A proposed bill in the Nevada State Legislature would make it a crime to do legitimate research on security weaknesses in radio frequency identification, the Electronic Frontier Foundation said on Friday.
The bill, S.B. 125, would make it a Class 3 felony, punishable by up to five years in prison and a $10,000 fine, to possess, read, or capture another person's personal identifying information through RFID.
The measure is scheduled to be discussed Monday morning in the Nevada Senate Judiciary Committee in Carson City, Nev. The hearing will be Webcast.
The EFF hasn't taken a formal position on the measure because attorneys haven't yet had time to analyze it thoroughly, but the group is concerned about its unintended consequences, said Lee Tien, a senior staff attorney at EFF. The nonprofit civil rights group is concerned that the bill will quash legitimate research and land innocent people in jail.
When RFID companies and government proponents of the technology make claims about privacy protections, often the only way to disprove those claims is to test the technology in real-world demonstrations, Tien said.
In a letter to the Nevada Senate Judiciary Committee sent Thursday, Tien wrote that the bill in its current form does not protect information security research.
"Because the privacy risks of RFID include the likelihood that malevolent entities will 'skim' individuals' RFID-enabled devices in public places without their knowledge, it is important that security researchers be able to lawfully demonstrate that these vulnerabilities exist in real-world settings--not only in controlled conditions," he wrote.
California's recently enacted anti-skimming law, S.B. 31, contains a safe harbor provision for researchers, Tien noted.
The Northern Nevada chapter of Infragard, a public-private cybersecurity partnership, opposes the measure, said Ira Victor, president of the group.
"Not only is it already a felony to hack and steal someone's personally identifiable data," but the measure would make some of the presentations at the Defcon and Black Hat security conferences held in Las Vegas every year illegal, said Victor.
One person at risk would be security researcher Chris Paget, of IOActive, who demonstrated the security risks of RFID to The Register earlier this month. A video shows Paget driving around downtown San Francisco grabbing data from random RFID-based passport cards and cloning them.
RFID has proved to be a controversial research area, with security experts saying the technology, in general, does not have adequate security protections.
In 2007, Paget pulled his demonstration of a device that could clone RFID-enabled proximity badges from his presentation at the Black Hat DC Training conference after getting legal threats from the chipmaker. Paget gave a redacted version of his presentation.
An RFID technology provider unsuccessfully took Dutch researchers to court over their research last year. And the Massachusetts Bay Transportation Authority stopped three MIT students from presenting their RFID security research at Defcon last summer, but a court ruled later that they should be allowed to go public with their findings.