State bill would turn RFID researchers into felons

The sponsor of a controversial bill before the Nevada legislature has promised to introduce amendments after security experts and civil libertarians warned it would make felons of people studying privacy threats involving RFID, or radio frequency identification.

In its present form, Senate Bill 125 (PDF) would make it a felony for anyone to possess, read or capture the personally identifying RFID information of others without their consent. Without changes, the legislation would prevent the testing and demonstrating of RFID weaknesses in a state that hosts Defcon and Black Hat, the biggest hacker conference and one of the biggest security conferences respectively.

State Senator David Parks, the original sponsor of the bill, said he intends to amend the bill on Monday to exempt people carrying out "legitimate research." Security experts say that is important because the bill as it's now written would seriously impinge on their ability to test the security of RFID in real-world scenarios.

"The ability to be able to take this RFID technology into the real world and actually show it to people is pretty crucial because there is a lot of misunderstanding about the technology and people need practical demonstrations of things in order to understand the weaknesses in it," said Chris Paget, who last month demonstrated a low-cost mobile platform that can clone large numbers of unique RFID tags embedded in US passport cards and next generation drivers licenses. "It definitely needs an exception."

Paget's $250 RFID war-driving device managed to clone three passport card RFID tags during a 20-minute drive in downtown San Francisco. The exercise was legal because it was conducted in California, where an anti-skimming measure that became law last year expressly exempts skimming "in the course of an act of good faith security research, experimentation, or scientific inquiry."

The safe-harbor provision was added after the Electronic Frontier Foundation and the American Civil Liberties Union of Northern California pushed for it. Lee Tien, a senior staff attorney for the EFF, said a similar exemption is needed in Nevada as well.

"Because the privacy risks of RFID include the likelihood that malevolent entities will 'skim' individuals' RFID-enabled devices in public places without their knowledge, it is important that security researchers be able to lawfully demonstrate that these vulnerabilities exist in real-world settings – not only in controlled conditions," he wrote in a letter sent to the Senator Terry Care, Chairman of the Senate Judiciary Committee, where the bill will be introduced Monday.

Nevada is one of a handful of states with a legislature that meets only once every two years. That means legislation often moves very quickly with little opportunity for changes.

"We have a politically realistic window of Monday morning at 9 am in Carson City to let the legislators know that there is a major problem with this bill," said Ira Victor, president of the Sierra Nevada chapter of InfraGard, which acts as a liaison between the FBI and private enterprise to protect cybersecurity and critical infrastructure.

That's 9am Nevada time. The hearing is expected to be viewable by webcast at this link. ®