Journal of Law, Information and Science (JLIS)

O'Connor, Kevin --- "Smart Cards, Privacy Issues" [1994] JlLawInfoSci 15; (1994) 5(2) Journal of Law, Information and Science 245

Smart Cards, Privacy Issues

KEVIN O'CONNOR[*]

Abstract

This paper aims to canvass some preliminary issues and to stimulate discussion on the implications for personal privacy of the development and use of 'smart cards'. It addresses international developments in the technology and policy responses to it, the range of possible applications, the concerns they raise in terms of the OECD's privacy principles, which underpin the principles in the Commonwealth Privacy Act, and the desirability of paying timely policy attention to the technology. It includes a suggested approach to addressing privacy issues through the development of system protocols allowing assessment of the privacy implications of a smart card system and measures that may be taken to address them.

1. Introduction

Smart cards are now an accepted mainstream technology, in increasing use by both the public and private sectors.[1] It is important that associated privacy issues be identified before many more systems have been designed and put into operation. It would be much better, both for those developing smart card systems and for the private citizen, if privacy concerns are addressed in a timely way. Otherwise the industry may find itself obliged to put substantial time and resources into altering already developed systems or, at worst, to abandon systems altogether because of resistance to their privacy invasiveness. This article gives a brief outline of what smart cards are, how they may be used and the privacy implications of their use. As well, it suggests some principles for handling these implications of smart card systems and measures to implement them.

2. The role of the Privacy Commissioner

The federal Privacy Commissioner's statutory functions include: to undertake research into, and to monitor developments in, data processing and computer technology; to ensure that any adverse effects of such developments on the privacy of individuals are minimised; and to encourage corporations to develop programs for the handling of records of personal information that are consistent with the Guidelines for the Protection of Privacy & Transborder Flows of Personal Data adopted by the Organisation for Economic Co-operation and Development in 1980.[2]

The Information Privacy Principles in the Privacy Act 1988 are based on the OECD principles. (As a member of the OECD, Australia is committed to taking its principles into account in domestic legislation.)

The OECD principles deal with: the need to limit appropriately the collection of personal information; the need to ensure that the information is relevant to the purpose of collection and is accurate, complete and up to date; making the subject of the information aware of its collection and use; ensuring that the information is not disclosed for other purposes without the consent of the data subject; safeguarding information against unauthorised access etc; openness of practices, ie, identifying what information is held, where and by whom; giving the data subject access to the information and a right to modify it if it is incorrect; and making accountable the person controlling the information.[3]

The relationship between smart card technology and the OECD guidelines is discussed below.

3. International developments in privacy protection

Other international privacy law developments will have a bearing on the development of smart card systems in Australia. The adequacy of the protection afforded to individuals in Australia as regards the collection, use and disclosure of personal information through electronic data systems will have an influence on the ability of Australia to trade in electronic data with other countries. These international developments include the following.

• OECD: Guidelines for the Security of Information Systems (1992).

• Council of Europe: Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (No 108) which has been in force since 1981, together with sectoral recommendations covering medical data banks, scientific research and statistics, direct marketing, social security, police, employment records, financial services, public organisations and telecommunications services.

• United Nations: International Covenant on Civil and Political Rights (1966), Article 17: no arbitrary or unlawful interference with privacy.

• United Nations: Guidelines Concerning Computerised Data Files (1990).

• European Convention on Human Rights (1953), Article 8: right to respect for private life.

• European Union: Draft Directive on Data Protection.

Of particular significance is the European Union draft Directive on Data Protection, which will make it mandatory for EU countries to prohibit the export of personal data to countries that do not provide an adequate level of protection.[4] If Australian levels of protection are judged to be inadequate, this may prevent exchange of data with other countries, adversely affecting both public and private sectors.

At present the Commonwealth public sector is covered by the Information Privacy Principles set out in the Privacy Act 1988, but the private sector (apart from controls on credit reporting and the handling of tax file numbers) is largely unregulated. The NSW Parliament currently has a Bill before it setting out general information privacy principles for the private sector although, in the absence of enforcement provisions, its effectiveness remains to be seen.[5]

Greenleaf points out that, apart from the matters covered by the Privacy Act 1988, there is only a patchwork of privacy protection in Australia through common law doctrines such as breach of confidence and negligent misrepresentation or through specific computer crime laws.[6] In Greenleaf's view this patchwork falls well short of the European Union standards and hence would not be an 'adequate' standard. It is with these international considerations in mind that we should look to develop measures to ensure adequate levels of protection for personal data in the design and use of smart card systems.

4. What Smart Cards are


Smart cards (or Integrated Circuit Cards) are portable devices, usually the size of a credit card, which have a micro-processor (ie, a computer) built in. Just like personal computers they can store and manipulate information. The essential characteristic of the smart card is the inclusion of a computer chip containing a processor as well as an information storage area. It is claimed that information stored in the smart card is kept extraordinarily secure because all the information is contained in the same computer chip as the processor.[7] The PIN (personal identification number) or other access codes are contained within a secure area of the computer chip and are only accessible through the card's own processor. This means that the security codes do not have to be passed to an external card reader or host computer. However, extensive trials run by Mastercard from 1984 to 1986 revealed the possibility of fraud by collusion between staff involved with smart card systems.[8]

New developments in the technology are rapidly changing the way smart cards operate and increasing their potential abilities and applications. Contactless cards now in use do not have to touch any surface in order for information to be passed to and from them; the transfer being achieved by radio technology. Transmission signals are generated by a 'target'. These transmissions can also be used to power the card to perform its processing. There are suggestions that, through the development of contactless technology, a card may not be the appropriate vehicle for this type of computer technology and that a small token, similar in size to a ten cent coin but twice as thick, may be more appropriate, being more robust and able to store a great deal more information.

In addition, some cards are now being produced with a tiny keyboard and a small character display (a liquid crystal unit) so that data can be directly entered into the card and the results of the card's processing shown to the holder. The authentication of the card holder by means of a PIN can be done directly on the card, reducing the ability of the PIN to be 'read' or copied.[9] Such cards may have their own inbuilt battery or be powered by a reader/target exchanging information with the card, either through contact or otherwise. These cards have been dubbed 'super smart cards'.

Large quantities of personal data can be kept in the memory banks of many smart cards. The card itself can be thought of as having the potential to store information in different areas, with varying levels of security and access rights for each of those areas. Access would be preset for particular areas of data, the information in those areas being added to or deleted according to the ongoing use of the card. Another way of retrieving information is through preprogrammed special search routines which can find the appropriate data for a particular user and present it in a suitable form without revealing any other data on the card.

5. Steps in a typical smart card transaction

What follows is a brief description of the steps involved in a common smart card transaction.

1. Connection: The card is inserted in a reader or is passed near a 'target' which is constantly emitting messages to establish a connection with any card in its vicinity.

2. Authentication of the card: The card generates a message to the reader/target which demonstrates that it is valid. This message may be encrypted for security purposes. If the card is identified as valid, the reader/target can check it against lists of stolen cards and, if it has been stolen, lock it so that it can no longer be used.

3. Authentication of the reader/target: The reader/target sends a message to the card which is checked against preprogrammed codes to establish if the reader/target is valid. If not satisfied, the card can prevent access to information by the reader/target.

4. Selecting the application: A card may support many different applications, which may be interrelated or quite distinct. A single card, for instance, may allow payment for public transport use, the ability to enter a secure building and the ability to use and pay for sessions at a gym. The desired application can be selected by the cardholder, by a person with access to the reader/target, or automatically by the reader or card depending on the initial authentication.

5. Identifying security requirements: The card is able to define the security requirements for the selected application. The card can enforce different levels of security and methods of access for different purposes or users.

6. Authenticating the card-holder: This can be through either requiring a PIN number or some sort of biometric data (eg, fingerprints, retina scan, signature dynamics). The card keeps the relevant information to make a comparison in a secret area. It can make the comparison without divulging the data it holds for this authentication procedure.

7. The transaction: The transaction is generated by manual entry or by an automated process. The card and/or the reader/target will check and authorise the transaction.

8. Transaction record: The card will generate a record of the transaction and send it to the reader/target. The record can be used for a number of purposes. It may be used by the merchant or service provider for collecting the actual payment from a bank or by a third party to the transaction for other purposes or as a back up data storage in case the card is lost or damaged.

9. Hard copy: A paper record may be generated by the reader/target for the data subject or the service provider.
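To make the nine steps concrete, here is an added example, not code from the article or from any card vendor: a Python simulation in which the card and the reader/target authenticate each other by HMAC challenge-response over a shared issuer key (steps 2 and 3), the card enforces a per-application security level and checks the PIN on the chip without exporting it (steps 4 to 6), the reader locks a card found on its stolen list, and the card authorises the debit and emits an authenticated transaction record (steps 7 and 8). The key, PIN, card identifiers and application names are made-up values.

```python
# Constructed walk-through of the nine-step transaction above (not the article's
# code). Assumptions: card and reader share a symmetric issuer key and prove it
# with HMAC challenge-response; the PIN is checked on the chip; all values made up.
import hashlib
import hmac
import os

APP_SECURITY = {"transport": "none", "building": "pin", "gym": "pin"}  # step 5
MAX_PIN_TRIES = 3


def _mac(key: bytes, *parts: str) -> bytes:
    """Labelled HMAC: a card proof cannot be replayed as a reader proof."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).digest()


class Card:
    """The chip: the key and PIN digest live here and are never exported."""
    def __init__(self, card_id: str, issuer_key: bytes, pin: str, balance: int):
        self.card_id = card_id
        self.balance = balance              # electronic-purse value in cents
        self.locked, self.app = False, None
        self._key = issuer_key
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._pin_tries = 0
        self._nonce = None                  # challenge we issued to the reader
        self._reader_ok = self._holder_ok = False

    def prove_card(self, reader_nonce: str):
        """Step 2: answer the reader's challenge and issue one of our own."""
        if self.locked:
            return None
        self._nonce = os.urandom(8).hex()
        return self.card_id, _mac(self._key, "card", self.card_id, reader_nonce), self._nonce

    def check_reader(self, reader_id: str, proof: bytes) -> bool:
        """Step 3: grant access only to a reader that proves the shared key."""
        if self._nonce is None:
            return False
        expected = _mac(self._key, "reader", reader_id, self._nonce)
        self._reader_ok = hmac.compare_digest(expected, proof)
        return self._reader_ok

    def select_app(self, name: str) -> str:
        """Steps 4-5: choose an application and report the security it needs."""
        if not self._reader_ok or name not in APP_SECURITY:
            raise PermissionError("reader not authenticated or unknown application")
        self.app = name
        self._holder_ok = APP_SECURITY[name] == "none"
        return APP_SECURITY[name]

    def verify_pin(self, pin: str) -> bool:
        """Step 6: compare on the chip; neither PIN nor digest leaves the card."""
        if self.locked:
            return False
        ok = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        self._pin_tries = 0 if ok else self._pin_tries + 1
        if self._pin_tries >= MAX_PIN_TRIES:
            self.locked = True              # too many wrong PINs: card locks itself
        self._holder_ok = ok
        return ok

    def transact(self, amount: int):
        """Steps 7-8: authorise the debit and emit an authenticated record."""
        if self.locked or not (self._reader_ok and self._holder_ok) or amount > self.balance:
            return None
        self.balance -= amount
        record = {"card": self.card_id, "app": self.app,
                  "amount": amount, "balance": self.balance}
        record["mac"] = _mac(self._key, "record", self.card_id, self.app,
                             str(amount), str(self.balance)).hex()
        return record


class Reader:
    """Reader/target: holds the issuer key and the list of stolen cards."""
    def __init__(self, reader_id: str, issuer_key: bytes, stolen: set):
        self.reader_id = reader_id
        self._key = issuer_key
        self.stolen = stolen

    def run(self, card: Card, app: str, amount: int, pin: str = ""):
        """Drive steps 1-8 for one transaction; return the record or None."""
        nonce = os.urandom(8).hex()                                 # step 1
        reply = card.prove_card(nonce)                              # step 2
        if reply is None:
            return None
        card_id, proof, card_nonce = reply
        if not hmac.compare_digest(_mac(self._key, "card", card_id, nonce), proof):
            return None                     # forged card or foreign issuer
        if card_id in self.stolen:
            card.locked = True              # valid but reported stolen: lock it
            return None
        reader_proof = _mac(self._key, "reader", self.reader_id, card_nonce)
        if not card.check_reader(self.reader_id, reader_proof):     # step 3
            return None
        if card.select_app(app) == "pin" and not card.verify_pin(pin):  # steps 4-6
            return None
        return card.transact(amount)                                # steps 7-8
```

The record's MAC lets the merchant or the system controller later verify that a claimed transaction really came from that card, which is the property step 8 relies on when records are used for settlement.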

6. Some types of smart card applications

Smart cards can be used in a variety of applications and can be used in conjunction with on-line computer networks, with stand alone computers or on their own.

6.1 Electronic purse

A smart card can function as a cash replacement, holding a numerical value (representing a dollar figure) that is reduced each time the card is presented as payment for goods or services. The service provider keeps a record of the transactions and is reimbursed at regular intervals by the system controller. The service provider does not have to identify the cardholder. Cards may be disposable or rechargeable. Rechargeable cards can be topped up by paying cash over the counter or by accessing a bank account through an ATM (existing machines would require adaptation for the purpose). There are also systems which can automatically recharge the card from an account when another communication is made. The details of the transactions can be recorded in the memory area of the card's chip.

One example of this type of application is a patron card used by passengers on P & O's Fairstar cruise ship to pay for all goods and services on the ship. The card can be unidentified but most passengers have it personalised in case of loss.

The NSW Government, through its Commercial Services Group, has begun to develop an electronic purse system for low value transactions in both the public and private sectors. At this stage it is envisaged that the rechargeable card would not be identified with a particular individual and would be available for the purchase of public transport tickets, fast food etc.

With this type of application there is no reason to collect information on the use of the card except for statistical or market research purposes. If effective safeguards were in place to ensure that data was not linked to identified individuals, then this type of application does not pose a serious privacy problem.[10] However, there are pressures from direct marketing organisations to be able to use records from such transactions to target advertising. To address the privacy concerns raised by that sort of use, cardholders would need to be fully informed in advance about the potential for such use, as well as having a real choice about whether or not to participate.

6.2 Transportation

Electronic road toll collection. These systems may use a contactless card system in order to automatically deduct toll charges. Monitoring of an individual's movements is possible where a card is identified with a particular individual or vehicle.[11]

Singapore's electronic road pricing system has been trialled successfully and will enter operation around the end of 1997. A smart card mounted on the windscreen of the car will be automatically debited by overhead card readers as the car passes a toll station. Privacy concerns have been raised and, as a response, the agency implementing the system has opted for a prepaid card system, so that there is no need for personalised billing and so no need for a particular card to be identified with a particular vehicle or driver.[12] This does not necessarily, however, constitute a complete de-identification of billing data. Once a card is linked with a person - and this requires only one transaction, such as topping up the card from a bank account - all the travel data becomes identified and therefore valuable to police forces, private enquiry agents, government agencies with law enforcement or national security functions and any other person or organisation with an interest in tracking the movements of particular vehicles or people.

Ticketing systems. The card does not need to pass through a card reader. A microprocessor embedded in plastic is activated when passed over a target device. This powers the card and enables it to communicate. Once a form of radio contact is established there is a two-way exchange of information between card and target. The card is identified and reports its remaining value; the target assesses if there is enough value in the card to enter the transport mode. If so, it transmits date, time and place of entry to the card. A similar process occurs at the end of a journey, with the cost of the fare being deducted on exit. This process takes around a third of a second at either end. The target's signal could be so powerful that a user need never take the card out. Currently the Victorian Public Transport Corporation is introducing a contactless card for regular travellers. These cards are prepaid tokens but each use of the system is recorded for statistical purposes.

This type of application has the ability to collect detailed personal information on an individual's movements. It would be desirable that no link exist between the individual and the smart card used, or, if that were not possible, that strict limits be placed on the retention of the records of the individual's movements.

6.3 Telebanking / electronic marketing / Pay TV

Here the card can act as a key to access bank accounts (through telephone lines, satellite or microwave technology) for direct banking activities such as transferring funds between different accounts or for the purchase of goods or services, such as pay TV. In this context the card has the ability to facilitate the recording of transactions and to develop profiles of the spending habits of the card holder.

This type of application raises concerns for individual privacy through the possible collection, use and disclosure of a wide range of personal information including financial status, spending habits, entertainment use, gambling etc.

6.4 Loyalty scheme cards

Cards may be used to calculate the benefit to be given to the cardholder for purchasing goods and services from particular corporations. As well, the cardholder's transactions may be recorded, allowing the development of a profile of his or her buying habits and lifestyle. This type of application can have significant privacy implications if the cardholder is not fully informed of the uses to which the information recorded through the use of the card may be put.

6.5 Identified account

Here the details of an account with a corporation are held on the card. The card may contain complex details of the holder's payments and his or her level of access to benefits provided by the corporation. The card is able to keep track of the payment limits and work through complex formulae to decide on the level of benefit to be paid, authorising payments from a third party organisation acting as an agent for the corporation. This could, for example, be used by health insurance funds to allow members to pay subscriptions and obtain benefit refunds through a third party agency that had an extensive computer network. In this case, serious privacy concerns would be raised if it meant there were possibilities of unauthorised access to confidential personal medical information.

6.6 Security/authentication[13]

This sort of system is primarily about authenticating a right to access something. It can range from a card that allows anyone who possesses it access to something, eg, a building, through to one that holds details of the vein patterns found in a person's retina and which needs a match with the card presenter's retina pattern before allowing access to the place or a service, eg, a computer network, mobile telephone etc. Security or authentication systems through the use of smart cards are being introduced at a rapid rate in Australia. The Department of Social Security is currently in the process of seeking tenders for a smart card system that will manage its employees' access to computers and buildings. The Commonwealth Bank has had a system of this type in place for some time. Some digital mobile phone systems in Australia already use this technology.

There are serious privacy concerns raised by the potential use of smart cards in these types of applications to track an individual's movements, conversations etc. The potential for a single card to be used by many different organisations and to take on the characteristics of a de facto universal identity card is of serious concern.

6.7 Health Care

Cards are in use in many countries to allow the collection of, and access to, highly sensitive medical records, as well as providing for the efficient billing and co-ordination of medical services. An individual's complete medical history may be held on the card or it may hold some of that history together with the ability to access medical files held in other databases. This information may be accessed by medical practitioners when they are making diagnoses. If the information were being sought for a particular diagnosis the card could be programmed to search the medical history for any previous information dealing with a particular type of condition. Ostensibly the patient would have to give authority to the practitioner to access the records by the use of a PIN number or similar security code but in practice the real extent of choice is likely to be limited. Moreover, much medical information is seen by medical practitioners as owned by them.

Smart cards recently introduced in the German health care system are used to store the individual's name, date of birth, health care company, identification number and expiry date, as well as a checksum function to verify the authenticity of the details. The system covers more than 20 million insured people. Privacy concerns lay behind a legislative requirement that, despite the technology available for protecting data held on the card, no medical information be recorded there.

In France medical history cards have been trialled in the public health system for the storage of information about family and personal medical histories, medical examination results and medication details. The system is likely to be extended, provided that the trial experience is satisfactory.

In Japan the Sante System Centre runs a voluntary smart card system, used mostly by older businessmen who travel regularly and suffer from conditions that require frequent checkups. The card holds information on medical centre, job code, name, address, identification number, occupation, issue date, sex, blood type, date of birth, phone numbers, allergies, a summary of past history, present illness, treatment, medication, height, weight, eyesight, blood pressure, hospital visits and more.

The health care debate in the US has featured proposals to computerise health records with a view to reducing administration costs. Public health clinics in Houston already issue optical cards (which employ a variant on compact disc technology, but without a processing unit) containing clients' medical history. Proposals for similar systems on a national basis created considerable concern among legislators and, in the absence of a national framework for privacy protection, drafting work was undertaken on a national health care privacy bill. The issue has lost some of its momentum as the political prospects of major health reform have faded.

In an October 1992 report, the Ontario IPC has also surveyed the use of health card systems in Canada (including smart card systems) and put forward a set of recommendations for their use, in line with the basic privacy principles set out in the OECD guidelines.

In March 1992, the Commonwealth Minister for Health issued a statement rejecting the idea of a medical smart card for Australia, specifically because of the privacy implications.

Health applications probably pose the most serious threat to individual privacy. The issues of ownership and custody of information are crucial, as well as the accuracy and completeness of the records. The ability of a wide range of health workers and others, eg, hospital administrative staff, health fund employees, medical researchers, to access comprehensive patient records through a medical smart card puts the privacy of the individual at grave risk. Such an easily available record of a person's complete medical history would be of considerable interest to employers, insurance companies and others. If such cards were introduced, there would be a strong case for enforceable privacy protection along the lines of the Information Privacy Principles in the Privacy Act 1988 for this type of application.

6.8 Voter registration

Some Scandinavian countries have voting systems which incorporate the use of a smart card.[14] They are supposed to cut down on electoral fraud and enable the immediate tallying of votes at the close of polling. Keeping the identity of the voter secret, a cornerstone of western democracy, would mean strict security measures and an ability for those measures to be transparent so that the voters could have faith that their vote was secret.

6.9 Government services delivery

The smart card is claimed to assist in reducing fraud in the delivery of government services because benefit recipients can be identified more accurately and the benefits can be issued more efficiently. Complex formulae taking into account a benefit recipient's assets, family responsibilities etc can be programmed into the card. When recipients frequently change address it is an easier way for their benefit entitlement to be accessed, particularly in remote regions or other areas where direct computer links are too expensive.

In Mexico, smart cards are issued for the collection of food rations. There, merchants have stand alone readers which can read the smart card, determine how much credit for a particular commodity remains and, after the provision of the commodity, adjust the balance. The reader then transfers the information to a smart card held by the merchant which he or she presents to the local social security office for payment for the commodities given out. The merchant's card is then updated with lists of stolen or defunct cards which are transferred into the stand alone reader.

7. The main privacy implications

The following discussion looks at the privacy implications of the introduction of smart card technology in terms of the eight principles that form the basis of the OECD guidelines on the protection of privacy and transborder flows of personal data.[15] The principles are briefly described at the beginning of each section. It is evident that many of the privacy implications of the use of smart card systems overlap with concerns regarding other methods of data collection, storage and use, particularly where electronic means are involved. However there are specific features associated with the use of smart card systems that need careful attention.

A smart card system involves a number of participants: the card system controller, direct users of the cards, users of information gathered from use of the card, and the card holder. Initiating bodies control who will have access to the card. The scheme may be so designed that participation requires a card. Alternatives such as cash payment may be made impossible. Without a card, a person may suffer serious financial or personal consequences, eg, the inability to access medical treatment, transport services or Government benefits. If a system is designed so that a service or a benefit can only be provided through the use of a smart card, the card holder is effectively compelled to use the card.

7.1 The Collection Limitation Principle: there should be limits to the collection of personal data

The main concern with any new technological system and its impact on individual privacy is whether it collects identifiable information. Pseudo-identifiers have been proposed as a way to allay this concern. A pseudo-identifier is an arbitrary identifier which is separated from the details of the cardholder's name and address. The actual identity of the data subject is suppressed but the information is still made available to third party organisations for market research purposes. The use of pseudo-identifiers or other mechanisms to de-identify profile research needs careful attention as there are risks that people will still be able to be identified through geographic indicators associated with demographic and socio-economic data. This is most likely to occur where the geographic detail is very precise, eg, street name. As well, cards identified in any way may be able to be linked to an individual through a pattern of use.

The use of new technology for everyday services and transactions makes it easier to record an individual's everyday activities and, with increasingly sophisticated systems, to use that information to build profiles of a person's lifestyle and habits.[16] Some people may not be concerned by this and may welcome more directed targeting by advertisers, but for others the possibility that an extensive dossier of everyday activity may be compiled is a very serious concern. From surveys commissioned by the Privacy Commissioner it is evident that most Australians want to be notified in advance when information is being collected, to be given a choice as to whether that information is to be passed on to others and to be made aware of what the information will be used for when it is being collected.[17] Blume sees the use of smart cards leading to more electronic trails being developed and an increased risk of surveillance.[18]

Most smart cards will include some form of identifier even if only for cancelling stolen cards and refunding the unused portion of stolen or malfunctioning cards. These identifiers may not be directly linked to any individual (although a cardholder would have to know the identifier in order to apply for a refund from a stolen or malfunctioning card).

The majority of privacy concerns focus on the potential for individuals to lose control over their personal information. If people know or suspect that their activities are being recorded they will tend to act cautiously to protect themselves, and are likely to censor their own conversations and modify their actions. This would be an undesirable outcome for personal and political freedom.

7.2 The Data Quality Principle: data collected should be relevant to the purpose of collection, accurate, complete and up to date

In some instances retention of data from smart cards will be irrelevant to the purpose of collection. For instance, the trip details of a public transport user are needed to determine the price of the ticket, but need not be retained after the trip (except perhaps in a de-identified form for statistical purposes). Retention of identified data raises the possibility of generating a profile of the user's daily movements. Similarly, only a running balance need be kept on smart cards used for highway tolls, pay TV or loyalty scheme points. Detailed identified information on usage is not relevant to the effective provision of the service. Any secondary purpose, such as marketing, should be a stated object of the data collection. In general, such systems should be designed so that identified user details are cleared at the end of the transaction. Some organisations may wish to keep a record of transactions for statistical purposes. To do this without identifying individual patterns of use, file separation features need to be built into the data storage systems.
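As an added example of the retention design this paragraph argues for (constructed here, not the article's or any transport operator's code): the entry station and time travel on the card, as the ticketing description in 6.2 has it, are consumed once to price the fare on exit and then cleared, and the station target's only file is an hourly flow count that carries no card identifier. Station names, zones, fares, the card id and the audit helper are assumed values.

```python
# Constructed illustration of "identified details cleared at the end of the
# transaction" with a separate statistics file. Not from the article; stations,
# zones, fares and card ids are made up.
from collections import Counter
from datetime import datetime

ZONE = {"Central": 1, "Redfern": 1, "Strathfield": 2, "Parramatta": 3}
FARE_BY_ZONES_CROSSED = {0: 250, 1: 320, 2: 420}     # cents
MIN_FARE = min(FARE_BY_ZONES_CROSSED.values())


def price_fare(entry_station: str, exit_station: str) -> int:
    """The fare depends only on zones crossed, so nothing else need be kept."""
    crossed = abs(ZONE[entry_station] - ZONE[exit_station])
    return FARE_BY_ZONES_CROSSED[min(crossed, max(FARE_BY_ZONES_CROSSED))]


class TransitCard:
    """Prepaid token. The current trip's entry data is held here, not centrally."""
    def __init__(self, card_id: str, balance: int):
        self.card_id = card_id
        self.balance = balance
        self.trip = None        # (entry_station, entry_time) during a journey


class Gate:
    """Target at one station. Its only stored file is an hourly flow count."""
    def __init__(self, station: str):
        self.station = station
        self.flows = Counter()  # key: (entry, exit, weekday hour) -> trips

    def enter(self, card: TransitCard, now: datetime) -> bool:
        """Admit the rider if the card could pay the cheapest fare."""
        if card.balance < MIN_FARE or card.trip is not None:
            return False
        card.trip = (self.station, now)     # written to the card, not logged here
        return True

    def exit(self, card: TransitCard, now: datetime):
        """Return the fare charged, or None if the trip cannot be completed."""
        if card.trip is None:
            return None
        entry_station, _entry_time = card.trip
        fare = price_fare(entry_station, self.station)
        if fare > card.balance:
            return None
        card.balance -= fare
        card.trip = None                    # identified detail cleared on exit
        bucket = now.strftime("%a %H")      # hour granularity only, no card id
        self.flows[(entry_station, self.station, bucket)] += 1
        return fare


def records_mentioning(gates, card_id: str) -> int:
    """Audit helper: count stored entries that could be tied to this card."""
    return sum(card_id in str(key) for gate in gates for key in gate.flows)


def demo_trip():
    """Constructed run: one rider travels Central -> Parramatta on a Monday."""
    card = TransitCard("C-42", 1000)
    central, parramatta = Gate("Central"), Gate("Parramatta")
    central.enter(card, datetime(1994, 6, 13, 8, 5))
    fare = parramatta.exit(card, datetime(1994, 6, 13, 8, 41))
    mentions = records_mentioning([central, parramatta], "C-42")
    return fare, card.balance, card.trip, dict(parramatta.flows), mentions
```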

Other problems may arise where the card functions as a mobile medical file. The complete record may not be attached to the card for various reasons and this may lead to mistakes in diagnosis. Some medical practitioners may be unwilling to record all the details of their diagnosis unless there is complete assurance that the cardholder or other health workers cannot access the information without the doctor's authority (for fear of negligence and defamation law suits).

7.3 The Purpose Specification Principle: the purpose of collection should be specified before data is collected and subsequent use limited to those or compatible purposes

Smart card systems can be designed to prevent data subjects from determining the full extent of data held about them or its purpose. The card can be programmed to use the collected information for secondary purposes unknown to the data subject. Smart cards allow personal information to be collected, used and disseminated continually. The challenge will be to inform data subjects properly about what information will be collected, how it will be used, to whom it will be communicated and who may have access to it.

Another important issue is the extent to which the information gathered by the use of smart cards may be accessible to a range of government agencies through the exercise of compulsory information gathering powers (eg: the Tax Office, DSS and law enforcement agencies). The desirability of new databases of information has to be assessed against the possibility that an individual's movements and everyday transactions will be increasingly exposed to various Government authorities. The card's use could modify the activities of the card holder if it were designed to detect 'unusual' activity. This ability may be programmed into the card for the purpose of preventing or detecting unauthorised use or fraud but may act as a more pervasive limiting agent on a cardholder's decisions.

7.4 The Use Limitation Principle: data should not be disclosed or used for other purposes except with the consent of the data subject or by the authority of law

With multiple applications there is the potential for users to access unrelated sensitive information. As well, with the use of contactless cards, the data subject may not know when the card is being accessed. The issue of consent to the use and disclosure of information will then be a thorny issue. Is the data subject to be required to give a cover-all consent when first issued with a card? Will there be any ability for the data subject to change his or her mind about the extent of consent at any time? How will the data subject know when information is being exchanged with the card he or she is carrying?

When refusal of a necessary service or benefit is the alternative, the card holder may not be in a position to question whether it is necessary for a particular individual or corporation to access the information in the smart card or add information to it. If a system is designed so that a service or benefit can only be provided through the use of a smart card, the perceived or stated consequences of refusal to turn over the smart card place the cardholder under duress and consent is meaningless.

Authorised users of the smart card are generally designated by the issuing body. Such decisions may happen entirely without the consent of the data subject. Cardholders may be required to produce the smart card on demand to various authorised users (or have the information held on the smart card read or added to without their knowledge), but can be excluded from decisions on who will have access to their personal information. This undermines the data subject's autonomy over their personal information. It is important to look at ways of maintaining that autonomy. For example, it may be beneficial to include representatives of data subjects in the design of smart card systems and hence in the decisions about who will have access to the information stored in the smart card.

7.5 The Security Safeguards Principle: there should be reasonable security safeguards against risk of loss, unauthorised access, destruction, use, modification, or disclosure of the data

The security safeguards available through the use of encryption and biometrics mean that smart cards are much more secure than previous card technologies. However, the claims that smart card encryption technology represents the high point of information security should be subject to close scrutiny. Recent reports suggest that the Clipper chip, the US Government's preferred electronic key for the encryption of data, is facing a number of security problems.[19] As well, the ability to combine personal data from different sources increases the potential for unauthorised use or disclosure and the incentive for people to invade the security systems to gain access to the data.

Bowcock points out that where an electronic purse smart card is tied to a bank account it would be desirable for the electronic purse clearing system to be entirely separated from the bank's account management system, so that the identity of the card holder can only be established through a special process and not automatically.[20] However, it will always be possible for people with legitimate access to the system to disclose identified data, no matter what security measures are in place. This problem is not confined to the security of information kept on smart cards but, because extensive and highly sensitive information may be held on a smart card system, the illegal gains from disclosing such information may be tempting in the face of weak sanctions.
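Bowcock's separation of the clearing system from account management can be made concrete. The sketch below is an added example, not code from the article or from any bank or card scheme: the clearing side settles purse transactions by a random card pseudonym and amount only, while the one table linking pseudonyms to account numbers sits in the account management component and can be consulted only through a function that demands a recorded authority and writes an audit entry. The class names, the `resolve_identity` "special process" and the sample account and request references are all assumptions made for the illustration.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AccountManagement:
    """Bank side: knows who the customer is. Holds the only link between a
    card pseudonym and an account number, plus a log of every lookup."""
    account_of: dict = field(default_factory=dict)  # pseudonym -> account number
    access_log: list = field(default_factory=list)

    def issue_card(self, account_number: str) -> str:
        # The pseudonym is random, not derived from the account number, so
        # nothing in the clearing system can recover the account by computation.
        pseudonym = secrets.token_hex(8)
        self.account_of[pseudonym] = account_number
        return pseudonym

    def resolve_identity(self, pseudonym: str, authority: str) -> str:
        """The 'special process': identification happens only against a
        recorded authority (assumed here to be a request reference) and
        every use is logged for later review."""
        if not authority:
            raise PermissionError("identification requires a recorded authority")
        self.access_log.append((pseudonym, authority))
        return self.account_of[pseudonym]


@dataclass
class PurseClearing:
    """Clearing side: settles purse loads and spends by pseudonym and amount
    only. It never holds a name or account number."""
    balances: dict = field(default_factory=dict)
    ledger: list = field(default_factory=list)

    def load(self, pseudonym: str, cents: int) -> None:
        self.balances[pseudonym] = self.balances.get(pseudonym, 0) + cents

    def spend(self, pseudonym: str, merchant: str, cents: int) -> bool:
        if self.balances.get(pseudonym, 0) < cents:
            return False
        self.balances[pseudonym] -= cents
        self.ledger.append({"card": pseudonym, "merchant": merchant, "cents": cents})
        return True


def clearing_holds_identity(clearing: PurseClearing, bank: AccountManagement) -> bool:
    """Design check: does any account number appear anywhere in the clearing
    data? For the separated design this must be False."""
    accounts = set(bank.account_of.values())
    text = repr(clearing.balances) + repr(clearing.ledger)
    return any(acct in text for acct in accounts)
```

The check at the end is the kind of assertion a reviewer of such a system would want to run routinely: it does not prove the separation is complete, but it catches the common regression where an account number leaks into a transaction record "for convenience". As the article notes, the audit log only records legitimate lookups; it does not stop an authorised insider from disclosing what they were entitled to see.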

7.6 The Openness Principle: there should be openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and its intended use and the identity of the data controller

Smart card systems are being designed with no real input from consumer representative groups. It is at the design phase that irreversible decisions are made about how the information held on or collected by the card will be protected and managed and about how access to the information will be controlled. It is at this stage that most benefit would be gained by consulting consumer representative groups about how the completed systems will deal with personal data.

Every time a card is used, information on it can be downloaded to a database linked to the card reader. Davies draws our attention to the systems behind the cards: a distributed network of data banks, linked through an identifier on the card, may constitute a much greater privacy concern than a centralised databank because of its greater flexibility and reach.[21] Gaining access to the network may require only penetration of its weakest link. There are many potential areas of weakness in a smart card system, particularly one where the information on the card is constantly being passed to and from other computers.

7.7 The Individual Participation Principle: individuals should have the right to find out what data is being held about them, to have access to that data or reasons why they can't, to challenge that data and, if successful, have it erased, rectified, completed or amended

The challenge for the system here is to ensure that a data subject can find out what data is held about him or her, who is responsible for giving access to it and how a data subject would go about physically accessing the information. Although data subjects have physical possession of the card they may be unable to access the information it contains or control the flow of information to and from the card.

If cards are developed which have multiple uses, one organisation may be able to authorise the release of information held on the card or a data subject may be forced to go to several different organisations. Where organisations are sharing, or have access to, information in the card that is not directly relevant to their use of the card, significant privacy implications arise. There must be clear lines of accountability for all the organisations and users involved in a smart card system.

7.8 The Accountability Principle: the data controller should be accountable for giving effect to the privacy principles governing the data

One of the main problems with the use of smart cards is the issue of who is in control of the data. There will often be a card manager or project developer, one or more 'users' of the card, third parties wishing to use the information for secondary purposes and the card holder (who will usually be the data subject). This clearly raises questions of the ownership of the data, who the controller of the information is, and who should be the parties to any consents or authorities for the use or disclosure of data.

There are other privacy concerns arising from the introduction of smart card technology that are not directly covered by the OECD principles. One of these is the possibility that a smart card will, by gradual application, become a universal identity card. A multiplicity of functions on any one card would probably mean that the card would be carried at all times. If it also included biometric details, ie fingerprints, retina patterns or DNA material, it could potentially become the main form of identification needed to access goods and services. Whatever identifier the card used could quickly become a de facto universal identification number, allowing the cross-matching of many data banks of personal information in both the public and private sectors. Davies reports that a US company has developed a card that holds biometric details and is designed for multiple use. The card was due to go into production in Malaysia in 1993 and would be marketed world-wide.[22]

8. Suggestions for addressing the privacy implications of smart cards

The first step towards establishing acceptable practices in the operation of smart card systems is to identify principles that can act as a guide in addressing the privacy concerns smart cards raise.

In Canada, where a number of smart card systems are under trial in the public and private sectors, privacy policy advisers have taken a strong interest in developments. The Information and Privacy Commissioner, Ontario, has issued a paper on smart card technology that recommends privacy standards for government card applications, including a recommendation for the issuing of privacy impact statements for such applications. Implementation of these recommendations would involve going beyond the existing legislative framework for privacy protection in the public sector. The paper recommended that:

• the government of Ontario develop government wide technical and privacy protection standards or guidelines to manage the introduction of government smart card applications;

• the Management Board Secretariat [which is already involved in the development of government wide information and technology standards] in concert with the Freedom of Information and Privacy Branch, take the lead role in this task;

• the Secretariat consider the privacy protection and privacy impact statement requirements outlined in this report when preparing the standards or guidelines;

• municipal officials and others should work on the standards or guidelines to ensure that they are applicable to municipal applications; and

• municipalities be encouraged to adopt these standards or guidelines.

As will be noted, this study has influenced my office in developing some of the ideas expressed here. They seem to be entirely relevant to tackling the privacy concerns stemming from smart card systems development in Australia.[23] Moreover, it is encouraging that they are consistent with the existing framework set out in the Privacy Act 1988.

Smart card systems should be open and transparent to data subjects. They should know their inherent rights when using the card, what information the card contains, how it will be used and what risks that use implies. Data subjects should have the right to participate in the determination of what personal information the card contains and who has access to it. Data subjects should have the right of access to and correction of information held about them on the card as well as in any related databases.

All uses and disclosures of information on the card should be subject to the prior and informed consent of the data subject. Where cards are used for access to government services, a smart card should not confer benefits (other than perhaps enhanced service) unavailable to those without a card. The full measure of security available through the technology should be used to prevent misuse or inadvertent access. This should include the use of PINs, authentication protocols, encryption, and the segregation of multi-use applications to prevent possible merging or matching of various databases. The use of smart cards to conduct computer matches or linkages should be limited and regulated where they are dealing with highly sensitive personal information, eg, health information.

Smart card technology should only be used by government organisations to enhance access to government information and services, and not as an instrument of social control, eg, a method of conducting surveillance or a means of creating computer profiles.

The development of a guide to the privacy impact of a system, and to the measures that will be taken to address that impact (hereafter referred to as a smart card protocol), prior to introducing a new system or revising an existing application, would appear to be a positive step in focussing the minds of smart card system initiators and developers on the privacy issues involved. A smart card protocol might include, at a minimum, descriptions of the following:

• the proposed smart card application;

• how the proposed application is in compliance with the OECD privacy principles;

• the probable or potential effects that the proposed smart card application would have on the privacy of the data subjects and users;

• what methods will be used to restore any lost degree of privacy should the application compromise existing levels of privacy;

• the personal information to be collected for the entire application, the manner of collection, the method of notification, and the reasons why that information is necessary and relevant;

• the personal information to be held on the card and why; a listing of the proposed authorised users and what levels and/or types of access they would be provided;

• the proposed procedures for data subjects to gain access to, and to correct their personal information, including a mechanism for appealing denial of access or correction;

• the procedures to be used to ensure, as much as possible, the accuracy and timeliness of all personal information;

• all the security measures to be used to ensure the protection of personal information and to restrict the possibility of unauthorised computer matches or linkages;

• what previously unavailable/available personal information the proposed application would reveal or protect, make available or unavailable to any party; and

• the individual(s) responsible for the on-going assurance of security and privacy protection.

Outcomes can be measured against the criteria put forward in the protocol.

9. Conclusion

The widespread introduction of smart card technology to Australia is imminent and is being heralded by many as a great benefit in cutting down on fraud, making information storage safer and increasing efficiency in the delivery of a wide range of services. This may be true, but there are potential disadvantages in terms of personal privacy that can only usefully be addressed at the design and development stages. In the interests of smart card issuers, users and cardholders it is imperative that the privacy issues be worked through early in the process. The use of protocols to create a framework for addressing privacy concerns for each system will benefit all concerned and help to create a climate of public trust in the integrity of the systems.


[*] Privacy Commissioner

[1] 128,000 smart cards were claimed to be in circulation in Australia in 1993 in J Liston 'Smart solution on the cards' Australian Electronics Engineering July 1994 p 34

[2] Section 27(1)(c) of the Privacy Act 1988

[3] For the complete guidelines see the Organisation for Economic Co-operation and Development, Annex to Recommendation of Council of 23rd September 1980, guidelines governing the protection of privacy and transborder flows of personal data reproduced at p 1603 of the Privacy Commissioner's Federal Privacy Handbook Redfern Legal Centre Publishing 1992

[4] G Greenleaf 'Implications for Australia of international privacy requirements', paper given at IIR Conference Protecting Information Privacy, 6 and 7 June 1994, Boulevard Hotel, Sydney.

[5] Privacy and Data Protection Bill 1994

[6] Greenleaf op cit at p 23. For a fuller exposition of the "patchwork" of general law privacy protection see the paper by James Fitzsimons 'Smart Cards: Legal Concerns' given at the AIC conference Smart Cards 24-25 February 1994 Sheraton Wentworth, Sydney

[7] M. Prebble Integrated Circuit Cards: Is it smart to use a Smart Card? Victoria University Press for the Institute of Policy Studies Wellington 1990 p 4

[8] INTAMIC (1986) Microcircuit Card Laboratory Tests and Field Trials 1981-1986, Paris: INTAMIC quoted in Prebble op cit p 6

[9] For a very succinct explanation of the features and applications of smart cards see CJ Lokan 'The Design and Applications of Smart Cards' Vol 23 No 4 The Australian Computer Journal Nov 1991 p 159

[10] A system designed to allow the maintenance of privacy in the use of electronic cash has been described by D Chaum, 'Achieving Electronic Privacy', Scientific American, August 1992, p 96

[11] For a comprehensive description of this type of application in use in Sweden and Norway see R Tomkins 'Heavy toll to bear' in The Financial Times, May 14, 1993, p 14

[12] Chou Fang Soong, 'Electronic Purse: currency for the information age?', paper presented to Smart Cards 94 conference, Hilton Hotel, Sydney, October 1994.

[13] The Privacy Commissioner recently received several technical briefs on information technology security systems prepared by the Information Security Research Centre at the Queensland University of Technology. Of relevance to authentication is Prof. WJ Caelli & M Looi Use of Smart Cards in Authentication QUT April 1994

[14] Information and Privacy Commissioner, Ontario, Smart Cards, April 1993, p 20

[15] Privacy Commissioner Federal Privacy Handbook - A Guide to Federal Privacy Law and Practice Redfern Legal Centre Publishing, Redfern 1992 p 1603

[16] For a comprehensive look at the present and future tracking of an individual's life by computer see N. Cobb 'The End of Privacy' in The Boston Globe, magazine section p 16 April 26, 1992. In that article Mr Cobb states that Gary Chapman, then director of the Cambridge office of Computer Professionals for Social Responsibility coined the term 'data shadow'

[17] The Roy Morgan Research Centre Pty Ltd A Summary Report - Privacy Act Survey 1994 p 51. Confidentiality of personal information ranked behind education as the second most important social issue identified by the Roy Morgan work; 74 per cent of respondents regarded it as very important, up from 67 per cent in 1990.

[18] Peter Blume 'The personal identity number in Danish law' in (1989-90) 3 Computer Law and Security Reporter 10 at p 13

[19] Australian Communications, Sept 1994 p 37

[20] M Bowcock 'Smart Cards and Information Privacy' a paper presented at the AIC conference Smart Cards 24-25 February 1994 Sheraton Wentworth, Sydney

[21] Simon Davies 'Smart Cards and Clever Illusions' a paper presented at the 14th Data Protection and Privacy Commissioners Conference, Sydney, 29 October 1992.

[22] Davies op cit p 60

[23] Wright op cit pp 33 to 35


URL: http://www.austlii.edu.au/au/journals/JlLawInfoSci/1994/15.html