SB 293-ELECTRONIC COMMUNICATION DEVICES  CHAIR FRENCH announced the consideration of SB 293. Before the committee was CSSB 293(L&C). TREVOR FULTON, Staff to Senator McGuire, said SB 293 is intended to protect personal and consumer privacy and to nip the potential for identity theft in the bud. The bill does this by regulating the use of radio frequency identification detector (RFID) technology in the state of Alaska. 1:39:40 PM MR. FULTON explained that RFID is wireless technology that includes three elements: a tag that has an antenna that is capable of transmitting data; a reader that receives data transmitted by the tag; and a database that stores the information that's exchanged. Common RFIDs include employee access passes, payment cards that don't require swiping, toll passes, and pet implants. Those sorts of RFIDs are good for the consumer and they won't be negatively impacted by this bill, he said. MR. FULTON said that some less overt examples of RFIDs are U.S. Food and Drug Administration approved tags that can be implanted in humans and contain patient records for use in hospitals. RFID tags are also being used to track the movement of products from the manufacturer to the retailer and points in between. RFIDs bring convenience but it could be at the cost of security, which is why SB 293 was introduced. Private information such as bank account numbers, Social Security numbers, driver's license numbers, or health records that are transmitted by RFID tags and stored in RFID databases can leave consumers vulnerable to identity theft. SB 293 seeks to minimize vulnerability and protect personal and consumer privacy by regulating the use of RFID technology in the state of Alaska. As RFID use becomes more widespread it will become increasingly important that consumers are informed about products that carry RFID tags, that businesses obtain consumer consent to using this technology, and that minimum security standards are adopted for RFID use. Currently there are no minimum standards for encryption technology used to relay personal information from a tag to a reader or for securing information that's stored in databases either. SB 293 aims to set standards for both. 1:44:37 PM MR. FULTON said that SB 293 establishes RFID regulations where none currently exist. It prohibits scanning or reading an RFID tag without the consumer's consent and it establishes that misuse of RFID devices would be an unfair trade practice. SB 293 is proactive and aims to stay ahead of those who would misuse this growing technology. He asked the committee to reflect on how being more proactive about protecting consumer and personal information 10 years ago might have lessened the epidemic of identity theft that's seen today. 1:46:34 PM CHAIR FRENCH referred to page 1, line 7, and asked if the provider of an RFID is the manufacturer. For example, HID Corporation is the provider for the capitol building RFIDs. MR. FULTON clarified that the business or office that issued the RFID would be considered the provider. CHAIR FRENCH referred to page 5, lines 28-29, that defines a provider as a person who sells, offers to sell, or issues an electronic communication device. He asked if the bill allows the consumer to know how much personal information is stored on the RFID tag they're carrying around. MR. FULTON directed attention to page 3, line 31, through page 4, line 2, that says, "an electronic or written record; the record must, at a minimum, clearly and conspicuously state the provider's privacy policy and the manner in which information relating to the consumer will be collected and disseminated;". SENATOR McGUIRE noted that page 2, lines 20-25, relate to consent. It says that the consumer shall be notified that the RFID transmits personal information and the consumer must give consent. But if it needs to be clearer then let's do so, she said. CHAIR FRENCH commented that he'd think twice about using an RFID card if he knew that his bank account number, driver's license number, and Social Security number was on that card. 1:50:47 PM MR. FULTON said that's a good point and he believes the sponsor would be happy to amend the bill to make that clear. CHAIR FRENCH said Section 45.48.020 is close and adding a word or two would tighten it up. SENATOR THERRIAULT commented that part of the concern relates to knowing what information your card is transmitting. That needs to be spelled out because a person may want to destroy or never accept a card that has too much personal information on it. SENATOR McGUIRE said that's the point of the bill. Although there are some very good uses for RFID technology, she believes that many Alaskans are unaware that their personal information is being collected and used. This is really more about information, she said. 1:52:33 PM CHAIR FRENCH noted that the "Stanford Technology Law Review" article was useful and he was surprised to learn how easy it is for some people to read information on passports and other documents that he thought were highly secure. He asked if any financial transactions have been intercepted using technology that captures RFID transmissions. MR. TREVOR replied he doesn't have documented examples, but it probably is occurring. The problem is that it's difficult to determine how identity theft occurs. It could be from RFID transmissions or from digging in someone's trash, or from stolen mail. CHAIR FRENCH asked to what extent RFIDs are used commercially in Alaska. MR. TREVOR replied it's difficult to quantify, but it's a growth industry worldwide. In 2006 there were about 1.3 billion RFIDs worldwide and the following year there were over 4 billion. SENATOR McGUIRE added that this bill will help to figure that out. CHAIR FRENCH asked if there is any opposition to the bill. MR. TREVOR replied two people spoke in opposition to the bill in the last committee; one was from EPC and the other was from the American Electronics Association. 1:55:16 PM SENATOR THERRIAULT asked if some of the 4 billion RFIDs he mentioned are for tracking products which wouldn't present any sort of security risk. MR. TREVOR said that's correct; most are probably used in supply chain management that has nothing to do with individuals. The scope of this bill is to address RFID devices that transmit personal information. 1:56:31 PM SENATOR THERRIAULT asked how the transmitting tag works. MR. TREVOR explained that there are two basic types of RFID devices - active and passive. Active RFID devices are larger, contain a power source, transmit a signal continuously, and transmit longer distances. Passive RFID devices are smaller and don't have a power supply. They use energy that's transmitted from the reader to create a signal and send it back to the reader. CHAIR FRENCH commented that most RFIDs must vary with regard to strength. For example, his capitol building RFID must be fairly close to the reader for it to unlock the door, but it's not necessary to get that close with toll booth easy passes. MR. TREVOR said that's a good example of the difference between a passive tag and an active tag. All toll passes are active so they transmit a signal all the time. 1:58:28 PM SENATOR McGUIRE highlighted the document summarizing the changes made in the L&C committee. CHAIR FRENCH asked if the bill is based on draft legislation from another state. MR. TREVOR replied it's based on legislation from Washington State. He added that in the last several years over 50 pieces of RFID legislation have been drawn up in 27 different states. CHAIR FRENCH opened public testimony. 2:00:10 PM ALLISON FLEMING, EPC Global, said she is representing a not-for- profit GS1 organization that works on international standards for RFID applications. Industries that participate in the standards development process include: aerospace, retail, entertainment, defense, healthcare, chemical, pharmaceutical, transportation and logistics. These industries use an electronic product code (EPC), which is a type of RFID application. They have unique numbers that are similar to a barcode. The number is stored on an RFID tag that combines a silicone chip and antennae. The EPC is read from the tag and can be associated with data that's held in a secure database where it'd be possible to find information like where an item originated or the date it was produced. EPC data is about products not people so the tags do not carry an individual's personal information. They carry information related to a product. MS. FLEMING said that EPC Global believes that EPC/RFID technology is in its infancy. In the short term EPC/RFID applications will be at the container, case, and pallet level. Wide scale item tagging applications are years away. RFID technology can be used for many different applications and it gives more information about a product than a barcode. In the future the extra information could help expedite all steps in the supply chain from manufacturing to checkout. Consumers will benefit from increased product availability and faster more efficient product recalls. Food safety is another potential benefit because the EPC allows manufacturers and retailers to monitor production, expiration dates, and temperature control to ensure food freshness. EPC can also reduce product counterfeiting. MS. FLEMING said that the next several years will be crucial to the development of the technology. Laws requiring specific types of notice, written consent, or deactivation at the point of sale could stifle innovation and delay potential benefits to consumers and businesses in Alaska and elsewhere. Specific legislation regulating the technology isn't flexible and could negatively impact advancements of EPC and RFID as new post- purchase benefits and uses are uncovered. She urged the committee to be prudent and pragmatic in considering measures that regulates this technology. CHAIR FRENCH asked if EPC is a particular sort of RFID that her organization uses. MS. FLEMING said yes. CHAIR FRENCH asked if the organization members use EPC in supply chain management or at point of sale where there is contact with an individual consumer. MS. FLEMING said currently the technology is used at the case and pallet level. Item level tagging is probably years in the future, but there may be item level tagging pilot programs where consumers would have direct contact. 2:06:09 PM CHAIR FRENCH asked if she's concerned with any particular part of the bill. MS. FLEMING expressed concern with the notice section, the consent section, and the deactivation at the point of sale section. SENATOR WIELECHOWSKI said he doesn't understand why stores would oppose this because from his perspective the bill is trying to prevent people from having RFID used in ways they don't agree with. MS. FLEMING explained that stores have consumer guidelines that member companies agree to. That includes providing notice and giving the consumer choices about how the RFID tag is used. With regard to notice, the issue is that if Alaska has specific tagging requirements that would present problems for members that have a global supply chain. At this point there's really no effective means for retailers to automatically deactivate EPC tags at the point of sale. For the most part any tag a consumer comes into contact with would be on the packaging so the consumer could just throw that away, she said. MS. FLEMING agreed with Mr. Fulton's statement that other states have proposed lots of RFID legislation, but there hasn't been any comprehensive bill like SB 293 that's been passed. The Washington State legislation originally looked like SB 293, but it was changed to look at the behavior of people who were using RFID for illegal means. 2:09:22 PM CHAIR FRENCH commented that this issue cries out for a federal solution. He asked if anything is happening at that level. MS. FLEMING replied there was a hearing about this technology about three years ago but she hasn't heard of any legislation since that time. A Senate caucus does meet to discuss technology and where it's going. SENATOR McGUIRE said this is an opportunity for Alaska to be a leader. With respect to the bills that have been introduced but have gone nowhere, she said it's because of the tremendous pressure that lobbyists apply. We tried to do this quietly to "get out ahead of it and get it as far as we possibly could because we knew that the pressure would come down from the different companies." Clearly it's in their best interest to do what they want with respect to collecting and using personal data. As policy makers it's in our best interest to look out for our constituents, she said. For the most part they're completely unaware that their information is being collected and used. She suggested EPC Global think about adopting an international policy that strikes a balance between the consumer and those that want to make money off the consumer 2:11:35 PM MELISSA NGO, Senior Counsel at the Electronic Privacy Information Center (EPIC) in Washington D.C. said she submitted written testimony. EPIC is a non partisan public interest research organization that was established in 1994 to focus attention on emerging civil liberties issues. EPIC has considerable expertise on RFID technology and has testified about security problems before Congress and state legislatures and has submitted detailed analyses on FRID programs to different federal agencies. This technology is increasing rapidly. It is currently used in easy pass highway systems, passports, university ID cards, credit and debit cards, and in addition to supply chain management. As this technology is increasingly used it's important to be aware of the many problems inherent in using this technology. If security isn't adequate, RFID tags are remotely and secretly readable. In fact, last week the Dutch government reported an RFID security breach because several researchers were able to hack into the system. Worldwide there are 1 billion cards using these RFID chips including government building access cards and the Boston transportation system. Hacking into the system allows criminals to clone the cards. RFID technology for supply chain management has never been controversial, but once it's used to attach an identifier and create a profile on a person there's a problem. 2:14:55 PM MS. NGO said that EPIC strongly supports SB 293 but it can be improved. The most important way is to address unique identifiers that are linked to databases containing personally identifiable information. Although companies have opposed this regulation, it should be included in the bill because the misuse of unique identifiers could be as risky as the misuse of Social Security numbers. Also, EPIC recommends an enforcement provision through a private right of action as well as through the attorney general, stronger provisions on deactivation of tags including permanent deactivation, and clear and prominent labeling of RFID readers and transponders. MS. NGO said she agrees with the sponsor that Alaska should be a leader in protecting consumers from misuse of RFID technology. 2:17:00 PM CHAIR FRENCH referred to the consent provisions on page 2, lines 22-25, and asked Ms. Bannister if the language is specific enough to capture the idea that the consumer would know what information is being disclosed. 2:17:55 PM THERESA BANNISTER, Legislative Counsel, Legislative Legal and Research Services Division, Legislative Affairs Agency, said the bill doesn't specify what information is being disclosed, what is transmitted, or what's on item itself. It does indicate that it is personal information and the definitions section of the bill indicates what personal information means. CHAIR FRENCH asked if she could draft an amendment that captures that idea. 2:18:54 PM MS. BANNISTER said she's been working on a conceptual amendment to Sec. 45.48.020, on page 2, line 23. CHAIR FRENCH moved conceptual Amendment 1. Conceptual Amendment 1  Page 2, line 23, following "consumer": Insert ", identify the type of personal information that is contained on or that may be scanned or read from the electronic communication device," Finding no objection, he announced that Conceptual Amendment 1 is adopted. CHAIR FRENCH closed public testimony. Finding no further discussion, he asked for a motion. 2:21:49 PM SENATOR McGUIRE motioned to report amended version E CS for SB 293 from committee with individual recommendations and attached fiscal note(s). CHAIR FRENCH announced that CSSB 293(JUD) is moved from committee.