Privacy & Security
CATHERINE JOHNSTON
© 2006 FrontLine Security (Vol 1, No 4)

In a world plagued by terrorism, identity fraud, hackers and other security risks, there is a question of whether we need to give up our privacy to gain security. Canadians should refuse to enter this debate, because this is the wrong question if we seek to find a balance between our right to privacy, need for personal security and desire to conduct business electronically.

We routinely make decisions about our privacy and security, usually subconsciously. Over the past fifty years, Canadians have made choices that led to the installation of locks and deadbolts on our doors, as well as security systems for our homes and cars. We fingerprint our children. We buy and use firewalls and virus protection for our computers. Many of us worry about buying on the Internet. Canadians are rightfully cautious. This caution prompts us to keep personal information private, but now we must view privacy in a new light, because of the new risks we face.

My information is private, but if I don’t know and trust you, I wonder what you are hiding. Are you simply trying to keep similar personal information private or are you hiding a secret that could hurt me? How could anyone sit next to a stranger on a plane without asking that question these days?

So, personal privacy must be viewed in context. It is also important to accept that privacy is not an “all or nothing” condition. For example, we want to keep our financial information private, but we expect credit card companies to tell us where, when and how much money we charge. We would not likely pay a bill that simply provided a total amount for a month. Security also ranges from low to high, depending on many factors. When we accept that both privacy and security cover a span, we can accept that a balance between them can be reached. Even then, the balance will differ depending on the risk to be mitigated.

The New Risks and Necessary Changes
In this world there are still small communities where our face, handshake and word are all we need. Unfortunately, most of us don’t live in them. Today, we live, work and shop in a global community where we may question the identity of anyone we don’t personally know. We are more aware of and concerned about the rapidly growing threat of identity fraud and the vulnerabilities of the cards we carry in our wallets and databases holding our personal information.

In the past we focused on proving who we were and what we were entitled to do, using passports, driver’s licenses and other forms of card identification as proof of our identity. We didn’t worry about anyone impersonating us, but now it is too easy and profitable for people to steal or fraudulently use our identities and pretend to be us. In fact, this is the fastest growing consumer crime of the decade, and it is costing us as Canadians, as well as our governments and corporations, so balancing privacy and security is a concern for all of us. Also, although many Canadians are experienced enough to ignore phishing and pharming emails, where fraudsters attempt to steal personal information to commit identity fraud, how much time does it cost each employee every day to deal with these emails? This is an increasingly expensive overhead. When someone does have their identity stolen, many of the steps they must take to repair the damage are done in business hours. This too impacts an employer and ultimately consumers.

Governments suffer the same problems, as well as financial losses when government benefits are defrauded through identity fraud. The problem causes not only financial losses, but also a loss of reputation and goodwill for companies and political embarrassment for governments, as Canadians ask why more isn’t done to protect them. Disclosure laws, such as those in California, require organizations to notify their customers when there has been a breach of personal data. In a growing number of cases, employees, contractors or other third party service providers are involved, leading us to understand that we must not only protect data from external hackers, but also provide our own staff with identification that both controls their access and privileges to data and helps prove them innocent when a breach occurs.

In spite of these risks, we want to take advantage of global business and information opportunities. That means you must be able to properly identify yourself in order to travel, bank, shop and work. The same is true of the companies and governments doing business at the other end of the network connection. All parties see significant advantages to conducting transactions online, but that requires consumers to trust systems with varying degrees of their personal information. To do that, our ID must be counterfeit and tamper resistant and we must start to insist on ID where it wasn’t required in the past. We must also use ID that is capable of taking personal information off the face of cards and keeping it private and secured. Take a look at all the personal data on your driver’s license. An identity thief could make good use of it. We must also ensure that anyone presenting ID is the legitimate owner of it. Just having physical possession won’t be good enough.

Where it was once enough to control an employee’s access to buildings and offices, employers now need to look at corporate data with the same concerns.

The concept of controlling who may access data and what they can do with it is not new. That was always the case with mainframe computers. Not everyone with the right to use a specific mainframe application could access other programs. For example, if you were an inventory control clerk, you wouldn’t be able to get into the payroll system. If you were the payroll clerk, you would be restricted to certain functions and changing your own salary likely wasn’t one of them. When we went from mainframes to PCs many of these controls were lost. With today’s networked world and the value of data, it is time to re-introduce them.

Another risk is that of terrorists using false or stolen identities to attack our infrastructures. We must ensure that these people do not hide behind “privacy” to camouflage themselves. Again, we need to find a balance.

Technology, Policies and Procedures
Mitigating these and other risks and the desire to pursue opportunities has led many corporations to use advanced card technologies to provide secure and convenient physical and logical access. The same technologies are being used today to provide privacy enhancing ID. These mature technologies help find the balance we seek, as well as provide new convenience for Canadians.

There are two advanced card technologies in use in Canada. The first is smart, or chip, cards. These use computer chips that sit on credit card-sized pieces of plastic and are being used throughout the world to provide new levels of security. They are highly counterfeit and tamper resistant, and much of their strength comes from the fact that the computer can play an active role in enforcing security and privacy rules.

They can also carry biometrics, such as iris, face and fingerprint identifiers. These can be compared against the person offering the card to ensure that the ID does belong to the presenter. Where privacy is a requirement, the match is done on a one-to-one basis between the card and the person, not between the person and a database with multiple records. This additional security can help reduce identity theft.

The same is true of the second technology, optical or laser cards. Although they do not have a computer chip, they use a “write once – read many” technology capable of keeping an audit trail. These cards have a large data capacity and can carry multiple biometrics in addition to other data.

Both are capable of employing digital certificates. These are card technology platforms that support applications. Hybrid cards are available with both smart and optical interfaces. Privacy Impact Assessment and Design tools are available for applications using both these platforms from www.actcda.com.

Many governments throughout the world are turning to these technologies to provide security for applications that will combat fraud and identity theft, while delivering far more privacy protection for the identification we carry in our wallets.

Financial institutions throughout Canada are also moving our credit and debit applications to chip platforms to enhance security.

We have to look to technology to protect us, but in doing so we must maintain our ongoing rights to protection of privacy. As technology is employed, we have the right, and the obligation, to ensure that the new technologies do not expose us to new risks. We must educate ourselves on the ways in which new technologies can be used for privacy protection and ensure that we have sufficient information to understand the risks, opportunities, benefits and technologies associated with new programs.

Furthermore, we must always be aware of public and corporate policies and be ever vigilant that they are equally committed to preserving our privacy and security. It is important to recognize that technology is only a tool. Whether it is employed for good or bad purposes is determined by someone’s policies, procedures and intent. Focusing on technology in isolation will serve none of us well.

The principles of privacy do not change to any great degree, but new technologies enter the marketplace with great speed. Unfortunately, the risks that we face from those who would do us harm grow with each passing year.

If we continue to ask questions and debate issues such as “privacy versus security or technology” we will be our own worst enemies. We cannot divert our attention from the real issues of risk. The question and the debate should be on how well and how soon we will use all the tools at hand, including technology, to protect our privacy and our identity. Only when we demand a balance between security and privacy will we start to protect ourselves.

====
Catherine Johnston is the President and CEO of the Advanced Card Technology Association of Canada. She is also Chairman, International Smart Card Associations Network (ISCAN).

ACT Canada, the Advanced Card Technology Association, provides a neutral forum for stakeholders to learn, share information and pursue their goals. Domestic and international members benefit from access to information, networking and market analysis. A non-profit association founded in 1989, ACT Canada is internationally recognized as a reliable source of information on advanced cards and the Canadian marketplace. For more information please visit www.actcda.com