Identity Technology Working Group

April 21, 1999.

Professor Ian Orchard
Vice-Provost Students
Room 221
Simcoe Hall
University of Toronto

RE: The Smartcard Pilot Project Review Committee

The Identity Technology Working Group (ITWG) welcomes the establishment of a committee to review and assess the pilot implementation of the University of Toronto T-Card. You may recall that last November the ITWG held an open public forum on the T-Card bringing together a panel which included the Privacy Commissioner of Ontario, the Commissioner for Freedom of Information and Privacy of the University of Toronto, representatives of the University Implementation Team, including the Registrar, students and faculty. The forum revealed there was a substantial lack of knowledge about this card in particular, and identity technology in general, on the part of everyone there. Not surprisingly, significant issues have surfaced over this year as students and faculty of the university have begun to use the card.

We believe that the University of Toronto has the opportunity to take a leadership role in the emerging international debate on the role of identity technology and to demonstrate leadership in the socially responsible use of these technologies. Several faculty members currently have funded research in this area (both government and corporate): research that includes design and development as well as policy and evaluation aspects. A number of graduate students are working directly in this area and the issue in being raised in a variety of undergraduate courses. If we extend this to the issue of privacy more generally a larger group in the university are involved.

The review which is now being undertaken is the appropriate venue to address
these issues, but we feel that the mandate should be enlarged. There are a number of significant questions, social, technological and in terms of policy that need to be addressed. For example:

-- What efforts is the University of Toronto making in order to establish itself as a civic leader in the socially responsible use of technology?
-- How can the University ensure that an open and effective debate takes place prior to the implementation of innovative and controversial technologies about which there is little known and almost no experience?
-- Why are the recognised university experts on identity technology and privacy not on the committee?
-- How does the University ensure that card-holders are adequately informed about
the status of the implementation (voluntary or not), their rights, obligations and the potential risks of using the system?
-- The current practice of storing digitized images and signatures violates
fundamental privacy principles (including the University of Toronto's own privacy policies). What are the plans to resolve this?

More specifically:

-- Why are financial transactions and identity transactions not separate?
-- Given the possibilities for Trojan horses, viruses and other covert surveillance mechanisms: the absence of which is not easily verified by the cardholder, why is there a need for a chip on the card? What is gained by the chip in light of these tangible risks?
-- What social/technological options were explored to protect privacy, e.g., anonymity, pseudonymousness
-- How was the current vendor, CyberMark (from Florida), selected and why was preference given to a foreign supplier when the provincial government and GTA have claimed this area as a centre for technological leadership, innovation, entrepreneurship?
-- How secure are the data, what data are generated in different transactions, where are these data being stored, and who has access to them? What mechanisms are in place for individuals to ensure that their data are safe? Has the issue of data storage in a foreign country been addressed?
-- What is the role of the systems developer (CyberMark) in the handling of
data, i.e., how does the University ensure that access to the data is separated
from access to the infrastructure?

In terms of evaluation:

-- How will the system be evaluated and by whom?
-- What are the criteria to determine system success?
-- What steps will be taken to ensure openness and public transparency in the review process and in future development?


We look forward to working together with you to address these and other questions.

Sincerely,

Representatives of the Identity Technology Working Group, including:

Nimal Amitirigala, Masters candidate, Faculty of Information Studies
Andrew Clement, Professor, Faculty of Information Studies
C.C. Gotlieb, Emeritus Professor Department of Computer Science
James Hoch, PhD (Egyptology), GSU Executive Assistant
Steve Mann, Professor, Electrical and Computer Engineering
Gale Moore, PhD, Library/Sociology
Elan Ohayon, University of Toronto Governor 1999-2000.
Felix Stalder, PhD candidate, Faculty of Information Studies