striking a balance on privacy


Post on 21-Jun-2016



COMMENT

STRIKING A BALANCE ON PRIVACY


THE PRIVATE DEBATE

The debate on privacy and the introduction of electronic purse schemes, already raging in the US, has begun in the UK. With the introduction of the Mondex electronic cash scheme last year, the UK assumed a world lead in the field. Unlike systems such as Visa, Proton and others, Mondex is 'unaccounted'. If I transfer £32.50 from my Mondex card to your Mondex card, that's the end of it. No collecting transactions, no mainframe computers clearing transactions, no international financial networks settling transactions.

Privacy campaigners have naturally been concerned with the way in which an individual's transactions might be recorded and used. In this vein, they have criticized Mondex for using words like 'anonymous' and 'private' in relation to Mondex transactions. Mondex has responded by pointing out that cards record details of other cards, not people.

Precisely because Mondex transactions do not require any clearing or settlement (this is why it provides such inexpensive payment services), there is no central database of who spent how much on what. If I wander into Tesco and buy a sandwich with a Mondex card, I wouldn't want this fact to be whipped off to a gigantic database (unless, of course, I am one of the more than 8 million Tesco 'Clubcard' holders). However, just because the Tesco point-of-sale (POS) terminal knows which card and which sandwich doesn't mean that my privacy is in jeopardy. Why? Simply because I could have used any Mondex card to buy the sandwich: there is no authentication at point of sale, as the whole point of electronic purse cards is to replace cash. If a shopper has to sign something or punch in a PIN code, or whatever, then the advantages of using a purse card (speed, convenience, low cost) begin to erode.

Mondex is therefore justified in describing transactions as private. At no stage in any payment transaction is there a need to identify the person using the card. Mondex has always made it clear that the record of transactions collected by retailer POS terminals, which could theoretically be uploaded to the bank with the cash value deposit, would be made available to organizations with a statutory right to see it (the government, for example). In my opinion, this does not invalidate the use of strong words such as 'anonymous' to describe the transactions, since the transaction records are of cards and not people.

Suppose I buy some perfume for my wife and I want it to be a surprise, so I don't want "The Perfume Shop" to show up in the transaction record on my Mondex card. I have a couple of options. I could, for example, put my card in my Mondex wallet and transfer 1p from the wallet to the card 10 times. This would cause the perfume transaction to 'drop off' the transaction list, which stores only the last 10 transactions. Alternatively, I could borrow a card from a friend in the office and use their card instead of mine. Either way, my privacy is preserved. (Flushing the list clears only the card's own record; a retailer terminal that logs transactions still holds the card number, a point returned to below.)

The Mondex scheme has an inbuilt partitioning of potentially sensitive data. The people who know which card was used to make a retail transaction (i.e. shops) don't know who that card was issued to. The people who know who a card was issued to (i.e. the issuing bank) don't know what transactions it was used for unless the transactions happen to have occurred at a retailer equipped with a POS terminal that stores transactions and makes them available for uploading to the bank: none do, at present, for the very good commercial reason that retailers don't want banks to have this information because it's part of the retailer's competitive edge. Even then, the bank which acquires transaction data can only match it to people if it was the bank that issued the card in the first place. Furthermore, the POS terminals in use don't record all transactions but only the last 300. This is because the transactions are being collected only to help with evaluation of the pilot schemes and to learn more about how consumers and retailers use the cards in practice and, if a problem should occur (perhaps a broken card), to help to resolve it as quickly as possible.

But collecting Mondex transaction data to spy on people is pointless. Since there is no authentication at point of sale, no-one knows who used which card. Thus, even if a dedicated band of guerilla marketeers assembled a colossal database and a supercomputer to hack into every retail POS terminal in the country and suck up a list of all Mondex transactions, they still wouldn't know for certain who had bought that copy of The Economist in W.H. Smith. What's more, they have no access whatsoever to interpersonal transactions: if I use a Mondex phone or the Internet to send my brother the £35 I owe him, that transaction is only recorded in my card and his card. If I am concerned that an international conspiracy will replace ATMs with bogus replicas that will capture my transaction details next time I use an ATM, all I have to do is lock the card using my personal code (a locked card will not give up its transaction record).

THE REAL WORLD

We would all agree, of course, that there are circumstances where the legitimate needs of the state are such that a person's transactions might need to be examined. Imagine that the police are investigating a crime and they suspect that the perpetrator bought a copy of The Economist in a branch of W.H. Smith. Since I am not a lawyer, and my knowledge of police procedures is derived from watching old episodes of "The Bill" on UK Gold, my terminology may be incorrect, but I would imagine that the police could obtain some kind of warrant to inspect W.H. Smith's records. They might find that a particular card had indeed been used to purchase The Economist. Then they could obtain some kind of warrant to inspect the bank's records and get the name of the person that the card was issued to. From this, they could only infer that that individual had purchased The Economist (since it is

390


NOV-DEC THE COMPUTER LAW AND SECURITY REPORT [1996] 12 CLSR

reasonable to assume that most people use their own card most of the time) even though the records do not prove it. To me, this seems a sensible state of affairs. It becomes expensive, but not impossible, to recover transaction details and through a non-trivial process match them up with people. I think that expense is a far better deterrent to state abuse of personal data than any amount of data protection and other legislation.

The privacy that individuals should expect for their smaller transactions cannot be extended to all transactions. Mondex cards cannot store an infinite amount of money: the maximum that can be stored is fixed when the cards are 'personalized' and is obviously agreed between banks and regulators. In the UK, this limit is currently £500. The cards used by retailers, which have higher limits, need not be unrestricted. This is one area where Mondex is far better than cash from a regulatory perspective. A Safeway supermarket, for example, might contain a Mondex card with a limit of £310,000, but the software security structure built in to Mondex means that Safeway's card can only pay cash out to a bank, not to individuals.

Using the range of security options available, Mondex has struck a reasonable balance between (and deserves praise for addressing) the legitimate rights of:

• Consumers, who do not want the intimate details of their minor spending habits to be collected in centralized databases. Mondex transactions are not centrally recorded and it's pointless for retailers to record card numbers since they (the retailers) don't know who those cards were issued to.

• Banks, who want to minimize the transaction costs associated with providing payment services and supporting law enforcement and regulatory requirements.

• Law Enforcement Agencies, who want to ensure that large transfers of money can be monitored and tracked.
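The partitioning argued in this column (the card's rolling last-10 list, the retailer terminal that knows the card but not the holder, the issuing bank that knows the holder but not the purchases, and the two-warrant chain that joins them) can be modelled in a few dozen lines. The following Python is an added illustration written for this page; it is not code from the original column, from Mondex or from Hyperion. The card ids, holder names, prices and the class and function names (`Purse`, `PosTerminal`, `flush_purse_log`, `link_with_warrants`) are constructed for the example; the log depths of 10 and 300 are the figures quoted in the text.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Depths quoted in the column: a card keeps its last 10 transactions and
# the pilot POS terminals keep their last 300.
PURSE_LOG_DEPTH = 10
POS_LOG_DEPTH = 300


@dataclass
class Purse:
    """A value-carrying card (hypothetical model). A transfer is logged on the
    two cards involved and nowhere else; each log is a bounded ring buffer."""
    card_id: str
    balance_pence: int
    locked: bool = False
    log: Deque[Tuple[str, int]] = field(
        default_factory=lambda: deque(maxlen=PURSE_LOG_DEPTH))

    def transfer(self, to: "Purse", amount_pence: int) -> None:
        # No identity check anywhere: any card may pay any other card.
        if self.locked or to.locked:
            raise PermissionError("a locked card does not transact")
        if amount_pence <= 0 or amount_pence > self.balance_pence:
            raise ValueError("amount out of range")
        self.balance_pence -= amount_pence
        to.balance_pence += amount_pence
        self.log.append((to.card_id, -amount_pence))
        to.log.append((self.card_id, amount_pence))

    def read_log(self) -> List[Tuple[str, int]]:
        # A locked card will not give up its transaction record.
        return [] if self.locked else list(self.log)


@dataclass
class PosTerminal:
    """Retailer terminal: learns card id and item, never who held the card."""
    purse: Purse
    log: Deque[Tuple[str, str, int]] = field(
        default_factory=lambda: deque(maxlen=POS_LOG_DEPTH))

    def sell(self, customer: Purse, item: str, price_pence: int) -> None:
        customer.transfer(self.purse, price_pence)
        self.log.append((customer.card_id, item, price_pence))


def flush_purse_log(card: Purse, wallet: Purse, counterparty: str) -> int:
    """The column's trick: 1p wallet-to-card transfers until `counterparty`
    has rolled off the card's own list. Returns the number of transfers used."""
    used = 0
    while any(c == counterparty for c, _ in card.read_log()):
        wallet.transfer(card, 1)
        used += 1
    return used


def link_with_warrants(terminals: List[PosTerminal],
                       issuer_register: Dict[str, str],
                       item: str) -> List[Tuple[str, Optional[str]]]:
    """Warrant one (retailer): which cards paid for `item`.
    Warrant two (issuing bank): who each card was issued to. A card issued by
    another bank is absent from this register and maps to None; a card that
    is present maps to its holder, who need not be the person who paid."""
    cards = {card for t in terminals for card, it, _ in t.log if it == item}
    return sorted(((c, issuer_register.get(c)) for c in cards), key=lambda p: p[0])


def demo() -> dict:
    """Walk through the column's scenarios on constructed data."""
    issuer_register = {"CARD-A": "Card A's holder", "CARD-B": "Office friend"}
    me, friend = Purse("CARD-A", 50_000), Purse("CARD-B", 50_000)
    stranger = Purse("CARD-Z", 10_000)          # issued by some other bank
    wallet = Purse("WALLET-A", 1_000)           # my Mondex wallet
    perfume_shop = PosTerminal(Purse("PERFUME-SHOP", 0))
    wh_smith = PosTerminal(Purse("WHSMITH-12", 0))

    # The surprise present, then 1p top-ups until it is off my card's list.
    perfume_shop.sell(me, "perfume", 3_500)
    on_card_before = any(c == "PERFUME-SHOP" for c, _ in me.read_log())
    used = flush_purse_log(me, wallet, "PERFUME-SHOP")
    on_card_after = any(c == "PERFUME-SHOP" for c, _ in me.read_log())

    # The Economist bought with my friend's card (and, separately, by a stranger).
    wh_smith.sell(friend, "The Economist", 250)
    wh_smith.sell(stranger, "The Economist", 250)
    wh_smith.sell(me, "sandwich", 199)

    me.locked = True                            # personal code entered
    return {
        "perfume_on_card_before": on_card_before,
        "transfers_to_flush": used,
        "perfume_on_card_after": on_card_after,
        "retailer_still_knows_card": ("CARD-A", "perfume", 3_500) in perfume_shop.log,
        "economist_buyers": link_with_warrants([wh_smith], issuer_register, "The Economist"),
        "locked_card_log": me.read_log(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the four points the column makes: exactly ten 1p transfers are needed to push the perfume entry off the card, the perfume shop's terminal still holds the card number afterwards, the two-warrant join returns a holder name for the friend's card but nothing for a card from another issuer, and a locked card returns an empty log. The join's result is the holder, not whoever presented the card, which is why the text says the police can only infer the purchaser.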

There is an alternative to the Mondex approach: the fully authenticated and accounted electronic purses (better described as pre-authorized debit cards) coming into use in some European countries. These offer a particular advantage over Mondex, which is that you'll save a lot of time every year not having to fill in one of these new 'self assessment' tax returns: since the government will be able to get all of your transactions from computers, they'll be able to fill in the form for you and just send you the bill.

David Birch, director of the UK consulting firm Hyperion, 8 Frederick Sanger Road, Surrey Research Park, Guildford, Surrey, GU2 5YD, UK; tel: +44 1483 301793; fax: +44 1483 561657; Web: http://www.hyperion.co.uk

BOOK REVIEW MULTIMEDIA LAW

Multimedia Contracts, by J Dianne Brinson and Mark F Radcliffe, 1996, soft-cover, Ladera Press, US$79.95 (plus US$7 for shipping and handling). The authors of this text are a professor from Georgia State School of Law, a specialist in intellectual property, and a lawyer representing many multimedia clients within a Palo Alto law firm. This handbook is designed to help the process of establishing 'standard' type contracts, which have yet to feature in the multimedia industry in the same way as they do in more mature industries such as film and book publishing. The text contains more than 50 sample contracts and provides an opportunity for users to understand how companies in the multimedia industry are solving their problems. The contracts in the book are divided into seven sections: releases and licences; copyright assignment; production contracts; development contracts; publishing agreement; source code escrow agreement; and union contracts. The book also includes a brief overview of the legal issues facing the multimedia industry. The authors indicate that the contracts used in the text have been applied by companies in the multimedia industry. However, each should be considered as a sample rather than a model agreement, since the authors recommend consultation with an experienced attorney prior to using any of these contracts. Available from: Ladera Press, c/o R/S Associates, PO Box 5030, Port Huron, MI 48061-5030, USA; tel: 800 523 3721; fax: 810 987 3562.

391