Snapping at privacy

August 20, 2008 at 12:33 am 2 comments

There have been some negative reports around Snapper and its approach to privacy so I decided to take a look.

Snapper is a stored-value contactless smartcard that can be used in Wellington’s buses and as an alternative to cash/EFTPOS for low value purchases. It’s similar to Oyster, Octopus, etc. but with a more secure chip.

Losing a Snapper card is like losing cash. So people will soon be able to register their cards online. If a registered card is lost, the person can transfer the balance to a new card.

That’s a good feature, but the personal information Snapper collects has reportedly left the Privacy Commissioner “concerned”, and the Commissioner “is asking the company to rewrite its privacy policy.” The concerns are around “the potential for the Snapper card to track an individual’s movements and spending, and the indefinite retention of this information.”

Next stop then, a look at its privacy policy.

As expected, Snapper’s privacy policy declares that “We are committed to protecting your privacy”, which is a good start. One would hardly have expected them to say anything else.

After that, it’s all downhill. A very slippery, steep decline at that.

Part 4 of the privacy policy provides details of what and when personal information is collected. Over twelve sections, it then lays out the absolutely amazing jaw-dropping amount of personal information it will collect. For a company that has pretty slick marketing and advertising, it’s as if they’ve given Mr Hyde (the evil side of Dr Jekyll) the job of developing the most privacy-invasive approach possible.

For example, to set up an online account, Snapper says “we will collect personal information from you, including your name, title, email address, password, gender, date of birth, telephone numbers, postal or physical addresses, preferences, demographic information, and other personal information.”

Why? What possible justification can they have to collect this information? Incidentally, this probably makes it downright illegal.

Not being satisfied with that, they go on to say that “the information we collect when that Card is used will be associated with any personal information about the card holder that you supply.” So, they want both personal information plus profiling information. Wow! Considering the range of uses outlined for the Snapper card (everyday purchases, loyalty card, building access control, ticketing and event access), they seem more intent on being a datamart than a smartcard company.

Still not satisfied with that, they go on further to envisage Snapper being used as an identity card. They will then “collect additional information about you, which may include:

  • your date of birth
  • any relevant licences or endorsements that you hold
  • other attributes relevant for identification purposes (for example, which school or university you attend)”

I’m left shaking my head in wonder. Did a dinosaur somehow survive the Ice Age?

I can’t see how they can verify the information people give. So, despite their warnings against giving incorrect personal information, I’m willing to bet that a lot of people will do just that.

And yet, the solution for the most part is actually quite simple. Snapper could use pseudonymous identity rather than real identity. Leaving aside tracking usage or their notion of becoming an identity card (which I can’t even begin to imagine as even remotely realistic), using pseudonymous identity could keep everyone happy.

Otherwise, I’ll just stick to good old anonymous cash, thank you.

Entry filed under: identity, ID_cards, NZ, personal_info, privacy.

2 Comments

  • 1. Stephen  |  August 20, 2008 at 11:35 am

    Vikram – a friend alerted me to your post. I too have very similar concerns (http://vital.org.nz/entry/tag/snapper).

    You have great powers of prediction. I did sign up with bogus details.

  • 2. Vikram  |  August 21, 2008 at 7:27 pm

    Good on you Stephen!

    It seems that Snapper has got carried away with what a smartcard could do and overlooked the basics. Such as, trust. There is no way that people will choose to use a single smartcard for multiple purposes if they don’t trust the issuer.

    In fact, Snapper’s privacy policy is probably a classic example of what not to do…
