IoT Security Blog

Articles and Posts on IoT Security, Embedded Systems, and the Internet of Things

Washington State RFID Bill Provides Exception for Security Research

Contributed by Joanne C. Kelleher

Washington State Bill HB 1011, Regulating the use of identification devices by governmental and business entities, was signed into law last week by the governor. See http://apps.leg.wa.gov/billinfo/summary.aspx?bill=1011&year=2009.

An “identification device” is defined as an item that uses radio frequency identification technology or facial recognition technology. A governmental or business entity may not remotely read an identification device using radio frequency identification technology for commercial purposes, unless that governmental or business entity, or one of its affiliates, is the same governmental or business entity that issued the identification device.

There are several exceptions, such as when the individual initiates the reading (e.g., a contactless credit card); for emergency, law enforcement, and medical situations; or in the course of an act of good faith security research, experimentation, or scientific inquiry including, but not limited to, activities useful in identifying and analyzing security flaws and vulnerabilities.

This follows Washington State bill HB 1031, passed in March 2008, which states that a person that intentionally scans another person’s identification device remotely, without that person’s prior knowledge and prior consent, for the purpose of fraud, identity theft, or for any other illegal purpose, shall be guilty of a class C felony. Last year’s bill did not have any exceptions for unintentional skimming or for research purposes.

More details are in the RFID Journal article – Washington State Adopts Second RFID Privacy Law.