Re: Illegal to secretly read RFID identification tags in california
I am. I may not have called it "complaining", but you have a knack for calling 'em like you see 'em. And you're right. If I were to go to, let's say, Union Station in Los Angeles, wearing a sandwich board sign that read "I'm collecting RFID data for research, ask me for documentation", having full documentation of the study on hand, giving full disclosure to anyone who will listen, I'd be guilty of a crime under this code. If it were written with the "malicious intent" clause I'd be fine in court based on the full disclosure alone; I don't think any judge would find malicious intent when you're literally advertising what you are doing.
Now granted, the same scenario would be perfectly fine if I were to ask random people "Would you mind if I scanned you with an RFID reader for research purposes, here's a detailed layout of the study" of course with the obligatory cover my own "please sign this waiver stating you agree to be scanned". I have no stake in this one way or another, because as of this moment in time, I have no plans to do much if any RFID research. My only point is that one would be free to do much more research, much more efficiently if this code stated intent. Don't get me wrong, I'm not saying if it did, that it'd be cool to secretly skim the public for your data, in fact, that's kind of a dick move. But if someone were to state clearly that they are scanning RFID, and why they are doing it, that should not be a crime.
Illegal to secretly read RFID identification tags in california
-
Re: Illegal to secretly read RFID identification tags in california
No. Not from what is written above. There is no mention of intent to do harm or use the information in an illegal way. The law, as written, appears to me to only have the following conditions:
1) Suspect reads RFID from someone remotely
2) That RFID data is used in conjunction with other data to establish a person's identity
3) The reading of this data is done without the knowledge AND prior consent of the person that has the RFID information.
Maybe you see something I don't?
I think you are complaining about the lack of wording to include intent as a requirement in showing a person would be a criminal.
That's the thing that bothered me most when I read this, I think. For most legislation I've read through in California, especially with regards to information gathering, digital or otherwise, "with malicious intent" or some other derivative is usually in place, protecting those doing legit research.
And your statements and comments seem to me perfectly fine and well inside the rules on no politics or religion. (This is stated for your benefit, and for those that are lurking and trying to better understand this is not a rule violation.) We are discussing laws and how they will help or hurt security, and that is on target with Defcon topics. If this became a partisan thread, or converted to political activism, then it would be heading in a political direction. :-)
Last edited by TheCotMan; September 7, 2009, 22:47.
-
Re: Illegal to secretly read RFID identification tags in california
That's the thing that bothered me most when I read this, I think. For most legislation I've read through in California, especially with regards to information gathering, digital or otherwise, "with malicious intent" or some other derivative is usually in place, protecting those doing legit research.
This is indeed an interesting question on many levels. First off, we're talking not only independent researchers, but those working directly for RFID manufacturers being unable to collect real world data (at least in CA). Everyone knows that lab data is a good proof of concept tool, but isn't going to help find vulnerabilities that only exist outside of the lab, let alone fix them. But why not perform "controlled field research"? Why not give your staff RFID devices used only for testing and test those in the field? Because while such an approach would indeed give you expanded results as opposed to what you'd get in a lab, it's essentially doing the same research in a bigger lab. Any results would be tainted by using a "special test card".
Though I haven't looked into it (yet) I'm curious to know how many states and countries have similar laws on the books, and how many cite intent. While I agree with xor that passive or blind scanning should be illegal, how many other people think that all or part of this code is just poorly written? I kind of get a sense of "Oh no, recent technology we all use that can be exploited! Hide!" It makes sense to outlaw RFID skimming when it comes to criminal activity and intent. But when that intent is in no way malicious, it's ridiculous.
Special note: This post is in no way intended to be of a political nature. If it comes off that way, please feel free to let me know.
[edit] redacted a sentence that I could see as somewhat political.
Last edited by sintax_error; September 7, 2009, 22:29.
-
Re: Illegal to secretly read RFID identification tags in california
Passive RFID scanning I can see being made illegal, but not receiving signals from active devices. I think it all comes down to intention not always easily proved in a court of law.
xor
-
Re: Illegal to secretly read RFID identification tags in california
Reminds me of the old days of analog cell phones where they couldn't stop people from being able to listen to those frequencies, so they just made it illegal to sell receivers for those freqs.
Not like it stopped anyone, but it's one more thing that they can whack you with in court.
I'm curious though if the legislation was passed in order to stifle researchers being able to conduct field tests on RFID skimming. Lab examples are one thing, field data is another.
-
Re: Illegal to secretly read RFID identification tags in california
(WAIS Search came up with a blank page for me. Here are some other choices: 1, 2)
So I was browsing the CA Civil Code (the law) and came across this one:
http://www.leginfo.ca.gov/cgi-bin/wa...ction=retrieve
1798.79. (a) ...a person or entity that intentionally remotely reads or attempts to remotely read a person's identification document using radio frequency identification (RFID), for the purpose of reading that person's identification document without that person's knowledge and prior consent, shall be punished by imprisonment in a county jail for up to one year, a fine of not more than one thousand five hundred dollars ($1,500), or both that fine and imprisonment.
(c) "Identification document" means any document containing data that is issued to an individual and which that individual, and only that individual, uses alone or in conjunction with any other information for the primary purpose of establishing his or her identity. Identification documents specifically include, but are not limited to, the following:
(2) Identification cards for employees or contractors.
Interesting, huh?
Kallahar
This is interesting. If you can't provide sufficient security to safeguard the people from invasion of privacy with technology, then you just create laws to silence the people that might try to expose the problem with sensational news stories.
This is the worst kind of failure that exists in projects or any kind of system with people playing a game; it is the decoupling of responsibility from control.
So long as responsibility and control remain tied together, the players in a game will work to improve the things they control in such a way as to decrease their exposure to risk (responsibilities exposed.)
When responsibility is decoupled from control, then the burden of risk is placed on people that have no control over managing their own personal risks.
Some may counter with comment about citizens being able to protect themselves with RFID blocking wallets, or purses, but this is another example of creating a problem and pushing a burden to those that have no control over eliminating the problem by choosing not to accept the new risk that needs to be managed.
Jaywalking is illegal, but people still do it.
Speeding is illegal, but people still do that.
Murder is illegal, but people still murder.
With a law like this, it is known and expected that there will be people that will break this law. Even though an obvious method for 100% prevention would be to allow people to choose to NOT use RFID, and totally eliminate their risk to exposing their identity theft by RFID, such a solution will not be offered in the long term. (You can still choose to use credit cards that don't have RFID if you want, but there is little if any choice with government issued forms of identification, and history shows us that even if a choice is offered initially, that choice is ultimately eliminated.)
I had a boss once who said this often:
"If you can't afford to do something right, then maybe you shouldn't be doing it."
Though there are exceptions, it is a useful question as a reality check when considering the addition of new technology.
If they (credit card companies, governments, businesses, etc.) cannot be held responsible and accountable for using RFID, and if they do not offer a choice to allow people to not use RFID, then maybe RFID should not be used.
To legally defeat this, it would be easy to go to other states that do not have such laws and wait at the gates in airports for flights arriving from the states with RFID enabled devices. If laws are created in those places, then visit other countries and do the same for visitors from the countries with RFID.
Laws provide no protection in preventing criminals from committing crimes -- they provide a *penalty* after a crime is committed, but only if they are caught, prosecuted, and found guilty.
[For readers that might reply: notice that I've kept politics out of this, and focused on risk and exposure and failure in the use of technology.]
-
Illegal to secretly read RFID identification tags in california
So I was browsing the CA Civil Code (the law) and came across this one:
http://www.leginfo.ca.gov/cgi-bin/wa...ction=retrieve
1798.79. (a) ...a person or entity that intentionally remotely reads or attempts to remotely read a person's identification document using radio frequency identification (RFID), for the purpose of reading that person's identification document without that person's knowledge and prior consent, shall be punished by imprisonment in a county jail for up to one year, a fine of not more than one thousand five hundred dollars ($1,500), or both that fine and imprisonment.
(c) "Identification document" means any document containing data that is issued to an individual and which that individual, and only that individual, uses alone or in conjunction with any other information for the primary purpose of establishing his or her identity. Identification documents specifically include, but are not limited to, the following:
(2) Identification cards for employees or contractors.
Interesting, huh?
Kallahar