The Tech Scene: The Know-It-All Smart Card Stirs Privacy Fears

Smart cards do hold out the promise of convenience - a bank in your pocket, as the saying goes - but banks that offer them or are thinking about doing so must be mindful of public perceptions that these powerful devices are a privacy risk.

Developers and marketers of the latest generation of chip cards swear up and down that their technology gives the public more privacy safeguards than ever: passwords and personal identification numbers are needed to unlock the devices, firewalls guard one application from another, and biometric identification can be placed on a card to ensure it is used by the right person.

But these arguments may not be enough for a wary public.

Regardless of the strength of the security in place, the truth is that no technology is foolproof, and the idea of storing a great deal of sensitive information on a single chip is enough to make anyone take pause. Indeed, some consumer privacy experts are already sounding alarms about the potential smart cards have to lead us down a slippery slope toward Big Brother.

There are a variety of concerns. A lost card could fall into the hands of someone who has figured out how to crack it and to assume the owner's identity. An insurance company or potential employer could demand access to health records or other information stored on a card. Or an application provider could - through malice or bungling - track data about a person's movements and transactions in an inflammatory way.

"If it's an all-purpose card for commercial transactions, it can also be an all-purpose card for verifying your identity and allowing you to do certain things," warned Robert Ellis Smith, publisher of a newsletter called Privacy Journal. "It will basically be a national ID card."

For the moment, the cards that are on the market do not aggregate data in a way that privacy buffs find particularly dangerous. But smart cards are certainly envisioned as an all-in-one answer to wallet clutter, repositories of payment and bank account information, health records, driving records, and more.

"Even though it's physically in your pocket, that information could leave your pocket against your wishes," said Evan Hendricks, editor of another newsletter, Privacy Times. "It could be lost, stolen, subpoenaed, or demanded in a situation where you don't have much leverage," like a job interview.

American Express Co., FleetBoston Financial Corp., and Providian Financial Corp. are marketing smart-card products that rely on a chip primarily for online authentication. The chip can help fill in forms at Internet merchants and can keep track of loyalty points, and the basic idea is for consumers to use the card as a secure hardware token, an extra piece of identification when presenting oneself in cyberspace.

"What smart cards do is provide a tool to protect privacy," argues Gary Glickman, president of Phoenix Maximus, a Rockville, Md., technology firm that implements smart-card systems, primarily for government agencies. "If you look at applications - not just government, but commercial applications - if you use the card as a key, then it's just like holding any other physical key. It puts control over the application in the hands of the cardholder."

John L. Burke Jr., general counsel to the Smart Card Forum and a partner in the Washington office of the Boston law firm of Foley, Hoag & Eliot, called the card a "privacy enhancer." If applications are created with "appropriate respect for the consumer, the consumer is going to determine how much information he'll give in exchange for what benefit," he said.

Both sides of the debate are valid, and banks should be mindful of them as they decide how to design and promote smart cards. While microprocessor chips can work to consumers' favor in providing extra protection, nagging concerns over how things could go wrong will need to be addressed at every step of the way.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER