Addressing Privacy Concerns With Smart Cards: Be Aware
What Are Smart Cards?
Before you can really understand the privacy issues surrounding smart cards, you need to have an idea of what a smart card is. Essentially, a smart card is any card that has an integrated circuit within it, hence their more formal name, ICC or Integrated Circuit Cards.
From here, we can divide smart cards into two broad categories. The first category is memory cards, which contain non-volatile memory only. These are used to store data. The second category is microprocessor cards. These cards contain volatile memory as well as—you guessed it—a microprocessor.
Another distinction can be drawn between contact smart cards and contactless smart cards. Contact smart cards require physical contact with the card reader, whereas contactless ones don’t. So, a contact smart card actually requires that you remove it from its housing and bare it to the general public, which is a security no-no, whereas contactless cards do not require this. However, this also means that anyone who knows what signal to broadcast could identify you, and potentially locate critical private data about your person, whereas a degree of consent exists with contact smart cards.
Check out this BrightHub article for more details on what a smart card is and how it works.
Example Smart Cards
So, these are pretty obviously powerful pieces of technology, and the technology is evolving quickly. The single best thing that you can do to address privacy concerns on smart cards is simply to know what’s going on with regard to smart card policy, technology and applications. Awareness is powerful!
There are three main applications of smart cards: financial services, ID services, and public transportation, each with unique security issues associated with them.
Financially oriented smart cards have been rolling gradually into the system for several years now. They are largely held to be more secure than non-smart cards—think credit cards with a lot more anti-forgery support built in.
Government ID services have been looking at smart cards for some time now as a way to keep better track of citizens to fight everything from terrorism to illegal immigration. With all the data placed together, as opposed to sprawled out amongst agencies at the local, state and federal level, it could be much more difficult to hide in the shadows. This has a very deep potential for abuse, though, particularly if the information got into the hands of a malicious third party.
Public transportation is not the most conspicuous use for smart cards, but it’s a growing market. The most notable use is the Oyster Cards used in London’s public transportation system. These cards could theoretically be used to track an individual’s movement throughout the city by either the operator of the public transit or the government, which presents a privacy concern. For example, this has already been an issue in the UK, where MI5 wanted to use this information to track terrorists, even though the card has already been cracked.
Health information is another concern. While smart cards with health information are not all that common yet, it’s another use that’s growing, and that’s certainly sensitive information that could potentially be abused by third parties.
Now, mostly there are different smart cards for different applications. However, many people are frightened at the prospect of having a single card for all of them—a combined national ID card, credit card, biometric, driver’s license, anything you can think of, in a single square of plastic and circuitry. The wonderful usefulness of such a universal card is only matched by the frightening potential for abuse. Instead of having to individually track down each item to take advantage of someone, you instead have a single piece of technology that contains someone’s entire life.
Right now, smart cards have no real standards, varying from company to company, and government policy progress on unifying forms of identification has been markedly slow worldwide. The only real success story has been Malaysia’s MyKad program launched in 2001, and even that has been greatly underused.
So, there’s no immediate threat, if you find this concept to be uncomfortable, but the possibility is there.
This is a constantly evolving field of both policy and technology, so keeping an eye on the news for changes in trends is, again, the best thing you can do to address any privacy concerns you might have.
Fake It: The Problem With Forgeries
One of the biggest fears with these cards is that it will be possible to forge them.
A solution has been proposed: introduce biometric data into these cards. By intimately connecting the cards to your unique biological signatures, such as fingerprints and DNA, forgeries would be nigh impossible to make, and easy to detect. However, many privacy groups have difficulty with the concept of giving up one’s very biological data to third parties.
Other, less controversial changes have been proposed to increase the security of the cards, from holograms to encrypted signals and more. While the proficiency of forgers is sure to increase along with the complexity of the security measures, it’s important to remember that an arms race when it comes to security is inevitable, be it with automated smart cards or with old-fashioned hoodwinking the bureaucracy. Furthermore, the changes that smart cards have introduced in the interest of increased security have made these cards much safer to use, replacing old-fashioned magnetic strips.
Your best way to avoid a forgery of your own card is to simply protect your card well. Don’t use it when you don’t have to, and keep it in a very secure place around your person. Consider investing in a money belt or other accessory that is difficult to pickpocket. When using the card in public, cover sensitive parts of the card with one hand during transactions.
Want To Get Involved?
If this really bothers you and simply staying abreast of the news doesn’t seem satisfying enough, there are many privacy organizations that work with technology like smart cards that you can get involved with.
For the US, one of the better anti-smart card organizations to look at is probably the EFF, the Electronic Frontier Organization. Here is a link to their take on smart cards.
The ACLU, the American Civil Liberties Union, has also done some work against smart cards. Here is a link to example testimony that one member gave on security issues associated with the RealID act.
Of course, there are numerous other organizations out there that fit into a broad ideological spectrum. If you feel passionate about this topic, by all means, seek them out and get involved!
For some interesting discussions of smart cards, check out these articles:
Smart ID Cards Debated (PC World)
Smart Credit Cards Arrive In US… Finally (ComputerWorld)