BILL ANALYSIS �Ó
SB 249
Page 1
Date of Hearing: September 8, 2015
ASSEMBLY COMMITTEE ON JUDICIARY
Mark Stone, Chair
SB
249 (Hueso) - As Amended September 4, 2015
As Proposed to be Amended
SENATE VOTE: 36-3
SUBJECT: Vehicles: enhanced driver's license
KEY ISSUE: Should the Department of Motor Vehicles enter into a
memorandum of understanding with the federal government in order
to issue, to drivers who opt to obtain them, an "enhanced
driver's license," which uses "RFID" CHIP Technology to
facilitate movement across the california-mexico border?
SYNOPSIS
This bill would authorize the Department of Motor Vehicles (DMV)
to enter into a Memorandum of Understanding with the federal
government to issue "enhanced driver's licenses" (EDL) that
would effectively serve as both a driver's license and a
passport to persons who request them. Pursuant to the federal
Western Hemisphere Travel Initiative (WHTI), persons entering
the United States by land or sea from Canada, Mexico, Bermuda,
�
SB 249
Page 2
or the Caribbean must present a passport, EDL, or some other
official document that proves identity or citizenship. Before
9-11, land travel across borders, especially between the U.S.
and Canada, tended to informal. However, more rigorous
enforcement since 9-11 has slowed border crossings and led to
longer wait lines. To reduce congestion, WHTI authorized the
use of EDL and the U.S. Customs and Border Protection created
"Ready Lanes" for persons possessing an EDL. Under WHTI, and
rules promulgated by the Department of Homeland Security (DHS),
states bordering Mexico and Canada may enter into agreements
with DHS to allow issuance of EDL that meet certain criteria,
including the use of radio frequency identification (RFID)
technology. Proponents of this bill, mostly business groups and
local officials from Southern California and Northern Mexico,
argue that this measure will reduce wait times and facilitate
cross-border travel and trade. Opponents contend that
RFID-enabled documents, which can be read remotely, pose a
significant threat to personal privacy and could be
surreptitiously copied to allow unauthorized border crossings.
When the Committee heard a version of this bill in July of this
year, the author responded to privacy concerns by stressing the
voluntary nature of the program and noting that RFID-enabled
licenses will only contain a randomly-assigned number, not
personal information. However, for reasons detailed below,
recent amendments undermine those responses to privacy concerns.
The author will take amendments in this Committee to restore,
albeit partially, some of the earlier protections that were in
the bill. Privacy rights groups remain opposed.
SUMMARY: Authorizes the Department of Motor Vehicles (DMV) to
enter into a Memorandum of Understanding with a federal agency
to allow DMV to offer an enhanced driver's license, as defined,
to applicants who request it. Specifically, this bill:
1)Makes various legislative findings and declarations regarding
traffic congestion and wait times at points of entry between
California and Mexico and the potentially negative impact of
�
SB 249
Page 3
these wait times on international trade, travel, and commerce.
States that it is the intent of the Legislature that
employers be prohibited from requiring employees to obtain an
EDL as a condition of employment or retaliating against
employees who refuse to obtain an EDL.
2)Authorizes the DMV to enter into a Memorandum of Understanding
(MOU) for the purpose of issuing an enhanced driver's license,
provisional license, or identification card [hereafter EDL] to
a person who is at least 16 years of age, a resident of
California, and a citizen of the United States. Requires the
applicant to submit sufficient proof that meets the
requirements of the Western Hemisphere Travel Initiative to
establish his or her identity, residency, and citizenship.
3)Requires an applicant for an EDL to sign a declaration
acknowledging his or her understanding of radio frequency
identification (RFID) technology.
4)Requires the EDL to include reasonable security measures,
including the use of tamper-resistant features, to protect
against unauthorized duplication or disclosure of personal
information.
5)Requires DMV to provide the applicant with a protective shield
at the time the EDL is issued and inform the applicant that
information on the EDL may be read without the holder's
knowledge if the protective shield is not used.
6)Requires that RFID technology contain only a randomly assigned
number or employ other security measures deemed necessary by
the department that make any information on the EDL
unintelligible to an unauthorized reader. In any event the
radio frequency technology shall contain no more information
�
SB 249
Page 4
than is required by the United States Department of Homeland
Security requirements to permit a border crossing.
7)Requires an applicant for an EDL to have his or her photograph
and signature captured or reproduced by DMV at the time of
application or renewal.
8)Makes the facial image, signature, and copies or digital
images of any documents required for application exempt from
public records request.
9)Permits DMV to deny an application for an EDL if it is not
satisfied with the genuineness of the applicant's supporting
materials, subject to the applicant's right to appeal the
denial, as specified.
10) Requires an applicant for an EDL to pay a fee, as set by the
DMV but not to exceed $55, and provides that fees shall be
deposited in an account and to be used by DMV to implement the
provisions of this bill.
11)Requires DMV to make an annual report to relevant legislative
committees, as specified.
EXISTING LAW:
1)Requires DMV, upon proper application, to issue driver's
licenses and identification cards.
2)Authorizes, under the federal Western Hemisphere Travel
Initiative, the use of EDLs to prove identity and citizenship
�
SB 249
Page 5
for purposes of traveling between the United States, Canada,
Mexico, Bermuda, and the Caribbean, so long as the EDL meets
specified requirements, including radio frequency
identification (RFID) that signals a secure government data
base maintained by the United States Customs and Border
Protection. (Public Law 110-53.)
FISCAL EFFECT: As currently in print this bill is keyed fiscal.
COMMENTS: The Western Hemisphere Travel Initiative (WHTI)
represents a joint effort by the Department of Homeland Security
(DHS) and United States Customs and Border Protection (CBP) to
implement provisions of the Intelligence Reform and Terrorism
Prevention Act (IRTPA) of 2004. As of January 1, 2009, WHTI
began requiring U.S. citizens traveling between the U.S. and
Canada, Mexico, Bermuda, and the Caribbean by land or sea to
present a valid U.S. Passport or another WHTI-compliant
document. Among the accepted documents are passports, a U.S.
passport card, Trusted Traveler Program cards (NEXUS, FAST, or
SENTRI), or an enhanced driver's license (EDL). Before 9-11,
land travel across borders, especially between the United States
and Canada, tended to be informal and less rigorous, with border
agents often accepting a birth certificate or even a person's
verbal affirmation of citizenship. However, more rigorous
enforcement and new requirements under IRTPA slowed border
crossings and led to longer wait lines. In an effort to reduce
this congestion, WHTI authorized the use of EDLs (including
state-issued identification cards), and the CBP created "Ready
Lanes" dedicated to travelers with RFID-enabled travel
documents. The goal of the EDL program is to strengthen border
security and facilitate ease of entry into the United States for
U.S. Citizens, especially those driving across the border on a
regular basis.
Federal law requires that any border state wishing to adopt EDLs
�
SB 249
Page 6
must first sign a Memorandum of Understanding (MOU) with DHS.
So far at least four states - Vermont, New York, Michigan, and
Washington - have enacted authorizing legislation and already
have EDLs in place. New York was the first state to sign an MOU
in 2007.
In other states the program has been a success. For example,
the New York State DMV reports that over 100,000 persons have
availed themselves of the new licenses, especially in upstate
New York, near the Canadian border. In addition to decreasing
overall wait times for travelers, EDL holders often use
RFID-enabled "Ready Lanes" created by CBP. According to other
states' DMV websites, use of RFID allows border patrol agents to
pull up a person's information and photograph immediately
without having to collect paper documents, inspect them, and
then key in any required information. All of this is done
automatically when the traveler holds the EDL in front of the
RFID reader. The system does not allow the EDL holder to simply
pass through, as in the case, for example, with FasTrak; the
border patrol agents must still make a visual identification
with the accessed photograph and may ask questions or inspect
the EDL.
This bill would permit California citizens traveling across the
California-Mexico border to take advantage of this more
convenient and time-saving process. According to the author,
the idea for this bill grew out of his experience as Chair of
the Select Committee on California-Mexico-Bi-National Affairs,
where he became aware of the significant impact of border wait
times on our state's economy. Indeed, the author provided the
Committee with a 2007 report suggesting that long wait times
slow commerce and discourage personal trips across the
California-Mexico border. The report claims that delays at the
border at the San Ysidro, Otay Mesa, and Tecate points-of-entry
result in the loss of millions of dollars (and even billions) in
lost revenue and tens of thousands of jobs in the San Diego-Baja
region. (San Diego Association of Governments and the
�
SB 249
Page 7
California Department of Transportation, 2007 Update to Economic
Impacts of Wait Times at the San Diego-Baja California Border:
Final Report.) Not surprisingly, many of the supporters of this
bill represent chambers of commerce and local officials who
believe that shorter wait times and more travel across the
border will translate into more trade and tourism. In addition
to these economic benefits, the author also believes that this
bill will allow persons who regularly cross the border to make
use of the RFID-enabled "Ready Lanes."
Under the MOU authorized by this bill, the DMV could only issue
an EDL to a person who requests it and is willing to pay the
designated fee. Although many of the details of the program
would presumably be specified in the MOU, the bill nonetheless
sets forth a number of specific requirements that the MOU must
contain. For example, the bill would specify that the RFID
technology must only contain a random number or, if it contains
other information, the EDL must employ other security measures
that render the information unintelligible to an unauthorized
reader. All of the states that have adopted EDL to this point
apparently use only the randomly assigned number on the RFID
chip. The border patrol matches this random to the personal
information already in a database. Presumably, a California EDL
would similarly contain only a random number, but the bill, as
recently amended, would potentially allow the EDL to contain
other information, including personal information, so long as it
is rendered unintelligible to an unauthorized user and so long
as the license contains no more information that is required to
permit a border crossing. The bill requires DMV to employ other
reasonable security measures, including a shield that would
prevent interception by an unauthorized reader. EDL applicants
must acknowledge their understanding of RFID technology and be
informed that the information on the card or license may be read
remotely without the holder's knowledge if the EDL is removed
from the protective shield. The DMV websites of other states
indicate that these protections are standard practice.
�
SB 249
Page 8
Finally, the bill also sets forth requirements for applying for
an EDL. In addition to paying a fee not to exceed $55 and
submitting documents proving identity and citizenship,
applicants would also be required to agree to have their
photograph and signature captured by DMV at the time of
application or renewal. The bill exempts the photograph,
signature, or other required documents from required disclosure
under the Public Records Act. Finally, the bill seeks to make
the program self-funding. Proceeds from the application fee
will be deposited into the Enhanced Driver's License and
Identification Subaccount, which DMV will use to implement the
program.
Privacy Concerns Surrounding the use of RFID. Much of the
concern relating to EDLs, and especially the DHS rule that they
include RFID technology, has focused on potential threats to
privacy. Despite some technical-sounding terminology, RFID
technology is fairly easy to understand. RFID "tags" or "chips"
can be embedded into objects, including documents, clothing,
pets, and even people. The RFID technology used in the EDL
typically consists of a microchip (that stores a randomly
assigned number) and one or more antennae. Remote "readers" can
read this tag via radio waves. The reader constantly emits
radio signals. As a person or object with an RFID tag moves
near the reader - the distance varies depending upon the device
- the antennae pick up the signal and transmit the number stored
on the RFID tag to the reader. Most RFID tags, and apparently
all of the ones used thus far for EDLs are "passive," meaning
they can only be activated by the reader's radio signal. Some
RFID tags are "active," meaning they can actively search out
readers in the area. In either case, an authorized reader with
access to a secure database can then match the number to the
holder's information in the database.
In some ways, RFID technology is a higher-tech version of bar
code and magnetic strip scanning. However, bar code and strip
scanning requires direct contact between the scanner and the
�
SB 249
Page 9
stored information (or at least the magnetic strip or barcode
must be in the direct line of sight of a laser). RFID readers,
on the other hand, can read the information stored on the RFID
tag remotely. Many of these, like the security badges used in
the Legislature, must be held within a few inches of the reader.
Some RFID readers, however, may read tags from distances of 30
feet or more, according to some studies. Experts disagree on
the potential range of RFID readers in the future, but as
technology advances it seems reasonable to assume that those
ranges will increase. However, the fact that RFID tags can be
read at any distance creates the possibility that information
stored on an identification document could be read remotely
without the holder's knowledge or consent.
Information Stored on the RFID Tag. Given that RFID tags can be
read at a distance, and potentially without the holder's
knowledge, the critical privacy concern relates to the kind of
information that is actually stored on the RFID tag and the
usefulness of that information to any unauthorized reader.
According to CBP and agency websites in the four states that
have adopted EDLs, the RFID chip only contains a randomly
assigned number that has no meaning until an authorized reader
matches the random number to information already in the secure
data base. The random number does not provide access to the
database; it only allows those who already have access to pull
up the EDL holder's data. Where EDLs have been used, personal
information does not appear on the card, and the random number,
therefore, is only useful to someone who already has access to
the database.
Even if the RFID tag contains only a random number, however,
privacy concerns do not necessarily stop there. For example,
privacy advocates claim that security measures must address more
than the ability of the reader to access intelligible
information from the tag; they must also address potential
security breaches along the entire transmission process from
tag, to reader, to computer database. Proponents of RFID, on
�
SB 249
Page 10
the other hand, claim that RFID applications are confined to a
closed system of authorized tags, readers, and databases within
that system. Even if outsiders with remote readers obtained
information from an RFID tag that "information" will typically
only consist of a random number that is only intelligible to
persons within the system or to those who can access that
system. If an unauthorized person has accessed a secure
government database, then clearly there is bigger problem than
the unauthorized reading of the random number on an RFID tag.
That number does not provide access to a database or make it
easier to hack the data base.
Opponents also contend that a random number can itself become a
piece of personally identifiable information, noting Civil Code
Section 1798.3, which defines "personal information" as "any
information that identifies or describes an individual."
Opponents note, for example, that the social security number was
originally a more or less random number that nonetheless has
become permanently associated with the person to which it was
assigned for the limited purpose of tracking social security
benefits. However, the danger that results from the
unauthorized disclosure of a social security number stems from
the fact that a social security number is used for
identification purposes in a variety of other contexts, such as
obtaining credit, opening a bank account, or applying for a job.
No one could use the random number on the EDL, as one could use
a social security number, to open a line of credit or otherwise
commit identity theft. The comparison between the random RFID
number and a social security number, therefore, is not
persuasive. In addition, according to the websites of the
states that have entered into MOUs with DHS, the EDL is issued
with a protective "sleeve" or "Faraday shield" that covers the
EDL and thereby prevents unauthorized reading of the RFID chip -
so long as the sleeve is in place.
RFID and Possible Border Security Concerns. Opponents also
contend that using RFID technology could pose security as well
�
SB 249
Page 11
as privacy risks. That is, even if an RFID reader cannot access
the secure data base it could potentially copy the random number
and use it to create a counterfeit license. According to the
ACLU of Washington State, studies suggest that such duplication
is possible. However, the bill appears to anticipate this
problem by specifying that security measures shall include the
protective sleeve. In addition, even if a counterfeit EDL were
made with the help of a surreptitious reader, the border patrol
must still visually determine that the person presenting the EDL
matches the photograph that is pulled up from the secure
database. Obviously there is no unassailable means of
preventing a determined person from making counterfeit EDLs,
just as there is no unassailable means of preventing that person
from obtaining counterfeit copies of regular driver's licenses
or passports or any other form of identification.
Recent Amendments Cause Concern: The Committee is hearing this
bill for a second time because of recent amendments that
eliminate some of the privacy and employee protections that were
added to earlier versions of the bill. Although opinions differ
on the extent to which the EDL will create privacy or security
risks, the author's strongest responses to privacy concerns
raised in the past were as follows: (1) the decision to obtain
an EDL is entirely voluntary; and (2) the only information that
the EDL will contain is a random number that is meaningless to
anyone other than an authorized reader who has access to the
relevant data base. Recent amendments undermined both of these
responses.
First, when the Committee heard the first iteration of this bill
(AB 2113 in 2012), the author agreed to amend the bill to
prohibit an employer from requiring an employee to obtain an EDL
as a condition of employment. The Committee felt, and the
author agreed, that this ran contrary to the author's desire
that the EDL program be strictly voluntary. When the present
bill was heard by the Senate Judiciary Committee earlier this
year, that Committee recommended, and the author agreed, to add
�
SB 249
Page 12
enforcement provisions to the employer prohibition. Recent
amendments removed the entire subdivision setting forth these
employee protections. As noted below, the author has agreed to
amend the bill again in this Committee to clarify that it is the
Legislature's intent to prohibit employers from both requiring
employees to obtain an EDL as a condition of employment and
taking adverse action against an employee who refuses to obtain
an EDL. While the author realizes that intent language is not
binding in the same manner as statutory language, he notes that
this bill merely permits DMV to enter into a memorandum of
understanding and, as such, it will be some time before EDLs are
issued. The bill now requires DMV to consult with interested
parties, including privacy rights groups and employers, among
others, before entering into the MOU. Once the MOU is approved
by the federal government, there will still be some amount of
time before the EDLs would become available. State law could be
enacted to place restrictions on the use of EDLs in the future.
Therefore, according to the author, there is no urgent need to
address the respective rights of employers and employees at this
time.
In addition to the employee protections, the prior versions of
this bill contained a number of security provisions suggested by
privacy rights groups, including, most notably, that the EDL
only contain a randomly assigned number and that it not contain
any other personal information. The most recent amendments
removed these protections. Specifically, the recent amendments
eliminated the requirement that the EDL contain only an
encrypted random number and replaced that provision with a
requirement that the EDL contain only as much information as
required by DHS to permit a border crossing. This means,
contrary to the amendments previously negotiated and agreed to,
the RFID technology on the EDL could, in fact, contain personal
information. This could apparently include, at minimum, a name,
photograph, and passport information. In short, if the RFID
technology did not contain a random number used to match the
personal information in the data base, then the EDL would
presumably include personal information on the license or card.
�
SB 249
Page 13
PROPOSED AUTHOR AMENDMENTS: In an effort to restore some of the
privacy and employee protections that were in the version of
this bill when it was heard and approved by the Committee, the
author has agreed to take the following amendments:
In the Section 1 findings and declarations, a new
subdivision (m) will be added to read as follows:
(m) It is the intent of Legislature that the decision to
obtain or not obtain an enhanced driver's license is
strictly voluntary. To that end, if California enters into
a Memorandum of Understanding to issue an enhanced driver's
license pursuant to the federal Western Hemisphere Travel
Initiative (Public Law 110-53 and Public Law 108-458), it is
the intent of the Legislature that an employer shall not
require an employee to apply for, or use, an enhanced
driver's license, provisional license, or identification
card as a condition of employment, nor shall an employer
discharge an employee or otherwise discriminate or retaliate
against an employee who refuses to apply for, or use, an
enhanced driver's license, provisional license, or
identification card.
Replace subdivision (d) in section 15401 with a new
subdivision (d) that reads as follows:
(d) Radio frequency identification technology shall contain
only a randomly assigned number or employ other security
measures deemed necessary by the department that make any
information on the license or card unintelligible to an
unauthorized reader. In any event the radio frequency
technology shall contain no more information than is needed
to comply with the United States Department of Homeland
Security requirements and a machine-readable zone or barcode
that contains only so much information as is required by the
�
SB 249
Page 14
federal Western Hemisphere Travel Initiative (Public Law
110-53 and Public Law 108-45) to permit a border crossing.
In paragraph (3) of subdivision (b) of Section 15401
replace "randomly assigned radio frequency identification
number" with "information on the license or card"
ARGUMENTS IN SUPPORT: According to the California Chamber of
Commerce, the "ports of entry along the California-Mexico border
are among the busiest ports in the world." The Chamber claims
that each year forty-five million vehicle passengers cross the
border at one of six points of entry, and that "the average wait
for travelers at these ports is over an hour." The Chamber
further claims that these delays "result in a loss of eight
million trips each year," and that in San Diego County alone
this translates into an estimated loss of $1.2 billion in
revenues. The Chamber believes that this bill will relieve
border congestion by allowing travelers to use "ready lanes,"
and that it will allow CBP officers to quickly assess
information "and focus on the traveler's vehicle as opposed to
scanning documents - reducing wait time by up to 60%."
The Imperial County Transportation Commission supports this bill
for substantially the same reasons, claiming that border wait
times cause "a devastating loss of nearly $1.5 billion in
revenues, 3.4 million potential working hours, 39, 500 jobs, and
$59 million in wages annually in the San Diego and Imperial
region alone." Several other business groups, both from
Southern California and from Baja California, support this bill
and cite similar statistics for the economic impact on their
respective locales.
ARGUMENTS IN OPPOSITION: In a joint letter, the ACLU, Consumer
Watchdog, the Eagle Forum of California, the Electronic Frontier
Foundation, and the Privacy Rights Clearing House oppose this
bill primarily due to their "profound privacy and security
concerns about the use of insecure Radio Frequency Identity
�
SB 249
Page 15
(RFID) computer chips in EDL identity documents." In addition
to their general concerns that EDLs will compromise the privacy
of the holder's personal information, opponents also point out
that the EDL lacks some of the security measures used in
passports. For example, they claim that in U.S. passports a new
random number is generated each time the RFID is read, whereas
EDLs now in use in other states appear to use a random number
that does not change with each reading. Also, while the data
embedded on the passport is encrypted, this bill only provides
that the number will be encrypted if "agreed to by the United
States Department of Homeland Security." Finally, opponents
claim that while EDLs may be optional now, "optional government
programs often turn into permanent mandatory programs."
The Ella Baker Center for Human Rights and the Legal Services
for Prisoners with Children (LSPC) oppose this bill for many of
the same reasons raised by the ACLU and others; however, the
Baker Center and LSPC also believe that SB 249 will "allow law
enforcement officers to racially profile Californians from a
distance and without their knowledge." The Baker Center
contends that "personal information contained on EDLs will be
accessed by [CBP] through the National Law Enforcement
Telecommunications System (NLETS), which in turn is "accessible
to local law enforcement."
In addition to the above arguments, which were made to prior
versions of the bill, the ACLU and the Privacy Rights
Clearinghouse have submitted additional letters expressing grave
concerns that the recent amendments mean that the bill will pose
an even greater threat to privacy rights and civil liberties.
They also object to the author removing previously negotiated
provisions from the bill.
PREVIOUS LEGISLATION: SB 397 (Hueso) of 2014 was substantially
similar to this bill except that it did not contain a
requirement that the applicant be informed, in writing, that
�
SB 249
Page 16
RFID random number could be read remotely and it did not provide
penalty provisions enforcing the prohibition against employers
taking adverse action against an employee who refused to apply
for or use an EDL. That bill passed unanimously off the Senate
Floor and unanimously out of this Committee but was held in the
Assembly Appropriations Committee.
AB 2113 (Hueso) of 2012, was similar to SB 397. That bill
passed unanimously out of this Committee but was held in the
Assembly Appropriations Committee.
REGISTERED SUPPORT / OPPOSITION:
Support
Calexico Chamber of Commerce
California Chamber of Commerce
Casa Familiar
Chula Vista Mayor's Office
City of El Centro
City of San Diego
�
SB 249
Page 17
El Centro Chamber of Commerce
Todd Gloria, San Diego City Council Member
Imperial County Transportation Commission
Otay Mesa Chamber of Commerce
Representative Juan Vargas
San Diego Association of Governments
San Diego Regional Chamber
San Diego-Tijuana Smart Border Coalition
State of Baja, California
Opposition
ACLU
Consumer Watchdog
Eagle Forum
�
SB 249
Page 18
Ella Baker Center for Human Rights
Electronic Frontier Federation
Legal Services for Prisoners with Children
Privacy Rights Clearinghouse
Analysis Prepared by:Thomas Clark / JUD. / (916)
319-2334