Smart cards must speak to privacy
- By Vandana Sinha
- Jun 27, 2003
'Make sure the policy and its intentions are well-known in your organization,' said Jeff Katz, marketing vice president of Atmel Corp. of San Jose, Calif. 'Offer formal training on the policy for all staff who can access such information.'
Privacy has been a growing concern for agencies trying to use smart cards to verify identity. Some agencies are hiring privacy specialists for card projects, said Randy Vanderhoof, executive director of the Smart Card Alliance, which held a teleconference yesterday about privacy and security in smart-card applications.
The federal government has dozens of smart-card projects
under way at cabinet departments, the Food and Drug Administration, the General Services Administration, NASA, the Office of Management and Budget, and the military services.
One way to ensure privacy is to avoid gathering too much personal information from smart cards and transmitting it to personnel who don't need to see it for their daily duties, Katz said. For example, the data could be encrypted so that the card scanner would say only that a particular card is valid or invalid, without revealing the personal information that makes it one or the other.
Katz said original personal documents should be destroyed and biometric data stored in templates'a cautious approach that can go a long way to prevent fraud or theft. 'Periodically audit all saved information,' he said, then delete anything that's no longer necessary.
Another vendor recommended categorizing information into personal and public domains on the card's chip, with only the public domain visible to the card reader. 'It's up to the application or cardholder to decide what kind of information is public,' said Gilles Lisimaque, senior vice president and cofounder of Gemplus International SA, based in Luxembourg. 'That's a consent kind of approach.'