Engaging, Enabling and Evolving Commerce in Canada since 1989

Where do we go now?

So many questions arise from the tragedy of September 11th, but one that is frequently asked hits each and every one of us: will we need to give up our privacy to gain security? Canadians should refuse to debate this, because it isn't the right question if we are going to find a balance between our right to privacy and need for personal security.

In this world there are still small communities where our face, handshake and word are all we need. Unfortunately, most of us don't live in them. Since September 11th, we all live in a global community where we may no longer trust the identity of anyone we don't personally know. Now we must be more concerned about the threat of identity theft. Until now we have focused on proving who we are and what we are entitled to do, using passports, driver's licenses and other forms of card identification as proof of our identity. We suffered from counterfeit identification, but it was normally presented in person, giving us some additional chance to question its authenticity.

Today we work and shop in a virtual world and it is easier for people to steal our identities and impersonate us. According to the Federal Bureau of Investigation, there are 350,000 to 500,000 instances of identity theft each year in the US. In Canada, our Social Insurance Number has become a target for identity thieves. As far back as 1998, there were 17% more Social Insurance Numbers in the registry than Canadians aged 20 or older, the age at which most Canadians have obtained a SIN. Who is using that ID and for what purposes? It is no longer enough to prove who we are; we must also stop others from impersonating us, adding to our need for security.

We routinely make decisions about our privacy and security, usually subconsciously. Over the past fifty years, Canadians have made choices that led to the installation of locks and deadbolts on our doors, as well as security systems for our homes and cars. We fingerprint our children. We buy and use firewalls and virus protection for our computers. Many of us worry about using credit cards on the Internet. Canadians are cautious.

This caution prompts us to keep personal information private, but now we must make a very conscious decision. My information is private, but if I don't know and trust you, I wonder what you are hiding. Are you simply trying to keep similar personal information private or are you hiding a secret that could hurt me? How could we possibly sit next to a stranger on a plane without asking that question these days?

In the aftermath of last month's tragedy, we are being asked what we are prepared to give up in order to increase our security. It isn't the right question. There are three fundamental questions in a world where we carry so much personal information on cards in our wallets. The first is whether those who issue cards do enough to verify the identity of the applicant. The second is whether the cards they provide are sufficiently resistant to counterfeiting. The third is concerned with what they do with the information they collect.

The first and second questions are inevitably linked in a Catch-22 scenario. If someone has stolen or counterfeited a driver's license, they can easily get other ID, so we must ensure that all cards that serve as identification are as secure as technology can offer. They must be highly resistant to counterfeiting, as well as privacy-enabling, to protect both personal information and identity.

The card technology in my wallet today offers no privacy whatsoever and, if anything, puts my identity at risk if I lose it. Today's cards have personal information on their surface, ready for use and abuse, so we need to look at what information we carry and insist upon both privacy and security.

I carry a passport. I willingly provided personal data to get it so that I may travel. As long as I'm sure that everyone else with a passport provided honest and accurate information, I gain from the existence of passports. They are, in effect, a type of travel insurance. The problem occurs when they are illegally obtained. The same is true of driver's licenses, health cards, credit and debit cards, as well as other forms of identification. So how do we protect that information and control counterfeiting?

Many governments are turning to a thirty-year-old technology called smart cards. The Government of Ontario announced its intentions in October 1999. It is now in a position to provide Ontarians with cards that will combat fraud and identity theft, while delivering far more privacy protection for the identification we carry in our wallets.

These computer chip cards are designed to meet both the privacy and security requirements of today's world. You've recently heard people erroneously suggest that smart cards put our privacy at risk. Most often, if you probe their concerns, you find that it is not technology, but rather policies and procedures that worry them. Clearly these people fail to understand the privacy-enabling strength of smart cards. It is the aforementioned third question that causes them concern, but they would rather curtail the use of technology than tackle the harder issues of policies and procedures. In doing so, they fail to make use of technology to protect us.

Let's look at how smart card applications can protect our privacy and security. A smart card is basically a personal computer on a piece of plastic, but with mainframe computer security. Mainframe applications are designed so that every field or piece of data is analyzed as to who may view, add, modify or delete it.

The same process is used to develop applications for smart and other advanced cards, allowing us to put information on smart cards and protect it from access by unauthorized persons. It also allows us to make information viewable by the card owner, in other words you and me, giving us an opportunity to verify the information on the card.

Smart cards can be programmed to detect intrusions by unauthorized sources and destroy their communication links. We have now seen the first non-military smart card product that has achieved an Information Security (ITSEC) level 6 rating from the CESG, a UK government agency. More will follow, as applications requiring that level of security are developed. Smart cards also have the most extensive set of security tools available for a portable card, and those tools are used to protect against counterfeiting.

Plans are in place for leading manufacturers to include smart card reader/writers in new PCs. This will lead to many new applications for smart cards, and security will be a prerequisite. In the business world, smart cards will be the inevitable e-commerce enabler, because of the security and portability they offer. We will also use them to provide personal identification, while maintaining a level of convenience for the cardholder.

The Advanced Card Technology Association of Canada believes strongly in the need to understand privacy protection and to build it into all applications that sit on smart and other advanced card platforms. To that end, we have worked with the Office of the Information and Privacy Commissioner/Ontario to produce two procedures for application designers.

The first deals with single-application cards, and the newest, the first of its kind in the world, is entitled "Multi-Application Smart Cards; How to do a Privacy Assessment". They are designed to ensure that proper thought is given to privacy protection during the design stages of an application.

We have to look to technology to protect us, but in doing so we must maintain our ongoing rights to protection of privacy. As technology is employed, we have the right and the obligation to ensure that the new technologies do not expose us to new risks. We must educate ourselves on the ways in which new technologies can be used for privacy protection and ensure that we have sufficient information to understand the risks, opportunities, benefits and technologies associated with new programs.

Furthermore, we must always be aware of public and corporate policies and be ever vigilant that they are equally committed to preserving our privacy and security. It is important to recognize that technology is only a tool. Whether it is employed for good or bad purposes is determined by someone's policies, procedures and intent. Focusing on technology in isolation will serve none of us well.

The principles of privacy do not change to any great degree, but new technologies enter the marketplace with great speed. Unfortunately, the risks that we face from those who would do us harm grow with each passing year. Theft of identity is becoming one of the fastest growing frauds of this decade.

If we continue to ask questions and debate issues such as "privacy versus technology", we will be our own worst enemies. We cannot divert our attention from the real issues of risk. The question and the debate should be on how well and how soon we will use all the tools at hand, including technology, to protect our privacy and our identity. Only when we demand efficiency and privacy will we start to protect ourselves.

Source: Congressional Press Release, September 12, 2000