Privacy Law and Policy Reporter
The Privacy Committee of NSW released its report, 'Smart Cards: Big Brother's Little Helpers', on 25 August 1995. The 80-page report details the privacy and consumer issues likely to arise from the introduction of smart card technology in Australia, with particular emphasis on the use of smart cards as 'stored value cards' or 'electronic purses'.
The media took a keen interest in the report, and the privacy issues associated with smart cards were widely discussed. The report recommended a three-layered approach to addressing privacy and consumer concerns for stored value cards:
The day after the report's release, the NSW Attorney General, the Hon Jeff Shaw, announced that he was committed to introducing new privacy and data protection legislation in NSW, and a Bill is expected to be introduced into Parliament in early 1996.
The second recommendation was also received enthusiastically, and an association of smart card companies under the banner 'Asia-Pacific Smart Card Forum' has agreed to develop a code of conduct. Moreover, they have been provided with funding and staff from the Federal Department of Industry, Science and Technology to complete the task as soon as possible. The working group developing the code of conduct for the Forum is committed to wide community and industry consultation.
The third recommendation is being considered by the Reserve Bank of Australia and the Australian Payment Systems Council. While they are currently adopting a 'wait-and-see approach', they have recognised that:
Any material risk that an issuer of stored value cards would be unable to meet its obligations could disrupt financial system stability if, at some point well into the future, the cards were in very widespread use. Issuers of conventional currency in wide circulation must be undoubted in their capacity to meet their obligation to redeem it, on demand, for full value. The European Monetary Institute recommended that only banks and other supervised financial institutions would be appropriate issuers of widely used, stored value cards. (Australian Payment Systems Council Information Paper on Stored Value Cards, Sydney, September 1995)
Of course the knock-on effect for privacy of such a requirement is that banks and other supervised financial institutions are more likely to be bound by codes of conduct (for example, the Banking Code of Conduct and the EFT Code of Conduct) and strict licensing requirements. Unfortunately, under current legislation, anyone can issue stored value cards, free from any form of supervision.
Five smart card promoters were discussed in case studies in the report.
Mastercard has begun a trial of stored value cards in the Canberra suburb of Belconnen. The trial is expected to last nine months, and will initially involve only the simpler smart card functions. Mastercard differs from other promoters in that it is only offering smart cards linked to a Mastercard debit or credit account. There are no stand-alone or disposable cards.
As a result, consumers have no option other than to forgo their anonymity to participate in the system. This appears incongruous in a system designed to be 'just like cash'.
Mondex International has begun a trial of its smart card system in Swindon in the UK. The system has run into early difficulties with reports from the UK press indicating that the Director of Privacy International, Simon Davies, has reported Mondex to local Fair Trading authorities for allegedly describing its system as anonymous. Davies claims that promotional material issued by Mondex is misleading with respect to customers' transactional data.
Mondex has been holding high level discussions with a number of Australian banks over recent months, and has indicated a desire to expand the system globally, including an Australian franchise. However, the 'anonymity' issue may prove an obstacle to further developments and consumer acceptance.
The 'anonymity' issue is also important in Australia, with the recent launch of the Quicklink card scheme. Quicklink won a NSW Government tender to develop a stored value card system in 1994. At a press conference in October 1994 to mark the event, the then Minister for Commercial Services stressed the importance of anonymity - 'the key benefits of the card to the consumer will include convenience, speedier transactions, ease of use, reduced dependence on coins, and the card's anonymity'.
However, Quicklink are now trialing the system in Newcastle without any anonymous cards in sight. No disposable cards are to be offered in the trial, although they have agreed to conduct market research on disposable cards as a future option. Reloadable cards will be offered, but will not be described in any promotional material as anonymous.
The fact that reloadable cards are not truly anonymous has been recognised by industry representatives for some time. Indeed, Matthew Bowcock from Security Domain (a leading Australian smart card company), speaking at the 'Protecting Information Privacy' conference in Sydney, made the point as early as June 1994, saying 'In many cases consumers want to be able to recharge their cards from their bank accounts at ATMs, EFTPOS terminals, or even from a terminal at home. This means that the card is no longer anonymous, as it can be tied to a completely different card system - one that does rely on identification of the individual.'
Transcard has a head start on other Australian smart card promoters, having completed trials in the western suburbs of Sydney earlier this year. Transcard's own research, conducted during the trial, has produced some interesting early results, including a high level of acceptance for contactless card technology. (Contactless cards can communicate with card readers via low frequency radio waves from a distance of about six inches).
All Transcard cards are reloadable, either by cash, or directly from bank accounts at EFTPOS outlets. At the time of writing, Transcard is hoping to expand their system to other parts of Sydney, and further consideration will be given to the promotion of Transcards as 'anonymous'.
Visa is the only smart card promoter operating in Australia to offer disposable cards. The trial of the Visa smart card system is being conducted on the Gold Coast, and a number of banks and credit unions are participating.
Visa will also be offering reloadable cards, but like Quicklink will not refer to these cards as anonymous in promotional material.
The development of stored value card systems in Australia continues at a rapid pace. Many of the promoters are now giving higher priority to privacy issues and developing individual privacy policies. This is likely to be supplemented by an industry code of conduct, and, in the near future, improved privacy and data protection legislation.
However, the anonymity of stored value cards remains the most controversial issue. Although smart cards are designed as a convenient replacement for cash, there is simply no comparison between most cards on the market and cash itself. The call for improved privacy and data protection legislation made in 'Smart Cards: Big Brother's Little Helpers' remains the most effective option in addressing the privacy issues which arise from this new technology.
In the early trials of smart cards, consumers have been using the cards five or six times a day. Until privacy legislation is introduced, there is very little any smart card promoter can say to reassure consumers about the collection of information on such an unprecedented scale.
Although stored value cards have been at the centre of attention in recent months, there are growing concerns about other smart card applications, particularly in the government sector.
Fears that the introduction of smart card technology might re-ignite the push towards a national identity card, or 'Australia Card', are not entirely unfounded. A combination of the increased availability of card readers and decreasing card and system costs means that the use of smart cards for government functions will be tempting to many departments and government agencies.
Of most concern is the growing support for the proposed use of smart cards as part of a national 'Public Key Authentication Framework' being considered by the Federal Government. The proposal is the result of work undertaken by a Standards Australia Committee known as the 'Public Key Authentication Framework Task Group', which has been looking at aspects of electronic commerce on the Internet and other electronic communications paths.
Their proposal is to offer security and integrity in electronic commerce by developing a Public Key Infrastructure with legislative backing. In such a system digital signatures would perform a role similar to that now played by handwritten signatures in paper based systems. In fact, the proposal will include legislation providing that a digital signature will have the same force in law as a handwritten signature, but only when it meets certain requirements.
The proposed requirements are that the digital signatures are issued by a certifying authority approved by a 'trusted central administration'. In a recent submission to a Senate Committee, Standards Australia described the system in the following terms:
Digital signatures are issued via a certifying authority, a trusted central administration willing to vouch for the identities of those to whom it issues certificates. This function is similar to the Births, Deaths and Marriages administrative function provided by government departments today. To obtain a digital certificate, an individual applies for one from the certifying authority, taking along conventional documents proving his/her identity. (Standards Australia Submission to the Telecommunications Development Inquiry of the Senate Economic References Committee, Canberra, 1995)
A member of the Standards Australia Committee, Mr Steve Orlowski (the Assistant Director of Security Management at the Federal Attorney-General's Department), has recommended the use of smart cards as the device to carry the digital signatures. Smart card readers could be added to computers and even telephones to enable secure communication and commerce. The cards could be multi-function cards, offering digital signature, stored value and telecommunications functions. Mr Orlowski describes the proposal thus:
Such cards could be issued within the public key authentication framework referred to earlier. An individual could apply to a certifying authority for a smart card containing their secret key component of their digital signature. The card would be issued upon satisfaction of the one hundred point criteria currently used by banks to open accounts (where a passport or drivers licence equals forty points, a Medicare card equals twenty points etc). The individual could then use the card for both signature and identification purposes. (Steve Orlowski, Speaking at the Information Technology in Government Conference, Canberra, August 1995.)
From the last sentence of this statement, it might appear that this system contains a number of elements similar to the failed Australia Card proposal. Digital signatures may soon become an essential requirement of modern life, and participation in electronic commerce would then be dependent on carrying a card which contained identifying information, and which was standard across Australia.
But Mr Orlowski argues that the proposal is not 'Son-of-Australia Card'. Indeed, he says that 'obtaining the card would be optional, the user would determine what information other than basic identifying information would be held on the card, and the user would control which of this information would be released through a PIN pad on the card.'
Privacy advocates are warming to the task of responding to this proposal, and the debate should be widened with the publication later this year of a Standards Australia Discussion Paper outlining the details of the proposal. It seems set to ensure that smart cards remain the burning privacy issue of the nineties.
Chris Connolly is a Research Officer at the Privacy Committee of NSW and the coordinator of the Smart Card Advisory Network. He is the author of 'Smart Cards: Big Brother's Little Helpers'. The views expressed here are personal ones.