Dangerous Things
Custom gadgetry for the discerning hacker

The Store is now open! Check out the gadgetry »
Like what you're reading?
Share It.

An examination of California bill banning forced RFID implantation

This is very old news, but people keep asking me about it (CA SB362), so here goes:

quote source:

California Senate Bill 362, which would prohibit any person from forcing any other person to undergo an implant in their body of a radio frequency identification (RFID) device, passed the Senate Floor on a 28-9 vote Thursday, and will now go to Governor Schwarzenegger.

“RFID technology is not in and of itself the issue. RFID is a minor miracle, with all sorts of good uses,” said the bill sponsor Senator Joe Simitian. “But we shouldn’t condone forced ‘tagging’ of humans. It’s the ultimate invasion of privacy.”

I can think of another form of privacy invasion that is far more insidious… passive biometric enrollment. When you get an RFID implant, its no secret. It will most likely be known by the recipient that they are getting one, and the tag itself is easily seen in an x-ray. Passive biometric enrollment, by contrast, requires no knowledge of the users’ participation in the ID/tracking system, and does not require the user to carry anything or do/be anything but themselves. This type of technology is in wide use already in security checkpoints, city wide camera systems, etc. Computers watch faces, analyze gaits (the way you walk), track license plates throughout the city, etc. and assign you (or your car) an ID. There are even truck mounted camera systems now for tow truck drivers that allow them to just drive down the street and let the camera system ID license plates of cars that are clear to tow/repo. It wouldn’t take much to link these systems to GPS to generate reports of license plate locations.

The problem here is; if any system operator or power abusing government employee wants to know where you’ve been, they simply click on you and get a video history with dates, times, locations, etc. This is not happening at some undefined time in the future, it is happening now.

The attempt to build an electronic “dog nose” that could sniff out various chemicals lead to some interesting off-chutes. One these off-chutes is a chemical scent detection and identification system that has been developed and has enjoyed limited deployment. This system can tell who you are by your smell by “sniffing” the air as people pass through the detection area. It breaks down and identifies the unique chemical markers each of us have. These types of systems are new, but quietly being improved while the privacy debate rages around RFID.

Despite wide-ranging support, the RFID industry has declined to support SB 362. In response, Simitian said, “I think it’s unfortunate and regrettable that the industry hasn’t come out in support of SB 362. I understand why we’re having a robust debate about the privacy concerns related to RFID, but at the very least, we should be able to agree that the forced implanting of under-the-skin technology into human beings is just plain wrong. I’m deeply concerned that this isn’t a given for the industry.”

I don’t know why the RFID industry did not support this bill, it seems pretty straight forward… until you look at the word “forced”. I know VeriChip in particular wants to use their implant tech to track senile or otherwise “out of it” people around facilities. If the person cannot give consent, is that “forcing them”? What about a legal requirement like the migrant workers argument? If it is legally required to get an implant to come into the country on certain types of work visas, is that considered “forced”, or is that still considered a “choice”.

“Passage of SB 362 ensures that no Californian is compelled to have electronic identifiers of any type embedded in their body. This provides Californians with the personal agency to make such decisions should they have a reason to, as well as another means of protecting their personal information,” said Jennifer King, Research Specialist at the Samuelson Law, Technology and Public Policy Clinic at U.C. Berkeley School of Law.

If the governor signs SB 362, California would join Wisconsin and North Dakota, which have already banned forced RFID implantation.

I wonder what the definition of “embedded” is… I wonder if swallowing something is considered “embedded”.

The Council on Ethical and Judicial Affairs (CEJA), which develops ethics policies for the American Medical Association, recently issued a report raising concerns about the human implantation of RFID tags. The report stresses that RFID devices may compromise a person’s privacy and security because it is not yet clear if the information contained in the tags can be properly protected. Further, CEJA finds that RFID tagging may present physical risks because the tags may migrate under the skin, making them hard to remove at a later time.

What the hell are they talking about? The FDA approved tags utilize an anti-migration coating which locks the tag in place. That coating is precisely what makes the tag “hard to remove at a later time”. Obviously the CEJA is ill-informed, which is the unfortunate modus operandi for those making laws that govern the rest of us.

The bottom line here is, I think this is a law pointed in the right direction, but ultimately it will stop here. There are two reasons you will never see a similar law that protects Californians from forced or involuntary biometric enrollment. The first reason is that so many types of advanced security systems rely on involuntary/unknown enrollment that it would render illegal all that expensive gear bought with homeland security funds. The second reason is; nobody gets as worked up about a camera staring at them as they do about a physical, tangible glass encased RFID tag. Something about the psyche of the average person just can’t bridge the gap between a camera or chemical scent detection system and massive abuse of personal privacy… they just don’t understand why/how something like that could be such a big risk to their privacy. But, ask them to imagine/consider putting something (anything) under their skin, and they immediately understand why they don’t want it. They might not understand what that thing is, what it can do, or more importantly what it can’t do… but they do understand they don’t want it anywhere near them.

The confusing thing for me is the cell phone argument vs RFID tags on things like clothes and such. For less than a dollar, I can get a carrier to tell me where your cell phone is. Because of the enhanced 911 requirement, carriers built (and are improving) ways to locate phones into their tower systems. An off-chute of this is LBS (location based services). I worked with carriers for a time setting up various location based services, and with a very simple signed agreement, I was able to pay carriers to tell me where any cell number is at any time. Tons of non-carrier, non-government 3rd party services are doing this. Because it is tied in with E911 and there is no legal provision for it yet, there is no way to “opt-out” of this kind of reporting with your carrier.

People either don’t seem to know/understand how crazy that is, or don’t seem to care as much because the cell phone is a device that is designed to do something else, but can just happen to be used to find/track you. The argument against RFID tagged clothes and other personal items (which I happen to agree with) gets a ton of press and ticked off people because the RFID tag is designed to do only one thing; identify. They subsequently feel there will be this giant, expensive interlinked grid of RFID readers in every doorway that will track you around the city based on your RFID tags. To those people I say; relax. I can already find you using city wide cameras, mobile phone LBS, store loyalty card usage, debit/credit card purchases, etc.

Wait… does the bill actually touch biometrics?

However, looking into the text of the bill a littler further, one thing I find interesting is the definitions used:

“Identification device” means any item, application, or product that is passively or actively capable of transmitting personal information, including, but not limited to, devices using radio frequency technology.

“Subcutaneous” means existing, performed, or introduced under or on the skin.

So, the bill covers more than just RFID devices… it really covers anything used to ID a person that is “Subcutaneous”. Their definition of subcutaneous seems odd to me that it would include the word “existing”. What does that mean? Does that actually mean it is illegal to develop/use a technology that identifies a person based on something that already exists under the skin, like facial bone structure? Does this bill actually reach through the RFID debate and touch biometrics? Anyone with bar certified legal experience, please comment!

Tags: , , , , , ,

Leave a Reply

Get Adobe Flash player