Home
About ACT Canada
Membership
Resource Centre
Newsletter
Members Only
Glossary
Articles
Presentations
Directory
Calendar of Events
Press Centre
Affiliations
Contact

Presentations

PRIVACY AND SMART CARDS presented at CARDWARE 2001: RIDE THE WAVE

September 6, 2001

by Catherine Johnston, President & CEO, The Advanced Card Technology Association of Canada

In this world there are still small communities where your face, your handshake and your word are all you need. Unfortunately most of us don't live in those communities. We need to carry something that not only identifies who we are, but also what we are entitled to do or have. Without them, we can't prove that we have the right to drive, to travel across borders or in some cases receive medical care. Where we drive and travel, and information about our health is personal and we have the right to privacy.

In essence, our drivers license, passport and medical cards provide entitlement information in the same way that our credit cards carry information that allows future payment to be made for our purchases. We've become accustomed to carrying many cards, either because we want to use the service offered by each, or because a government has mandated us to do so.

Let's take a look at the contents of our wallets. In mine, related to my car, I carry my driver's license, vehicle registration, insurance papers, and gas company loyalty cards. For travel, I have my birth certificate, provincial medical card, travel insurance card, telephone charge cards and numerous other credit cards. In addition to these there are debit cards and a various loyalty programs, video rentals and grocery stores cards.

What do these cards reveal about Catherine Johnston? If we look at the papers that the government issues to me or requires me to carry in order to drive, you would learn my name, address, date of birth, height, the fact that I wear corrective lenses, my driver's license number, which car I drive, my vehicle plate number and you would also have a copy of my signature and picture. In other words, you would have the basics of my identity. It is right there for anyone who cares to read the information on the surface of these cards. Right there for anyone who wishes to steal my identity.

This panel deals with privacy and technology. The technology in my wallet offers no privacy whatsoever. If anything, carrying these cards puts my identity at risk if I lose my wallet.

Let's move to my provincial health card. What does it reveal about me? By comparison to my driver's ID, my health card is a model of discretion. It has my name and signature, as well as the number used by the health care system to identify me as being eligible for provincial health care. Privacy versus technology? This card is the model of privacy but is inefficient as a secure billing mechanism, because it was not designed to withstand attacks by people who counterfeit and sell health cards to people who are not entitled to government paid health care. It also doesn't allow me to add my Doctor's name and phone number, a person to call in case of emergencies, my blood type, drug allergies, current treatments or any other information that would be vital if I were sick and unable to verbally provide it.

If I were a senior citizen, a child or an adult with a condition requiring me to see more than one doctor, my card doesn't allow me to give permission for them to share data electronically. This means that I am more likely to be tested twice for the same condition so that each doctor can have timely test results. It also means that I'm more likely to suffer from a drug interaction since today I'm the only person who can tell each doctor which drugs I am already taking. In addition to these risks, we are seeing a cut back in health care services because budgets are being cut and yet we are not effectively cutting health card fraud.

What has this got to do with privacy and smart cards? Today's government issued cards are extremely easy to counterfeit and so they are readily available for purchase outside of the province. The use of our medical care system by unauthorized persons has contributed to the budget crisis.

You've recently read in the press articles erroneously suggesting that smart cards put our privacy at risk. Clearly the people who write those articles fail to understand the privacy enabling strength of the technology. Most often, if you probe their concerns, you find that it is not technology, but rather policies and procedures that worry them. Because of that, they fail to make use of technology to protect us.

Let's look at how smart card applications can protect our privacy. We know that a smart card is basically a pc on a piece of plastic. Let's compare this to computers. On your corporate mainframe computer you may run a payroll application. If you have physical access to the computer or a terminal linked to it, you do not necessarily have access to the payroll application. The application itself is designed so that only those who are authorized may access the payroll data. Even then, they can't necessarily change it; otherwise payroll clerks would likely have the biggest pay cheques. These mainframe applications are designed so that every field or piece of data is analyzed as to who may view it, add to it, modify or delete it.
The same process is used to develop applications for smart and other advanced cards. This allows us to put information on smart cards and protect it from access by unauthorized persons. It also allows us to make information easily viewable by the card owner, in other words you and me, giving us an opportunity to verify the information on the card.

Can smart card technology protect your privacy? A pioneer in the field of smart cards once commented that they are the only technology in the world designed to kill themselves rather than give up their secrets. Somewhat like the Mission Impossible tapes, but without that sexy little puff of smoke. Smart cards can be programmed to detect intrusions by unauthorized sources and destroy their communication links. We have now seen the first non-military smart card product that has achieved an Information Security (ITSEC) level 6 rating from the CESG, a UK government agency. More will follow, as applications requiring that level of security are developed.

Plans are now in place for leading manufacturers to include smart card reader/writers in new pc's. This will lead to the development of many new applications for smart cards and security to support those applications will be a prerequisite. In the business world, smart cards will be the inevitable e-commerce enabler, because of the security and portability they offer.

The Advanced Card Technology Association of Canada believes strongly in the need to understand privacy protection and to build it into all applications that sit on smart and other advanced card platforms. To that end, we have worked with the Office of the Information and Privacy Commissioner/Ontario to produce two procedures for application designers.

The first deals with single application cards and the newest, which I believe is the first of its kind in the world, is entitled, "Multi-Application Smart Cards; How to do a Privacy Assessment". It teaches the reader the principles of privacy protection and the need to look at privacy systematically. This document stresses that the responsibility for privacy protection is not limited to the data on the card but extends to all mediums on which the data is collected and subsequently stored. The designer is then provided with checklists that allow the assessment and documentation of procedures for each privacy principle. Once the application has been viewed as a whole, the individual data fields are listed on other checklists. These are used to help the designer determine who should have access to each data field and what rights they have to view, add, change, or delete each field. The procedure also identifies the protection in place between applications residing on a multi-application card.

This procedure is designed to ensure that proper thought is given to privacy protection during the design stages of an application. It also builds documentation that records the privacy protection design. Checklists can be copied and used with each new design.

As for public consultation, I believe that the public should be informed, but care must be taken to ensure that they have sufficient information to understand the risks, opportunities, benefits and technologies associated with new programs.

Several years ago the Toronto Star asked a question related to ID cards in their popular "You Asked Us" column. They asked whether citizens would be willing to carry a national ID card. Although more than half who responded by phone said they would, there were several comments about police states and similar concerns. A second question was asked several months later. This time more information was provided as to the reason why such a card would be issued. The question was, "Do you think all Canadians should carry an identity card to crack down on welfare and medicare abuses?" Of 1,535 calls 89% said yes. As individuals we constantly assess the risks that we face in the world and make decisions related to minimizing those risks.

We must look to technology to protect us, but in doing so we must maintain our ongoing rights to protection of privacy. As technology is employed we have the right and, I believe the obligation, to ensure that the new technologies do not expose us to new risks. To that end we must educate ourselves on the ways in which new technologies can be used for privacy protection.

Furthermore we must always be aware of public and corporate policies and be ever vigilant that they are equally committed to preserving our privacy. It is important to recognize that technology is only a tool. Whether it is employed for good or bad purposes is determined by someone's policies, procedures and intent. Focusing on technology in isolation will serve none of us well.

In closing, I would say that the principles of privacy do not change to any great degree. On the other hand, new technologies enter the market place with great speed. Unfortunately, the risks that we face from those who would do us harm grow with each passing year. Theft of identity is becoming one of the fastest growing frauds of rest of this decade.

If we continue to ask questions and debate items such as "privacy versus technology" we will be our own worst enemies. We cannot divert our attention from the real issues of risk. The question and the debate should be on how well and how soon we will use all the tools at hand to protect our privacy and our identity. Only when we demand efficiency and privacy will we start to protect ourselves.

Thank you.

Catherine Johnston
President & CEO
Advanced Card Technology Association of Canada
905 426-6360

ACT Canada is an international non-profit association for the advancement of card technologies. We work on behalf of our members to promote the awareness, understanding and use of all advanced card technologies; including optical, smart, capacitive and emerging technologies. If you would like to learn more about ACT Canada membership please visit the membership section of our web site or contact our office at (905) 426-6360.


Please forward any comments, suggestions, or questions to info(AT)actcda.com

About ACT Canada | Membership | Resource Centre | Directory | Calendar of Events | Press Centre | Affiliations | Contact

Please direct general inquiries, questions, comments and concerns to info(AT)actcda.com
© Copyright 2002-2008 ACT Canada
Privacy Policy