Smart Cards at the Crossroads: Authenticator or Privacy Invader

By Ari Schwartz, The Center for Democracy and Technology

Published by the Direct Selling Education Foundation, in “At Home With Consumers,” Volume 19/Number 3/December 1998

As our economy moves increasingly into a networked world, more information is collected and retained on the daily interactions of individuals. Everyday individuals unwittingly hand over personal information that quickly finds its way into a consumer profile or “digital dossier.” In the supermarket we hand over our frequent shopper card and pay with a credit or ATM card. The information collected from this transaction is captured and stored and often combined with other information gleaned from “public records” and private sources. Concerns over these “digital footprints” are the basis for growing consumer concerns with privacy in the networked economy.

In the mind of a thoughtful consumer, smart cards escalate these concerns. Creating a single card that could merge their financial affairs with health information and even interactions with government raises unease and mistrust. Individuals fear that a single card will accelerate the centralization and sharing of personal information in ways that will erode privacy. While the increased use of smart cards poses challenges to protecting privacy, smart card designers and policy makers have the opportunity to devise privacy protections that many believe are crucial for gaining the trust of consumers in the digital economy.

Authentication and Smart Cards

Creating tools that will both protect privacy and provide the convenience of the networked world requires us to examine the nature and purpose behind each function of the card, or “application.” Smart cards are diverse, ranging from simple single-function cards like credit cards to cards serving multiple functions, such as a student ID on a university campus which allows access into buildings, pays for meals and serves as a library card. While diverse, all share a common basic function: authentication. A driver's license, e-cash and even a door key are simply tools that authenticate or certify different things about the individual: a driver's license their identity and ability to drive; e-cash their ability to pay for goods; a door key their authority to enter a building. Simply put, authentication is different from identity. We can break authentication into three boxes:

* Identity
Birth certificates and state issued identification cards prove that we are who we claim ourselves to be.

* Eligibility
Various keys allow us, or those with whom we share them, to enter our home, car or office. Documents such as frequent flyer numbers allow us to prove membership in an organization.

* Value
Currency acts as one form of certifier, performing the narrow function of proving that an individual is able to pay for a good or service.

While authentication mechanisms are necessary for a thriving and rich networked economy, their development and implementation raise important individual privacy, system security, and social concerns. These concerns multiply as we begin to use single smart cards to bundle different services, and with them the authentication systems created to support them. For example, when we pay cash we do not expect people to ask for our identity, but on a smart card it is quite possible that the cardholder will be providing this information and more when paying with e-cash. The merging of services could have extreme social effects on consumers; some examples are:

* Centralization of personal information collection
A single card used for different purposes runs the risk of creating a centralized warehouse of data about an individual's activities. Today various record-keepers have information that reflects different aspects of an individual's life. The bank has banking records; doctors have medical records; and credit card companies have records of credit transactions. The walls between these records protect individual privacy in two ways. First, they limit, to some extent, the damage to individual privacy that occurs through either misuse by an authorized user or unauthorized access by an intruder. Second, they place checks on the surveillance and monitoring capacity of each system. If all of an individual's transactions occurred through, or were recorded at, the same source, we would create a powerful center of data on all citizens that would be ripe for misuse and abuse.

* Means for new social controls
The issuing, revoking, or withholding of such a card could be used to control social behavior, limit an individual's activities, or punish unrelated activities. Today, specific tokens enable specific activities. While losing a driver's license may limit a person's ability to drive, it does not affect her ability to purchase goods in the market, seek health care, or engage in other transactions. A single card does not provide the same flexibility.

* Greater collection and use of personal information
When a single card is used across all transactions, it could become a default personal identification or a national ID card. As mentioned above, many of our daily activities require far less “personal” means of certification. A single certifier will result in more data being collected than is needed for many interactions. In the most extreme case it could lead to every online interaction being fully identifiable and traceable to an individual. Utilizing a single card for all purposes could create an electronic trail of all personal interactions.

Keys on a Key Ring

Perhaps the best real-world metaphor for the problems that smart cards pose to personal privacy is the key ring. Given the choice between a ring with multiple keys or a single key to open all doors, most consumers would stick with the key ring despite the initial appeal of the single key. The single key could be easily lost or misused and its functions could not be isolated; the keys would have to remain connected at all times, so by giving someone the key to your car you would in effect be giving them the key to your life. The popular conception of smart cards has been this single key, with the related possibility of tying all data inextricably together, but this does not have to be the case. Cards with complex operating systems are already being devised, but questions remain as to how to maintain the walls between different kinds of personal information. How will the data be stored, and who will have access to it?

Fortunately, at this nascent stage in the adoption of smart cards in the marketplace, smart card designers and policy makers still have the opportunity to heed the advice of consumer and privacy advocates and create a tool offering the convenience intended and protections for privacy. In order to accomplish this goal, smart card designers should be asking themselves questions about privacy, such as:

* What type of authentication is required for this application? Do we need to know “who” the individual is or not?

* How can the collection of information be limited to only what is necessary? Can any of the applications utilize and maintain anonymity (e.g. electronic cash)?

* Has the application changed (technologically or otherwise) since the creation of the application, in a way that may warrant a rethinking of the authentication needed?

* Are there risks of placing this application onto a card with other applications?

* What safeguards are employed to limit the ability to combine and warehouse data elements collected by different applications?

* What protections can be utilized to prevent the disclosure of information across applications?

In short, designers should not be afraid to think about changing the way that old applications were used if the changes will help to protect the consumer on the new format of the smart card.
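The three authentication "boxes" above and the walls between applications that the design questions call for, as an added illustration that is not part of the original article: a toy Python model of a multi-application card in which each application answers only its own kind of authentication question and is seen by a terminal under its own pseudonym, beside the "single key" design in which every application is keyed by one shared identifier. All class, function and sample names are hypothetical and constructed.

```python
from dataclasses import dataclass, field
import secrets

# The three authentication "boxes" from the article.
IDENTITY, ELIGIBILITY, VALUE = "identity", "eligibility", "value"

@dataclass
class Application:
    """One compartment: only the fields its authentication question needs,
    plus the per-application pseudonym that a terminal gets to see."""
    name: str
    kind: str
    record: dict
    pseudonym: str = field(default_factory=lambda: secrets.token_hex(8))

    def answer(self, question, **args):
        # Each compartment answers only the one kind of question it exists for.
        if self.kind == IDENTITY and question == "who":
            return self.record["name"]
        if self.kind == ELIGIBILITY and question == "may_enter":
            return args["door"] in self.record["doors"]
        if self.kind == VALUE and question == "pay":
            if self.record["balance"] < args["amount"]:
                return False
            self.record["balance"] -= args["amount"]
            return True
        raise PermissionError(f"{self.name} does not answer '{question}'")

class Card:
    """Routes each request to exactly one compartment; no call reads across."""
    def __init__(self, apps):
        self._apps = {a.name: a for a in apps}
    def ask(self, app, question, **args):
        return self._apps[app].answer(question, **args)
    def log_entry(self, app):
        # What a terminal records per transaction: app name and pseudonym only.
        return {"app": app, "token": self._apps[app].pseudonym}

def linkable(entry_a, entry_b):
    """Can two terminals' records be joined into one dossier?"""
    return entry_a["token"] == entry_b["token"]

def build_card(shared_token=None):
    """Constructed sample holder. With shared_token=None each application gets
    its own random pseudonym (the key ring); passing one token keys every
    application to the same identifier (the single key)."""
    extra = {"pseudonym": shared_token} if shared_token else {}
    return Card([Application("id", IDENTITY, {"name": "Alice"}, **extra),
                 Application("doorkey", ELIGIBILITY, {"doors": {"lab"}}, **extra),
                 Application("ecash", VALUE, {"balance": 20}, **extra)])
```

With the key-ring build, an e-cash payment and a door entry leave records that cannot be joined; with a shared token the same two records link immediately, which is the centralization risk the article describes.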

While technology can be implemented with an increased focus on protecting consumer privacy, there is still a role for policy makers. Policy makers will need to look into such issues as:

* the ability of government to use the card to track individuals;

* the information handling practices of the different applications on the card; and

* the ability of smart card companies to warehouse and package data for sale to third parties.

Conclusions

Ultimately, smart cards will not be able to succeed if consumers do not trust them. If the tracking ability of the cards weighs more heavily in the minds of consumers than convenience, the cards will not succeed in the market. Now is the opportune time for those who would like to see smart cards succeed to build in privacy-enhancing features and eliminate the valid privacy concerns of consumers.