"Smart" Cards on Campus: Social choices in the formative development of identity technologies
by Andrew Clement
(a slightly edited version of this paper was published as "The Advent of Smart Cards" in the University of Toronto Bulletin, Monday, April 26, 1999)
It is a truism to observe that we are all increasingly implicated in rapid technological transformations that affect many aspects of our daily lives. One technology after another appears to arise suddenly from obscurity and before we can question the pros and cons, it has been worked into the social fabric. This pace of change and the disarming rhetorics typically used to push such developments make it very hard, even seemingly silly, to involve the public in making key choices in a manner befitting a democratic society. As these technologies wash over us, they give the impression of inevitability even as serious problems with them emerge that could be avoided had more care been taken in the early stages. The Internet is the most prominent current instance of the familiar trajectory from technological wonder to everyday mixed blessing. Hard on its heels are "identity technologies," of which the recently introduced University of Toronto "smart card" (the TCard) offers a vivid example.
The TCard is a combination identity card and wallet which authorises access to various campus facilities, such as the library and gym, and enables purchasing goods with the cash stored on the chip. Visible on each smart card -- now carried by thousands of U of T students, faculty and staff members -- are the user's digitized photograph and signature, academic division, student/employee number and library barcode number. Material provided with the card states that its magnetic stripe contains name, student number, library barcode number and issue date and that the "cash" chip contains this same information as well as a Personal Identification Number and the card's serial number. There is, however, no way to verify that this is all the information stored. The card's vendor, CyberMark of Florida, claims that its chip-based card technology is the most advanced in the world and "has incredible future application potential."
The Tcard's introduction not only offers us a ringside seat for witnessing the early formative stages of a significant new societal technology, but more importantly, it provides the university community with an unusual opportunity to contribute positively to the development of a technology with complex and widespread social ramifications. Unfortunately, the experience so far with the card's implementation is disappointing in this regard. The administration has treated the TCard's introduction as a routine internal matter of little concern to its users. Promoted under the slogan "Making University Life Easier," administrators present it to us as offering obvious benefits of efficiency and convenience, with no drawbacks worth considering. Wider social concerns commonly associated with identity technologies, such as privacy, surveillance, access, security, dependence and participation, have been largely ignored. Furthermore, current TCard technology and practices do not meet the university's own regulations regarding privacy and access to information. In violation of well established fair information practice principles, personal information is collected and stored unnecessarily and without the required prior specification of purpose. Previously anonymous cash transactions now leave a personally identifiable trace that could be used for tracking and marketing purposes. There has been remarkably little public disclosure about rationales, practices, safeguards, avenues for redress or organizational accountability. Fortunately the recently established Committee to Review the Smart Card Pilot Project, chaired by Professor Ian Orchard, vice-provost (students), provides an excellent opportunity to remedy this situation. But to achieve this will require a broader understanding of the issues at stake as well a greater willingness to engage in an open and participatory approach to the development than those responsible have so far displayed.
For the past year, a group of U of T students, faculty and staff concerned about the social implications of identity technologies and the TCard in particular have provided the main focus of discussion of the issues surrounding smart cards on campus. Many members of this Identity Technology Working Group have research interests in privacy, information access, and user participation in the development of new technologies. The group began its work by assembling resources and discussing developments in other locales. It was clear that smart card technologies are spreading rapidly as various public and private enterprises around the world seek to more tightly link their clients into online record keeping systems. University campuses are particularly popular sites for trial projects, likely because they offer large, multi-use "captive" markets that can be bought en masse. In many jurisdictions smart card development is controversial, with recurrent concerns that they pose serious threats to privacy and civil liberties.
The technology working group views the University of Toronto's official Policy on Access to Information and Protection of Privacy as an excellent starting point for dealing with the particular issues around the campus smart card. Based on Ontario statutes, this policy begins with the following statement of basic principles: As a publicly-funded institution which operates with a high degree of autonomy and self-regulation, the University of Toronto affirms the importance of the principle of freedom of information and the obligation to conduct its operations as much as possible in ways that are open to public scrutiny. The university is also committed to the protection of the privacy of those who work and study at the university (see, http://www.utoronto.ca/govcncl/pap/policies/access.html). However, the group was dismayed that these principles did not appear to be practiced. There were clear indications that the TCard system was designed and implemented in ways that were oblivious to or deliberately ignored the large body of readily available information concerning the issues (e.g. privacy) and how to deal with them. Last November, the group organized an open forum on the University of Toronto smart card. It was "intended to provide the university community with an opportunity to learn more about the implications of the use of smart card technologies and to encourage more open and inclusive processes for the development of new technologies in the university." Invited speakers included the Information and Privacy Commissioner of Ontario, the University Commissioner for Freedom of Information and Privacy, the University Registrar who chaired the TCard Implementation Committee, representatives of the Graduate Student Union and Student Administrative Council and a doctoral candidate studying smart cards. Representatives of CyberMark were invited but declined to attend. This author served as moderator.
The forum made clear there is very little known either by university officials or students about the wider implications of the TCard. However, a great many useful questions were raised, such as: Do we really need the smart card? Why are digital photos and signatures stored when there is no apparent reason for it? What individual information is the university collecting and who has access to that information? While the administration has not substantially answered these questions, Professor Orchard's review committee is a welcome and timely opportunity to deal systemically with these concerns. To be effective and legitimate, the committee must make clear from the beginning that it welcomes an open and substantive discussion of the full breadth of issues related to smart cards on campus. The committee should ensure that its membership includes the range of relevant expertises and interests on campus. To encourage informed debate, before soliciting input it should make exisiting materials public, including the rationales behind the decision to adopt the card, the current information handling principles and practices, the agreement with CyberMark, the costs of implementation and the benefits that have accrued, the technical and administrative problems encountered, and any planning so far for future development and application. The committee's meetings should also be publicized, with written and oral submissions actively encouraged and made public.
In addition to procedural concerns the committee should consider a range of social/technical design choices. As a start, it could study Hart House's policy on the use of smart cards, developed with the technology working group's assistance. Now close to official approval, the policy adopts the principles of anonymity and transparency in an explicit attempt to balance the various competing legitimate data handling interests. For instance, no point-of-sale equipment will log personal data, a fact that can be independently verified by examining the relevant computer code available for public scruntiny. The committee could also draw upon the work of such international experts as Roger Clarke, who proposes the following privacy-sensitive design options: electronic signature cards less subject to abuse than all-purpose identification cards; no central storage of biometrics; two-way device authentication (i.e. the card checks the reader for authenticity as well as the other way round); less identity authentication, and more eligibility authentication (the TCard simply establishes that the holder is a registered student rather than who in particular she is); fewer identified transaction trails, and more anonymity and pseudonymity.
While these are complex issues, the university is unique in having the design expertise in the technical and social sciences to set a fine example. The technology is still in a formative stage when choices can be made that have long term consequences. The university can show civic leadership by demonstrating how the members of a community can be engaged actively as citizens in technological change and contribute specifically to the development of identity technologies in ways that fully respect privacy and other social values. The university can do this by applying its own core principles and mobilizing the talents of its members. In this way it would perform a lasting public service and earn well-deserved respect.
On the other hand, if the current pattern of putting administrative convenience ahead of other values prevails, we are faced with several unpleasant lessons. The university will show that it does not respect its own policies nor the privacy of its members. It will have missed a rare opportunity to influence positively the course of technological development. Furthermore, as members of the university community feel thwarted in their attempts to have the social issues addressed through the review process, they will undoubtedly seek less institutional means to express their frustration and make their concerns heard. The university has an important choice to make that can affect the welfare of its members and the long term development of identity technologies. Let's not blow it.
Professor Andrew Clement of the Faculty of Information Studies is the Coordinator of the Information Policy Research Program and an active member of the campus based Identity Technology Working Group (www.utoronto.ca/itwg). The group's Web site has links to many of the resources mentioned above.