Privacy Law and Policy Reporter
While the smart card was first patented 20 years ago and has been in use for over ten years in some countries, it has only been in the past year or two that the broad application of smart card technology internationally has commenced. Smart cards are increasingly being used for a wide range of applications including mobile telecommunications, pay television, pay phones, public transport ticketing, building and computer access control, health care and customer loyalty.
While applications such as these will result in a significant number of smart cards being issued to consumers for a single purpose, the recent decision by MasterCard and Visa to progressively implement smart cards will ensure the vast majority of consumers will carry and utilise these cards on a daily basis for multiple purposes within five years.
However, despite these recent developments, there has been little discussion of the implications that the widespread use of such a technology may have on personal privacy. This article provides a description of smart card technology and outlines its use as a financial transaction card, before discussing the possible impact on personal privacy.
Basically, a smart card can be described as a plastic card physically similar to the magnetic-striped debit or credit card most of us carry. However, beneath the surface of the card is an embedded integrated circuit or 'chip' which gives the card the ability to store and (in some cases) process data, and to communicate with a terminal.
The following schema illustrates the components of a high-end contemporary smart card chip. Most smart cards support a 'contact' communications interface through a 'pad' in the upper left-hand corner of the card face. When a contact smart card is inserted into a card reader, the pad allows the terminal to supply power to and communicate with the chip.
Some smart cards may instead support a 'contactless' (or proximity) communications interface. A contactless smart card contains a coil which generates power when it is passed through an electrical field, allowing the terminal to communicate with the chip using radio communications.
Contactless smart cards are typically used in public transport and road toll applications where transaction times must be kept to a minimum. Within three to five years, hybrid smart cards which support both a contact and contactless communications interface are likely to become widely available.
Smart cards can be further divided into 'memory' and 'microprocessor' cards. Memory cards do not contain a CPU and so rely entirely on the terminal carrying out any processing. On the other hand, a microprocessor card contains a CPU and so is capable of processing data independently of the terminal. Thus, while a memory card can generally only store data (like a floppy disk), a microprocessor card can also process data (like a computer).
Although the majority of cards manufactured to date have been memory smart cards, the use of microprocessor smart cards is becoming more widespread as the applications for which they are issued become more complex (for example, cryptographic processing for telecommunications and financial transaction cards).
There are typically up to three types of memory supported on a smart card chip. These are:
MasterCard and Visa have recently decided to adopt smart card technology and phase out magnetic-stripe based systems in order to reduce the cost of bad debt, fraud and authorisations. Initially, this is likely to involve the card PIN and product account numbers being stored on the chip. The card itself will be a hybrid smart/magnetic stripe card until the existing terminal infrastructure is either upgraded or replaced.
The new card is likely to support a stored value product, together with the debit and/or credit product. Although stored value products have been issued internationally for around a decade, it is only recently that they have evolved from relatively 'closed' products accepted by only a few merchants (for example, pay phone cards, public transport cards) to 'open' products accepted by a broad range of merchants. The three card-based payment products likely to be supported on the new 'smart' financial transaction card can be characterised as follows:
Under the scenario being proposed by MasterCard and Visa, a financial institution will be able to issue a single financial transaction card to each of its customers, with this card containing credit, debit and stored value products (as requested by the customer). This assists in ensuring the card has the greatest possible 'utility' or usefulness, and so will be carried at all times and utilised by the customer frequently.
However, it is also possible that the financial institution may 'rent' (with the customer's consent) any remaining capacity on the chip to other organisations, for example:
(a) a retailer for a discount or frequency product;
(b) an airline for a frequent flyer or lounge product;
(c) a public transport authority for a period or multi-trip ticket;
(d) a health insurer for insurance coverage details;
(e) a telecommunications supplier for a calling card; and/or
(f) a government authority for identification purposes.
In fact, as the number of payment, loyalty and identification cards issued to some consumers is now greater than the capacity of their purses or wallets to carry them, many organisations would welcome the opportunity to have their product on a card carried and utilised every day, rather than having their own 'low utility' card.
How will these multi-functional, financial transaction, loyalty and identification cards impact upon personal privacy?
Multi-functional smart cards will undoubtedly result in a significantly greater volume of consumer transactional data being captured, processed and stored than is currently the case with magnetic stripe cards. Additionally, these cards are capable of enabling greater cross-referencing and data-matching (through the use of a single key for multiple products; that is, the smart card number) amongst a broader community of organisations which utilise the card.
For example, a stored value product card alone could generate more than five times as many transactions as all debit and credit card transactions combined. Many payment transactions carried out on the card may also generate one or more 'loyalty' or 'identification' transactions (for example, frequent buyer points). Thus, information on both a transaction and a customer could technically be captured by the card issuer and any organisation involved in the transaction which utilises the card to support their own payment, loyalty or identification products.
However, at this stage it is difficult to determine the likely impact as the design of these systems is yet to be finalised. For example, it is not known what transactional and personal data will be stored on the card and centralised systems, and what access certain parties will be given to this data.
At the card level, if the design is carried out with personal privacy in mind, it is possible that a quite favourable outcome could be achieved.
For example, if access to specific data stored on the card is only available with cardholder authorisation (for example, a customer-selected PIN), the need for, and frequency of, access to a centralised system would be minimised. This assumes that customer-controlled access to a distributed database (that is, the customer smart card) is more privacy-friendly than third-party controlled access to a centralised database.
At the product level, if the design of a stored value product supports anonymous transactions (that is, a transaction cannot be attributed to a card or customer), as is the case for cash, then the product is unlikely to have a detrimental effect on personal privacy.
The stored value product proposed by MasterCard and Visa, however, is likely to involve transactions being routed to and processed by a centralised system (this approach is likely to be adopted in order to maintain the integrity and security of the payments system).
Regardless, a certain proportion of non-transactional data contained on the card will need to be replicated (or backed-up) by the card issuer on one or more systems, probably together with cardholder details. These systems would be accessed infrequently to, for example, allow re-issue where a card is lost or stolen. Thus, access to this data would need to be strictly controlled with the one or more systems ideally being physically and logically separate from transaction processing systems.
Another issue of concern to personal privacy would be the threat of tracking consumers through their transaction records. Although most consumers would be unlikely to use their debit or credit cards more than once a day on average, the addition of a stored value product could result in up to five transactions being captured daily. Although these are unlikely to occur in real-time (stored value transactions captured by terminals are likely to be forwarded to the processing system no more than once per day), detailed historical customer profiles could be developed over time.
Finally, as has been observed with the recent 'Fly Buys' launch, the capture of data for direct marketing and market research purposes is a key aspect of any loyalty product. While most organisations launching or participating in such loyalty schemes are increasingly unlikely to provide any such data to other organisations (for inevitably, it will fall into the hands of their competitors), they rarely have the systems or controls in place to defeat deliberate attempts to access data (unlike financial institutions). Thus, the privacy of customer personal and transactional data may be compromised by inadequate data security on the part of some participating organisations.
While several key issues pertaining to smart cards and personal privacy have been discussed at a high level in this article, there are many others that have not. In short, smart cards present both an opportunity to improve, and a threat to reduce, personal privacy. Thus, it is critical to incorporate, during the design and development of smart card systems, features and controls that will at least maintain, if not enhance, personal privacy.
Michael Walters, consultant with Electronic Trading Concepts, Sydney.