Legislature(2007 - 2008)BELTZ 211
03/17/2008 01:30 PM Senate JUDICIARY
| Audio | Topic |
|---|---|
| Start | |
| SB293 | |
| SB234 | |
| Adjourn |
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
+ teleconferenced
= bill was previously heard/scheduled
| += | SB 234 | TELECONFERENCED | |
| + | SB 293 | TELECONFERENCED | |
| + | TELECONFERENCED |
SB 293-ELECTRONIC COMMUNICATION DEVICES
CHAIR FRENCH announced the consideration of SB 293. Before the
committee was CSSB 293(L&C).
TREVOR FULTON, Staff to Senator McGuire, said SB 293 is intended
to protect personal and consumer privacy and to nip the
potential for identity theft in the bud. The bill does this by
regulating the use of radio frequency identification detector
(RFID) technology in the state of Alaska.
1:39:40 PM
MR. FULTON explained that RFID is wireless technology that
includes three elements: a tag that has an antenna that is
capable of transmitting data; a reader that receives data
transmitted by the tag; and a database that stores the
information that's exchanged. Common RFIDs include employee
access passes, payment cards that don't require swiping, toll
passes, and pet implants. Those sorts of RFIDs are good for the
consumer and they won't be negatively impacted by this bill, he
said.
MR. FULTON said that some less overt examples of RFIDs are U.S.
Food and Drug Administration approved tags that can be implanted
in humans and contain patient records for use in hospitals. RFID
tags are also being used to track the movement of products from
the manufacturer to the retailer and points in between. RFIDs
bring convenience but it could be at the cost of security, which
is why SB 293 was introduced. Private information such as bank
account numbers, Social Security numbers, driver's license
numbers, or health records that are transmitted by RFID tags and
stored in RFID databases can leave consumers vulnerable to
identity theft. SB 293 seeks to minimize vulnerability and
protect personal and consumer privacy by regulating the use of
RFID technology in the state of Alaska. As RFID use becomes more
widespread it will become increasingly important that consumers
are informed about products that carry RFID tags, that
businesses obtain consumer consent to using this technology, and
that minimum security standards are adopted for RFID use.
Currently there are no minimum standards for encryption
technology used to relay personal information from a tag to a
reader or for securing information that's stored in databases
either. SB 293 aims to set standards for both.
1:44:37 PM
MR. FULTON said that SB 293 establishes RFID regulations where
none currently exist. It prohibits scanning or reading an RFID
tag without the consumer's consent and it establishes that
misuse of RFID devices would be an unfair trade practice. SB 293
is proactive and aims to stay ahead of those who would misuse
this growing technology. He asked the committee to reflect on
how being more proactive about protecting consumer and personal
information 10 years ago might have lessened the epidemic of
identity theft that's seen today.
1:46:34 PM
CHAIR FRENCH referred to page 1, line 7, and asked if the
provider of an RFID is the manufacturer. For example, HID
Corporation is the provider for the capitol building RFIDs.
MR. FULTON clarified that the business or office that issued the
RFID would be considered the provider.
CHAIR FRENCH referred to page 5, lines 28-29, that defines a
provider as a person who sells, offers to sell, or issues an
electronic communication device. He asked if the bill allows the
consumer to know how much personal information is stored on the
RFID tag they're carrying around.
MR. FULTON directed attention to page 3, line 31, through page
4, line 2, that says, "an electronic or written record; the
record must, at a minimum, clearly and conspicuously state the
provider's privacy policy and the manner in which information
relating to the consumer will be collected and disseminated;".
SENATOR McGUIRE noted that page 2, lines 20-25, relate to
consent. It says that the consumer shall be notified that the
RFID transmits personal information and the consumer must give
consent. But if it needs to be clearer then let's do so, she
said.
CHAIR FRENCH commented that he'd think twice about using an RFID
card if he knew that his bank account number, driver's license
number, and Social Security number was on that card.
1:50:47 PM
MR. FULTON said that's a good point and he believes the sponsor
would be happy to amend the bill to make that clear.
CHAIR FRENCH said Section 45.48.020 is close and adding a word
or two would tighten it up.
SENATOR THERRIAULT commented that part of the concern relates to
knowing what information your card is transmitting. That needs
to be spelled out because a person may want to destroy or never
accept a card that has too much personal information on it.
SENATOR McGUIRE said that's the point of the bill. Although
there are some very good uses for RFID technology, she believes
that many Alaskans are unaware that their personal information
is being collected and used. This is really more about
information, she said.
1:52:33 PM
CHAIR FRENCH noted that the "Stanford Technology Law Review"
article was useful and he was surprised to learn how easy it is
for some people to read information on passports and other
documents that he thought were highly secure. He asked if any
financial transactions have been intercepted using technology
that captures RFID transmissions.
MR. TREVOR replied he doesn't have documented examples, but it
probably is occurring. The problem is that it's difficult to
determine how identity theft occurs. It could be from RFID
transmissions or from digging in someone's trash, or from stolen
mail.
CHAIR FRENCH asked to what extent RFIDs are used commercially in
Alaska.
MR. TREVOR replied it's difficult to quantify, but it's a growth
industry worldwide. In 2006 there were about 1.3 billion RFIDs
worldwide and the following year there were over 4 billion.
SENATOR McGUIRE added that this bill will help to figure that
out.
CHAIR FRENCH asked if there is any opposition to the bill.
MR. TREVOR replied two people spoke in opposition to the bill in
the last committee; one was from EPC and the other was from the
American Electronics Association.
1:55:16 PM
SENATOR THERRIAULT asked if some of the 4 billion RFIDs he
mentioned are for tracking products which wouldn't present any
sort of security risk.
MR. TREVOR said that's correct; most are probably used in supply
chain management that has nothing to do with individuals. The
scope of this bill is to address RFID devices that transmit
personal information.
1:56:31 PM
SENATOR THERRIAULT asked how the transmitting tag works.
MR. TREVOR explained that there are two basic types of RFID
devices - active and passive. Active RFID devices are larger,
contain a power source, transmit a signal continuously, and
transmit longer distances. Passive RFID devices are smaller and
don't have a power supply. They use energy that's transmitted
from the reader to create a signal and send it back to the
reader.
CHAIR FRENCH commented that most RFIDs must vary with regard to
strength. For example, his capitol building RFID must be fairly
close to the reader for it to unlock the door, but it's not
necessary to get that close with toll booth easy passes.
MR. TREVOR said that's a good example of the difference between
a passive tag and an active tag. All toll passes are active so
they transmit a signal all the time.
1:58:28 PM
SENATOR McGUIRE highlighted the document summarizing the changes
made in the L&C committee.
CHAIR FRENCH asked if the bill is based on draft legislation
from another state.
MR. TREVOR replied it's based on legislation from Washington
State. He added that in the last several years over 50 pieces of
RFID legislation have been drawn up in 27 different states.
CHAIR FRENCH opened public testimony.
2:00:10 PM
ALLISON FLEMING, EPC Global, said she is representing a not-for-
profit GS1 organization that works on international standards
for RFID applications. Industries that participate in the
standards development process include: aerospace, retail,
entertainment, defense, healthcare, chemical, pharmaceutical,
transportation and logistics. These industries use an electronic
product code (EPC), which is a type of RFID application. They
have unique numbers that are similar to a barcode. The number is
stored on an RFID tag that combines a silicone chip and
antennae. The EPC is read from the tag and can be associated
with data that's held in a secure database where it'd be
possible to find information like where an item originated or
the date it was produced. EPC data is about products not people
so the tags do not carry an individual's personal information.
They carry information related to a product.
MS. FLEMING said that EPC Global believes that EPC/RFID
technology is in its infancy. In the short term EPC/RFID
applications will be at the container, case, and pallet level.
Wide scale item tagging applications are years away. RFID
technology can be used for many different applications and it
gives more information about a product than a barcode. In the
future the extra information could help expedite all steps in
the supply chain from manufacturing to checkout. Consumers will
benefit from increased product availability and faster more
efficient product recalls. Food safety is another potential
benefit because the EPC allows manufacturers and retailers to
monitor production, expiration dates, and temperature control to
ensure food freshness. EPC can also reduce product
counterfeiting.
MS. FLEMING said that the next several years will be crucial to
the development of the technology. Laws requiring specific types
of notice, written consent, or deactivation at the point of sale
could stifle innovation and delay potential benefits to
consumers and businesses in Alaska and elsewhere. Specific
legislation regulating the technology isn't flexible and could
negatively impact advancements of EPC and RFID as new post-
purchase benefits and uses are uncovered. She urged the
committee to be prudent and pragmatic in considering measures
that regulates this technology.
CHAIR FRENCH asked if EPC is a particular sort of RFID that her
organization uses.
MS. FLEMING said yes.
CHAIR FRENCH asked if the organization members use EPC in supply
chain management or at point of sale where there is contact with
an individual consumer.
MS. FLEMING said currently the technology is used at the case
and pallet level. Item level tagging is probably years in the
future, but there may be item level tagging pilot programs where
consumers would have direct contact.
2:06:09 PM
CHAIR FRENCH asked if she's concerned with any particular part
of the bill.
MS. FLEMING expressed concern with the notice section, the
consent section, and the deactivation at the point of sale
section.
SENATOR WIELECHOWSKI said he doesn't understand why stores would
oppose this because from his perspective the bill is trying to
prevent people from having RFID used in ways they don't agree
with.
MS. FLEMING explained that stores have consumer guidelines that
member companies agree to. That includes providing notice and
giving the consumer choices about how the RFID tag is used. With
regard to notice, the issue is that if Alaska has specific
tagging requirements that would present problems for members
that have a global supply chain. At this point there's really no
effective means for retailers to automatically deactivate EPC
tags at the point of sale. For the most part any tag a consumer
comes into contact with would be on the packaging so the
consumer could just throw that away, she said.
MS. FLEMING agreed with Mr. Fulton's statement that other states
have proposed lots of RFID legislation, but there hasn't been
any comprehensive bill like SB 293 that's been passed. The
Washington State legislation originally looked like SB 293, but
it was changed to look at the behavior of people who were using
RFID for illegal means.
2:09:22 PM
CHAIR FRENCH commented that this issue cries out for a federal
solution. He asked if anything is happening at that level.
MS. FLEMING replied there was a hearing about this technology
about three years ago but she hasn't heard of any legislation
since that time. A Senate caucus does meet to discuss technology
and where it's going.
SENATOR McGUIRE said this is an opportunity for Alaska to be a
leader. With respect to the bills that have been introduced but
have gone nowhere, she said it's because of the tremendous
pressure that lobbyists apply. We tried to do this quietly to
"get out ahead of it and get it as far as we possibly could
because we knew that the pressure would come down from the
different companies." Clearly it's in their best interest to do
what they want with respect to collecting and using personal
data. As policy makers it's in our best interest to look out for
our constituents, she said. For the most part they're completely
unaware that their information is being collected and used. She
suggested EPC Global think about adopting an international
policy that strikes a balance between the consumer and those
that want to make money off the consumer
2:11:35 PM
MELISSA NGO, Senior Counsel at the Electronic Privacy
Information Center (EPIC) in Washington D.C. said she submitted
written testimony. EPIC is a non partisan public interest
research organization that was established in 1994 to focus
attention on emerging civil liberties issues. EPIC has
considerable expertise on RFID technology and has testified
about security problems before Congress and state legislatures
and has submitted detailed analyses on FRID programs to
different federal agencies. This technology is increasing
rapidly. It is currently used in easy pass highway systems,
passports, university ID cards, credit and debit cards, and in
addition to supply chain management. As this technology is
increasingly used it's important to be aware of the many
problems inherent in using this technology. If security isn't
adequate, RFID tags are remotely and secretly readable. In fact,
last week the Dutch government reported an RFID security breach
because several researchers were able to hack into the system.
Worldwide there are 1 billion cards using these RFID chips
including government building access cards and the Boston
transportation system. Hacking into the system allows criminals
to clone the cards. RFID technology for supply chain management
has never been controversial, but once it's used to attach an
identifier and create a profile on a person there's a problem.
2:14:55 PM
MS. NGO said that EPIC strongly supports SB 293 but it can be
improved. The most important way is to address unique
identifiers that are linked to databases containing personally
identifiable information. Although companies have opposed this
regulation, it should be included in the bill because the misuse
of unique identifiers could be as risky as the misuse of Social
Security numbers. Also, EPIC recommends an enforcement provision
through a private right of action as well as through the
attorney general, stronger provisions on deactivation of tags
including permanent deactivation, and clear and prominent
labeling of RFID readers and transponders.
MS. NGO said she agrees with the sponsor that Alaska should be a
leader in protecting consumers from misuse of RFID technology.
2:17:00 PM
CHAIR FRENCH referred to the consent provisions on page 2, lines
22-25, and asked Ms. Bannister if the language is specific
enough to capture the idea that the consumer would know what
information is being disclosed.
2:17:55 PM
THERESA BANNISTER, Legislative Counsel, Legislative Legal and
Research Services Division, Legislative Affairs Agency, said the
bill doesn't specify what information is being disclosed, what
is transmitted, or what's on item itself. It does indicate that
it is personal information and the definitions section of the
bill indicates what personal information means.
CHAIR FRENCH asked if she could draft an amendment that captures
that idea.
2:18:54 PM
MS. BANNISTER said she's been working on a conceptual amendment
to Sec. 45.48.020, on page 2, line 23.
CHAIR FRENCH moved conceptual Amendment 1.
Conceptual Amendment 1
Page 2, line 23, following "consumer":
Insert ", identify the type of personal information
that is contained on or that may be scanned or read
from the electronic communication device,"
Finding no objection, he announced that Conceptual Amendment 1
is adopted.
CHAIR FRENCH closed public testimony. Finding no further
discussion, he asked for a motion.
2:21:49 PM
SENATOR McGUIRE motioned to report amended version E CS for SB
293 from committee with individual recommendations and attached
fiscal note(s).
CHAIR FRENCH announced that CSSB 293(JUD) is moved from
committee.
| Document Name | Date/Time | Subjects |
|---|