This piece originally appeared on the ACLU of Northern California's blog.
If someone tried to sell you security software that was ten years old, would you buy it? Of course, it wouldn’t make sense to spend money on something that’s now outdated and vulnerable. Just like it doesn’t make sense for California to spend millions on driver’s licenses that come with unencrypted computer chips – especially when you consider that those chips have been widely recognized as insecure for over a decade.
Unfortunately, the California legislature passed a bill that would do just that.
If Gov. Brown doesn’t veto SB 249 (Hueso), the California Department of Motor Vehicles will issue “enhanced” driver’s licenses (EDLs) that use unencrypted computer chips called Radio Frequency Identification (RFID) tags.
Experts warned that this technology was insecure ten years ago, when the Department of Homeland Security (DHS) under President Bush first introduced these licenses. Back then, DHS admitted that the personal information stored in these chips could be read from a distance of up to 30 feet.
In fact, a security researcher built a reader with $250 in spare parts, drove around downtown San Francisco, and proved how easy it is to read and copy these documents – without anyone ever knowing or even suspecting their information was being skimmed.
Sound creepy? That’s because it is. This technology is a dream come true for identity thieves and stalkers, and a civil liberties nightmare for Californians concerned about government intrusion and tracking.
Proponents of these EDLs are pitching these licenses as a way to speed up border crossings. But that is an empty promise when the state can’t control border wait times, and SB 249 fails to ensure that EDLs have even the most basic privacy and security safeguards included in a U.S. passport and modern smartchip credit cards. These days even smartphone messages are encrypted. Should your driver’s license be less protected than your text messages?
The bill would also give any employer in the state the green light to make EDLs a job requirement even if the licenses are not job-related. This would allow an employer to fire or refuse to hire those who are unwilling to put their personal privacy at risk or anyone not eligible for an EDL, such as noncitizens or those that don’t pass a federal background check.
For this reason, and many others, the ACLU of California and numerous other organizations across the political spectrum have expressed significant privacy and safety concerns.
Other states have rightly refused to adopt EDLs. There is no reason why California should settle for this unnecessary, outdated and risky technology.