A white paper released on Thursday by the Smart Card Alliance Inc. said smart cards protect the personal information of users in both the public and private sectors. But at least one Canadian contributor to the report says there is still a need to examine the use of the technology.
The report, entitled Privacy and Secure Identification Systems: The Role of Smart Cards as a Privacy-Enabling Technology, examines the privacy and data security concerns that should be considered when developing a system for individual identity verification. It was produced by the not-for-profit Alliance along with 19 other members, including the U.S. Department of Defence, MasterCard International, the Secure Personal ID Task Force, EDS and the Privacy Commissioner in Ontario.
Smart card technology is already prevalent today, appearing in cellular phones, local gas stations and grocery stores. Visa International developed a Java Card for smart card applications as well. Essentially, the smart card chip is like a tiny computer that has a memory and a storage capacity of around 3MB of data available.
What is still up for debate is how government will proceed with smart cards and if it can find a way to solve the privacy issues. The Ontario government has experimented with smart cards but as of yet, a decision around privacy or the type of information that could be embedded into the chip hasn’t been made in Ontario or at the federal level. Health care is one example of a vertical which could use the technology by putting Canadians’ information on the chip.
The issue in Ontario centres around privacy. In a letter written by Ontario’s Privacy Commissioner Ann Cavoukian in 2001 outlining its position, she wrote: “From the outset, my office has clearly stated that we cannot support a smart card that diminishes the privacy of Ontarians in any way that becomes the de facto government identity card…”
In what continues to be a balancing act between privacy and the accessibility of personal information, a spokesperson at the Commission’s office said that with a strong and viable retail use for the technology already in place, it is something that the government is continuing to examine.
“You have millions [of] smart cards in cell phones and that’s [certainly] commercial success but the government’s questions are different because there are questions that go beyond economics in trying to make the business case for smart cards,” said Mike Gurski, senior IT and policy advisor for the Information and Privacy Commissioner in Toronto.
One of the biggest hurdles to adoption is security, and over the last decade, strides have been made to improve the security around smart cards. While there are risks involved with the technology, the likelihood of successfully breaking down the security is minimal.
“The risks associated with the [security of] smart cards is the reading of the information, cracking the encryption algorithm or you could try to access the electrical path of the microchip, but the risk is [low] because you need a very sophisticated analysis system,” said Horst Karin, manager, information security services at KPMG LLP in Toronto.
As Korin explained, it would require some very sophisticated tools not readily available to the average hacker to break the security. However, as he pointed out, there does theoretically exist a way to steal data – by setting up a mechanism between the smart card reader and the computer, the data could be taken from the card.
Fellow analyst Adel Melek, partner and national leader for the security services practice at Deloitte & Touche LLP in Toronto, said that the security on the smart cards is more than adequate, and in some cases, is even better than what is offered on other devices. Consumers, he said, are ready for smart cards, privacy notwithstanding.
“Technologies like these are going to eventually prevail. Anyone who is fighting against these technologies, it’s a lost battle up front,” he said
The Smart Card Alliance is online at www.smartcardalliance.org.