Roger Clarke's Web-Site
© Xamax Consultancy Pty Ltd, 1995-2014
Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Fellow, Department of Computer Science, Australian National University
Version of 16 March 1996
© Xamax Consultancy Pty Ltd, 1996
This paper is at http://www.rogerclarke.com/DV/ACFF.html
prepared for the Centre for Electronic Commerce, Monash University and The Australian Commission For The Future
and published by the Commission in 'Smart Cards and the Future of Your Money', June 1996, pp. 157-184
This preliminary sub-section provides a brief summary of the current situation in relation to privacy protection in Australia, followed by an outline of the structure of this segment of the Report.
The most commonly cited set of general principles for protecting information privacy is that of the OECD (1980). The principles of most direct relevance to financial applications of smart cards relate to:
The vast majority of the countries in Australia's reference group implemented privacy protection laws in the 1970s and early 1980s. But although Australia acceded to the OECD Guidelines well over a decade ago, it has been very slow to implement laws which would bring it into conformance. Only the Commonwealth public sector and the credit reporting industry are subject to any significant regulation.
Beyond anecdotes, very little authoritative information is available about the attitudes of the Australian public to privacy generally. The only careful study that appears to have been undertaken is a series of surveys between 1991 and 1994 by the Privacy Commissioner's Office, whose key findings were that the confidentiality of personal information held by government and business was a very important social issue; the public was becoming increasingly anxious about others prying into their business; computers were seen as the major threat; and only a small minority believed there were adequate safeguards; however there was a reasonable level of trust in doctors and hospitals, and in particular government agencies; and the vast majority saw the responsibility for protecting privacy as a role for government rather than for individuals.
In relation to smart-card-based financial services, existing law, including the Privacy Act, provides only incidental protections for consumers and citizens.
Very little research has been undertaken to date relating to privacy issues arising in the context of smart cards. The few authoritative reports that have been written stress the need for analysis, and for action to ensure that suitable privacy protections are established.
The situation in Australia in 1996 is that new waves of information technology, such as smart cards, are being introduced in a regulatory vacuum: very little framework exists, within which sophisticated privacy protections can be devised to cope with modern technology.
This segment of the Report commences by examining several matters which establish the framework within which privacy issues arising from smart cards can be addressed. These include the notion of privacy, the threats to privacy, the state of privacy protection in Australia generally, and public opinion about privacy matters. In addition, privacy protection relating to smart cards is considered. The last sub-section clarifies the important concepts of identified, anonymous and pseudonymous transactions.
The body of this segment then undertakes analyses of the opportunities for privacy protection afforded by smart cards, and the threats arising from them. Trade-offs between privacy and other values are assessed, and public opinion about the matter discussed. Relevant smart card schemes are assessed, on the basis of a classification framework.
The remaining sections then consider policy issues arising from the analysis. Firstly, reactions by services providers and regulatory agencies are considered. Policy factors and options are presented, and conclusions drawn.
This segment of the Report has been prepared on the basis of:
During interviews, the issues that were canvassed were as follows:
The focus groups considered a wide range of matters, of which privacy was intended to form a relatively small proportion. In practice, it loomed rather larger than had been intended.
Privacy is sometimes depicted as a 'right'. In most jurisdictions, however, it is not a 'legal right'. Moreover, although it may be argued to be a 'moral right', exercise of a privacy right by one person frequently generates conflicts with other people's privacy rights. It also generates conflicts with other kinds of rights and interests, at the levels of individuals, groups and societies-at-large.
Rather than defining it as a right, a more practicable approach is to treat privacy as:
the interest that individuals have in sustaining a 'personal space', free from interference by other people and organisations.
It has the following dimensions:
With the close coupling that has occurred between computing and communications during the last 15 years, the last two aspects have become closely linked, and are commonly referred to as 'information privacy'.
The scope of this report includes all of these dimensions; but particular weight is placed on the questions of personal behaviour and personal data.
Contemporary society involves large institutions, such as the Taxation Office, the Department of Social Security, Medicare, banks and insurance companies, operating at great 'social distance' from individuals. People do not feel any great affinity to these institutions, and in some cases their morality in their dealings with such organisations is not high.
To guard themselves against human errors, misdemeanours and fraud, these organisations have come to apply a high degree of 'data intensity' to the administration of their relationships with individuals. Associated with these practices has been the explosion of information technologies, including the digital computer, data capture devices, storage devices, and local and tele-communications.
From these technologies has emerged the phenomenon of 'dataveillance'. This is the monitoring of people not through their actions, but through data trails about them. Monitoring of identified individuals is referred to as personal dataveillance, and of whole populations as mass dataveillance.
The physical surveillance of individuals is generally fairly apparent, and oppressive. Dataveillance is less overt, and more surreptitious. It is applied not to the individual themselves, but to a data-shadow of the real person, or 'digital persona'. It sustains the feeling of oppression, but adds to it fears of the unseen and unknown, and significant risks of error, ambiguity and misinterpretation.
Together, these trends have brought about a very considerable increase in the privacy-invasiveness of organisations' operations, and resultant serious public concern about the inadequacy of privacy protections.
One of the many possible purposes to which smart cards may be put is to support the surveillance of individuals through their data. People leave trails of transactions behind them, which disclose a great deal about their patterns of behaviour. Smart cards can be used to generate yet more intensive transaction trails, because they make possible the gathering of data about what have until now been anonymous cash transactions. It is for this reason that the inventor of the smart card in 1974, and the N.S.W. Privacy Committee again in its 1995 report, referred to the smart card as 'Big Brother's Little Helper'.
A primary purpose of this segment of the Report is to examine the extent to which this fear is justified, and whether the benefits of smart cards can be gained without people having to give up yet more of their privacy.
Some limited intrinsic protections exist. Conventional means of submitting people to surveillance require physical resources, specifically people to do the monitoring. It is accordingly expensive, and, in most societies, including Australia's, its use is restrained. Dataveillance, on the other hand, is automated and cheap. With the economic restraint removed, it could be expected to burgeon, and empirical studies of the use of techniques such as computer matching have shown this to be the case.
Other possible protections include political factors (e.g. negative media exposure might cost the perpetrator dearly), and social factors (employees may feel discomfort in invading the privacy of their employers' clients; and professionals may be prevented by their Codes of Ethics from some kinds of behaviour). There is little evidence, however, that such factors act as a significant control on privacy invasions.
There are also a number of largely accidental protections in the common law, such as the torts of confidence and passing off. Studies during the last thirty years have shown that these protections are limited in scope, complex, and of negligible effect.
Since about 1970, most nations in Australia's reference group have recognised the need for action, and enacted substantial legislation establishing controls over privacy-invasive practices. The first round of statutory initiatives created general controls, whereas the more recent 'second wave' is addressing specific industry sectors and particular practices.
The most commonly cited set of general principles for protecting information privacy is that of the OECD (1980). The principles of most direct relevance to financial applications of smart cards relate to:
Australia's response to the need has, however, been very slow and very limited. One State, N.S.W., has had a watchdog agency in place for 20 years, and some form of substantive legislation has seemed imminent on several occasions; but no Bill has ever been passed. Other States have examined the need for privacy protections, but no watchdog agencies currently exist, there is almost no legislation, and there are few sets of guidelines of any consequence.
At federal level, the Privacy Act was passed only in 1988, and only then as a means of gaining the Senate's support for substantial and highly privacy-intrusive enhancements to the Tax File Number scheme. That statute effectively entrenched a great many existing practices within the Commonwealth public sector, but did establish a range of controls over agencies' practices, and has led to a greater degree of openness and confidence among agencies in their dealings with the public. Critically, it established a permanent 'watchdog', the Privacy Commissioner, who operates within the context of the Human Rights & Equal Opportunities Commission.
The Act's original scope was restricted to (the majority of) public sector agencies. It was subsequently extended to cover credit reporting. Consideration has subsequently been given to further extending its scope, to cover other industry sectors. However, the Information Privacy Principles (IPPs) it embodies were written to apply to public service practices, and are long, legalistic and defensive. Their appropriateness as a starting point for the regulation of private sector practices is accordingly very limited.
In addition, privacy-protective frameworks conceived in the context of 1970s technology have been undermined by significant subsequent technological change. Reference therefore needs to be made to more recent sources than the OECD Guidelines and the IPPs, such as the Australian Privacy Charter of 1994, and the European Directive of 1995.
The situation in Australia at the end of 1995 is that new waves of information technology, such as smart cards, are being introduced in a regulatory vacuum: very little framework exists, within which sophisticated privacy protections can be devised to cope with modern technology.
A great deal of anecdotal evidence exists evidencing the Australian public's attitudes to privacy; for example, the public demonstrations and the dramatic flood of letters to newspaper editors that expressed opposition to the Australia Card proposal in 1987; the strong reactions engendered in the public by talk-back radio hosts and television programs from time to time, on a wide variety of topics; and the pattern which emerged during the focus groups conducted for this study, which showed that privacy becomes more of an issue when one activist in a group stirs up the others. However, strong public reactions are seldom invented by media coverage or stirring oratory, but rather they arise because there is already a latent feeling of concern, and the 'stirrer' strikes a chord or a raw nerve, or provides a nucleus for the expression of opinion.
Beyond anecdotes, however, there is very little authoritative information available. Prior to this study, the only significant research that appears to have been undertaken is a series of surveys between 1991 and 1994 by the Privacy Commissioner's Office, a summary of which was published in August 1995. Key conclusions from this Report are summarised in Exhibit 1.
Discussions about smart card based schemes inevitably involve questions about the extent to which data recording transactions identifies the parties, particularly those parties who are humans, rather than corporations. This preliminary section accordingly identifies the different degrees of identification, as a prelude to subsequent analysis.
An identified transaction is one in which the data can be readily related to a particular individual. This may be because it carries a direct identifier of the person concerned, or because it contains data which, in combination with other available data, links the data to a particular person.
Anonymity, on the other hand, refers to the complete absence of identification data in a transaction. The key characteristic of an anonymous transaction is that the specific identity of one or more of the parties to the transaction cannot be extracted from the data itself, nor by combining the transaction with other data.
Some examples of non-identified, anonymous transactions include:
People desire anonymity for a variety of reasons. Some of these are of dubious social value, such as avoiding detection of their whereabouts in order to escape responsibilities such as paying debts and supporting the children from a broken marriage; avoiding retribution for financial fraud; and obscuring the flow of funds arising from illegal activities such as theft, drug-trading and extortion (commonly referred to as 'money-laundering').
Other reasons for seeking anonymity are of arguably significant social value, such as to avoid being found by people who wish to inflict physical harm, to obscure the source of information made available in the public interest (in particular, journalists' sources and 'whistle-blowing'), to avoid unjustified exposure of information about people's private lives (particularly in the case of celebrities), to keep personal data out of the hands of marketing organisations, and to prevent government agencies using irrelevant and outdated information, of varying meaning and quality.
There are many circumstances in which the interests of all parties to a transaction can be protected, despite the absence of a record of identity; for example, by authenticating the party's eligibility and/or capability to conduct that particular kind of transaction, rather than by authenticating the individual themselves.
It is commonly assumed that a tension exists between the proponents of all transaction data being identified (typified by the presumption that "the only people who want privacy are the ones with something to hide"), and the adherents to the view that all data is private. In fact, another alternative exists which can be used to address the desires of both sides.
A pseudonym is an identifier for a party to a transaction, which is not, in the normal course of events, sufficient to associate the transaction with a particular human being. Hence a transaction is pseudonymous in relation to a particular party if the transaction data contains no direct identifier for that party, and can only be related to them in the event that a very specific piece of additional data is associated with it. The data may, however, be indirectly associated with the person, if particular procedures are followed.
There are several ways in which the requirements of pseudonymity can be achieved. One is the storage of partial identifiers by two or more organisations, which must both provide their portions of the transaction trail in order that the identity of the party can be constructed.
A more common way is to:
Such mechanisms already exist in a variety of settings; for example, epidemiological research in the health-care and social-science arenas needs longitudinal data, including demographic data about the individuals concerned, but does not necessarily need to know their identities: a pseudo-identity is sufficient.
Another example is 'anonymous re-mailers', which enable individuals to obscure their identities when they send email messages, by filtering them through a service which undertakes to protect the linkage between real and nominal identity. Such undertakings may be iron-clad, and the transactions thereby entirely anonymous, where the service-operator and its clients forego a transaction trail, and thereby any form of traceability. In many cases, however, a transaction trail is likely to be maintained, and be subject to, for example, court orders, search warrants and subpoenas; and the messages are therefore pseudonymous rather than anonymous.
There are also applications in the area of financial services, whereby some financial institutions in some countries protect the identities of companies and individuals which have deposits with them, or undertake transactions through them. Similarly, buyers and sellers on exchanges which deal in stocks, shares, financial derivatives and foreign currencies do not, and do not need to, know the identity of the other party to the transaction. Innovative mechanisms which have been developed to serve the interests of the wealthy are capable of adaptation to the needs of people generally.
Debit-cards and credit-cards necessarily carry some form of identification, because the nature of the service is such that each transaction must be recorded against an account. On the other hand, stored value transactions using smart cards can be anonymous. This occurs if the card carries no identification, and no record is kept of who purchased it, loaded or re-loaded it, or spent money using it. An intermediate approach in the case of smart cards is to record data about each transaction performed using it, including an indirect identifier. This might be an account number or a chip-number, such that the owner is not apparent from the number or other associated data, and can only be inferred by accessing a cross-index which is subject to technical and legal protections.
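The two mechanisms just described (a cross-index split between organisations, and a chip-number used as an indirect identifier in the transaction trail) can be shown concretely. The following is an added example, not code from the Report or from any of the schemes it discusses; the organisation names, the `Scheme` class and the warrant flags are illustrative assumptions. The identity is stored only as two XOR shares, one at the issuer and one at an independent custodian, so either organisation's portion on its own is a uniformly random string; the trail records the chip number alone, which is enough to link a card-holder's transactions to one another over time without naming the holder.

```python
"""Pseudonymous transaction trail with a split cross-index (added example)."""
import secrets


def split(identity: bytes) -> tuple:
    """Two-party XOR split: each share alone is a uniformly random string."""
    share_a = secrets.token_bytes(len(identity))
    share_b = bytes(x ^ y for x, y in zip(identity, share_a))
    return share_a, share_b


def join(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the two shares; both are required."""
    return bytes(x ^ y for x, y in zip(share_a, share_b))


class Scheme:
    """Card issuer plus an independent custodian (hypothetical roles), each holding half the cross-index."""

    def __init__(self) -> None:
        self.issuer_index = {}     # chip number -> share held by the issuer
        self.custodian_index = {}  # chip number -> share held by the custodian
        self.log = []              # (chip number, merchant, cents): the pseudonymous trail

    def issue_card(self, identity: str) -> str:
        """Assign a random chip number; store the identity only as two shares."""
        chip_no = secrets.token_hex(8)
        a, b = split(identity.encode())
        self.issuer_index[chip_no] = a
        self.custodian_index[chip_no] = b
        return chip_no

    def transact(self, chip_no: str, merchant: str, cents: int) -> None:
        """Record a transaction against the indirect identifier only."""
        self.log.append((chip_no, merchant, cents))

    def trail(self, chip_no: str) -> list:
        """Longitudinal linkage works without ever knowing who holds the card."""
        return [(m, c) for n, m, c in self.log if n == chip_no]

    def reidentify(self, chip_no: str, issuer_release: bool, custodian_release: bool) -> str:
        """Only when both organisations release their portion can the name be rebuilt."""
        if not (issuer_release and custodian_release):
            raise PermissionError("both share-holders must authorise release")
        return join(self.issuer_index[chip_no], self.custodian_index[chip_no]).decode()


def single_share_reveals_name(scheme: Scheme, chip_no: str, identity: str) -> bool:
    """True if either stored portion is the identity in clear (it should never be)."""
    return identity.encode() in (scheme.issuer_index[chip_no], scheme.custodian_index[chip_no])


def demo() -> dict:
    """Issue one card, record two constructed transactions, then attempt re-identification."""
    scheme = Scheme()
    chip = scheme.issue_card("Jane Citizen")   # constructed sample identity
    scheme.transact(chip, "newsagent", 250)
    scheme.transact(chip, "bus", 180)
    out = {
        "trail": scheme.trail(chip),
        "name": scheme.reidentify(chip, True, True),
        "leaks": single_share_reveals_name(scheme, chip, "Jane Citizen"),
    }
    try:
        scheme.reidentify(chip, True, False)
        out["one_sided"] = "allowed"
    except PermissionError:
        out["one_sided"] = "refused"
    return out


if __name__ == "__main__":
    print(demo())
```

The XOR split is the simplest form of the 'partial identifiers held by two or more organisations' arrangement; a threshold scheme would generalise it to any k of n custodians. The legal protection the text refers to is modelled here only as the two release flags, which in practice would be a warrant or court order served on each holder.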
It was noteworthy that on one occasion that pseudonymity was raised by an industry interviewee during the course of this study, it was clear that the matter had not been sufficiently thought through (in particular, no appreciation was shown of the need, in some forms of both health and market research for example, for future transactions to be associated with previous ones). This suggests that considerable additional exposure is needed for the principles of pseudonymity, in order to ensure that corporate strategy and public policy choices are fully informed.
Very little research has been undertaken to date relating to privacy issues arising in the context of smart cards. Apart from a small number of conference papers, there are important documents published by the Ontario Information and Privacy Commissioner (April 1993), the N.S.W. Privacy Committee (July 1995), and the Australian Privacy Commissioner (August 1995). These stress the need for analysis and action, to ensure that suitable privacy protections exist.
Existing law, including the Privacy Act, provides only incidental protections for consumers and citizens in relation to smart-card-based financial services. Industry Codes of Practice and Conduct provide some further, but generally vague, and unenforceable, protections. In particular, the EFTS Code of Conduct, which is unenforceable, but generally complied with by financial institutions, applies only to transactions undertaken using a card and PIN. Transactions undertaken using smart cards, especially with stored-value cards (SVCs), are generally designed to be performed without a PIN. (Exceptions exist, e.g. when downloading value using a debit-card; and with MasterCard Cash, which may require a PIN every 10th transaction). However, in general, SVC transactions are not subject to the EFTS Code of Conduct as it is currently expressed.
The Code of Banking Practice and the Australian Banking Industry Ombudsman (ABIO) address issues arising from breakdowns in system processes or security, or from criminal attack; but breach of privacy is outside the ABIO's terms of reference. Moreover, the organisation's scope is limited to banks, and excludes other forms of financial institution. The Telecommunications Privacy Committee of the Australian Telecommunications Authority (Austel) is similarly sectorally limited and although it has published a discussion paper on the matter, it remains very much under-developed as a privacy protection mechanism.
The FBCA's summary was that the existing privacy protection regime is completely inadequate as a framework within which to establish more specific privacy protections in the area of smart cards. It is accordingly highly desirable that privacy legislation be enacted which applies to the private sector.
Chip-cards embody the capabilities to either provide substantial privacy protections, or to significantly increase the privacy-invasiveness of schemes, depending on the details of the scheme's design. This section examines firstly the possibilities which exist for using smart cards to protect privacy, and then the threats that they entail. This is followed by an examination of the trade-offs between privacy and other considerations, and a review of the available information about the Australian public's attitudes to privacy in the context of smart cards.
At one extreme, it is technically entirely feasible to devise a scheme which provides secure value-transfer, without any record being kept at all, and in particular without any record being kept of the individual's identity. Schemes have been demonstrated in which both sides of the transaction are entirely anonymous, and others in which only one side is anonymous, in particular the payer (e.g. a scheme established by David Chaum of Digicash). This latter approach has the advantage that taxation authorities can establish evidence that funds reached an account.
Hence the discussion of the privacy implications of smart cards in financial services must contemplate fully anonymous schemes which have very limited privacy implications; pseudonymous schemes in which the privacy risks are manageable; and fully identified schemes which are inherently privacy-invasive.
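The payer-anonymous scheme mentioned above rests on Chaum's blind-signature construction: the bank signs a value it cannot read, the payer strips the blinding factor, and the resulting token verifies under the bank's public key yet cannot be matched to any withdrawal record. The following is an added example written to illustrate that mechanism; it is not Digicash's code and not part of the Report. The RSA modulus is a toy (two million-scale primes, assumed here purely so the arithmetic is readable), the serial-to-field hash is a plain SHA-256 reduction, and the `Bank` and `Payer` classes are illustrative; a real scheme would use a 2048-bit modulus and a full-domain hash. The bank's deposit ledger still shows which merchant account the funds reached, which is the property the text attributes to the one-sided scheme.

```python
"""Payer-anonymous tokens via Chaum-style RSA blind signatures (added example)."""
import hashlib
import secrets
from math import gcd

# Toy RSA parameters: assumed here only for readability; far too small for real use.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def h(serial: bytes) -> int:
    """Map a token serial into Z_N (demo-only hash; real schemes use a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Bank:
    """Holds the signing key; sees identified withdrawals and identified deposits, nothing linking them."""

    def __init__(self) -> None:
        self.withdrawals = []   # (account, blinded value): the identified side
        self.deposits = []      # (merchant account, serial): where the funds landed
        self.spent = set()      # serials already redeemed, for double-spend rejection

    def withdraw(self, account: str, blinded: int) -> int:
        """Debit `account` and sign the blinded value. The serial is never seen here."""
        self.withdrawals.append((account, blinded))
        return pow(blinded, D, N)

    def deposit(self, merchant_account: str, serial: bytes, sig: int) -> bool:
        """Verify the unblinded signature, reject replays, credit the merchant."""
        if pow(sig, E, N) != h(serial):
            return False
        if serial in self.spent:
            return False
        self.spent.add(serial)
        self.deposits.append((merchant_account, serial))
        return True


class Payer:
    def __init__(self, account: str) -> None:
        self.account = account

    def make_coin(self, bank: Bank) -> tuple:
        """Blind a fresh serial, have it signed, then unblind: (serial, signature)."""
        serial = secrets.token_bytes(16)
        while True:
            r = secrets.randbelow(N - 2) + 2
            if gcd(r, N) == 1:
                break
        blinded = (h(serial) * pow(r, E, N)) % N
        blinded_sig = bank.withdraw(self.account, blinded)
        # (m * r^e)^d = m^d * r, so multiplying by r^-1 leaves m^d: a valid signature on m.
        sig = (blinded_sig * pow(r, -1, N)) % N
        return serial, sig


def linkable(bank: Bank, serial: bytes) -> bool:
    """Can the bank match a redeemed serial to a withdrawal record by inspection?"""
    return any(blinded == h(serial) for _, blinded in bank.withdrawals)


def demo() -> tuple:
    """Withdraw one token, spend it, replay it, forge one; report what the bank learned."""
    bank = Bank()
    payer = Payer("acct-alice")            # constructed sample account
    serial, sig = payer.make_coin(bank)
    first = bank.deposit("acct-merchant", serial, sig)
    replay = bank.deposit("acct-merchant", serial, sig)
    forged = bank.deposit("acct-merchant", b"forged-serial", sig)
    return first, replay, forged, linkable(bank, serial), bank.deposits[0][0]


if __name__ == "__main__":
    print(demo())
```

Because the blinding factor r is random and known only to the payer, the value the bank signed is uniformly distributed regardless of the serial behind it, so the withdrawal ledger carries no information usable for matching. The double-spend check works only because the bank is online at deposit time; an off-line stored-value card needs additional machinery (Chaum's later schemes reveal the payer's identity only on a double-spend), which this example does not attempt.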
This section considers a number of ways in which smart cards have been argued, or might be argued, to protect privacy.
Claims have been made on occasions that smart-card-based storage of personal data will provide enhanced privacy protection.
There are few schemes which involve the storage of data exclusively on a card carried by an individual. In general, this would create great fragility in the system, because of the danger of loss of the data without the ability to recover it. There will therefore be in most cases an arrangement whereby data stored on a card is also stored in some separate database.
Where the backup copy is as much under the control of the individual as the card is, then the scheme can be reasonably argued to be strongly privacy-protective. However, as both the FBCA and the Attorney-General's Department noted in interview, the potential positive privacy impact of storing data on a smart card in the possession of the individual is of little consequence, because of the inevitable duplication of the data in another location.
The Attorney-General's Department and the FBCA acknowledged that cards that did not carry the identity of the card-holder had potential for privacy protection; but once again considered that the positive impact is slight, because non-identified cards are likely to be used primarily to replace cash transactions, and cash transactions are already anonymous.
This was particularly so because of the maximum amounts that appear likely to be set by banks (encouraged by law enforcement authorities), or in practice applied by consumers in order to protect their funds. The Attorney-General's Department has the impression that the maximum value to be placed on disposable cards is of the order of $20-$50. (Maximum value on pseudonymous and identified cards, on the other hand, appears more likely to be in the range $300-$1,000).
Most smart cards are designed to support multiple applications. This is achieved by providing separate 'zones' within the card which are segregated from one another, and hence enable the various applications to be operated independently from one another.
The use of segregated zones on the card was recognised by the Attorney-General's Department as having theoretical value for privacy protection. In practice, however, both the Department and the FBCA recognised that shopping will take place in one of the zones of the card; although there could be some advantage if, say, road-tolls, were in a separate zone. In any case, the use of multiple segregated zones on one card is merely a replacement of, say, six cards, with one card with six zones. It therefore represents at best only a 'holding of the line', rather than any improvement. Moreover, the danger remains of organisations which operate different zones sharing the resultant data separately from the card.
The FBCA noted that the growing incidence of multiple-participant 'loyalty cards' has the effect of establishing linkages among the multiple cards or multiple zones. This movement can provide benefits to consumers, but can also have deleterious effects, such as by limiting the availability of a service depending on some largely irrelevant test, for example, credit-worthiness when the payments are made by direct debit or value-transfer. It was noted that government agencies are able to apply sanctions which are disproportionate to the original defect, and are therefore the best debt-collectors, and hence valuable members of a loyalty club. (This is referred to among data surveillance researchers as 'cross-system enforcement'). However, the focus group discussions suggested that the gloss may have already gone off loyalty schemes.
It has been argued by some scheme developers that their schemes protect privacy because the line-item details of purchases are not recorded, and that only the consumer and the merchant know them.
While highly desirable from a privacy viewpoint, this was not considered by the Attorney-General's Department to be in any sense an addition to privacy-protections. This is because line-item details of SVC transactions represent additional data that was not previously available to anyone at all.
In a 'fully accounted' scheme, the summary data (generally the total value, date, time, and terminal and merchant identifiers) is transmitted to a central point and stored. This represents, in its own right, a significant increase in the trail, and hence in the evidence relating to the person's behaviour.
Conventional written signatures provide a (limited) degree of confidence that letters, memos and cheques were actually sent by the right person. In the case of electronic messages, public key cryptography offers the prospect of 'digital signatures' which provide far greater confidence in the authenticity of messages' origins.
The digital signature mechanism requires secure storage and processing capabilities (to hold the private key and perform the signing computation), and hence many proposed schemes incorporate a chip in the possession of each individual, most commonly carried on a smart card. The means of validating digital signatures (referred to as public key authentication facilities - PKAF) is claimed by its proponents in industry and government to function in a privacy-sensitive manner: the recipient of a message has to know the identity of the person who purported to send the message in order to authenticate the signature.
It is likely that a biometric measure may be proposed as an adjunct to such signature-verification cards, to ensure that the individual using it is the person to whom it was issued. However it is claimed that this can also be implemented in a privacy-sensitive manner. This is because the biometric needs to be stored on the card, but not necessarily in any central database. If it is stored centrally, it could be stored in a location of the individual's choice, and protected by the individual's key.
Digital signature verification with the aid of smart cards is a current and rapid area of development, and its public policy implications need careful consideration.
Public understanding of the matters discussed in this section is very limited. Indeed, it appears that some scheme operators may not be fully aware of important aspects of the analysis pursued in this part of the Report; for example, the ACCC noted the incidence of misleading assertions by scheme-operators about such matters as anonymity; and several members of the financial services industry mis-used the term 'anonymous' during interviews.
Hence public awareness and education campaigns are needed in relation to smart cards generally, and consumer financial applications in particular, targeted not only at the general public, but also at staff within the financial services sector.
There is a substantial number of ways in which smart cards may have negative effects on individual privacy. Exhibit 2 summarises them, and the following sub-sections discuss each in turn.
(1) The Front-Line Concerns
(1.1) Greatly Increased Intensity of Transaction Trails
'whereas your credit-card and debit-card generated a trail of 5-10 transactions per month, or perhaps per week, your smart card can enable the recording of your whereabouts and what you were doing 5-10 times per day'
(1.2) Exploitation of the Transaction Trails
(a) by government agencies for purposes which were not the original purposes for which the data was gathered, which increases the risk of misunderstanding and misinterpretation due to differing data definitions and inadequate data quality standards, and represents oppressive use of the State's power over individuals
(b) by consumer marketing corporations to better target prospects for their goods and services, involving the exercise of information-based power to manipulate consumers and compromise their freedom of self-determination
(1.3) The Risk of 'Function Creep'
(1.4) Potential for Operation Without Consumer Consent
(2) 'Proof of Identity' Concerns
(2.1) 'Proof of Identity' in Relation to the Acquisition or Use of a Card
(2.2) Use of a Smart Card as Multi-Purpose 'Proof of Identity'
(3) Other Areas of Concern
(3.1) Access for Audit and Risk Management Purposes
(3.2) Casual Disclosure of Personal Data
Smart cards offer the prospect of much cheaper data capture, storage, and transmission than has previously been available. Schemes using smart cards can therefore be designed to gather far greater volumes of data about people's behaviour than ever before. Scheme operators may do so because of a desire to convert transactions that were previously anonymous into recorded, identified records of behaviour; but there are a number of other reasons for doing so which play a role in many of the schemes. In order to provide context to this vital aspect of smart card schemes, it is important to first consider the nature of the transaction data that arises from existing payments mechanisms.
Large-value transactions, primarily purchases of significant goods and the settlement of significant debts, have been recorded in identified form for at least a century, since the emergence of the cheque as the dominant payment mechanism. Progressively, relatively expensive cheque-processing has been giving way to transactions conducted using cards. Credit-card and debit-card transactions, both manual and more recently computer-supported, are currently used for a large proportion of consumer transactions, both large (say, greater than $100) and medium (say, $20-$100). Cards carry identification data in the embossing, and on magnetic stripes, and give rise to a substantial trail of the medium- and high-value transactions conducted by card-holders.
The volume of small-value transactions is much larger than that of medium- and high-value transactions. They have continued to be conducted almost exclusively using physical cash, i.e. notes and coins. Although some rare instances have occurred in which a person has been traced through the use of banknotes' numbers, cash transactions are essentially anonymous in nature. The use of smart cards to deliver inexpensive value-transfer enables low-value transactions to be cost-effectively performed using electronic means. The effect could be described as follows: 'whereas you've been used to using your card 5-10 times per month, or perhaps per week, you'll use your smart card 5-10 times per day'.
Some stored value schemes have been designed to be as anonymous as the physical cash they replace. On the other hand, many schemes are designed to record data about the transaction. If the data contains an identifier, it is feasible for individuals' movements and activities to be tracked in much greater detail than before, and retrospectively analysed.
Where transaction trail data is gathered and processed by corporations with an interest in marketing, it is viewed by many people as consumer manipulation. Where this is done by governments, it may represent anything from a balanced and fair mechanism for protecting the public purse, to an oppressive exercise of power by the State over the citizen.
There is also the scope for transaction trail data to be used by individuals against one another. This raises concerns about embarrassment to individuals. It also raises more general fears about the viability of representative government, because of the ease with which smear campaigns could be mounted against candidates for election to public office.
Where identified or pseudonymous data about low-value transactions is recorded, it is important to distinguish where it is stored. If it is maintained on the chip alone, then the data remains under the control of the individual concerned, and the privacy implications are very limited. Where it is stored for a short time (e.g. for 24 hours, to enable reconciliation to be performed, and any queries to be resolved), and especially where it never goes any further than the terminal at which the transaction was conducted, the privacy implications are still quite limited.
Where, however, identified or pseudonymous data finds its way into long-term storage, a very substantial leap in data intensity occurs, and substantial risks are created. The privacy-invasive effect of schemes involving identification could be summed up, by extending the earlier depiction of card-use, as follows: 'whereas your credit-card and debit-card generated a trail of 5-10 transactions per month, or perhaps per week, your smart card can enable the recording of your whereabouts and what you were doing 5-10 times per day'.
The primary focus of this study is SVCs, and to a lesser extent the migration of credit-card and debit-card functions to smart cards. Another closely related application is the use of chips to customise digital mobile telephones to a particular person. The combination of the two raises the spectre of the construction of a transaction trail of not only an individual's locations, but also their communications partners.
The Australian Privacy Foundation, in an interview undertaken as part of this study, questioned the need for so much data to be gathered and retained as part of the various schemes. It considers that a significant part of the motivation to retain data, and in some cases to gather it in the first place, may derive from purposes other than the primary service. This is further discussed in the following section.
Some possible mitigating factors need to be considered. One is the explicit 'trading-off' of privacy for some form of consideration, e.g. price-discounts or 'loyalty'-system points in return for rights to gather and use transaction data. This is at least nominally an act of free choice on the part of each individual. It is being practised in some parts of the United States, and forms part of the business case underlying at least one of the schemes being launched in Australia (Transcard). Such incentive and award schemes are capable of being designed to be data-intensive and potentially privacy-invasive, or alternatively in a privacy-sensitive manner.
However, consumer participation may not be an act of free choice if all organisations offering a particular service apply the same conditions. The FBCA expressed concern as to the extent to which corporations and industries would use market power to make consent meaningless; e.g. apart from credit-granting, which is already regulated, consider insurance industry pooling of claims data. The Australian Privacy Foundation also drew attention to what it claims is abuse of authority to access personal data committed by Telstra in its application form for the Telstra/ANZ card, whereby the statutorily specified clauses in relation to access to credit reference data have been extended to authorise use not only for credit-granting, but also for marketing purposes.
From a privacy perspective, the increase in intensity of people's transaction trails represents a very serious concern. Given the newness of the technology, however, the level of awareness of the Australian public of these matters is very low, and it would be unreasonable to expect a consensual social view of the issues to emerge in the short term.
Two ways in which intensive smart-card-enabled data trails may come to be exploited are:
At present, there appear to be no government proposals to use smart cards to generate intensive transaction trails, nor to gain routine access to trails generated by private-sector schemes. Indeed, during the early 1990s, rumours about the possibility of a smart-card-based 'health card' being introduced prompted denials by successive Commonwealth Health Ministers of any intention to involve smart cards in health care.
There has, however, been a succession of dataveillance schemes implemented or proposed by government agencies during recent decades, particularly by Commonwealth agencies. Schemes are also being developed or proposed by governments overseas, in such areas as health (e.g. the United States, and the province of Ontario), and identification cards / passports / visas (e.g. the European community). It would be naive to expect that similar proposals will not re-emerge in Australia in the near future. Depending on the nature of the designs, and the degree of public awareness of and participation in the process, they may prove to be highly contentious.
Some agencies such as the Australian Tax Office and the Department of Social Security have sweeping statutory powers to access personal information held by both government agencies and corporations. In the absence of new laws, such agencies will have the power to demand the additional information that may arise in the context of smart-card-based schemes. It would be reasonable to expect that they would do so, at least in some circumstances. These powers do not involve oversight by the Parliament, nor by the Privacy Commissioner, and these agencies are under no obligation to seek a reasonable balance between privacy and other interests. Consideration should be given to imposing on such agencies the responsibility to balance privacy against other interests, and to providing the Privacy Commissioner with the power to review the manner in which those agencies decide on that balance.
Financial applications of smart cards are generally being developed by the private sector, rather than by governments. Their primary purpose is the facilitation of payments. In many cases, another reason for gathering identified data may be to contribute to the security of the scheme itself, and in particular to enable the flows of stored value to be reconciled, and patterns of usage monitored. In a 'fully accounted' scheme, this is done in order to be able to detect signs of counterfeiting.
Any retention of identified or pseudonymous data beyond a period in which claims, queries, reconciliation and monitoring may reasonably need to be performed appears to be unnecessary to the primary purposes. Careful analysis is required to determine, in each particular case, whether there is any need for the transaction data to be, or to remain, identified.
In at least one case (Transcard, which is more than just an SVC), there is an expressed intention to produce, as a by-product, information of value to market research. This necessitates the association of socio/demographic profile data with the transactions; but the actual identity of the individuals is not needed by market research users.
Recently, some scheme operators have provided public assurances that their schemes are not intended to produce information for marketing purposes. However, the original documentation promoting some of the schemes mentioned as a major feature, or as a side-benefit, the production of data about the consumption patterns of individual people. In summary, the public perception that the transaction trails generated by smart card based transactions will be, or at least may be, used for extraneous purposes, is not far-fetched.
The FBCA is concerned about the availability of consumer transaction patterns, and their being sold and rented on to third parties. Its 1995 report raised the question "will information about transactions be used only to operate the payments system, or could it be passed to third parties and used for other purposes, such as direct marketing?" (p.???). It foresees that smart-card-based schemes may result in data becoming more readily available; and hence mechanisms are needed to control data flows.
The Privacy Committee of NSW Report (August 1995) also referred to the opportunities that smart cards provide for gathering data that can be used for marketing and other purposes (p.???). In an interview conducted as part of this study, the N.S.W. Department of Fair Trading expressed concern about the possibility of data captured for loyalty schemes being used by issuers and merchants for marketing purposes. It considered that the terms and conditions need to be carefully examined to see whether this is spelt out.
These concerns, together with the Privacy Commissioner's study findings and the focus group discussions, lead to the conclusion that protection for personal data arising from transactions is an aspect of great importance to consumers. Regulatory action of some kind is already overdue, and the need is exacerbated by the emergence of smart-card-based schemes.
The Privacy Commissioner's Office, the Attorney-General's Department and the Australian Consumers' Association separately expressed considerable concern about what has been termed 'function creep'. By this is meant the commencement of a scheme with a small number of uses, but with accretion of additional uses (and often intrinsically more invasive ones) at a later stage.
This implies a need to draw the line at the very beginning, impose privacy standards, and deny just-in-case collection of data and the creation of future potentialities. The Privacy Commissioner's Office also argued that this implies the need for ongoing vigilance, because of the ease with which card-issuers unilaterally modify terms and conditions subsequent to the original launch of a product.
The Privacy Commissioner expressed concern that the Australian market may be too small to enable stored-value cards to be cost-justifiable in their own right. This view has also been expressed by one of the major international card scheme operators. If so, there will be an economic imperative to run on the same card both stored-value and other applications (such as debit-card, credit-card, and incentive / award / loyalty programmes). Privacy advocacy groups and regulators alike will need to be satisfied that the various applications, and the transaction data arising from them, can be successfully segregated from one another.
In general, schemes are being designed in such a manner that the active (and presumably also informed and freely-given) consent of the consumer is necessary before the card and a terminal will process a transaction, such as transferring value from an SVC to a vending machine or retailer terminal.
However, proximity technology and contactless cards raise the prospect of chips being operated without the knowledge of the person carrying them. One example is the confirmation of the identity of a card being carried into a zone within a building. Another is the deduction of value, particularly in such applications as road-toll collection, where value must be transferred at speed and therefore human intervention may be too slow. This would have serious implications for the notion, and perhaps the practicability, of consent.
The Privacy Commissioner's Office drew attention to the data that may need to be presented by individuals to 'prove' their identity, as a condition of obtaining a public key and the card that is likely to go with it. This may result in a data base of information about individuals that would represent a most serious privacy risk. Indeed, the issue is quite general: individuals might also be required to 'prove' their identity when collecting identified cards, or when using them.
It is likely that considerable public disquiet would arise if so-called 'high integrity' identification were to be required as a pre-condition for the issue or use of cards of any kind, including SVCs.
There are many circumstances in which organisations need to confirm with a reasonable degree of confidence the identity of the person presenting before them, or with whom they are undertaking a transaction. Identification schemes, particularly ones with moderate integrity, are expensive to establish and operate. There is therefore apparent scope for schemes to be used by more than one organisation.
Cost-efficiencies may be able to be achieved through multi-purpose identification cards; but such efficiency sits very uncomfortably with civil rights. Privacy interest groups are generally not opposed to the use of identification in specific contexts (although some technologies, particularly biometrics, do raise serious issues); but it is the drawing together of information by means of common identifiers which causes them the greatest concern. Id cards have always been seen in Australian society as an imposition by the State on individuals, which is acceptable in only quite extreme circumstances. The only such scheme to have ever run in Australia was during World War II, justified by the needs for security and conscription. It was highly unpopular, and unsustainable once rationing ended.
There are many directions from which proposals for a multi-purpose identifier might emerge, including SVCs, drivers' licences, health cards and mobile telephone personalisation chips. In addition, a proposal is currently being prepared by government and industry representatives, under the auspices of Standards Australia, which involves the use of a smart card as a means of authenticating individuals' 'digital signatures'. If this were to become general-purpose, compulsory, and/or government-controlled, it would be of the nature of a national id card.
Another area of special concern is the chip which specialises digital mobile telephones to a particular person, and enables the charging of call-costs to that person's account. The very strong likelihood is that this technology will be extended in two ways:
Focus groups were particularly sensitive to the possibility of the driver's licence becoming associated with SVCs. The Australian Privacy Foundation expressed serious concern about the possible emergence of multi-purpose person identifiers, perhaps initially on a voluntary basis, but perhaps soon afterwards on an obligatory basis.
Very careful consideration of, and public debate concerning, identification applications of smart cards will be essential, to ensure that an infrastructure is not created for a supremely privacy-invasive consumer marketing mechanism, and for oppressive government.
It is normal for transaction data to be accessed on occasions by extraneous parties, in order to test the performance of the system, and to ensure that contingent risks are being appropriately addressed. This creates the scope for leakage of data.
In general, this is a manageable risk, provided that conventional control mechanisms are applied. Moreover, it usually represents an isolated event, rather than potential for a systematic abuse of the privacy of personal data.
Focus group participants identified two areas of concern about casual (as distinct from systematic) access to personal data:
As was stressed during the preliminary discussion about the concept of privacy, it is but one of a large number of interests that individuals have. There are inevitable and necessary compromises that have to be made to privacy interests, in order to achieve a satisfactory mix, and privacy issues accordingly generally involve an exercise of discovering a suitable balance.
This section considers the inter-relationship between privacy and several other important interests, and assesses the extent to which trade-offs may be necessary between them.
These two topics are confused in both the literature and in the public mind, and are accordingly treated together.
Anonymous cards offer the greatest privacy protectiveness. However they also preclude the refund of value in the case of cards which are lost or stolen, because a claim of ownership cannot generally be supported by evidence. Hence a card-issuer would be at risk if it recognised a claim, because it would have no reasonable grounds for distinguishing between multiple claimants for the value on the same card, or for refusing to refund to the second and subsequent claimants in respect of the same card.
One outcome of the focus groups was that "crime is higher in the poorer areas, and the poorer consumers see the SVC as a security device as a more important issue than protecting privacy". This led the interviewee to the conclusion that people in lower socio-economic groups should prefer that SVCs are refundable, and to be refundable, they must carry identification.
The focus groups undertaken as part of this study also highlighted the preparedness of participants to trade off privacy protections in return for security. However the presumptions made by participants were that "not anyone could use their card" (which is incorrect, because almost all schemes are unprotected by a PIN), "the card could be 'stopped' in the event of theft/loss" (which is a feature of some schemes, but not of others), "one might feel safer carrying it" (which is by and large not justified, because SVCs are generally bearer instruments) and that lost and stolen cards "might be reimbursable" (which is analysed below).
Value is only recoverable if all of the following conditions are satisfied:
In general, the schemes' security features are designed to protect card-issuers and merchants (and hence indirectly the general public), rather than the public directly. For example, no scheme appears to offer the ability for a consumer to use the card in a locked state (in which case a PIN is required in order for payment to be effected), or an unlocked one (in which case transactions can be undertaken without a PIN).
Some schemes may therefore feature a trade-off between privacy and the recovery of value on lost and stolen cards; but many others do not in fact offer anything in this regard in return for the privacy risk.
It should also be noted that some schemes (in particular, Transcard; but possibly also Visa), do not offer any ability to redeem the stored value for cash. This applies even if the card-holder is leaving the geographic area in which the scheme operates. (This appears to be not because of any intention to cheat consumers, but rather to avoid any implication of being a deposit-taker, which would cause the scheme operator to be subject to additional and onerous regulatory provisions).
Pseudonymous schemes can also be designed to offer recovery of value from lost and stolen cards. This can be achieved (subject to much the same considerations as are listed earlier in this sub-section) by making a request by the card-holder one of the conditions under which the cross-index between the card-identifier and the card-holder's identity can be used.
Participants in the focus groups were attracted to the idea of a multi-functional card which incorporated an SVC, a debit-card capability and (optionally) a credit-card capability. The reason was that this would reduce 'wallet-bulk', and (perhaps) reduce the number of PINs to be remembered.
Most preferred, however, to have separate 'financial' and 'personal' cards, as a safeguard. The reasons for this were firstly concerns about loss of control of their identity (what might be termed the 'Sandra Bullock syndrome', from the recent film, 'The Net'), and secondly the negative connotations of an ID card.
It is feasible for scheme operators to deliver segregated SVC, financial, identification and data segments on a single card, and indeed multiple instances of each on a single card. It is also feasible for some of these to be identified, some pseudonymous and some anonymous. Hence if scheme designers use the possibilities created by the technology, it is not necessary for consumers to trade off privacy in order to gain the convenience they seek.
Anonymous cards deny law enforcement agencies information. This is the same condition that holds with cash. To the extent that SVCs replace cash transactions, there is no diminution in the ability of law enforcement agencies to trace the flow of funds, and to use payment systems as locator mechanisms for persons under investigation. To the extent, however, that they replace payment mechanisms that are identified, and that are currently used to support investigations (e.g. transactions with banks in excess of $10,000, which since about 1990 have been routinely reported to Austrac), SVCs could indeed represent a threat to law enforcement agencies' ability to trace funds and people.
The Office of Strategic Crime Assessment, which plays a pivotal role within the law enforcement community in relation to future technologies, stated in interview that current cards are not viewed as a threat, but that law enforcement agencies are concerned with where they will go in the future. As the cards acquire higher limits, support multiple currencies, and allow person-to-person transfer of money, the level of concern will rise. Totally anonymous transactions under these circumstances are not favoured; however, OSCA and other agencies will discuss the issues with consumer and privacy groups and regulators, and it is considered that some acceptable form of compromise can be reached.
The focus groups recognised that, in addition to the 'non-worthy folk' for whom a cashless society represented a threat (e.g. criminals, drug dealers and 'people who have something to hide'), there are also 'worthy folk' who were cash-oriented (e.g. casual workers, cash businesses, tradesmen and some people on social security; the ACCC in interview also mentioned street markets, gifts, garage-sales, buskers and street and front-door donations; and to this could be added people in remote locations).
Identified schemes can be accessed by law enforcement agencies, subject to search warrant or other legal authority. So too can pseudonymous schemes; although in this case it is necessary to arrange for authority to access the index of pseudo-identifier to person-identifier, as well as the transaction trail.
Hence it is entirely feasible to design smart-card-based schemes that do not involve trade-off between privacy and law enforcement interests.
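The pseudonymous design referred to in this and the preceding sub-sections (a card-identifier in the transaction trail, a separately held cross-index to the card-holder's identity, usable only on the holder's own claim for a lost card or under a warrant, and with access to the index needed in addition to access to the trail) can be made concrete as follows. This is an added example, not the design of any scheme discussed in the paper; the store names, the 'WARRANT-' prefix check standing in for verification of a real authority, and the sample values are assumptions.

```python
"""Pseudonymous stored-value-card (SVC) scheme sketch.

The transaction trail is keyed only by a card identifier.  The link from that
identifier to the card-holder's identity lives in a separately-managed
cross-index, which may be consulted only on a named basis, with every
request (granted or refused) logged.  Illustrative only; not any real scheme.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class TrailEntry:
    card_id: str        # pseudonym held in the chip; carries no identity data
    terminal_id: str
    amount_cents: int   # positive = value loaded, negative = value spent


@dataclass
class TransactionTrail:
    """Held by the scheme processor.  Contains card identifiers only."""
    entries: list[TrailEntry] = field(default_factory=list)
    stopped: set[str] = field(default_factory=set)

    def record(self, card_id: str, terminal_id: str, amount_cents: int) -> None:
        if card_id in self.stopped:
            raise ValueError("card has been stopped")
        self.entries.append(TrailEntry(card_id, terminal_id, amount_cents))

    def value_on_card(self, card_id: str) -> int:
        # Reconciliation needs the per-card balance, never the holder's name.
        return sum(e.amount_cents for e in self.entries if e.card_id == card_id)

    def entries_for(self, card_id: str) -> list[TrailEntry]:
        return [e for e in self.entries if e.card_id == card_id]


@dataclass
class CrossIndex:
    """Held by a separate custodian.  A card gains an entry only when value is
    loaded from an identified instrument (credit or debit card); a card loaded
    with cash alone never appears here and therefore stays anonymous."""
    links: dict[str, str] = field(default_factory=dict)
    audit: list[tuple[str, str, str, bool]] = field(default_factory=list)

    def link(self, card_id: str, holder: str) -> None:
        self.links.setdefault(card_id, holder)

    def resolve(self, card_id: str, purpose: str, authority: str) -> Optional[str]:
        """Return the holder identity if there is a permitted basis, else None.
        Bases: the holder's own claim ('holder_claim', authority = claimed name)
        or a warrant ('warrant', authority = warrant reference).  The prefix
        test is a placeholder for checking a real instrument of authority."""
        holder = self.links.get(card_id)
        granted = holder is not None and (
            (purpose == "holder_claim" and authority == holder)
            or (purpose == "warrant" and authority.startswith("WARRANT-"))
        )
        self.audit.append((card_id, purpose, authority, granted))
        return holder if granted else None


def new_card() -> str:
    """Issue a card identifier that reveals nothing about who holds it."""
    return secrets.token_hex(8)


def load_by_cash(trail: TransactionTrail, card_id: str, terminal: str, cents: int) -> None:
    trail.record(card_id, terminal, cents)


def load_by_bank_card(trail: TransactionTrail, index: CrossIndex, card_id: str,
                      terminal: str, cents: int, account_holder: str) -> None:
    # The identified payment instrument is what creates the linkage.
    trail.record(card_id, terminal, cents)
    index.link(card_id, account_holder)


def refund_lost_card(trail: TransactionTrail, index: CrossIndex,
                     card_id: str, claimant: str) -> Optional[int]:
    """Refund remaining value to a claimant matched through the cross-index.
    A cash-only (anonymous) card yields None: the issuer has no grounds to
    prefer one claimant over another, so no refund is payable."""
    if index.resolve(card_id, "holder_claim", claimant) is None:
        return None
    value = trail.value_on_card(card_id)
    trail.stopped.add(card_id)
    return value


def investigate(trail: TransactionTrail, index: CrossIndex, card_id: str,
                warrant_ref: str) -> Optional[tuple[str, list[TrailEntry]]]:
    """Law-enforcement access: authority is needed over the index as well as
    the trail, so without it neither the identity nor the trail is released."""
    holder = index.resolve(card_id, "warrant", warrant_ref)
    if holder is None:
        return None
    return holder, trail.entries_for(card_id)
```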
There is a limited amount of information available about what the public thinks about the privacy implications of smart cards. This section draws together the material which has been located, together with the key outcomes of the focus groups undertaken as part of this study.
MasterCard has undertaken surveys of consumer views in the United States, and concluded that "transaction information generated by card use is highly sensitive", that "82% of those polled would consider it 'extremely serious' if someone obtained their credit card purchase record without their authorization", that "over 90% agree that they want to be told before information about themselves and their families is made available for other purposes, and want a choice in what information is made available", that "over 80% would do business with companies that take steps to protect 'confidentiality'", and that "60% of cardholders say that they already make it a point to conduct business with such companies".
The Branch of the Commonwealth Attorney-General's Department responsible for privacy noted in interview that there is a generalised public concern about smart cards, particularly in relation to the possible concentration of multiple functions onto a single card, and hence increased control of information about people. This was evident not only from media coverage, but also from letters to Ministers.
These concerns are in part impressionistic and even imaginary; but in part real. The Department believes that this draws attention to an important and urgent need for clarification of the real as distinct from the imaginary issues. This needs to be followed by analysis and public awareness and education.
The Department considered that the use of a smart card as an identifier (even the upgrade of drivers' licences to smart-card technology) would be certain to raise the same issues in the public's mind as the Australia Card debate.
Exhibit 3 summarises the further information gathered as part of this study by means of a series of focus groups.
In evaluating these results, it should be noted that the context was explicitly that of consumer attitudes, and privacy was just one issue in a long list. It appears likely that, had the context for group participants been set instead as citizens' attitudes to the social implications of the technology, the privacy issues may have loomed still larger.
Consumer privacy concerns evidence rather different patterns in Australia compared to the United States, and it is important that scheme operators take those differences into account in the design of their schemes, in their privacy strategies, and in their public communications. Reflecting that concern, MasterCard is understood to be preparing to undertake a survey in Australia, along the lines of the earlier U.S.-based research.
There are many different ways in which smart cards can be used to support consumer financial transactions. This section develops a classification of the key factors.
One classification scheme, provided by David Chaum of Digicash bv in The Netherlands, reflects the historical development of smart cards:
Valuable though this analysis is, it omits additional factors of relevance to the present study, which are summarised in Exhibit 4.
The greatest privacy concerns would be created by a scheme which comprised a re-loadable card, which identified the card-holder, generated a transaction trail stored centrally, supported a multiplicity of functions, and was used generally. If any attempt were made to introduce such a scheme, it would be reasonable to expect that the Australian populace would make its feelings known at least as forcefully as was the case with the Australia Card in 1987. The reason is that this would make people's lives entirely transparent to government agencies at least, and perhaps also to marketers.
At the other extreme, a smart card based scheme that involves anonymous value transfers, or which generates no off-card transaction trail, is of very limited concern from the viewpoint of privacy-invasiveness.
Exhibit 5 identifies a few key points along the continuum of privacy-invasiveness, listed in sequence from the most privacy-invasive to the least.
* A GENERAL-PURPOSE IDENTIFIED SCHEME
a scheme with identified transactions and a centralised transaction trail, supporting many functions with limited relationship to one another, and used by organisations generally
* MULTI-ORGANISATION / MULTI-FUNCTION INTEGRATED SCHEMES
schemes with identified transactions and a centralised transaction trail, many functions which are related to at least some degree, and which are used by many organisations, with cross-access among the functions
* MULTI-ORGANISATION / MULTI-FUNCTION SEGREGATED SCHEMES
schemes with identified transactions and multiple transaction trails, many functions which are largely independent of one another, each of which is used by a single organisation or related cluster of organisations, with limited cross-access among the functions
* SINGLE-ORGANISATION / SINGLE-FUNCTION SCHEMES
schemes with identified transactions, a centralised transaction trail, one or a few closely related functions, and used by a single organisation (or a few closely related organisations with whom the consumer generally has only a single association, such as credit unions)
* PSEUDONYMOUS SCHEMES
schemes using strictly-managed pseudonymity to provide a protective buffer between the transaction trail and the individual's identity
* TEMPORARY TRANSACTION TRAIL SCHEMES
schemes with identified transactions, with transaction trails limited to short-term retention on the card or at the terminal at which the transaction occurred, but without central storage
* ANONYMOUS SCHEMES
schemes whose design is such that any identification of the individual who conducted the transaction is unlikely, accidental and dependent on additional information extraneous to the scheme
This section analyses the four schemes in pilot in Australia, in alphabetical order. In addition to the schemes which are in pilot, or due for short-term implementation, in Australia, three other products are outlined which have particular privacy profiles and which may become relevant to Australia. A comparison of the schemes against the taxonomy is provided in Exhibit 6.
The MasterCard Cash SVC incorporates a transaction trail, which is gathered on the merchant terminal, and down-loaded to MasterCard's processor periodically. The MasterCard scheme is therefore clearly a multiple-organisation scheme with identified transactions, a centralised transaction trail, at this stage only a single function but later multiple functions, to be used by many financial institutions. The scheme has substantial privacy implications, because it replaces hitherto anonymous cash transactions with an identified and recorded transaction trail. If the scheme were able to ensure that the card-holder's identity were not apparent from the card or the transaction trail, then it may be feasible for the scheme to be pseudonymous rather than identified.
The QuickLink SVC, developed to facilitate the N.S.W. Government's transport operations, was launched in Newcastle in November 1995. The current implementation is an anonymous, bearer-instrument value-card, purchasable and re-loadable at various locations such as newsagents. The card-identifier is transferred to card-issuers and financial institutions when the stored-value is downloaded using a credit- or debit-card. The scheme is therefore pseudonymous, and the degree of privacy risk is dependent on the extent to which the linkage between the transaction trail data and the card-holder identity is protected. It appears, however, that it may be later developed further to support additional functions, and some or all of these may involve identification.
* Transcard / Wizard
The Transcard scheme, and the underlying Wizard technology, is more than just an SVC, and includes ticketing and incentive/award applications. Two kinds of cards are involved:
The current Transcard scheme is anonymous if value is always loaded using cash; and pseudonymous if value is loaded using credit-card or debit-card transaction. The degree of privacy risk is dependent on the extent to which the linkage between the transaction trail data and the card-holder identity is protected.
The planned Transcard Plus scheme, on the other hand, will involve identification of transactions. CTA adopted a strategy in 1993 to ensure that the scheme would be pseudonymous, by carefully segregating the identifier from the transaction trail. Whether the protection afforded by a pseudonymous scheme exists will depend on whether the undertaking is delivered upon, and the legal framework to which it is subject.
Visa International plans several different implementations, at least two of which are to be trialled in Australia. Visa Type 1 was launched in a pilot implementation on the Gold Coast in November 1995. This is an anonymous, disposable / non-reloadable SVC. Visa Type 1 is an essentially anonymous scheme, with minimal privacy implications.
Visa Type 2 is to be an identified, reloadable stored-value card. A detailed transaction trail is to be maintained, which contains the card-identifier (both external and internal). Visa processes the transactions and manages the account. Financial institutions will record credit-card and debit-card transfers of value onto the SVC. This appears to be of a similarly privacy-threatening profile to MasterCard, i.e. a multiple-organisation scheme with identified transactions, and a centralised transaction trail, to be used by many financial institutions. It may be feasible, however, for the full requirements of pseudonymity to be implemented.
Visa Type 3 is to be a multi-function card, comprising an SVC, a debit-card and (optionally) a credit-card function. The debit-card and credit-card capabilities may be initially implemented on the magnetic-stripe, but would migrate onto the chip in due course. Because of the potential for inter-relation between the various functions, this would be a potentially even more privacy-invasive scheme, unless great care were taken in the design to ensure that the functions remain entirely segregated, that the SVC-derived data is not directly identifiable, and that the cross-index between the indirect and actual identities is suitably protected.
Mondex is an SVC which was developed in the United Kingdom, primarily by the Midland and NatWest banks. It is being franchised throughout the world, but an Australian franchise has yet to be announced. A pilot was commenced in Swindon, an hour west of London, in mid-1995, with many of the ATMs and pay-phones in the area converted to support download of value to the card. The architecture supports direct transfer of value between individuals' cards, a feature that has attracted attention from law enforcement authorities, because it creates an additional value-transfer mechanism which could be exploited by criminals to transfer funds without being traceable.
A limited transaction trail is maintained on each card, and on each terminal. This carries the identity of the card, and, depending on the particular implementation, a short, confirmatory identifier for the card-holder. In principle, only the card-issuer is aware of the relationship between the card identifier and the account-holder. The scheme is not 'anonymous', as some of the early promotional material suggested, and as the advertising slogan 'Mondex is Cash' implies. It is technically 'pseudonymous', and it generates a significantly more intensive transaction trail than cash. The substantive privacy-invasiveness of the basic scheme does not appear to be great; but the potential effects are substantial.
* Digicash Projects
One of the most original, complex but privacy-sensitive schemes is that devised by David Chaum, principal of Digicash bv of The Netherlands. It is being trialled by a variety of companies in a variety of countries, and appears likely to be applied in Australia as well.
Using public key cryptography techniques, the Digicash approach provides high security while safeguarding the privacy of consumers. It fully protects the identity of the payer, but is traceable as regards the recipient, and hence satisfies the needs of law enforcement agencies and taxation authorities.
* The European CAFE Project
Conditional Access For Europe (CAFE) is an Esprit project, supported by the European Commission, and being carried out by a consortium of companies and research organisations. It is developing an electronic wallet for consumer payments, access to information services and possibly also identification. A field trial was reported to be running in the premises of the European Commission during the last quarter of 1995.
The electronic wallets, which look like a personal digital assistant (PDA), would be sold like a normal appliance. Electronic money, issued by a bank, is tagged with a unique electronic signature per payment, analogously to the unique number on printed bank notes, and downloaded into a person's wallet. It can then be transferred between wallets.
CAFE is claimed to provide a high degree of security, and to protect the issuer against fraud and the holder against loss. Participants are claimed not to have to trust one other, nor to have to negotiate on the division of the risk involved. Once in use, multiple providers of goods and services can join the system, reducing the overall costs for each participant. Moreover, multiple issuers of electronic money, such as banks and credit card companies, can join the operation after its launch.
When used in the context of data access, it is claimed that the scheme enables checking of a person's authority to have access to restricted information, services and areas, while maintaining their privacy (which implies authentication of their right to conduct such a transaction, rather than authentication of their identity). This is achieved using Chaumian/Digicash technology. This achieves anonymity in the value-transfer process, because the card uses a different, unique identifier for each successive transaction, which cannot be traced back to the originating card.
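The property claimed for the Digicash approach above and for CAFE's Chaumian value transfer, that the payer is unlinkable while the payee is traceable, comes from blind signatures. The following is an added illustration written for this page; it is not Digicash's or CAFE's own protocol code. It uses textbook RSA over two fixed, publicly known Mersenne primes so that the run is reproducible; the account names and the coin serials are constructed. The mint debits an identified account while signing a blinded value it cannot read, and later credits an identified payee when the unblinded coin is deposited, so its own records contain no value common to the two events.

```python
"""Chaum-style blind-signature cash: the mint cannot link a deposited coin to
the withdrawal that created it, yet every deposit names the payee.

Added illustration; not Digicash's or CAFE's actual protocol code."""
import hashlib
import math
import secrets

# Fixed, publicly known Mersenne primes so the run is reproducible.
# Textbook RSA over a ~216-bit modulus: enough to show the mechanism,
# nowhere near a deployable mint.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # the mint's private signing exponent


def coin_digest(serial: bytes) -> int:
    """Message actually signed: the hash of the coin's serial number."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


class Mint:
    """Issuer of electronic value. It sees identified withdrawals and
    identified deposits, but never the serial number at withdrawal time."""

    def __init__(self):
        self.balances = {}
        self.withdrawals = []   # (account, blinded value): identified, but opaque
        self.deposits = []      # (account, serial): identified payee
        self.spent = set()      # serials already redeemed (double-spend check)

    def open_account(self, name: str, units: int) -> None:
        self.balances[name] = units

    def sign_blinded(self, account: str, blinded: int) -> int:
        """Debit one unit from an identified account and sign the blinded coin."""
        if self.balances[account] < 1:
            raise ValueError("insufficient funds")
        self.balances[account] -= 1
        self.withdrawals.append((account, blinded))
        return pow(blinded, D, N)

    def deposit(self, account: str, serial: bytes, sig: int) -> bool:
        """Credit the (identified) payee if the coin is genuine and unspent."""
        if pow(sig, E, N) != coin_digest(serial):
            return False            # not signed by the mint
        if serial in self.spent:
            return False            # replayed coin
        self.spent.add(serial)
        self.balances[account] += 1
        self.deposits.append((account, serial))
        return True


def withdraw_coin(mint: Mint, account: str):
    """Payer side: blind a fresh serial, get it signed, unblind the signature."""
    serial = secrets.token_bytes(16)
    m = coin_digest(serial)
    while True:
        r = secrets.randbelow(N - 2) + 2        # blinding factor, invertible mod N
        if math.gcd(r, N) == 1:
            break
    blinded = (m * pow(r, E, N)) % N            # m * r^e: uniform, reveals nothing about m
    blind_sig = mint.sign_blinded(account, blinded)   # (m * r^e)^d = m^d * r
    sig = (blind_sig * pow(r, -1, N)) % N        # strip r: m^d, a valid signature on m
    return serial, sig


def linkable(mint: Mint, serial: bytes, sig: int) -> bool:
    """Whether the mint's withdrawal log contains anything equal to the coin
    it later saw deposited. It never does: the logged value m * r^e is
    independent of m for uniformly random r."""
    m = coin_digest(serial)
    return any(b in (m, sig) for _, b in mint.withdrawals)


def run_demo():
    mint = Mint()
    mint.open_account("payer", 1)      # constructed accounts
    mint.open_account("merchant", 0)
    serial, sig = withdraw_coin(mint, "payer")        # payer is identified here
    # The payer hands (serial, sig) to the merchant over any channel.
    accepted = mint.deposit("merchant", serial, sig)  # merchant is identified here
    replay = mint.deposit("merchant", serial, sig)    # same coin presented twice
    return mint, serial, sig, accepted, replay


if __name__ == "__main__":
    mint, serial, sig, accepted, replay = run_demo()
    print("deposit accepted:", accepted, "| replay accepted:", replay)
    print("withdrawal log:", [(a, hex(b)[:12] + "...") for a, b in mint.withdrawals])
    print("deposit log:   ", [(a, s.hex()) for a, s in mint.deposits])
    print("linkable by mint:", linkable(mint, serial, sig))
```

The deposit log is what gives law enforcement and taxation authorities their traceability of the recipient; the replay check is what stands in for the physical uniqueness of a bank note once value can be copied. CAFE's "different, unique identifier for each successive transaction" is the serial here: a fresh one per coin, never reused.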
There appear to be some tensions, however, between the anonymising technology on the one hand and the proclivities of European countries to demand that their citizens carry ID-cards, on the other.
Exhibit 6 provides a summary of the schemes against the taxonomy developed in the previous section.
* A GENERAL-PURPOSE IDENTIFIED SCHEME
There are no such proposals in Australia at present
* MULTI-ORGANISATION / MULTI-FUNCTION INTEGRATED SCHEMES
The MasterCard and future Visa Types 2 and 3 schemes could come close to this classification, depending on the details of the implementations
* MULTI-ORGANISATION / MULTI-FUNCTION SEGREGATED SCHEMES
The MasterCard and the future Visa Type 2 and 3 schemes appear likely to fall into this category, provided that the promised data segregation is actually implemented. The future Transcard Plus scheme would also fall into this category if the promised privacy-protective measures were not delivered. The Digicash scheme falls into this category in respect of privacy of the payee
* SINGLE-ORGANISATION / SINGLE-FUNCTION SCHEMES
There are no proposals in Australia at present, but it appears likely that some may emerge, e.g. applications of CTA's Wizard product
* PSEUDONYMOUS SCHEMES
With limited qualifications, Quicklink, Transcard, and Mondex. Provided that the promised privacy-protective measures are delivered, the future Transcard Plus scheme is of this kind. Depending on the implementation details, it would be feasible for the MasterCard and Visa Type 2 and 3 schemes to be of this kind
* TEMPORARY TRANSACTION TRAIL SCHEMES
There are no proposals in Australia at present
* ANONYMOUS SCHEMES
Visa Type 1, Transcard (provided that it is only ever loaded from cash rather than from a debit-card or credit-card), possible future phone-cards, and other bearer instruments which carry no card-identifier. The Digicash scheme falls into this category in respect of the payer
This final section commences by noting a number of general perspectives on policy matters by key players. It then identifies a set of policy considerations, evaluates alternative general policy options relating to the privacy regulatory regime, and draws conclusions.
There is ample evidence of appreciation by services providers that privacy represents a serious threat to the viability of smart-card schemes. For example:
On the other hand, two representatives of major banks, interviewed as part of this study, considered that the smart card should not raise any new privacy issues; that the banks have always been aware of the need for privacy because of their existing relationship with customers; that in their considerable use of confidential information (cheques, loans, credit and debit cards, etc.), the banks have always respected the confidentiality of the information; and that, as new technologies develop, new conventions will develop, and the same will occur with smart cards. This suggests a failure on the part of at least some financial institutions to appreciate both the concerns that an appreciable proportion of the public feels about the performance of banks in relation to personal data, and the significant increase in the intensity of transaction trails arising from smart-card-based consumer financial services.
It was apparent from the focus groups that consumers are far from impressed with banks. The banks' behaviour in relation to fees for credit cards and EFTPOS was seen as incontrovertible evidence that, having lured the consumer with no fees, they will charge once the customer is habituated / trapped into use. Resentment is heightened by the perception of banks as greedy profiteering organisations, making huge profits at customer expense. Even their reputation in relation to the confidentiality of client data is not all that high, as evidenced by the Privacy Commissioner's surveys, in which the respondents ranked 'financial institutions' well behind doctors and hospitals, behind the Tax Office, Medicare, the Police and DSS (the last three of which have been documented as having breached confidentiality on occasions), only marginally ahead of market researchers, and not all that far ahead of credit agencies and retail stores (1995, p.12).
The N.S.W. Privacy Committee is concerned that the scheme operators, including the banks, cannot be relied upon to fulfil their promises that the information collected will not be used at some later time. They consider that banks generally do adhere to codes of conduct and regulations, but note that the applicability of the codes to smart card schemes is at present very limited. Non-bank schemes (e.g. Transcard and Quicklink) are not subject to these codes and therefore the scheme operators do not need to comply or conform with them.
FBCA and the Privacy Commissioner's Office separately raised questions as to whether pseudonymous schemes would be practical and economic, and ACCC and the Privacy Commissioner's Office separately raised questions about their understandability. It was noted by FBCA that pseudonymity may be of limited consequence in the case of frequent dealings with a major supplier (e.g. a person's account with DJs), but may be of much more consequence in other contexts, such as road-tolls, where movements could be traced rather than just consumption behaviour.
This sub-section identifies matters that need to be addressed if the interests of the Australian public are to be protected.
It was noted at several points within this part of the Report that both the general public and members of the financial services industry lacked knowledge about smart cards and their applications. In particular, it was noted that considerable additional exposure is needed for the principles of pseudonymity, in order to ensure that corporate strategy and public policy choices are fully informed. Both regulatory agencies and the focus groups referred to the need for action to overcome the lack of awareness and understanding of the technology and of the schemes applying the technology.
Concern exists as to whether scheme designers and operators will be adequately sensitive to consumers' needs, especially in relation to particular classes of consumer market segments (such as low-income earners, people who have a poor command of the English language, and people with relevant disabilities).
Ways in which this can be addressed include:
It is important that consumers have an effective choice between identified schemes on the one hand, and anonymous or at least pseudonymous schemes on the other. Some specific regulatory measures that require consideration are:
There is considerable prospect that schemes based on the separation of the consumer's identity from the transaction trail can successfully address most of the privacy concerns at quite limited cost and quite limited compromise to other interests. Measures to encourage this could include the inbuilding of material relating to pseudonymity into awareness and education programs, especially those targeted at the financial services industry and other smart card scheme designers and operators.
However, pseudonymous schemes depend on the establishment of legal protections against access to the index of identities. Access would be by way of search warrant or consent of the individual concerned. This implies the need for legislative action to provide these protections.
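The design on which the preceding paragraph and the Transcard Plus and Visa Type 3 discussions rest, a transaction trail held under an opaque identifier with the index of identities segregated and opened only on warrant or consent, is sketched below as an added illustration written for this page. It is not the code of Transcard, Visa, Mondex or any other scheme named here. The `IdentityCustodian`, `SchemeOperator`, `Warrant` and `Consent` names, the card identifier and the transactions are all constructed; a real warrant would be a legal instrument, not a data object. The point it makes is that the operator can do all of its processing (billing, reconciliation, per-card fraud checks) without holding anything that names a card-holder, and that every resolution of a pseudonym leaves a record.

```python
"""Pseudonymous transaction trail: the operator holds transactions under
an opaque pseudonym, a separate custodian holds the only pseudonym-to-
card-holder index, and that index answers only to a warrant or consent.

Added illustration; not the code of Transcard, Visa or any scheme named
in the text."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Warrant:
    """Constructed stand-in for a search warrant naming one pseudonym."""
    issued_by: str
    pseudonym: str


@dataclass(frozen=True)
class Consent:
    """The card-holder's own authorisation to disclose their mapping."""
    card_id: str
    pseudonym: str


class IdentityCustodian:
    """Holds the key and the index. Neither is ever given to the operator."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._index = {}          # pseudonym -> card_id
        self.disclosures = []     # audit record of every resolution

    def issue_pseudonym(self, card_id: str) -> str:
        """Keyed hash: without the key the operator cannot recompute it from a card number."""
        p = hmac.new(self._key, card_id.encode(), hashlib.sha256).hexdigest()[:32]
        self._index[p] = card_id
        return p

    def resolve(self, pseudonym: str, authority) -> str:
        """Return the card-holder behind a pseudonym, only on a matching warrant or consent."""
        if isinstance(authority, Warrant) and authority.pseudonym == pseudonym:
            basis = "warrant:" + authority.issued_by
        elif (isinstance(authority, Consent) and authority.pseudonym == pseudonym
              and self._index.get(pseudonym) == authority.card_id):
            basis = "consent"
        else:
            raise PermissionError("no valid warrant or consent for this pseudonym")
        self.disclosures.append((pseudonym, basis))
        return self._index[pseudonym]


class SchemeOperator:
    """Stores and processes the trail. Can bill, reconcile and detect abuse
    per pseudonym, but holds no card numbers and no names."""

    def __init__(self):
        self.trail = []   # (pseudonym, merchant, cents)

    def record(self, pseudonym: str, merchant: str, cents: int) -> None:
        self.trail.append((pseudonym, merchant, cents))

    def spend_by_pseudonym(self, pseudonym: str) -> int:
        return sum(c for p, _, c in self.trail if p == pseudonym)

    def mentions(self, needle: str) -> bool:
        """Does any stored field contain the given string (e.g. a card number)?"""
        return any(needle in str(val) for rec in self.trail for val in rec)


def run_demo():
    custodian = IdentityCustodian()
    operator = SchemeOperator()
    card = "card-4111-0001"                       # constructed card identifier
    pseud = custodian.issue_pseudonym(card)
    operator.record(pseud, "newsagent", 250)      # constructed transactions
    operator.record(pseud, "bus-fare", 180)
    # Operator-side processing works on the pseudonym alone.
    total = operator.spend_by_pseudonym(pseud)
    # Resolution fails for an authority that names a different pseudonym ...
    try:
        custodian.resolve(pseud, Warrant("court", "some-other-pseudonym"))
        wrong_warrant_ok = True
    except PermissionError:
        wrong_warrant_ok = False
    # ... and succeeds, with an audit entry, for one that names this pseudonym.
    holder = custodian.resolve(pseud, Warrant("court", pseud))
    return operator, custodian, card, pseud, total, wrong_warrant_ok, holder


if __name__ == "__main__":
    operator, custodian, card, pseud, total, wrong_ok, holder = run_demo()
    print("pseudonym:", pseud, "| spend:", total)
    print("operator holds card number:", operator.mentions(card))
    print("resolved under warrant:", holder, "| disclosures:", custodian.disclosures)
```

Whether the protection is real depends, as the text says, on the custodian actually being a separate party and on the legal framework that governs `resolve`; the code cannot supply either, only show what the operator is left with when they hold.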
It is apparent that a great deal of the motivation for retaining data, and in some cases for gathering it at all, derives from purposes that are extraneous to the basic service (e.g. chip-based payment). This is in direct conflict with the OECD Guidelines' stipulation of limitations on the use of data to the original purposes.
In relation to the use of line-item data for the modelling of customer buying patterns by, in particular, supermarkets, the Attorney-General's Department considered it to be essential to ensure that use is made of personal data only where the organisation has fully-informed consent by the consumer.
One matter of particular concern in this regard is the use, possibly in conjunction with smart card transaction data, of so-called 'public registers', including the Telstra White Pages and the Electoral Roll. The notion of a 'public register' is directly in conflict with the OECD Principles of Purpose Specification and control of uses against Purposes. The appropriate control mechanism is for so-called 'public registers' to be available for use by any person or organisation, but only for the designated purpose.
The strict application of this approach would have the effect of entirely halting use of such databases for marketing purposes, except where individuals consented. This is equivalent to the 'opt-in' approach, and is consistent with the Privacy Charter formulation. Alternatively, particular marketing uses could be authorised in law, subject to the creation and operation of an effective and convenient 'opt-out' mechanism.
In order to satisfy consumers' privacy interests, the onus must be placed squarely on services providers to justify their needs for collection and retention of personal data, and for its inter-relation with data derived from other sources. This will require explicit elements within the privacy-protective regime.
It is vital that the Terms and Conditions applicable to schemes be assessed prior to launch, and subjected to continual re-assessment, especially when changes are made. To achieve reasonable levels of consumer and privacy protection, it may be necessary for regulatory agencies and privacy advocacy groups to have access to draft modifications prior to their release; and even for the approval of one or more appropriate regulatory agencies to be necessary before modifications become effective.
Focus group participants generally assumed that SVCs would be issued by banks, and that this would provide some degree of protection. This is incorrect on both counts. Firstly, there are only very limited protections currently available even for schemes run by banks, let alone non-bank financial institutions, let alone other-than financial institutions. Secondly, the issue of cards is highly unlikely to be limited to banks, and unlikely to be limited to financial institutions, but rather is likely to include network services providers, retailers, and various kinds of network-based intermediaries. The range of organisations which do, and which will, offer retail financial and other services using smart cards constrains the choices of ways in which policy can be implemented. This points to the need for comprehensive privacy legislation affecting the entire private sector, within which specific sectors and activities can be considered.
The regulation of advanced technologies in Australia is hamstrung at present by the lack of a generally applicable framework for protecting privacy. There appears to be general support for the proposition that an urgent need exists for privacy laws regulating the private sector generally. This feeling is clearly 'in the air', and was raised by regulatory agencies, by industry associations, by companies involved in the industry, and by focus group participants. The then Labor Government made a firm commitment to proceed with regulation of the private sector during 1995, indicating a clear preference for aspects of the New Zealand legislation, and in particular the enactment of statutory general principles and the creation of subsidiary industry and activity codes. During the course of the study, the conservative business magazine 'The Economist' called for adoption of privacy laws affecting the private sector, arguing that "There is little reason to suppose that market-driven practices will by themselves be enough to protect privacy" (Editorial, 10 February 1996).
The OECD Guidelines, promulgated in 1980, are fairly abstract, and have not been updated to take account of developments in technology generally and data surveillance in particular. For example, they fail to contemplate:
The OECD Guidelines therefore provide a reference point which continues to be used by governments, industry associations and corporations when they set out to establish legislation and codes of practice; but they need to be supplemented and interpreted with the assistance of more recent information such as that contained in the EC Directive and the Australian Privacy Charter, and by reference to the accumulated experiences of relevant watchdog agencies, especially the Australian Privacy Commissioner, the N.S.W. Privacy Committee, the New Zealand Privacy Commissioner and the Information and Privacy Commissioners of Ontario and British Columbia.
Smart card based schemes in consumer financial services are currently being implemented. Post-implementation modification of existing hardware, software and procedures is inevitably difficult and expensive. Indeed, one of the standard defence-mechanisms used by organisations in both the public and private sectors to hold off regulation is to ensure that schemes are in place before the public needs are formulated. It can then be shown that satisfying those needs would be expensive, and therefore unjustified.
On the other hand, the designing of features into a scheme in the first place, while not always costless, is relatively inexpensive. Pseudonymous schemes involve some additional infrastructure, but, particularly in view of the scale of the undertaking as a whole, this should not prove prohibitively expensive.
It is therefore very much in the interests of the public for an understanding of the public's needs to be established very early in the life of smart card applications. It has been argued that the viability of schemes will depend on public acceptance; and hence early action is also arguably in the interests of scheme operators. In short, the clarification of public needs is an urgent matter, in order to ensure that they can be satisfied for minimum additional cost.
This section evaluates the alternative approaches which could be adopted to the establishment of an effective privacy regulatory regime for smart card based financial services. It is predicated on the assumption that a general framework for privacy protection will be established.
The approaches can be divided into relatively 'hard' and relatively 'soft' approaches, and are canvassed below in ascending order of interventionism.
There are signs that scheme proponents are aware of the public's sensitivity in relation to privacy. It might therefore be questioned whether any governmental action is necessary.
On the other hand, some of the attitudes prevalent within companies suggest that they are likely to focus on image rather than substance in their privacy-protective features; and that much of their awareness derives from the active involvement not only of interest groups, but also of regulatory agencies. Even 'The Economist' agrees that market forces alone would be unlikely to result in outcomes acceptable to the Australian public, and hence some policy measures are essential.
Awareness and education campaigns for consumers and for the financial services sector were identified above as important pre-cursors to appropriate scheme design, and to consumer acceptance of the technology and products embodying it. Important though it is in its own right, it would appear unlikely that such campaigns would be a sufficient pre-condition for appropriate balances to be found.
There are some instances of regulatory agencies being able to bring about change in behaviour by an industry sector on the basis of analysis, discussions and negotiations. The Reserve Bank of Australia would be very likely to argue that this has been more effective in the case of the EFTS Code of Conduct than other approaches might have been. It would appear, however, that few industry sectors are likely to be as amenable to this approach as the banking sector has been.
On the other hand, it may be feasible for regulatory authorities, particularly if they act in concert, to strongly and effectively encourage the adoption of pseudonymous rather than fully identified schemes.
Given the diversity of applications and industry sectors which will be involved, it appears that this approach may be a valuable adjunct to other measures, but is very unlikely to fully satisfy the public need.
Industry codes of conduct are generally not held in high regard by public interest advocates. On the other hand, at least the ACCC, and possibly some other regulatory agencies have greater faith in the ability of voluntary codes to contribute to solutions to public needs, at least in industries in which one or more associations have very substantial coverage. The difficulties lie in ensuring compliance, and in taking action when the code is ignored or abused.
The Privacy Commissioner's Office expressed doubt as to whether the recently-formed special-purpose industry association, the Asia-Pacific Smart Card Forum, is sufficiently representative to develop an industry-wide code of conduct. Once again, the wide diversity of applications and industry sectors leads to the conclusion that voluntary codes would be unlikely to satisfy the need.
A mechanism which addresses some of the weaknesses of the 'voluntary code' approach involves the establishment of a code by one or more industry associations, with statutory provision for behaviour consistent with the code to be legal and/or behaviour inconsistent with the code illegal. The code may or may not be implemented as delegated legislation, e.g. through Regulations, or by the act of an agency or appointee provided with an appropriate statutory power, as the Privacy Commissioner has in certain instances.
To gain the confidence of the public, the process whereby the code is established and maintained would need to be subject to the purview of relevant regulatory agencies and the participation of appropriate advocacy groups on behalf of affected classes of people. An example of this approach, provided in interview by ACCC, is the 'approved code' mechanism under the Life Insurance Act. Another instance is the proposed regulatory mechanism for offensive materials on the Internet, which is currently being considered by several agencies, including the Australian Broadcasting Authority.
The FBCA, in interview, stated that there are real prospects of effective regulatory mechanisms being imposed on, and accepted by, the direct marketing community. This is partly because governments are showing greater willingness to act in relation to the private sector generally, but also because industry is increasingly comfortable with the prospects of a form of regulation which involves detailed industry-based (and to an extent industry-controlled) codes of practice or conduct, with disputes procedures and sanctions given statutory force. This view was echoed by the Privacy Commissioner's Office, the Attorney-General's Department and the ACCC; by a number of industry associations, including ADMA; and by the Australian Privacy Foundation.
In the context of marketing uses of personal data, the FBCA considers that 'opt-in' schemes may be difficult to achieve in practice, and that 'opt-out' schemes may be more workable. The Bureau perceives as achievable some scheme whereby list-users, -sellers and -brokers will have an obligation to enable individual consumers to have their name not put on lists, and removed from lists. However, if this were to be done through amendments to the Fair Trading legislation in each State, achieving adequate consistency will be a serious challenge.
Enforceable codes of conduct, predicated on legislation establishing at least OECD-level standards of privacy protection on the private sector, appear to offer an effective and workable solution to the public need.
It is feasible for not just a framework, but all regulatory details, to be expressed in statute. Because of the fixity that this would bring, and the inevitably abstract level at which it would be expressed, this is generally regarded as undesirable by the relevant industry associations and regulatory agencies, and indeed by many public interest advocates.
On the other hand, participants in focus groups saw the need for formal controls to be established over access to and use of personal data arising from smart-card-based schemes, that would apply to both government authorities and telemarketers. It was presumed (in general, wrongly) that present banking legislation /controls would apply to SVCs. It was expected that new provisions would be required, and that this would take the form of legislation.
It appears that the satisfaction of consumers' expectations would necessarily involve at least statute-backed codes which provide complete coverage of all aspects of data usage.
A detailed legislative regulatory framework would be likely to create unnecessary difficulties for scheme operators, and hence delay or prevent schemes' beneficial consequences being achieved. It would also require continual updating as the technology changed. The difficulties would be compounded by the lack of existing legislation regulating the finance sector, and the consequential lack of specific experience among 'watchdog' agencies.
On the other hand, the public need has been expressed very firmly by advocacy groups and regulatory agencies, and confirmed through focus groups. The 'softer' approaches to privacy regulation appear to be incapable of delivering the degree of control sought.
Because of the diversity of applications and industry sectors involved, and hence a multiplicity of industry associations, even one or more industry-produced and administered codes of practice appear incapable of satisfying the need.
The most effective approach would be a code of practice negotiated among relevant parties including regulatory agencies and advocacy groups, administered by the industry, and subject to overview and sanctions by an appropriate 'watchdog' body.
Possible organisations which could perform the 'watchdog' role include the Australian Payments System Council, the Banking Ombudsman and Austel. The range of organisations which do, and which will, offer retail financial and other services using smart cards is expanding, however. It seems unlikely that they could be successfully restricted to banks, or even to banks and non-bank financial institutions (NBFIs), but rather may include network services providers, retailers, and various kinds of network-based intermediaries. The watchdog agency needs to have sufficient breadth of jurisdiction, as well as sufficient depth of understanding, and sufficient powers, and sufficient preparedness to use them. It is unlikely that a sector-specific organisation would be able to satisfy the need. It appears that, to achieve the degree of confidence the public is seeking, the powers and resources of the Privacy Commissioner would need to be extended to cover this area.
Smart cards can be applied to retail financial services in a wide variety of ways. Depending on the details of the scheme, they may provide entirely satisfactory privacy protections (possibly at a cost to other interests), or adequately satisfactory privacy protections balanced against other interests, or privacy-invasiveness varying from serious to so serious as to be incompatible with contemporary social values.
It is unlikely that an appropriate balance can be found through market forces alone. Policy measures are therefore necessary in order to establish an appropriate balance.
The schemes are in the process of being trialled, and the scope for changes in design is already diminishing. It is much more difficult and expensive to modify schemes after they have been put into operation than it is to design privacy-protective features into the system in the first place. The policy measures are therefore very urgent.
Relatively 'hard' policy measures, such as a detailed legislative regulatory framework, would be very likely to create unnecessary difficulties for scheme operators, and hence delay or prevent the scheme's beneficial consequences. On the other hand, 'soft' policy measures are unable to deliver the required degree of confidence.
The most effective approach is a code of practice negotiated among relevant parties, and administered by the industry, but subject to overview and sanctions by an appropriate 'watchdog' body, very probably the Privacy Commissioner. The scheme would need to address the wide range of specific issues identified in section 4.2.
Created: 14 January 1997 - Last Amended: 14 January 1997 by Roger Clarke - Site Last Verified: 15 February 2009