Let me preface this by stating I am not a lawyer. I don’t live in California. I’m also not an expert at reading legislation, and I may also be thinking about this the wrong way.
That said, I’ve been reading California’s legislation marked SB 31, which makes it illegal to read RFID without the possessor’s prior consent and approval. This raises some very interesting questions to me…
How does this affect installed systems used for automobile toll collection? Does this mean that each time I drive through a tollbooth with this technology, the State of California has to ask my permission to read, and then I have to consent? Certainly, they can pre-authorize consent through the usage agreement, which they may need to change now. Until then (if it isn’t already in the agreement), is the State of California currently engaging in an illegal act?
The same becomes true of those using RFID for access control or payment information. Does my employer need to ask my permission to read my RFID-enabled badge every time I enter the building? Or, do they need to cover it with a blanket usage agreement?
In my opinion, I think that the legislators went about this a little backwards. I personally think that they should not have made it illegal to read without permission, but that they should have done the opposite: pass legislation that requires the RFID vendors to implement technology to prevent unauthorized, unencrypted reading of data from RFID. Sure, from a technological standpoint it is certainly a challenge, but consider making it a future rollout, such as the new digital TV rollout here in the US.
Certainly neither plan is perfect or foolproof. I just see this as going after the attacker, while really not fixing the problem.
When you outlaw reading RFID, only outlaws will read RFID.