SECURITY REPORTS

Privacy Problems Looming for Australia's Smartcards

Frank Rees

According to Dr Mark Looi of the Queensland University of Technology, there are problems of privacy and security looming for Australia's smartcards. At a seminar in the University's School of Data Communications, he said that privacy issues were a hot topic that everyone was afraid to discuss and very few organizations wanted to know anything about. Privacy was an additional expense that had to be incurred by commercial organizations.

He told the University's journal, Inside QUT: "It affects the bottom line and for this reason the problem of smartcard security has not been adequately dealt with. Within two years many of our major business organizations will be introducing smartcards and there are no regulations in place to protect the customer."

Dr Looi said that even though customers might be concerned about privacy they would be tricked or forced into using smartcards. "People have concerns about 'big brother', or losing their card and someone else pretending to be them. With a smartcard, a bank may be able to access the telephone or shopping records of their customers using cross-vendor data."

Dr Looi said that there was little to prevent commercial organizations using all the information available through these cards in any way they chose. The best option was for governments to ensure privacy through legislation. However, he did not believe that Australian Governments would legislate because of the costs involved.

"Commercial organizations will probably object to having restrictions placed upon them and it is unlikely that Government will have the will to pass strong enough legislation to be effective", he said. "The Prime Minister, Mr John Howard, has already said the cost of compliance is too great for businesses. I think that human nature will just adapt and that people will be fooled into sacrificing privacy through inducements."

A leading national law firm, Clayton Utz, said that privacy was one of several legal issues to be considered in the establishment of smartcard schemes.

The law firm commented, "The Federal Privacy Act does not cover the private sector except in respect of credit-related information about individuals and the handling of tax file numbers. In March 1997, the Prime Minister announced that, because of compliance costs on business, the Government would not proceed with national privacy legislation, but would instead ask the Federal Privacy Commissioner to work with business to develop voluntary industry codes of conduct on privacy."

Privacy groups in Australia have argued for legislation to ensure security and privacy of smartcard schemes, rather than the voluntary code proposed by the Government.

The law firm notes that Australian privacy groups have promised test cases under the European Union Directive on Trans-border Data Flows which forbids the transfer of personal information from EU member states to a non-EU country for processing (including collection, storage, use or disclosure) unless the non-EU country ensures an adequate level of protection dependent upon their content and compliance mechanisms.

"This will affect transfers of a wide range of data including marketing data, personal data, data on payments and credit in trans-border sales and other financial data, as well as any information sent purely for processing or storage", Clayton Utz said.

Consequently, the requirements of the European Directive could prove incentives for voluntary adoption of a privacy code by some Australian industries, but may also be a catalyst for national legislation to ensure data security.

Acknowledgements to the Queensland University of Technology.

Computer Fraud & Security August 1998 ISSN: 1361-3723/98/$19.00 © 1998 Elsevier Science Ltd. All rights reserved
