Those floundering 'smart' cards

Varsity, Thursday, March 11, 1999.

The introduction of the so-called smart card technology (T-Card) has raised a number of serious issues and is already causing problems. First, the privacy concerns--the University is almost certainly violating its own privacy policy (by collecting personal information that it does not need, for instance). When you got your card, were you informed that the University was storing your name and photo in a data-base? Did you give your consent for this? Do you know who has access to your signature and for what purposes? Indeed, why should anyone have control over your signature? Oh, and by the way, did they tell you that your personal information was going to be stored not just in Toronto, but also in Florida? University privacy policy is supposed to ensure the security of data by preventing unauthorized access. Are the needs of Cybermark more important than your privacy?

And when you pay for a meal in the cafeteria with your card, your student (or employee) number is printed on the receipt. This use of personal information is certainly not needed. The basic tenet of privacy is: collect only what you NEED. At U of T, there is not only the collection of unneeded information, but its use. When I get my T-Card, I will not allow my identity to be stored (some would say stolen) by U of T.

The administration claims that the new card "improves efficiency," but for whom? The implementation of the card has actually introduced a number of practical problems. Not the least concerns student society elections. A student's current year of registration nowhere appears on the card, so there is no way to prove one's eligibility to vote. Also, there is no way of marking the card to show that a student has voted. This year students will be required to present TWO pieces of ID (T-card and wallet)--so much for efficiency. And next year the card, as it has been implemented, will be useless for election purposes--so much for being "smart". The administration's proposed "solution" is unacceptable: "The opportunity to vote more than once is almost exclusively restricted to persons using their own photo ID cards. Students should be trusted not to try to do this." (emphasis added). Since when did the administration ever trust students?

The election problem is one of the clearest examples of what went wrong with the implementation process. Little if any forethought went into the process. Consultation with student societies began only after it dawned on the administration that elections would be a problem. By then it was too late--registration was around the corner.

The reason that the implementation turned out to be an all-around fiasco (not just for student elections) is simple. The administration did not follow a logical process starting with assessing the needs and culminating in the development of policy and producing an implementation plan before introducing the card. Instead they did everything backwards, and are now scrambling for fixes. But they are scrambling slowly, mind you. And so far their fixes don't work.

Whose idea was it to rush into uncharted waters without plotting a course? Surprisingly, nobody in the administration will publicly take "credit" for this "pilot" project that now engulfs us. Those in charge of the implementation say: We didn't make the decision; we are just following up on it. As it stands, Dr. John Dimond, U of T Privacy Commissioner was "handed the bag" on privacy issues. And technical and practical concerns were left with Karel Swift, Registrar. No matter who initiated the project, the administration remains responsible to find solutions and to ensure that U of T privacy protocols are of the highest calibre.

One of the basic questions that we have been asking is: "Why was this technology implemented?" There has been no answer of substance. Perhaps even more important is the question: "Who gave the authority for the administration to breach fundamental privacy protocols?" The matter is particularly disturbing since there are broader social implications. This technology is far more useful for surveillance than service. (That's why repressive governments are so keenly interested in it.) The University has a civic responsibility to bring leadership to social questions; instead it has recklessly plowed ahead, using our community as a testing ground for new digital technologies.

These and other questions were formally submitted to the administration in early December by the GSU. The administration's replies are eagerly awaited.

James E. Hoch
Identity Technology Working Group