Monday, February 23, 2009

RFID Crime

On February 10, Nevada Senate Bill 125 was introduced into the Nevada legislature and then referred to the Nevada Senate Judiciary Committee.

The Committee is scheduled to discuss the bill today, February 23, 2009.
Section 1 of the bill would add the following new crime to the Nevada criminal code:
1. Except as otherwise provided in this section, a person who knowingly and intentionally possesses, reads or captures the personal identifying information of another person using radio frequency identification, without that person's knowledge and prior consent, is guilty of a category C felony and shall be punished as provided in [Nevada Revised Statutes §] 193.130.

2. The provisions of this section do not prohibit the possession or use of any personal identifying information through radio frequency identification by officers of local police, sheriff and metropolitan police departments and by agents of the Investigation Division of the Department of Public Safety while engaged in undercover investigations related to the lawful discharge of their duties.

3. As used in this section, 'radio frequency identification' means the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to read or communicate to or from personal identifying information through a variety of modulation and encoding schemes.
Nevada Senate Bill 125(1). The bill defines radio frequency identification as “the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to read or communicate to or from personal identifying information through a variety of modulation and encoding schemes.” Nevada Senate Bill 125(3). It doesn’t seem to define “personal identifying information.”

Section 4 of Senate Bill 125 says that someone who violated § 1 of the Bill can be prosecuted for the violation “whether or not the person whose personal identifying information forms a part of the violation” is (i) “living or deceased during the course of the violation or the prosecution”; (ii) an artificial person (e.g., a corporation); or (iii) suffered financial loss or injury as a result of the violation.

Section 5 of Senate Bill 125 provides as follows:
The provisions of . . . section 1 of this act do not apply to any person who, without the intent to defraud or commit an unlawful act, possesses or uses any personal identifying information of another person:

1. In the ordinary course of his business or employment; or

2. Pursuant to a financial transaction entered into with an authorized user of a payment card who has given permission for the financial transaction.
Nevada Senate Bill 125.

The bill, as originally introduced, was the target of criticism from the Electronic Frontier Foundation and other sources because it does not explicitly exempt legitimate security researchers from liability for violating § 1. According to an article in The Register, the bill’s sponsor – State Senator Parks – says he intends to introduce an amendment on Monday that would specifically exempt legitimate researchers from liability for violating § 1.

The Nevada bill isn’t the only legislation on this issue. A California statute added by 2008 legislation makes it a crime for a “person or entity” to “intentionally remotely read[] or attempt[] to remotely read a person’s identification document using radio frequency identification (RFID), for the purpose of reading that person’s identification document without that person’s prior consent”. California Civil Code § 1798.79(a). A related statute defines “radio frequency identification” as “the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from an identification document through a variety of modulation and encoding schemes.” California Civil Code § 1798.795(e).

The same statute defines an identification document as “any document containing data that is issued to an individual and which that individual, and only that individual, uses alone or in conjunction with any other information for the primary purpose of establishing his or her identity.” California Civil Code § 1798.795(c). A violation of § 1798.79(a) is punishable “by imprisonment in a county jail for up to one year, a fine of not more than one thousand five hundred dollars . . . or both”. California Civil Code § 1798.79(a).

And last year, Washington also adopted a statute that makes it a felony to intentionally possess, or read or capture remotely “using radio waves, information contained on another person’s identification document, including the unique personal identifier number encoded on the identification document, without that person’s knowledge or consent.” Washington Revised Code § 9A.58.020(1). The Washington statute also says this section – the section that defines the crime – does not apply to a “person or entity” that
(i) “reads an identification document to facilitate border crossing”;
(ii) “reads a person's identification document in the course of an act of good faith security research . . . or scientific inquiry including . . . activities useful in identifying and analyzing security flaws and vulnerabilities”; or
(iii) “unintentionally reads an identification document remotely in the course of operating its own radio frequency identification system, provided that the inadvertently received information is not disclosed to any other person, is not used for any purpose and is not stored or is promptly destroyed.”
Washington Revised Code § 9A.58.020(2). A related Washington statute defines “identification document” as “an enhanced driver’s license or an enhanced identicard” and defines radio frequency identification as “a technology that uses radio waves to transmit data remotely to readers.” Washington Revised Code § 9A.58.010(3)-(4).

The California and Washington statutes seem to be narrower in focus than the proposed Nevada legislation: They make it a crime to use RFID technology to remotely read an “identification document.” Washington defines such a document very narrowly, while California defines it more broadly; the constant in both statutes, though, is to read an “identification document.” The Nevada statute is at least potentially broader in its scope, since it focuses on using RFID technology to obtain “personal identifying information.”

As long as legislation like this exempts legitimate researchers and other legitimate uses of RFID technology, I really don’t see that it’s problematic in terms of privacy or criminal law concerns. The purpose, of course, is to help protect our privacy in an era in which communication technology becomes increasingly embedded in various aspects of our lives . . . invisibly embedded, which may make it harder for us to keep track of it and protect it. These statutes seem to do this, and they seem to do it by focusing on the data, instead of the technology.

A law review article argues that this is the appropriate approach for preventing RFID-predicated invasions of data privacy because it is less likely to interfere with the development and implementation of RFID technology. See Justin M. Schmidt, RFID and Privacy: Living in Perfect Harmony, 34 Rutgers Computer and Technology Law Journal 247 (2007).


2 comments:

Russ Cooper said...

I'd be amazed to read the legal definition of "legitimate researcher" which hasn't been abused by less than honorable people in the past.

It is all well and good for EFF and others to fight anything that doesn't include such a clause, but until such a statement can be turned into a legal definition it will continue to be abused. There must be a test that can be applied, both by the researcher and others, that makes it clear whether the research is legitimate.

Researchers generally are not professionals since there is no concept of disbarment. Until there is, there's no distinction between them and anyone else, and any exemptions only hamper strong laws and enforcement.

Cheers,
Russ

Unknown said...

I'd be amazed to read the legal definition of "Law Enforcement Officer" which hasn't been abused by less than honorable people in the past.

Same difference IMHO. Exemptions are always subject to abuse.