Alliance Activities : Publications : Identity

Identity Management Systems, Smart Cards and Privacy

No matter where you go today, it is likely that at some point someone will ask to see your ID. Today identity verification is routinely requested in a variety of familiar situations–when someone wants to obtain health care, enter a public building or corporate office, or get on an airplane.

Organizations that need to verify identities find that concerns about privacy and the protection of personal information quickly emerge as key issues when they consider new identity management systems. An organization’s specific requirements for safety and security must be balanced against the genuine desire to protect the privacy of the individuals whose identities need to be verified. This requirement–how to identify people unequivocally while also protecting their privacy-shapes every discussion of how to design, build, or implement a new, secure, identity management system.

Designing a new identity management system is complex, and the requirement to balance security and privacy affects everything about a system design, from the policies and processes formulated to support and maintain the system to the system’s architecture and the particular technology chosen to authenticate individuals. For example:

Designing an identity management system to guard individual privacy therefore involves more than simply selecting a particular type of ID technology. The organization issuing the ID must design information privacy and security into the overall system, have the appropriate policies and processes in place to support the privacy and security requirements, and implement the technologies that deliver these features. Issuing organizations must also have the operational practices in place to monitor and ensure that privacy and security policies are implemented and strictly followed.

ID Technology Selection

The selection of an ID technology is also critical. The ID technology must be one that can both facilitate and reinforce the system’s privacy and security design and goals. Many ID or badging systems currently rely on technologies such as magnetic stripes or bar codes. Such technologies are no longer appropriate, since they cannot meet the requirement to provide strong security while guarding privacy. IDs based on these technologies are tamper-prone, can easily be counterfeited, and provide little or no protection for the information they carry.

Only IDs that use smart card technology have the strong security features that can enhance privacy protection in a well-designed and properly-implemented system. IDs using smart card technology include a secure microcontroller, or equivalent intelligence, and internal memory and are available in a variety of form factors (for example, plastic cards, documents or other handheld devices). Relying on smart card technology provides an identity management system with the following advantages:

Implemented properly, smart card technology strengthens the ability of any organization to protect the privacy of individuals whose identity the organization needs to verify. Unlike other IDs, smart-card-based IDs can implement a personal “firewall,” releasing only required information and only when it is genuinely required. Smart cards are excellent guardians for personal information and individual privacy.

Conclusion

The Smart Card Alliance believes that protection of individual privacy is a critical goal for any identity management system. The Smart Card Alliance recommends that organizations considering new identity management systems follow several guidelines:

The use of smart card technology in the design of an identity management system represents a smart first step to preserving and protecting individual privacy while achieving secure, strong identity verification.

For more information about smart cards and the role that they play in secure identification and other applications, please visit the Smart Card Alliance web site at http://www.smartcardalliance.org or contact the Smart Card Alliance directly at 1-800-556-6828.

Other Smart Card Alliance Resources

About this Document

The Smart Card Alliance wishes to thank the Alliance members who participated in the project to develop a briefing on identity management systems, smart cards and privacy. Contributors included individuals from the following organizations: AMAG Technology, Atmel Corporation, CardLogix, Fargo Electronics, Gemplus, EDS, Hitachi America, IBM, Lockheed Martin, MartSoft Corporation, Northrop Grumman Corporation, Philips Semiconductors, SafeNet, Inc., Smart Commerce, Inc., SuperCom, Inc., VeriFone.

About the Smart Card Alliance

The Smart Card Alliance is the leading not-for-profit, multi-industry association of member firms working to accelerate the widespread acceptance of multiple applications for smart card technology. Through specific projects such as education programs, market research, advocacy, industry relations and open forums, the Alliance keeps its members connected to industry leaders and innovative thought. The Alliance is the single industry voice for smart cards, leading industry discussion on the impact and value of smart cards in the U.S. and Latin America. For more information, visit http://www.smartcardalliance.org.