|
Articles - Privacy & Security
Where do we go now?
So many questions
arise from the tragedy
of September 11th,
but one frequently
asked,
hits each and every
one of us. Will we
need
to give up our privacy
to gain security?
Canadians should
refuse to debate
this, because
it isn't the right
question if we are
going
to find a balance
between our right
to privacy
and need for personal
security.
In this world there
are still small communities
where our face, handshake
and word are all
we need. Unfortunately,
most of us don't
live in them. Since
September 11th, we all
live in a global
community where we may no
longer trust the
identity of anyone we don't
personally know.
Now we must be more concerned
about the threat
of identity theft. Until
now we have focused
on proving whom we are
and what we are entitled
to do; using passports,
drivers licenses
and other forms of card
identification as
proof of our identity.
We suffered from
counterfeit identification,
but it was normally
presented in person,
giving us some additional
chance to question
it's authentication.
Today we work and
shop in a virtual world
and it is easier
for people to steal our
identities and impersonate
us. According
to the Federal Bureau
of Investigation, there
are 350,000 to 500,000
instances of identity
theft each year in
the US. In Canada, our
Social Insurance
Number has become a target
for identity thieves.
As far back as 1998,
there were 17% more
Social Insurance numbers
in the registry than
Canadians aged 20 or
older, the age at
which most Canadians have
obtained a SIN. Who
is using that ID and
for what purposes?
It is no longer enough
to prove who we are;
we must also stop others
from impersonating
us, adding to our need
for security.
We routinely make
decisions about our privacy
and security, usually
subconsciously. Over
the past fifty years,
Canadians have made
choices that led
to the installation of locks
and deadbolts on
our doors, as well as security
systems for our homes
and cars. We fingerprint
our children. We
buy and use firewalls and
virus protection
for our computers. Many
of us worry about
using credit cards on the
Internet. Canadians
are cautious.
This caution prompts
us to keep personal
information private,
but now we must make
a very conscious
decision. My information
is private, but if
I don't know and trust
you, I wonder what
you are hiding. Are you
simply trying to
keep similar personal information
private or are you
hiding a secret that could
hurt me? How could
we possibly sit next to
a stranger on a plane
without asking that
question these days?
In the aftermath
of last month's tragedy,
we are being asked
what we are prepared to
give up in order
to increase our security.
It isn't the right
question. There are three
fundamental questions
in a world where we
carry so much personal
information on cards
in our wallets. The
first is whether those
who issue cards do
enough to verify the identity
of the applicant.
The second is whether the
cards they provide
are sufficiently resistant
to counterfeiting.
The third is concerned
with what they do
with the information they
collect.
The first and second
questions are inevitably
linked in a Catch
22 scenario. If someone
has stolen or counterfeited
a driver's license,
they can easily get
other ID, so we must
ensure that all cards
that serve as identification
are as secure as
technology can offer. They
must be highly resistant
to counterfeiting,
as well as privacy
enabling to protect both
personal information
and identity.
The card technology
in my wallet today offers
no privacy whatsoever
and if anything, puts
my identity at risk
if I lose it. Today's
cards have personal
information on their
surface; ready for
use and abuse, so we need
to look at what information
we carry and
insist upon both
privacy and security.
I carry a passport.
I willingly provided
personal data to
get it so that I may travel.
As long as I'm sure
that everyone else with
a passport provided
honest and accurate information,
I gain from the existence
of passports. They
are, in effect, a
type of travel insurance.
The problem occurs
when they are illegally
obtained. The same
is true of driver's licenses,
health cards, credit
and debit cards, as
well as other forms
of identification. So
how do we protect
that information and control
counterfeiting?
Many governments
are turning to a thirty
year old technology
called smart cards. The
Government of Ontario
announced their intentions
in October 1999.
They are now in a position
to provide Ontarians
with cards that will
combat fraud and
identity theft, while delivering
far more privacy
protection for the identification
we carry in our wallets.
These computer chip
cards are designed to
meet both the privacy
and security requirements
of today's world.
You've recently heard people
erroneously suggest
that smart cards put
our privacy at risk.
Most often, if you probe
their concerns, you
find that it is not technology,
but rather policies
and procedures that worry
them. Clearly these
people fail to understand
the privacy enabling
strength of smart cards.
It is the aforementioned
third question that
causes them concern,
but they would rather
curtail the use of
technology than tackle
the harder issues
of policies and procedures.
In doing so, they
fail to make use of technology
to protect us.
Let's look at how
smart card applications
can protect our privacy
and security. A smart
card is basically
a personal computer on
a piece of plastic,
but with mainframe computer
security. Mainframe
applications are designed
so that every field
or piece of data is analyzed
as to who may view,
add, modify or delete
it.
The same process
is used to develop applications
for smart and other
advanced cards, allowing
us to put information
on smart cards and
protect it from access
by unauthorized persons.
It also allows us
to make information viewable
by the card owner,
in other words you and
me, giving us an
opportunity to verify the
information on the
card.
They can be programmed
to detect intrusions
by unauthorized sources
and destroy their
communication links.
We have now seen the
first non-military
smart card product that
has achieved an Information
Security (ITSEC)
level 6 rating from
the CESG, a UK government
agency. More will
follow, as applications
requiring that level
of security are developed.
Smart cards also
have the most extensive
set of security tools
available for a portable
card and those tools
are used to protect
against counterfeiting.
Plans are in place
for leading manufacturers
to include smart
card reader/writers in new
pc's. This will lead
to many new applications
for smart cards and
security will be a prerequisite.
In the business world,
smart cards will be
the inevitable e-commerce
enabler, because
of the security and
portability they offer.
We will also use
them to provide personal
identification, while
maintaining a level
of convenience for
the cardholder.
The Advanced Card
Technology Association
of Canada believes
strongly in the need to
understand privacy
protection and to build
it into all applications
that sit on smart
and other advanced
card platforms. To that
end, we have worked
with the Office of the
Information and Privacy
Commissioner/Ontario
to produce two procedures
for application
designers.
The first deals with
single application cards
and the newest, the
first of its kind in
the world, is entitled,
"Multi-Application
Smart Cards; How
to do a Privacy Assessment.
They are designed
to ensure that proper thought
is given to privacy
protection during the
design stages of
an application
We have to look to
technology to protect
us, but in doing
so we must maintain our
ongoing rights to
protection of privacy.
As technology is
employed we have the right
and the obligation,
to ensure that the new
technologies do not
expose us to new risks.
We must educate ourselves
on the ways in
which new technologies
can be used for privacy
protection and ensure
that we have sufficient
information to understand
the risks, opportunities,
benefits and technologies
associated with
new programs.
Furthermore we must
always be aware of public
and corporate policies
and be ever vigilant
that they are equally
committed to preserving
our privacy and security.
It is important
to recognize that
technology is only a tool.
Whether it is employed
for good or bad purposes
is determined by
someone's policies, procedures
and intent. Focusing
on technology in isolation
will serve none of
us well.
The principles of
privacy do not change to
any great degree
but new technologies enter
the market place
with great speed. Unfortunately,
the risks that we
face from those who would
do us harm grow with
each passing year. Theft
of identity is becoming
one of the fastest
growing frauds of
this decade.
If we continue to
ask questions and debate
issues such as "privacy
versus technology"
we will be our own
worst enemies. We cannot
divert our attention
from the real issues
of risk. The question
and the debate should
be on how well and
how soon we will use all
the tools at hand,
including technology,
to protect our privacy
and our identity.
Only when we demand
efficiency and privacy
will we start to
protect ourselves.
Source: Congressional
Press Release, September
12, 2000
ACT Canada is an international non-profit
association for the advancement of card technologies.
We work on behalf of our members to promote
the awareness, understanding and use of all
advanced card technologies; including optical,
smart, capacitive and emerging technologies.
If you would like to learn more about ACT
Canada membership please visit the membership section of our web site or contact our office at
(905) 426-6360.
Please forward any comments, suggestions,
or questions to info(AT)actcda.com
|
 |
