Alliance: Really smart cards guard privacy
- By Vandana Sinha
- Feb 18, 2003
Individual privacy should rank as high as building security in smart-card authentication policies and procedures, the Smart Card Alliance says. 'Both privacy and security must be considered fundamental design goals for any personal ID system' based on smart cards, the alliance said in a white paper released last week at its winter meeting in Salt Lake City.
The level of privacy protection depends on when and how smart-card data is accessed, distributed and destroyed. When authenticating a person's identity, a smart-card system should automatically prevent copying, spoofing and unauthorized sharing of the information, and it should access only as much data as is necessary for the immediate task, the alliance said.
It suggested that each smart card should incorporate a safety measure such as a personal firewall, public-key cryptography or biometrics'especially when one card serves several functions. The additional safeguards would not only boost protection but also boost user confidence, it said.
The alliance made these privacy recommendations:
- Smart card-related databases of personal information should be encrypted and should transmit only encrypted information.
- Transactions between smart card and reader should be offline only, and any information captured by a reader or other intermediate system should be deleted as soon as a transaction is complete.
- Organizations should set up checklists to show who is authorized to see or change information in each data field.
- Cardholders should be required to authorize, via password, personal identification number or biometric permission, the extraction of any data from their smart cards.
- Applications should be structured so that transaction records can't be used as surveillance tools.