Security problems with smart cards

  1. 6,931 Posts.
    This is from Friday's South China Morning Post. It is a bit scary. It could have implications for our smart card operators in Aus.

    Friday, June 7, 2002
    LEGAL
    Insecurity complex looms on card flaw



    EDWARD ALDER


    --------------------------------------------------------------------------------

    Smart cards have been in the news in recent months following the announcement by the Secretary for Information Technology about the multi-functional features of the new smart HKID cards and the awarding of contracts for them.
    There was debate at the time on the personal privacy issues that any such smart card project would raise, including excessive accumulation of data and cross-use of data by co-issuers.


    Now the focus is on security issues. A consortium of airlines have announced plans for frequent flyers to carry smart cards containing personal bio-metric information (for example retinal scans) and security devices to facilitate check-in and transit through airports.

    The card holder's personal details and bio-metric data will also be held on a central database. Alitalia passengers on the Milan-Zurich route will be the first to trial the system.

    The system will be managed by IT supplier Sita and run by the International Air Transport Association.

    At the same time researchers at Cambridge University in Britain released findings suggesting major problems for smart card manufacturers and organisations such as the airline grouping and the Immigration Department intending to roll out smart card applications.

    The Cambridge team described how using a standard laboratory microscope and a US$250 camera flash they could access confidential information on the integrated chips on smart cards including private encryption keys and personal data. A student discovered that a chip stopped working properly when the microscope's light was shone on it. He also discovered that with a normal camera flash he could set the individual memory bits to zero or one and then deduce the chip's original contents. The team withheld its findings for a year so that it could work on counter measures of its own to be released to smart card manufacturers.

    What are the consequences of using fake smart cards? On a practical level the existence of a perfect copy of somebody else's smart ID card could lead to identity theft. An impostor could, depending on what services the owner had used the card to sign up for, access the individual's e-mail, bank records and medical records. This could lead to disastrous consequences for the owner.

    Hong Kong computer crimes and privacy law may undergo reform before many major smart card systems are rolled out. However, the copying and misuse of smart cards will have significant consequences under the law as it currently stands.

    Use of a copy card at a remote terminal, for example to access a service or make a purchase, is likely to constitute several serious offences.

    These would include access to a computer with dishonest intent to deceive and possibly criminal damage involving misuse of a computer under the Crimes Ordinance, as well as unauthorised access to a computer by telecommunications under the Telecommunications Ordinance.

    Those offences lead one to focus on the access to the central computer running the smart card system, but there is no reason why the smart card itself should not be regarded as a computer for these purposes.

    Looking at matters from the card issuer's point of view, the Personal Data (Privacy) Ordinance provides that personal data must be kept secure from unauthorised access, processing, erasure or other use.

    Where an issuer such as the Immigration Department collects personal data from an individual verbally or on a form and uploads it to a smart card system this principle will come into play. It will require the issuer to ensure that it has adequate security measures in place to protect both the card and the central system from unauthorised access. The Cambridge team has shown this may be no easy matter.

    Edward Alder is head of the IT practice group at Bird & Bird in Hong Kong. He can be reached on [email protected]



    Regards

    Desmond
 