ca.gov/pubs/vctop/app...civ1798_79.htm

                  Taking a specific section or subsection of a law [in this case Section 1798.79 Subsection (a)] without reading or including the rest of the law [Subsections (b) through (e)] ends up with people being completely misinformed. Laws have to be read as complete works or much of the information is lost. Think of it this way: it is like reading the main() in C code, but never reading the other functions. You only get a portion of the information, and don't see how that information is modified or otherwise acted upon. The same thing applies to laws.
                  Thorn
                  "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird



                  • #10
                    Re: Illegal to secretly read RFID identification tags in california

                    Originally posted by Thorn
                    Slow down guys...
                    Originally posted by The law in question
                    ...act of good faith security research, experimentation, or scientific inquiry, including, but not limited to, activities useful in identifying and analyzing security flaws and vulnerabilities...
                    And that seems like a pretty broad exemption as well.
                    "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";



                    • #11
                      Re: Illegal to secretly read RFID identification tags in california

                      Originally posted by Thorn
                      Originally posted by law
                      (e) Subdivisions (a) and (d) shall not apply to the reading, storage, use, or disclosure to a third party of a person’s identification document, or information derived therefrom, in the course of an act of good faith security research, experimentation, or scientific inquiry, including, but not limited to, activities useful in identifying and analyzing security flaws and vulnerabilities.
                      The whole law is available on this link (originally provided by TheCotman):
                      http://www.dmv.ca.gov/pubs/vctop/app...civ1798_79.htm
                      I totally missed that exception the first time through. Sorry about that; my mistake. I went to read the law so I *could* find the exact wording and look for exceptions, but I somehow missed the exception I was looking for. Thanks for finding this and reporting my failure. :-)



                      • #12
                        Re: Illegal to secretly read RFID identification tags in california

                        Originally posted by theprez98
                        And that seems like a pretty broad exemption as well.
                        Probably. Although I'd imagine that any defense of "security research" would be clearly supported or denied based on the use of the data.

                        Originally posted by TheCotMan
                        I totally missed that exception the first time through. Sorry about that; my mistake. I went to read the law so I *could* find the exact wording and look for exceptions, but I somehow missed the exception I was looking for. Thanks for finding this and reporting my failure. :-)
                        No problem, and it wasn't aimed specifically at you. I'm the first one to bitch about badly written laws, but I hate seeing rants about "bad" laws when in fact the law addresses the concerns that are raised in the first place.
                        Thorn
                        "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird



                        • #13
                          Re: Illegal to secretly read RFID identification tags in california

                          Ah! I too missed section (e). Sorry! Thanks, Thorn!

                          However, the "Identification documents" applies to privately issued ones as well: 1798.795(c)(2) "Identification cards for employees or contractors."

                          http://www.dmv.ca.gov/pubs/vctop/app...iv1798_795.htm

                          Kallahar
                          --- The fuck? Have you ever BEEN to Defcon?



                          • #14
                            Re: Illegal to secretly read RFID identification tags in california

                            As did I. I was actually reading the whole context of the code at work this morning when I caught it before even seeing your post, Thorn. A classic example of how misreading can lead to jumping the proverbial gun. But I do think that everyone's opinions thus far are still valid and open to more discussion especially now that we're all on the same page.
                            "You have cubed asscheeks?"... "Do you not?"



                            • #15
                              Re: Illegal to secretly read RFID identification tags in california

                              Originally posted by sintax_error
                              As did I. I was actually reading the whole context of the code at work this morning when I caught it before even seeing your post, Thorn. A classic example of how misreading can lead to jumping the proverbial gun. But I do think that everyone's opinions thus far are still valid and open to more discussion especially now that we're all on the same page.
                              Agreed. Being allowed to look for vulnerabilities is needed, no question. Bad laws that say "thou shalt not do X" as some sort of a bass-ackwards 'security' measure only serve to allow the bad guys free access, but prevent the good guys from figuring out where the problems really are.
                              Thorn
                              "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird
