Term Paper: Privacy, Smartcards and the Nigerian System by David Oladeji


  • 8/8/2019 Term Paper: Privacy, Smartcards and the Nigerian System by David Oladeji


    Chapter 1: Smartcards

    1.0 What are Smartcards?

    A Smartcard is a plastic card with an embedded integrated circuit that conforms to the International
    Organization for Standardization (ISO) standards: the ISO/IEC 7816 series for contact smartcards, and
    ISO/IEC 14443 for contactless cards.

    A Smartcard is a type of embedded computer chip card, which can be either a memory type or a
    microprocessor type that stores data. This data is usually associated with value, information, or both,
    and is stored and processed within the card's chip. The card data is transacted via a reader that is part of
    a computing system. Systems that are enhanced with Smartcards are in use today throughout the world.
    Some key applications of Smartcards are in healthcare, banking, entertainment, and transportation. All of
    these applications benefit from the added features and security that Smartcards provide over their
    predecessors. According to Eurosmart (the voice of the smart security industry), worldwide Smartcard
    shipments were forecast to grow 10% in 2010, to 5.455 billion cards. Markets that have traditionally been
    served by other machine-readable card technologies, such as barcode and magnetic stripe, are converting to
    Smartcards as the calculated return on investment is revisited by each card issuer year after year.

    1.1 Categories of Smartcards

    Smartcards are categorized according to the type of chip implanted within the card and its

    capabilities. The categories are as follows:

    1.1.1 Memory cards cannot manage files and have no processing power for data management. All
    memory cards communicate with readers through synchronous protocols, and in all memory cards
    you read and write to a fixed address on the card. There are three primary types of memory
    cards: Straight, Protected, and Stored Value. Before designing these cards into a proposed
    system the issuer should check that the readers and/or terminals support the
    communication protocol of the chip. Most contactless cards are variants on the protected
    memory/segmented memory card idiom.


    a. Straight Memory Cards: These cards just store data and have no data processing
    capabilities. They were traditionally the lowest cost per bit for user memory, but this
    has changed with the large quantities of processor chips now being built for the GSM
    market, which has dramatically cut into the cost advantage of these devices. They
    should be regarded as floppy disks of varying sizes without the write-protect tab. These
    cards cannot identify themselves to the reader, so the host system has to know what
    type of card is being inserted into a reader. They are easily duplicated and
    cannot be tracked by on-card identifiers.

    b. Protected / Segmented Memory Cards: These cards have built-in logic to control
    access to the memory of the card. Sometimes referred to as Intelligent Memory cards,
    these devices can be set to write-protect some or all of the memory array. Some of
    these cards can be configured to restrict both reading and writing, usually by means of
    a password or system key. Segmented memory cards can be divided into logical sections
    for planned multi-functionality. These cards are not easily duplicated, but an attacker
    with a suitable emulator can impersonate one. They can typically be tracked by an
    on-card identifier.

    c. Stored Value Memory Cards: These cards are designed for the specific purpose of
    storing value or tokens. The cards are either disposable or rechargeable. Most cards of
    this type incorporate permanent security measures at the point of manufacture. These
    measures can include password keys and logic that are hard-coded into the chip by the
    manufacturer. The memory arrays on these devices are set up as decrement-only
    counters, and there is little or no memory left for any other function. For a simple
    application such as a telephone card, the chip has 60 or 12 memory cells, one for each
    telephone unit. A memory cell is cleared each time a telephone unit is used. Once all the
    memory units are used the card becomes useless and is thrown away; in the case of
    rechargeable cards this process can be reversed.


    1.1.2 CPU/MPU Microprocessor Multifunction Cards have on-card dynamic data
    processing capabilities. Multifunction Smartcards allocate card memory into independent
    sections or files assigned to a specific function or application. Within the card is a
    microprocessor or microcontroller chip that manages this memory allocation and file
    access. This chip is, in principle, a small general-purpose computer; when implanted in a
    Smartcard it manages data in organized file structures via a card operating system (COS),
    which mediates every access to the on-card user memory. This capability permits different and
    multiple functions and/or different applications to reside on the card, allowing businesses to
    issue and maintain a diversity of products through the card. One example is a debit card
    that also enables building access on a college campus. Multifunction cards benefit
    issuers by enabling them to market their products and services via state-of-the-art
    transaction and encryption technology. Specifically, the technology enables secure
    identification of users and permits information updates without replacement of the
    installed base of cards, simplifying program changes and reducing costs. For the card
    user, multifunction means greater convenience and security, and ultimately
    consolidation of multiple cards down to a select few that serve many purposes.

    1.2 Types of Smartcards

    Smartcard types are defined according to how the card data is read and written: contact or
    contactless.

    1.2.1 Contact Smartcards must be inserted into a Smartcard reader, making physical
    contact with it. These are the most common type of Smartcard. Electrical contacts
    located on the outside of the card connect to the reader when the card is inserted; this
    contact plate is bonded to the encapsulated chip in the card. Chip-based ATM and debit
    cards are examples of contact cards.


    Figure 1.1: Structure of a contact smartcard.

    Figure 1.2: Segment of a smartcard's contact module

    Source: www.smartcardbasics.com

    1.2.2 Contactless Smartcards have an antenna embedded inside the card that enables
    communication with the reader without physical contact. These Smartcards use a
    radio-frequency link (the same family of technology as RFID) between card and reader, so the
    card is not inserted; it is held near or passed along the exterior of the reader and read. Types
    include proximity cards, implemented as a read-only technology for building
    access; these cards have very limited memory and communicate at 125 kHz.
    Another type of limited card is the Gen 2 UHF card that operates at 860 MHz to 960
    MHz. True read-and-write contactless cards were first used in transportation
    applications. They communicate at 13.56 MHz and conform to the ISO/IEC 14443 standard.

    These cards are often protected memory types. They are also gaining popularity in retail
    stored value, since they can speed up transactions without lowering transaction
    processing revenues (e.g. Visa and MasterCard), unlike traditional Smartcards.

    [Figure 1.1 labels: contact module, micro-computer, card body (back)]

    The ISO/IEC 14443 specification defines two variants, Type A and Type B, which differ in
    modulation, bit coding and anticollision rather than in which manufacturer supplies the chip;
    NXP (Philips) MIFARE chips are the best-known Type A family, while a proposed Type C
    (Sony FeliCa) was never adopted into the standard. Contactless card drawbacks include the
    limits of cryptographic functions and user memory compared with contact microprocessor
    cards, and the short distance between card and reader required for operation.

    Figure 1.3: Structure of a contactless smartcard.

    Figure 1.4: Diagram illustrating relationship between categories and types of Smartcard

    Source: www.smartcardbasics.com

    [Figure 1.3 labels: micro-computer, antenna, card body (front)]


    1.3 Why Smartcards?

    Smartcards improve the convenience and security of any transaction. They provide tamper-resistant
    storage of user and account identity (not tamper-proof: a well-resourced attacker can still extract
    secrets from a chip; the design goal is to make that expensive rather than impossible). Smartcard
    systems have proven more reliable than other machine-readable cards, like magnetic stripe and
    barcode. Smartcards also provide vital components of system security for the exchange of data
    throughout virtually any type of network, and are a cost-effective solution in these environments.
    Multifunction cards can also be used to manage network system access and store value and other
    data. Worldwide, people are now using Smartcards for a wide variety of daily tasks, which include:

    1.3.1 SIM Cards and Telecommunication: The most prominent application of Smartcard
    technology is in Subscriber Identity Modules (SIM), required for all phones under the
    Global System for Mobile Communications (GSM) standard. Each phone uses the unique
    identifier stored in the SIM, together with the SIM's secret authentication key, to establish
    the rights and privileges of each subscriber on various networks. This use case represents
    over half of all Smartcards consumed each year. The Universal Subscriber Identity Module
    (USIM) is also being used to bridge the identity gap as phones move between GSM and
    UMTS (3G) networks.

    1.3.2 Loyalty and Stored Value: Another use of Smartcards is stored value, particularly loyalty
    programs that track and provide incentives to repeat customers. Stored value is more
    convenient and safer than cash. For multi-chain retailers that administer loyalty programs
    across many different businesses and POS systems, Smartcards can centrally locate and
    track all data. The applications are numerous: transportation, parking, laundry,
    gaming, retail, and entertainment.

    1.3.3 Securing Digital Content and Physical Assets: In addition to information security,
    Smartcards can ensure greater security of services and even equipment by restricting access
    to authorized users only. Information and entertainment is delivered via satellite or
    cable to the home DVR, cable box or cable-enabled PC; the service is encrypted, and is
    decrypted via the subscriber's Smartcard according to the access it grants. Digital video
    broadcast systems have already adopted Smartcards as electronic keys for content protection.
    Smartcards can also act as keys to machine settings for sensitive laboratory equipment and
    dispensers for drugs, tools, library cards, health club equipment etc. In some environments,
    Smartcard-enabled SD and microSD cards are protecting digital content as it is delivered to
    mobile handsets.

    1.3.4 E-Commerce: Smartcards make it easy for consumers to securely store information and

    cash for purchasing. The advantages they offer consumers are:

    o The card can carry personal account, credit and buying preference information that can

    be accessed with a mouse click instead of filling out forms.

    o Cards can manage and control expenditures with automatic limits and reporting.

    o Internet loyalty programs can be deployed across multiple vendors with disparate POS

    systems and the card acts as a secure central depository for points or rewards.

    o Micro Payments - paying nominal costs without transaction fees associated with credit

    cards, or for amounts too small for cash, like reprint charges.

    1.3.5 Bank Issued Smartcards: Around the globe, bank-controlled co-ops (Visa, MasterCard,
    Discover, and American Express; in Nigeria, Interswitch and CardBASE/ValuCard) have rolled
    out millions of Smartcards under the EMV (Europay, MasterCard, Visa) standard. Often
    referred to as chip-and-PIN cards, these are the de facto type of card for bank issuance in
    most countries. Smartcards have proven able to secure transactions with such regularity
    that the EMV standard has become the norm. At the prompting of the Central Bank of
    Nigeria, banks and card issuers there have also migrated to the EMV standard. Some of the
    advantages for banks are:

    o Smartcards increase trust through improved security. Two-factor authentication (something
    you have, the card, plus something you know, the PIN) protects data and value across the
    internet. Because the card answers a fresh challenge each time rather than sending a static
    secret, a captured username and password cannot simply be replayed. Note, however, that
    this does not by itself stop a man-in-the-middle or a Trojan horse on the user's PC from
    altering a transaction after the user has authenticated; that is why EMV also has the card
    compute a cryptogram over the transaction data itself

    o Customer service improves: customers can use secure Smartcards for fast, 24-hour
    electronic funds transfers over the internet

    o Costs are reduced: transactions that normally would require a bank employee's time and
    paperwork can be managed electronically by the customer with a Smartcard


    1.3.6 Healthcare Informatics: The explosion of health care data introduces new challenges in
    maintaining the efficiency of patient care and privacy safeguards. Smartcards address both of
    these challenges with secure, mobile storage and distribution of patient information, from
    emergency data to benefits status. Many countries with national health systems have already
    adopted Smartcards as credentials for their health networks and as a means of carrying an
    immediately retrievable Electronic Health Record (EHR). Smartcard benefits in healthcare
    include:

    o Rapid, accurate identification of patients; improved treatment

    o Reducing fraud through authentication of provider/patient visits and insurance eligibility

    o A convenient way to carry data between systems or to sites without systems

    o Reducing record maintenance costs

    1.3.7 Embedded Medical Device Control: For years, embedded controllers have been in many

    types of machines, governing the quality and precision of their function. In Healthcare,

    embedded Smartcards ensure the best and safest delivery of care in devices such as dialysis

    machines, blood analyzers and laser eye surgery equipment.

    1.3.8 Enterprise and Network Security: Microsoft Windows, Solaris (from Sun Microsystems,
    now part of Oracle Corporation) and current Linux distributions have built-in hooks to deploy
    Smartcards as a replacement for usernames and passwords (PC/SC for reader access on all
    three; PKCS#11 on Unix-like systems and CryptoAPI/CNG minidrivers on Windows for the
    cryptographic interface). Business-to-business intranets and Virtual Private Networks (VPNs)
    are enhanced by the use of Smartcards. Users can be authenticated and authorized to access
    specific information based on preset privileges. Additional applications range from secure
    email to electronic commerce.

    1.3.9 Physical Access:Businesses and universities of all types need simple identity cards for all

    employees and students. Most of these individuals are also granted access to certain data,

    equipment, and departments according to their status. Multifunction, microprocessor-based

    Smartcards incorporate identity with access privileges and can also store value for use in

    various locations, such as cafeterias and stores. Many hotels have also adopted ISO 7816

    type card readers to secure staff-only rooms and facilities.


    1.4 Benefits of Smartcards

    The first main advantage of Smartcards is their flexibility. There is no need, for example, to carry
    several cards: one card can simultaneously be an ID, a credit card, a stored-value cash card, and a
    repository of personal information such as telephone numbers or medical history. Such a card can be
    replaced if lost, and, because a PIN (or another form of authentication) must be presented to access
    information, it is of little use to anyone other than its legitimate bearer. After a small number of
    wrong PIN entries the card's own retry counter blocks it; the lockout is enforced by the chip, not
    by the reader, so it cannot be bypassed by moving the card to a different terminal.
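    The card operating system's mediation of file access (section 1.1.2) and the on-card PIN retry counter
    just described can be shown together in a small simulation. The following Python is an example added
    to this page, not code from the paper or from any real card: it models a toy ISO/IEC 7816-4 card that
    answers SELECT, VERIFY and READ BINARY command APDUs with the standard status words. The PIN
    `1234`, the file identifiers and the file contents are constructed for the demonstration; `ToyCard`,
    `apdu` and `parse_apdu` are this example's own names.

```python
# Added example: a toy ISO/IEC 7816-4 card operating system, written for this page.
# It is not code from the paper. PIN, file identifiers and file contents are constructed.
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Instruction bytes and status words as defined in ISO/IEC 7816-4
INS_SELECT, INS_VERIFY, INS_READ_BINARY = 0xA4, 0x20, 0xB0
SW_OK = 0x9000
SW_WRONG_LENGTH = 0x6700
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982   # file is PIN-protected, PIN not verified
SW_AUTH_METHOD_BLOCKED = 0x6983             # retry counter exhausted
SW_COMMAND_NOT_ALLOWED = 0x6986             # no file selected
SW_FILE_NOT_FOUND = 0x6A82
SW_INS_NOT_SUPPORTED = 0x6D00
MAX_PIN_TRIES = 3


def apdu(ins: int, p1: int = 0, p2: int = 0, data: bytes = b"", le: Optional[int] = None) -> bytes:
    """Build a short command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    out = bytes([0x00, ins, p1, p2])
    if data:
        out += bytes([len(data)]) + data
    if le is not None:
        out += bytes([le])
    return out


def parse_apdu(cmd: bytes) -> Tuple[int, int, int, bytes, Optional[int]]:
    """Split a short APDU into (INS, P1, P2, data, Le); raise ValueError on a bad length."""
    if len(cmd) < 4:
        raise ValueError("APDU shorter than header")
    ins, p1, p2 = cmd[1], cmd[2], cmd[3]
    body = cmd[4:]
    if not body:                       # case 1: header only
        return ins, p1, p2, b"", None
    if len(body) == 1:                 # case 2: Le only
        return ins, p1, p2, b"", body[0]
    lc, data = body[0], body[1:1 + body[0]]
    if len(data) != lc:
        raise ValueError("Lc does not match data length")
    le = body[1 + lc] if len(body) > 1 + lc else None
    return ins, p1, p2, data, le


@dataclass
class ToyCard:
    """Card-side state: reference PIN, files as {id: (content, pin_protected)}, security status."""
    pin: bytes
    files: Dict[int, Tuple[bytes, bool]]
    tries_left: int = MAX_PIN_TRIES
    verified: bool = False
    selected: Optional[int] = None

    def process(self, cmd: bytes) -> Tuple[bytes, int]:
        """Handle one command APDU and return (response data, status word)."""
        try:
            ins, p1, p2, data, le = parse_apdu(cmd)
        except ValueError:
            return b"", SW_WRONG_LENGTH
        if ins == INS_SELECT:
            return self._select(data)
        if ins == INS_VERIFY:
            return self._verify(data)
        if ins == INS_READ_BINARY:
            return self._read_binary((p1 << 8) | p2, le)
        return b"", SW_INS_NOT_SUPPORTED

    def _select(self, data: bytes) -> Tuple[bytes, int]:
        fid = int.from_bytes(data, "big") if len(data) == 2 else -1
        if fid not in self.files:
            return b"", SW_FILE_NOT_FOUND
        self.selected = fid
        return b"", SW_OK

    def _verify(self, candidate: bytes) -> Tuple[bytes, int]:
        if self.tries_left == 0:
            return b"", SW_AUTH_METHOD_BLOCKED
        # Decrement before comparing: an attacker who cuts power the instant a wrong
        # guess is detected must not be able to keep the counter from falling.
        self.tries_left -= 1
        if hmac.compare_digest(candidate, self.pin):   # constant-time comparison
            self.tries_left = MAX_PIN_TRIES
            self.verified = True
            return b"", SW_OK
        if self.tries_left == 0:
            return b"", SW_AUTH_METHOD_BLOCKED
        return b"", 0x63C0 | self.tries_left           # 63 Cx: x tries remaining

    def _read_binary(self, offset: int, le: Optional[int]) -> Tuple[bytes, int]:
        if self.selected is None:
            return b"", SW_COMMAND_NOT_ALLOWED
        content, protected = self.files[self.selected]
        if protected and not self.verified:
            return b"", SW_SECURITY_STATUS_NOT_SATISFIED
        length = le if le else len(content) - offset   # Le = 0 means "everything available"
        return content[offset:offset + length], SW_OK


if __name__ == "__main__":
    card = ToyCard(pin=b"1234", files={0x0001: (b"public data", False), 0x0002: (b"secret", True)})
    for label, cmd in [
        ("select protected file", apdu(INS_SELECT, data=b"\x00\x02")),
        ("read before VERIFY", apdu(INS_READ_BINARY, le=6)),
        ("wrong PIN", apdu(INS_VERIFY, data=b"0000")),
        ("right PIN", apdu(INS_VERIFY, data=b"1234")),
        ("read after VERIFY", apdu(INS_READ_BINARY, le=6)),
    ]:
        resp, sw = card.process(cmd)
        print(f"{label:22s} -> SW={sw:04X} data={resp!r}")
```

    Two details carry the security argument. The retry counter is decremented before the comparison, so
    glitching the card during a wrong guess cannot stop the count from falling; and once it reaches zero even
    the correct PIN returns status 6983, so the lockout lives in the card rather than in the terminal. The
    status word 63 Cx reports the remaining tries, and the comparison is constant-time as it would be in a
    real chip.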

    The second main advantage is security. Smartcards can be electronic key rings, giving the bearer
    the ability to access information and physical places without the need for online connections. They are
    encryption devices, so the user can encrypt and decrypt information without relying on unknown,
    and therefore potentially untrustworthy, appliances such as ATMs. Smartcards are very flexible in
    providing authentication at different levels, of both the bearer and the counterparty. Finally, with the
    information about the user that Smartcards can provide to other parties, they are useful devices
    for customizing products and services. Other general benefits of Smartcards are:

    • Intelligence: they can process and store information, and communicate with other
    computing devices. The following are what make Smartcards smart:

    o Smartcards are capable of not just storing data but also have processing power.

    o They have larger storage capacity when compared to magnetic stripe cards.

    o The data stored can be protected against unauthorized access and tampering.

    o They are appropriate for secure and convenient data storage.

    o Smartcards have the property of multi-functionality.

    • Portability/Convenience: Owing to their small size they can be easily carried along, can
    contain multiple applications on a single card, and can be updated without renewal.

    • Increasing data storage capacity: As technology improves, their memory can and will be
    improved upon.

    • Reliability: They are virtually unaffected by electrical and magnetic fields, unlike magnetic
    stripe cards.


    Chapter 2: Privacy and Smartcards

    2.0 What is Privacy?

    The term privacy refers to individuals' interests in preventing the inappropriate collection, use, and
    release of personally identifiable information. Privacy interests include privacy of personal behavior,
    privacy of personal communications, and privacy of personal data.

    Privacy has been described in various ways, ranging from simply the right to be left alone to the
    interest that individuals have in sustaining a personal space free from interference by others.
    Increasing requirements for identity confirmation, and for transactions of almost any kind to require
    personal identification, have caused the definition of privacy to change. Modern privacy requires
    constraints on the collection, use and release of personal information, as well as the imposition of
    measures to protect such information. Its several dimensions can be summarized as:

    • Privacy as a civil liberty: safeguarding the privacy of individuals, simply the right to be left
    alone, just as there is freedom of speech.

    • Data protection: safeguarding the confidentiality of information about individuals, the protection
    of our personal data, also described as informational privacy or data protection. As individuals, we
    do not want data about ourselves to automatically be made available to other individuals or
    organizations. When another party holds our data, the individual must be able to exercise a
    substantial degree of control over that data and its use.

    • Security: safeguarding the infrastructure, the systems and networks that hold and transport
    electronic data and communications.

    2.1 What Is Personally Identifiable Information? Personally identifiable information is one or more

    pieces of information that when considered together or when considered in the context of how it is

    presented or how it is gathered is sufficient to specify a unique individual. The pieces of information

    can be personal characteristics, a unique set of numbers or characters assigned to a specific

    individual, descriptions of events or points in time, and descriptions of locations or places.

    2.2 What Are Civil Liberties? Civil liberties are fundamental individual rights or freedoms, such as

    freedom of speech, press, assembly, or religion; the right to due process, to fair trial, and to privacy;

    and other limitations on the power of the government to restrain or dictate the actions of individuals.


    Civil liberties offer protection to individuals from improper government action and arbitrary

    governmental interference. Generally, the term civil rights involves positive (or affirmative)

    government action, while the term civil liberties involves restrictions on government.

    2.3 What Is a Privacy and Civil Liberties Policy? A privacy and civil liberties policy is a written,

    published statement that articulates the policy position of an organization on how it handles the

    personally identifiable information that it gathers and uses in the normal course of business. The

    policy should include information relating to the processes of information collection, analysis,

    maintenance, dissemination, access, and disposition. Privacy and civil liberties policies relate to the

    role of government and how government agencies conduct themselves. Civil liberties offer protection

    to individuals from improper government action and arbitrary governmental interference in the

    conduct of their lives. The purpose of a privacy and civil liberties policy is to articulate publicly that the

    agency will adhere to legal requirements and agency policy determinations that enable gathering and

    sharing of information to occur in a manner that protects personal privacy and civil liberties interests.

    A well-developed and implemented privacy and civil liberties policy uses justice entity resources

    wisely and effectively; protects the agency, the individual, and the public; and contributes to public

    trust and confidence that the justice system understands its role and promotes the rule of law.

    2.4 Why is Privacy Important?

    Think of your own privacy for a minute. Who knows what about you? If you begin with your wallet and
    the cards you carry, you start to realize that a lot of companies, government and other organizations
    know, and likely have stored somewhere, your personal information. Now, let's take that a step
    further. Are you sure that you know every organization or company that has your personal
    information in its possession? If a company that you gave information to has sold it to another
    company, you might not know. In that case, you would find it very difficult to identify the new
    companies who now have your personal information, to check the completeness and correctness of
    that data, and to correct any errors or omissions.

    Since your information belongs to you, you have a right to determine who has access to it, to authorize
    what it is used for, and to be provided with a mechanism to review the data and bring about any
    necessary corrections. Such information is a valuable commodity, which is regularly bought and sold,
    usually without your knowledge.

    2.5 Vulnerabilities of Smartcards in relation to Privacy Issues

    The Octopus card system (operated by Octopus Holdings in Hong Kong) was one of the world's first
    contactless card systems; 95% of Hong Kong residents use it. Over 4.5 years Octopus Holdings made
    44 million Hong Kong dollars (about US$5.7 million) from customer data. On July 15, 2010, despite
    Octopus' claims never to have sold data, a former employee of the CIGNA insurance company claimed
    that CIGNA had purchased records for 1.97 million of the 2.4 million Octopus users (82% of users'
    data). On July 20, Octopus acknowledged the sale of customers' personal details to CIGNA and CPP,
    particularly by two of its subsidiaries, Octopus Connect and Octopus Rewards. Roderick Woo Bun,
    Hong Kong's Privacy Commissioner for Personal Data, gave radio interviews and called for a
    transparent investigation, but his term expired at the end of July 2010. Allan Chiang Yam-wang was
    announced as the incoming Privacy Commissioner. This news was met with protests and international
    outrage, due to his prior history of privacy invasions involving cameras used to spy on his employees
    at the Post Office, and the disclosure of hundreds of job applicants' personal data to corporations.
    Outgoing Privacy Commissioner Woo pledged to finish a preliminary report on the Octopus privacy
    abuse before his term ended, and called for a new law making it a criminal offense for companies to
    sell personal data.

    As was stated earlier, personal information is fast becoming a valuable commodity, especially in
    the millions. Large companies with lax policies or practices may fall prey to the temptation to
    trade or exchange such information without customers' consent.

    This is primarily because Smartcards allow individuals to carry more information in their
    wallets than they previously did. Like PCs, Smartcards are capable of running multiple applications
    that store data from multiple sources and perform computations on that data. In each of the
    applications of Smartcards there is personal information that should be protected, but that information
    is part of the overall system, not just linked to the card or the application. In the case of electronic
    payments, a person wants to know who will have access to information about their purchases. With
    transportation/ticketing, a person wants to identify who will know where and when they have traveled.
    And yet, this is coupled with the desire to have all the convenience and benefits offered by these cards.

    With multi-application cards, there may be more than the card user and issuer involved. Third-party

    suppliers or service providers may be used to manage card personalization, data management

    including backup and restore functions, application loading, transaction processing and other

    functions. In this event, they must be bound by the same privacy protection rules and procedures as

    all other parties who have access to information related to the card. It is important to note that

    information may reside not only on the card, but also on other devices such as servers or even tape.

    All this becomes more complex when contactless technology is used. The person carrying the card
    does not need to insert it into a reader, so may not always be aware of information being read. In
    most cases the distance needed between card and reader is very small, so the consumer can take
    some steps to protect his privacy (keeping the card shielded when not in use, for instance), but it is
    important for card issuers to take additional steps to ensure privacy protection. In the case of identity
    management, most reputable technology providers make available technologies such as mutual
    authentication and secure channel communication, so that the card releases data only to a reader
    that has proven it holds the right key, and the transaction between reader and contactless card
    cannot be read or altered in transit.

    Dr. Stefan Brands, in his whitepaper titled "Private Credentials", observes that the Smartcard systems
    currently in use rarely do anything to prevent organizations from linking and tracing all
    communications and transactions by the same cardholder. For security reasons, they operate by
    transmitting in each transaction a unique card identifier that can be linked to central database entries
    that hold all kinds of identifiable personal data. This enables organizations to compile extremely
    precise personal records, containing detailed information about a person's financial situation, medical
    history, lifestyle, habits, references, whereabouts, and so on. The records can be compiled, linked,
    and updated in real time without human intervention. Since Smartcards shield their internal
    operations from their holder, it is virtually impossible for the holder to verify that a card does not leak
    personal data, its device identifier, its access control code, its communication and transaction history,
    data from other applications running on the same device, and so on. It is important to understand that
    even if nominative data is not stored or transmitted, the resulting profile linked to the identifiers on the
    card can most likely be linked to the holder of the card. Certainly in legal investigations, the holder of
    the card would be hard pressed to deny ownership of the data trail.
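    The mutual-authentication and secure-channel step described above, and Brands' point that cards
    usually transmit a fixed identifier in the clear, can be illustrated with the following Python exchange.
    It is an example added to this page, not code from the paper or from any card vendor. The card first
    emits only a random challenge; it reveals its identifier only inside a session whose key was derived
    after both sides proved possession of the shared key, and both the authentication proof and the channel
    messages are rejected on replay. HMAC-SHA256 stands in for the AES-based MACs real cards use, a
    single shared key is assumed (real deployments diversify keys per card, which forces the card to
    disclose an identifier before authentication and is exactly the linkability Brands warns about), and
    `Card`, `Reader`, `mac` and the constructed identifier `CARD-0001` are this example's own names.

```python
# Added example: mutual authentication followed by a MAC-protected channel between a
# reader and a card. Not code from the paper. HMAC-SHA256 replaces the AES-based
# MACs of real cards, and the single shared key is an assumption of this toy.
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

TAG_LEN = 16


def mac(key: bytes, *parts: bytes) -> bytes:
    """Truncated HMAC over length-prefixed parts, so no two part lists collide."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


class Card:
    def __init__(self, key: bytes, card_id: bytes):
        self.key, self.card_id = key, card_id
        self.nonce_c: Optional[bytes] = None   # outstanding challenge, single use
        self.session: Optional[bytes] = None   # set only after mutual authentication
        self.seq = 0

    def challenge(self) -> bytes:
        """Step 1: emit a fresh random challenge. Nothing identifying leaves the card here."""
        self.nonce_c, self.session = secrets.token_bytes(16), None
        return self.nonce_c

    def authenticate_reader(self, nonce_r: bytes, tag_r: bytes) -> Optional[bytes]:
        """Step 2: check the reader's proof; on success derive the session key and prove back."""
        if self.nonce_c is None:
            return None
        expected = mac(self.key, b"reader", nonce_r, self.nonce_c)
        nonce_c, self.nonce_c = self.nonce_c, None       # a challenge is never reused
        if not hmac.compare_digest(tag_r, expected):
            return None
        self.session, self.seq = mac(self.key, b"session", nonce_r, nonce_c), 0
        return mac(self.key, b"card", nonce_c, nonce_r)

    def read_identity(self) -> bytes:
        """Release the identifier only over the authenticated channel, with a sequence number."""
        if self.session is None:
            raise PermissionError("reader not authenticated")
        self.seq += 1
        body = self.seq.to_bytes(2, "big") + self.card_id
        return body + mac(self.session, b"msg", body)


class Reader:
    def __init__(self, key: bytes):
        self.key, self.session, self.seq = key, None, 0
        self.last_transcript: Optional[Tuple[bytes, bytes, bytes]] = None

    def authenticate(self, card: Card) -> bool:
        """Run the three-pass exchange; True only if the card also proved knowledge of the key."""
        nonce_c = card.challenge()
        nonce_r = secrets.token_bytes(16)
        tag_r = mac(self.key, b"reader", nonce_r, nonce_c)
        self.last_transcript = (nonce_c, nonce_r, tag_r)   # what an eavesdropper would record
        tag_c = card.authenticate_reader(nonce_r, tag_r)
        if tag_c is None or not hmac.compare_digest(tag_c, mac(self.key, b"card", nonce_c, nonce_r)):
            return False
        self.session, self.seq = mac(self.key, b"session", nonce_r, nonce_c), 0
        return True

    def open_message(self, msg: bytes) -> bytes:
        """Verify the channel MAC, then reject any sequence number already seen."""
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        if self.session is None or not hmac.compare_digest(tag, mac(self.session, b"msg", body)):
            raise ValueError("bad MAC")
        seq = int.from_bytes(body[:2], "big")
        if seq <= self.seq:
            raise ValueError("replayed message")
        self.seq = seq
        return body[2:]


def run_scenarios() -> dict:
    """A legitimate session, then the attacks the design is meant to stop."""
    key = bytes(range(16))                              # constructed shared key
    card, reader = Card(key, b"CARD-0001"), Reader(key)
    out = {"mutual_auth": reader.authenticate(card)}
    msg = card.read_identity()
    out["identity"] = reader.open_message(msg)
    try:
        reader.open_message(msg)                        # same channel message again
        out["message_replay"] = "accepted"
    except ValueError as err:
        out["message_replay"] = str(err)
    nonce_c, nonce_r, tag_r = reader.last_transcript    # recorded reader proof
    card.challenge()                                    # card issues a new nonce
    out["auth_replay"] = card.authenticate_reader(nonce_r, tag_r)   # None: old proof useless
    rogue = Reader(bytes(16))                           # reader without the key
    out["rogue_reader"] = rogue.authenticate(card)
    try:
        card.read_identity()
        out["identity_to_rogue"] = "leaked"
    except PermissionError:
        out["identity_to_rogue"] = "refused"
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18s}: {result!r}")
```

    The ordering is the point: the reader proves itself first, the card discards its challenge after one
    use, and the identifier travels only under a session key that both nonces feed into. A reader that merely
    powers the card and asks for its UID, as many deployed systems allow, gets nothing here except
    16 random bytes.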

    Many of the concerns expressed by consumers about privacy relate to the manner in which personal

    information is collected, used and disclosed. When organizations collect information without the

    knowledge or consent of the individual to whom the information relates, or use that information in

    ways that are unknown to the individual, or disclose the information without the consent of the

    individual, informational privacy is violated.

    There is another compelling reason to protect our personal information. Identity theft is a serious consumer fraud. The U.S. Federal Trade Commission (FTC) says it accounts for 40 per cent of all consumer fraud complaints. A September 2003 survey for the FTC found that within a one-year period nearly 10 million persons in the United States (4.6 per cent of the adult U.S. population) discovered that they were victims of some form of identity theft. PhoneBusters, established in January 1993, is Canada's national anti-fraud call centre, jointly operated by the Ontario Provincial Police and the Royal Canadian Mounted Police. PhoneBusters is the central agency in Canada that collects information on telemarketing fraud, advance fee fraud letters (so-called Nigerian letters) and identity theft complaints. Its statistics show the extent to which complaints have been registered. What is uncertain is the extent to which this problem will grow as more and more personal information is stored electronically and becomes subject to attack. Identity theft or fraud occurs when someone uses another person's personal information without his or her knowledge to commit fraud or theft. Thieves can use your driver's licence, birth certificate, Social Insurance Number and mother's maiden name, along with other ID, to convince people that they are you. It is important to keep personal information out of the hands of criminals. There are several steps that consumers can take to minimize the risk of becoming a victim of identity theft, but the problem is largely out of their hands. Organizations have a growing need to protect personal information from external and internal threats. Those who collect massive amounts of personal information and leave it largely unencrypted, in clear view of insiders and outsiders, contribute to the problem. It is critically important that organizations proactively protect the personal information of their customers and


    constituents. Customers are becoming increasingly concerned about the loss and theft of data from corporate databases. By providing well-thought-out and properly implemented privacy protection, organizations may gain and retain more customers.

    2.6 Tackling the Privacy Issues in relation to Smartcards

    The concern for privacy arising from smartcard usage is starting to affect business practices. When companies fail to respond to consumer concerns they can lose revenue and jeopardize customer relationships. Fortunately, companies are increasingly recognizing that responding to their clients' desire to control the use of their personal information makes good business sense and provides a competitive advantage in the marketplace. A set of privacy practices has emerged that reconciles the use of personal information for business purposes with an individual's right to privacy protection. This set of principles is an abridged version adapted from

    2.6.1 Privacy Protection Principles

    The practices that follow reflect these business practices, modified to fit the circumstances relating to Smartcards. In regard to each of these principles, I would recommend that those who own or design applications that use advanced card technologies, or those who market them, commit to the following.

    Accountability

    o There should exist a designated, accountable department or individual in the

    organization for privacy issues.

    o All staff should know about privacy policies and practices. They should be sufficiently

    trained to enable them to reasonably and consistently recognize and respond to privacy

    issues. They should also be accountable for adherence to those policies and practices.

    o Conduct periodic reviews of your privacy policies and practices to ensure that they are in line with your customers' expectations, as well as international developments.

    Recognition and Respect for Privacy

    o Know that personal information always remains personal and customers should be

    contacted before actions that may impact their privacy are taken.


    o Adopt privacy protection practices and apply them when handling all customer personal

    information.

    o Assess, prior to implementation, the impact on privacy of any proposed new policy,

    service or product.

    Openness

    o Ensure there is openness about your policies and practices relating to your customers' personal information, and that the existence of any record-keeping systems containing your customers' personal information is not kept secret from them: they should be transparent.

    o Develop and publicize a process for addressing and responding to any customer inquiry or complaint regarding the handling of his or her personal information.

    Purpose Specification

    o Identify the purposes for which your customers' personal information is to be collected, used or routinely disclosed, before it is collected. The purposes must be clear and understandable.

    o Do not withdraw access to services or products if your customers subsequently refuse to permit the use of their personal information for a purpose not identified at the time of collection, including the exchange or sale of that information to a third party for marketing purposes.

    Collection Limitations

    o Only collect personal information about your customers that is necessary and relevant

    for the transaction(s) involved.

    o Collect personal information about your customers directly from the individuals

    concerned, whenever it is reasonably possible.

    o Collect customers' personal information with the knowledge and consent of the customers, except in very limited circumstances, and inform the customers of these circumstances at, or prior to, the time of collection.


    Notification

    o Notify your customers, at or before the time of collection, of:

        - the purposes for which the personal information is to be used and/or disclosed; and

        - the source(s) from which the personal information is to be collected, if not directly from the customer.

    o Notification must be clear and easy to understand. Short and/or layered notices should be considered to facilitate customer understanding.

    Use

    o Only use personal information for the purposes identified to the customers at the time of collection, unless the customers explicitly consent to a new use or the law authorizes the activity.

    Right of Access

    o Establish a right for customers to have access to their personal information, subject to clear and limited exceptions (e.g., if such access would constitute an invasion of another person's privacy).

    o Provide customers with access to their personal information in a form understandable to

    them, without undue delay or expense.

    o If they are denied access, you should inform the customers of the reasons why and

    provide them with a fair opportunity to challenge the denial.

    o Where an incorrect inference has been made from the analysis of multiple sources of

    information, the customers must have the right to correct the inference.

    Right of Correction

    o Establish a right for customers to challenge the accuracy of their personal information.

    o Amend customers' personal information if it is found to be inaccurate, incomplete, irrelevant or inappropriate.

    o Make a note in customers' files of any discrepancies regarding the accuracy or completeness of their personal information.

    o Take all reasonable measures to inform third parties who also use your customers' personal information of corrections or changes that have been made.


    Accuracy

    o Take all reasonable and appropriate measures to ensure that the personal information you collect, use and disclose meets the highest possible standard of accuracy, completeness and timeliness.

    Disclosure

    o Obtain customers' consent prior to disclosure of their personal information, except where authorized by law or in exceptional circumstances. These limited, exceptional circumstances should be identified and customers informed of them at, or prior to, the time of collection.

    o Obtain your customers' consent prior to renting, selling, trading or otherwise disclosing their personal information to a third party.

    Retention and Disposal

    o Retain personal information only for as long as it is relevant to the purposes for which it

    was collected, or as required by law.

    o Dispose of personal information in a consistent and secure manner, or remove all

    references that would link the data to a specific identifiable person (thereby rendering it

    anonymous), once it has served its purpose.

    o For more information on retention and disposal, please refer to the IPC Fact Sheet #10 on the Secure Destruction of Personal Information. You might also refer to PHIPA Order HO-001 regarding the inadvertent disclosure of health records in downtown Toronto as part of a movie shoot, due in part to improper procedures.

    Security

    o Adopt appropriate and comprehensive measures to ensure the security of your customers' personal information against loss or unauthorized access, use, alteration, disclosure or destruction.

    o Where multiple sources of information are collected for different purposes, the security

    measures taken must ensure that one person cannot link the different sources of

    information together.


    o Where multiple sources of information are held on the same physical device, the

    information must be separated so that an application controlling one set of information

    cannot access the information controlled by another application.

    Aggregation

    o Where a company collects information about a customer for different purposes, that

    information should remain separated unless the customer permits the information to be

    aggregated.

    o Information from different sources should not be collated and analyzed to infer additional

    characteristics, behaviours, activities, or attributes of a customer without the prior

    permission of the customer.

    Contractual Agreements

    o Stipulate clearly in your contracts:

        - the privacy protection measures to be adopted by business partners or third parties using your customers' personal information; and

        - the purposes for which your customers' personal information may be used and disclosed by business partners or third parties.

    Anonymity and Pseudonymity

    o Reduce, to the greatest possible extent, the collection and retention of identifiable

    transactions, i.e., those transactions in which the data in the record could be readily

    linked to an identifiable individual. This can be achieved through the use of either:

    o Anonymity - Ideally, there should be no personal identifiers involved in the transaction --

    you have de-identified it.

    o Pseudonymity - Where the functional or administrative needs of the application require

    some link between transactional data and identity, it is often possible to use

    pseudonymous techniques. These include such procedures as storage of partial

    identifiers by two or more organizations, both of whom must provide their portions of the

    transaction trail in order for the identity of the individual to be constructed; storing of an

    indirect identifier with the transactional data which serves as a pointer to the personal


    identifiers; and storing separately a cross-index between the indirect identifier and the individual's true identity.
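The pseudonymity techniques just described (an indirect identifier stored with the transactional data, a separately held cross-index back to the true identity, and partial identifiers held by two organizations) can be shown concretely. The Python below is an added example written for this edit, not code from the paper or from any card scheme. The customer numbers, names and transactions are constructed; the choice of HMAC-SHA256 to derive the indirect identifier, and of an XOR split for the two-organization case, are this example's own assumptions.

```python
"""Pseudonymous transaction trails: an indirect identifier with a separately held
cross-index, and an identity split between two organizations.

Added example, not code from the paper. Names, keys and records below are
constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed sample: the identified records a card application might produce.
SAMPLE_TRANSACTIONS = [
    {"customer_id": "NG-000123", "name": "A. Example", "amount": 4500, "merchant": "M-01"},
    {"customer_id": "NG-000123", "name": "A. Example", "amount": 1200, "merchant": "M-07"},
    {"customer_id": "NG-000456", "name": "B. Sample", "amount": 300, "merchant": "M-01"},
]


def indirect_identifier(customer_id: str, index_key: bytes) -> str:
    """Pseudonym for a customer: HMAC-SHA256 over the true identifier.

    Deterministic, so one customer's transactions can still be grouped for the
    application's administrative needs, but not reversible without index_key.
    An unkeyed hash would be brute-forceable over the small space of customer
    numbers, which is why a secret key is used. 64 bits are kept, enough to
    make accidental collisions negligible at this scale.
    """
    return hmac.new(index_key, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(transactions, index_key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Split identified records into (transaction trail, cross-index).

    The trail carries only the indirect identifier and transactional data; the
    cross-index maps the indirect identifier back to the personal identifiers
    and is meant to be stored and access-controlled separately.
    """
    trail: List[dict] = []
    cross_index: Dict[str, dict] = {}
    for rec in transactions:
        pid = indirect_identifier(rec["customer_id"], index_key)
        trail.append({"pid": pid, "amount": rec["amount"], "merchant": rec["merchant"]})
        cross_index[pid] = {"customer_id": rec["customer_id"], "name": rec["name"]}
    return trail, cross_index


def reidentify(trail_record: dict, cross_index: Dict[str, dict]) -> dict:
    """Resolve a pseudonymous record back to a person; only the index holder can."""
    return cross_index[trail_record["pid"]]


def split_identity(customer_id: str) -> Tuple[bytes, bytes]:
    """Partial identifiers held by two organizations: an XOR split.

    share_a is uniformly random and share_b = identity XOR share_a, so either
    share alone is statistically independent of the identity; both parties
    must supply their portion for the identity to be reconstructed.
    """
    ident = customer_id.encode()
    share_a = secrets.token_bytes(len(ident))
    share_b = bytes(x ^ y for x, y in zip(ident, share_a))
    return share_a, share_b


def join_identity(share_a: bytes, share_b: bytes) -> str:
    """Reconstruct the identity from both organizations' shares."""
    return bytes(x ^ y for x, y in zip(share_a, share_b)).decode()


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the cross-index custodian only
    trail, index = pseudonymize(SAMPLE_TRANSACTIONS, key)
    for t in trail:
        print(t)  # no names or customer numbers appear in the trail
    print(reidentify(trail[0], index))
    a, b = split_identity("NG-000123")
    print(join_identity(a, b))
```

The point of the two halves is the same: whoever holds only the transaction trail, or only one organization's share, learns nothing about who the person is, while the application keeps the ability to group and, when justified, re-identify records. The security of the first scheme rests entirely on keeping `index_key` and the cross-index away from the people who can read the trail.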

    2.6.2 Data Protection Principles

    Concern about informational privacy in Europe in the early 1970s gave rise to the need for data protection. Data protection focuses on people's personal information and their ability to maintain some degree of control over its use and dissemination. What followed from the concern for data protection was the development of a set of practices commonly referred to as fair information practices, or FIPs.

    There have been several attempts to develop a complete and comprehensive set of FIPs. One of the earliest was undertaken in 1980 by the Organisation for Economic Co-operation and Development (OECD) in its Guidelines Governing the Protection of Privacy and Trans-border Flows of Personal Data. Efforts in the 1990s to protect privacy included the European Union's Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data, adopted on 24 October 1995, and Québec's Act Respecting the Protection of Personal Information in the Private Sector, which sets out fair information practices for businesses operating in Québec. The Canadian Standards Association's Model Code for the Protection of Personal Information was created in the mid-1990s and is incorporated as the practices to be observed under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). The Global Privacy Standard adopted by the International Data Protection Commissioners' Conference and the Generally Accepted Privacy Principles (GAPP) adopted by Canadian and U.S. accounting bodies are standards that multinationals could also adopt. Data protection principles accept Smartcard technology as being inherently invasive, and consequently try merely to contain the privacy problem that the technology leaves us with. As an example, consider how the UK Government framed its privacy concerns within its Smartcard consultation document:


    It is important that data-protection issues be considered from the outset of the introduction

    of any Smartcard scheme. ... The contractor shall implement procedures to ensure that

    information held on the Smartcard, and on any associated data processing or storage

    system, is accurate, current and the minimum necessary for the purpose. When no longer

    required, information shall be purged from the card and associated systems.

    The UK Government assumes that the "outset" refers merely to the discussion of how personal data is handled once gathered; the accumulation of personal data is taken as the default.

    Privacy authorities are skilled at investigating breaches of data protection, and at analyzing data-flows

    and determining which instances of collection, use, and disclosure are justified and permissible in

    law, and which are not. This expertise must be brought to bear in the development of standards and

    technologies, because it is rare to find a technologist who is totally familiar with the lexicon of

    privacy protection.

    Security and privacy should not be seen as two totally disparate issues. Adding privacy policies to

    ensure data protection once data has been gathered does nothing to address growing security risks

    from within and without an organization, from disgruntled employees, from hackers and industrial

    espionage artists, from hostile actors in civil litigation cases such as divorce liability and copyright

    infringement, and from ostensibly legitimate secondary users within the organizations themselves.

    Both public and private sector data users are under increasing economic pressure to use data more,

    to sell it to improve the bottom line, to analyse it intensively to minimize risk and ensure better returns

    on investment, to establish long-term customer relationships. In this paper we argue that it is time for

    privacy commissioners and other privacy advocates to take a more active stance. Methods exist to

    design privacy into Smartcard/database infrastructures that meet the interests of all actors, including

    industry, government, and privacy advocates. In fact, as we will argue, by considering privacy as a

    design issue, everyone will have much less to worry about when it comes to security. We must insist

    on no less.


    Chapter 3: Privacy, Smartcards and the Nigerian System

    3.0 Introduction

    The use of Smartcards in Nigeria is not as well established as in the countries mentioned in previous sections of this discourse. However, as a result of the large population and growth rate (about 3.2% per year) of the country, Nigeria is one of the largest markets targeted by producers of smartcards. Since the introduction of Smartcards into the system, there has been a steady increase in the range of applications in the populace's day-to-day transactions and activities. Although the applications of Smartcards cut across most sectors of the Nigerian system, two stand out for the purpose of this paper, which is to highlight the privacy concerns in the Nigerian system as regards smartcards. The two applications are e-commerce and telecommunications.

    3.1 Major Applications of Smartcards in Nigeria that bring privacy concerns

    3.1.1 E-banking/E-commerce: Globally, Automated Teller Machines (ATMs) have been adopted and are still being adopted by banks. They offer considerable benefits to both banks and their depositors. The machines enable depositors to withdraw cash at more convenient times and places than during banking hours at branches. In addition, by automating services that were previously completed manually, ATMs reduce the cost of servicing some depositor demands. These potential benefits are multiplied when banks share their ATMs, allowing depositors of other banks to access their accounts through a bank's ATM. Banks have become the principal deployers of ATMs. A group of banks came together and formed the ATM Consortium, with early member banks such as Afribank, Diamond, Finbank, First Bank, UBA, Union Bank, Unity Bank and Wema Bank. More recently, banks such as Ecobank, GT Bank and Oceanic Bank also joined this consortium. The consortium is primarily for off-site deployment of ATMs (the QuickCash ATM network) and, inevitably, involves the exchange of data for interoperability. The number of ATM transactions through the Interswitch network increased from 1,065,972 in 2004 to 14,448,615 between January 2005 and March 2006. This is a rise of 92.6 percent measured against the later total (the 2004 volume is only about 7.4 percent of the 2005-2006 figure). As of 2009, Nigerian banks had issued over 25 million cards. These cards are used to process payment transactions on over 11,000 Point of Sale (PoS) terminals, 7,000 ATMs, 200 web


    locations and 50,000 mobile devices. This shows the colossal amount of data gatherable from ATM card users. A recent survey conducted by Intermarc Consulting Limited revealed that ATM services provided by banks and non-financial institutions stood as the most popular e-commerce platform in Nigeria.

    3.1.2 The Role of National and International Regulatory Bodies

    The Central Bank of Nigeria, in its Standards and Guidelines on Automated Teller Machine (ATM) Operations, states that "All ATM deployers/acquirers shall comply with Payment Industry Security Standards". The PCI DSS is a worldwide information security standard defined by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent card fraud through increased controls around cardholder data and its exposure to compromise. It applies to all organizations that hold, process or exchange cardholder information from any card branded with the logo of one of the card brands. By the definition of the standard, all banks, switching companies, ATM deployers/acquirers (mostly switching companies and banks respectively) and other card processing companies in Nigeria should be compliant with it. The control objectives of the standard (v1.2, October 2008) require the following:

    a. Build and maintain a secure network:

    o Install and maintain a firewall configuration to protect cardholder data.

    o Do not use vendor-supplied defaults for system passwords and other security parameters.

    b. Protect cardholder data:

    o Protect stored cardholder data.

    o Encrypt transmission of cardholder data across open, public networks.

    c. Maintain a vulnerability management program:

    o Use and regularly update anti-virus software on all systems commonly affected by malware.

    o Develop and maintain secure systems and applications.

    d. Implement strong access control measures:


    o Restrict access to cardholder data by business need-to-know

    o Assign a unique ID to each person with computer access

    o Restrict physical access to cardholder data

    e. Regularly Monitor and Test Networks

    o Track and monitor all access to network resources and cardholder data

    o Regularly test security systems and processes

    f. Maintain an Information Security Policy

    Another standard by the PCI SSC, the Payment Application Data Security Standard (PA-DSS), formerly referred to as the Payment Application Best Practices (PABP), was introduced in an effort to provide the definitive data security standard for software vendors that develop payment applications sold to third parties. The standard aims to prevent such applications from storing prohibited sensitive authentication data, including full magnetic stripe data, CVV2 or PIN. In the process, the standard also requires that software vendors develop payment applications that support compliance with the PCI DSS. The PA-DSS requirements are:

    1. Do not retain full magnetic stripe, card validation code or value, or PIN block data.

    2. Protect stored cardholder data.

    3. Provide secure authentication features.

    4. Log payment application activity.

    5. Develop secure payment applications.

    6. Protect wireless transmissions.

    7. Test payment applications to address vulnerabilities.

    8. Facilitate secure network implementation.

    9. Cardholder data must never be stored on a server connected to the internet.

    10. Facilitate secure remote software updates.

    11. Facilitate secure remote access to payment application.

    12. Encrypt sensitive traffic over public networks.

    13. Encrypt all non-console administrative access.


    14. Maintain instructional documentation and training programs for customers, resellers, and

    integrators.
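PA-DSS requirements 1, 2 and 4 above, together with PCI DSS requirements 3 and 10, come down to one concrete engineering question: does anything the payment application writes to disk or to its logs contain a full PAN, magnetic stripe track data or a card validation code? The scanner below is an added example written for this edit, not code from the paper or from the PCI SSC. The log lines are constructed (the card numbers are widely published test numbers), and the field names such as `track2=` and `cvv2=` are assumed formats; a real deployment would tune the patterns to its own log schema.

```python
"""Scan application log lines for data that PA-DSS requirement 1 forbids
retaining (full track data, card validation codes) and for full PANs, and
redact them before the line is kept. Added example, not code from the paper
or from the PCI SSC; log lines and card numbers are constructed (the PANs are
published test numbers).
"""
import re
from typing import Dict, List

# Constructed log lines such as a point-of-sale application might write.
LOG_LINES = [
    "2010-03-02 10:15:01 POS-0421 auth ok pan=4111111111111111 amt=4500 ref=1234567890123456",
    "2010-03-02 10:15:01 POS-0421 DEBUG track2=;5555555555554444=13121015432112345678?",
    "2010-03-02 10:15:03 POS-0421 verify cvv2=123 result=match",
    "2010-03-02 10:16:40 POS-0422 auth ok pan=411111******1111 amt=300",
]

# Candidate PAN: 13 to 19 consecutive digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Track 2 as read from the magnetic stripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}\d{3}\d*\?")
# Card validation code logged as a key=value field (assumed field names).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*=\s*\d{3,4}", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out reference numbers and timestamps
    that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Full PANs in the text: digit runs of card length that pass Luhn."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def mask_pan(pan: str) -> str:
    """First six and last four are the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> Dict[str, object]:
    """Report what a line leaks: full PANs, track 2 data, validation codes."""
    return {
        "pans": find_pans(line),
        "track2": bool(TRACK2_RE.search(line)),
        "cvv": bool(CVV_RE.search(line)),
    }


def redact_line(line: str) -> str:
    """Remove prohibited data and mask any full PAN before the line is retained.

    Track data goes first so that the PAN inside it is not left behind as a
    masked fragment; validation codes are dropped outright.
    """
    line = TRACK2_RE.sub("[TRACK2 REMOVED]", line)
    line = CVV_RE.sub(lambda m: m.group(0).split("=")[0] + "=[REMOVED]", line)
    return PAN_RE.sub(
        lambda m: mask_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0), line
    )


if __name__ == "__main__":
    for raw in LOG_LINES:
        print(scan_line(raw), "->", redact_line(raw))
```

Run over the constructed lines, the scanner flags the first line for a full PAN (the 16-digit `ref=` value fails the Luhn check and is left alone), the second for track 2 data, and the third for a validation code; the fourth, which already carries a masked PAN, is clean. The same logic belongs in the logging layer itself rather than in an after-the-fact sweep, since under PA-DSS the prohibited data must never be written in the first place.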

    3.1.3 Attitude of the Payment card industry in Nigeria to privacy

    In the standards cited above, it is important to note that information security is treated as a means of guarding cardholders' data. From the principles, policies and standards set out in this chapter and the previous one, it can be said that standards are in place to caution all stakeholders in the care of cardholders' personal information.

    Organizations such as Interswitch and Valucard are analogous to Hong Kong's Octopus Holdings, since they also possess large amounts of personal information about card users; banks also hold large volumes of personal data, which are potential sources of privacy abuse. However, it is interesting to note that key players in the industry such as Interswitch and Valucard are PCI DSS compliant and strive continuously to keep abreast of national standards and regulations (primarily those put in place by the CBN) as well as international standards, in order to be globally competitive. In 2009 Interswitch announced a partnership with Gemalto, a digital security vendor, to deploy Gemalto's Ezio strong authentication solution to secure Interswitch's e-payment services in Nigeria. Interswitch also launched its EMV migration programme in partnership with Gemalto.

    As far as the industry has gone, there has been no report of privacy intrusion by card issuers or other organizations in the industry holding data on the scale that Octopus Holdings did.

    However, this does not rule out the possibility that, although these companies do not appear interested in selling large volumes of users' data, they may not have been able to withstand the fraudulent tendencies in the economy when applying security to users' data. They seem to have failed to secure this data from external intrusion: it is said that 40 per cent of ATM card users in Nigeria have in one way or another been victims of ATM fraudsters. This excludes cases in which liability shifts to the card user, as stated in the CBN guideline on ATMs, i.e. carelessness or non-compliance with security directives on the part of card users.


    3.2 Telecommunication

    At the inception of this industry in Nigeria, marked by the licensing of the first national carrier, MTN (an operator of South African origin), privacy may not have been a concern in this sector. However, the recent requirement for Subscriber Identity Module (SIM) registration by the Nigerian Communications Commission (NCC) brings up such concerns. The purpose of the registration is to curb crime and to identify the individuals using specific SIMs. Although the NCC gives assurance that only the commission and the operators will have access to the subscriber database, concerns remain about SIM users' privacy, particularly regarding the approach taken by the wireless operators in carrying out the exercise. In Nigeria, where there are approximately 75 million subscribers, MTN has 35.1 million subscribers (a little under half of the total). MTN was one of the first companies to establish nationwide walk-in shops and outlets for the implementation of the SIM registration exercise, and all the other operators have also adopted the walk-in shop system. Although walk-in shops speed up the process, they expose customer information to a large number of employees. The amount of personal information that MTN will gather, if the process is as successful as is hoped, will be very large. It is interesting to note that not even the National Identity Management Commission currently holds such details of the citizenry of Nigeria.

    When SIM registration was required by the government in India, even before the government could begin, the documents from the process were already being sold on the streets. In Nigeria, where fraud (particularly identity theft, as it pertains to our discourse) is no strange thing, this is also very possible. Given the operators' approach to the exercise, what are we getting ourselves into? I would say this is tantamount to walking decisively into a position that exposes SIM subscribers to privacy intrusion, potential identity theft and potential privacy abuse, accompanied by threats to national security, in the sense that the majority of the operators with the largest market shares are not indigenous.


    Chapter 4: Conclusion and Recommendations

    The use of smartcards in the world is guided by standards and policies that seek to caution custodians of personal information in the use and dissemination of the customer data they acquire, while at the same time urging the use of appropriate technology to secure users' data. Regulatory bodies (such as the Central Bank of Nigeria) have the responsibility of monitoring international trends and enforcing them on the in-scope organizations in the sector concerned, in this case banks, merchants, card issuers, switching companies and ATM deployers/acquirers. However, compliance does not seem to be the issue in Nigeria, as compliance is seen more as an edge over the competition (a market strategy), for example the Valucard-Interswitch competition for supremacy in compliance with the EMV standard. Rather, the problem at hand appears to be the protection of user data from external intrusion. Therefore, it is important that all stakeholders, card users, merchants, card issuers, switching companies and ATM deployers/acquirers take responsibility for providing security against external intrusion, or mount pressure on those responsible to do so.