
RFID in California

Let me preface this by stating I am not a lawyer. I don’t live in California. I’m also not an expert at reading legislation, and I may also be thinking about this the wrong way.
That said, I’ve been reading California’s legislation marked SB 31, which makes it illegal to read RFID without the possessor’s prior consent and approval. This raises some very interesting questions to me…
How does this affect installed systems used for automobile toll collection? Does this mean that each time I drive through a tollbooth with this technology, the State of California has to ask my permission to read, and then I have to consent? Certainly, they can pre-authorize consent through the usage agreement, which they may need to change now. Until then (if it isn’t already in the agreement), is the State of California currently engaging in an illegal act?
The same becomes true of those using RFID for access control or payment information. Does my employer need to ask me permission to read my RFID-enabled badge every time I enter the building? Or, do they need to cover it with a blanket usage agreement?
In my opinion, I think that the legislators went about this a little backwards. I personally think that they should not have made it illegal to read without permission, but that they should have done the opposite: pass legislation that requires the RFID vendors to implement technology to prevent unauthorized, unencrypted reading of data from RFID. Sure, from a technological standpoint it is certainly a challenge, but consider making it a future rollout, such as the new digital TV rollout here in the US.
Certainly neither plan is perfect or foolproof. I just see this as going after the attacker, while really not fixing the problem.
When you outlaw reading RFID, only outlaws will read RFID.

Larry Pesce

A self-professed, lifelong “tinkerer and explorer,” Larry always wanted to know how things work. “I found myself getting to engage in deep dives of technology from an early age: My dad built the family television from a kit, and I helped. It caught fire. Twice. I helped fix it both times.”

The help and advice received from the infosec community throughout his career inspired him to share what he had learned to help others secure their networks and improve their craft. Part of that ongoing sharing has been as the co-founder and co-host of the international award-winning Paul’s Security Weekly podcast for more than 19 years.

Larry has spent the last 15 years as a penetration tester, spending lots of time focused on Healthcare, ICS/OT, Wireless, and IoT/IIoT/Embedded Devices, but now focuses his efforts on securing the software supply chain at Finite State.
