Prop-ID is pleased to be participating in the privacy discourse about the technological advancements of identity cards and digital wallets. During our research, we’ve come across numerous papers, projects and organizations that share our interests and have presented interesting perspectives. These resources provide a great opportunity to learn more about privacy and digital/mobile wallet technology.
The annotated resources provided on this page only represent a portion of our research. We have been selective about what to present here in order to keep the page to a reasonable length. Download our complete annotated bibliography here (PDF file).
We’ve divided the resources into four sections:
Annotated Papers and Websites
- Anderson, R. (2011). Can We Fix the Security Economics of Federated Authentication? University of Cambridge, 1-8.
Anderson analyzes the potential shortcomings of federated authentication in the mobile wallet space and proposes a number of regulatory solutions. First, Anderson briefly discusses the four main types of federated authentication technology deployed thus far – SSO, SSL, 3DS and OpenID. He points out reasons why these technologies have all failed to truly catch on.
- Canadian Internet Policy and Public Interest Clinic. (2006). On the Data Trail: how detailed information about you gets into the hands of organizations with whom you have no relationship.
This is the most comprehensive and specific analysis of data collecting practices that we have been able to find. The report explains how data are commonly collected and disseminated across companies. A detailed “data supply chain” diagram is provided on page 7.
- Cleff, E.B. (2010). Effective approaches to regulate mobile advertising: Moving towards a coordinated legal, self-regulatory and technical response. Computer Law & Security Review, 26, 158-169.
Cleff points out the limitations of relying on either a legal, self-regulatory or technical response to abuses of personal information by the mobile advertising industry. She suggests that a combination of these practices might be the best approach. Cleff, quoting Solove, points out the need for privacy-enhancing technologies (PETs) that allow users to stipulate the use of only parts of their personal information for certain reasons. The Prop-ID app would address this need.
- Copes, H. and Vieraitis, L.M. (2009). Understanding Identity Theft: Offenders’ Accounts of Their Lives and Crimes. Criminal Justice Review, 34(3), 329-349.
This revealing paper problematizes a number of popular assumptions regarding identity theft. Mainly, it is commonly assumed that identity theft is a white collar crime perpetrated by business professionals. But empirical evidence reveals that this simply isn’t the case – identity theft perpetrators come from all walks of life. Particularly relevant to Prop-ID is that the article describes common ways in which identity theft is committed. This paper convincingly establishes the Prop-ID notion that only information essential to a transaction should be provided and that no institution, even the most official, should be trusted blindingly with one’s personal information.
- Cross, J.T. (2005). Age Verification in the 21st Century: Swiping Away Your Privacy. The John Marshall Journal of Computer & Information Law, 363, 1-59.
This paper provides a balanced look at the practice of ID card swiping, particularly within the United States. Various states have created legislation to regulate ID swiping, e.g. Ohio, New Hampshire, New York. Cross argues that state legislation has proved to be too inconsistent and federal measures are required. Cross provides useful technical explanations of the differences between magnetic strips and two-dimensional barcodes. Cross shows that card swiping in the US has largely not been conforming to the FTC’s fair information practice principles. But he also acknowledges the potential benefits of card swiping, e.g. reduced selling to minors.
- Gadzheva, M. (2008). Privacy in the Age of Transparency: The New Vulnerability of the Individual. Social Science Computer Review, 26(1), 60-74.
Gadzheva suggests that the ongoing development of ambient intelligence (AmI) technologies threatens to leave people without any control over their personal information. With AmI, the information processing power of technology becomes truly invisible. People do not realize what exactly is happening behind the scenes whenever they use a function on their mobile phone, for instance. They do not understand the consequences of the data profiling facilitated by AmI technologies. But this profiling often affects one’s life chances. Gadzheva recommends that new technologies be developed for protecting privacy, especially in the mobile space where lengthy, traditional privacy policies are not feasible. But, Gadzheva says, technical developments are not sufficient. We must also build legal, regulatory and self-regulatory mechanisms to complement the technologies.
- Genosko, G. and Thompson, S. (2006). Administrative surveillance of alcohol consumption in Ontario, Canada: pre-electronic technologies of control. Surveillance & Society, 4(1/2), 1-28.
This paper uses the Liquor Control Board of Ontario (LCBO) as a case study to explore how public sector organizations administer their social control mandate. The LCBO, in particular, has long employed well-disguised technologies to aid in carrying out its social control mandate. First Nations and Inuit peoples were particularly ostracized through these practices; a “drunk list” was established that barred many from purchasing alcohol. This drunk list was determined by sometimes very questionable statistical analysis. Often, people – particularly minorities – were placed on this list without having done anything wrong. The punch card-based system was discontinued, but now technologies like scanners, barcodes and loyalty cards provide an alternate means of control.
- Gerdes Jr., J.H., Kalvenes, J., & Huang, C. (2009). Multi-dimensional credentialing using veiled certificates: Protecting privacy in the face of regulatory reporting requirements. Computer & Security, 28, 248-259.
This technical paper introduces the privacy protective concept of the veiled certificate, which is a type of digital certificate compatible with X.509 standards. Veiled certificates address the ongoing privacy problem of people losing control over their personal identifiers when they disclose then to third parties. Veiled certificates are similar to anonymous credentials and zero-knowledge proofs like U-Prove. They also enable users to authenticate themselves without having to actually hand over personal information, e.g. date of birth, to a third party.
- Manzerolle, V. and Smeltzer, S. (2011). Consumer Databases and the Commercial Mediation of Identity. Surveillance & Society, 8(3), 323-37.
This paper uses database aggregation practices as an explanation for many of the failings of neoliberal ideology. Consumer debt is exacerbated largely because of commercial entities that – based on aggregated data profiles – convince citizens to make purchasing decisions they can’t afford. Prop-ID would encourage citizens to be more reflective and selective about their personal information and, therefore, lead to an economically stabler populace.
- Morawczynski, O. and Miscione, G. (2008). Examining trust in mobile banking transactions: the case of M-PESA in Kenya. In C. Avgerou, M.L. Smith and P. Besselaar (Eds.), IFIP International Federation for Information Processing, 282, 287-298.
This paper explores the notion that the establishment of trust is crucial for the acceptance of a mobile payment system. It looks specifically at the success of the mobile payment system M-PESA in Kenya. The authors suggest that a major reason why M-PESA was accepted so readily by Kenyans was because of their well-established trust in Safaricom, the telco company behind the project. How will Western companies gain a similar level of trust with customers when attempting to deploy mobile payment systems? The Prop-ID project could certainly help companies to establish this much-needed trust factor in the deployment of mobile payment/identity systems by helping them to show that they take privacy seriously.
- Office of the Privacy Commissioner of Canada. (2008). Identification machines and video cameras in bars examined.
Canad Inns based in Manitoba committed a number of PIPEDA violations. Especially relevant to Prop-ID is the fact that the company used a card reader to collect a bar patron’s driver’s license information without forewarning her about this practice.
- Rauhofer, J. (2008). Privacy is dead, get over it! Information privacy and the dream of a risk-free society. Information & Communications Technology Law, 17(3), 185-197.
This paper explores the idea that the market value of privacy has declined in recent years to become something of a non-entity. People are continually coaxed into disclosing more and more information about themselves. They are persuaded by organizations that the benefits of disclosing this information outweigh the risks. Brandeis’ concept of privacy as “the right to be let alone” is discussed. Rauhofer ultimately argues that this is an overly narrow conception of privacy because it privileges individual over community values.
- Shilton, K. (2010). Participatory Sensing: Building Empowering Surveillance. Surveillance & Society, 8(2), 131-50.
This paper puts forth the idea of participatory sensing (PS) as a means of providing individuals with “the capacity to answer back.” Using mobile phones, people can collect and aggregate their own data. This will allow people to make an alternate case to corporations/governments that have engaged in data collection about them. This broadly relates to Prop-ID in that we share the same goal as PS – to challenge the data aggregation power structures of the status quo and give everyday citizens more agency within surveillance mechanisms.
- Solove, D.J. (2007). ‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy. San Diego Law Review, 44, 745-72.
This paper represents the most nuanced conception of privacy that we have encountered. Solove makes it clear that privacy should be a concern for everyone, even if you think you have nothing to hide.
- Stoddart, E. (2008). Who watches the watchers? Towards an ethic of surveillance in a digital age. Studies in Christian Ethics, 21(3), 362-381.
Although Prop-ID is a secular academic project, this paper illustrates concepts behind Christian social teaching that fit well with the Prop-ID project. Namely, the concept of subsidiarity is stressed. Stoddart argues that human dignity is best preserved when control over surveillance is localized and put in the hands of citizens. Centralizing initiatives that push decisionmaking into higher realms of power need to be clearly justified. Prop-ID, similarly, is all about allowing decisions relating to the dissemination of personal information to be made locally by the citizens themselves.
- SWIPE Toolkit. (2003).
The SWIPE project was created by a group of innovative US-based artists in 2003. The project was critical about data collection practices and attempted to bring the issues to public attention. One aspect of the project was the SWIPE Toolkit, “a collection of web-based tools that sheds light on personal data collection and usage practices in the United States.” It includes a tool for decoding your driver’s license barcode to understand its contents, a tool for requesting your personal information from data warehouses and a tool for calculating how much your personal information is worth so that you can ask for appropriate compensation.
- Bernard, T.S. and Miller, C.C. (2011). Swiping is the easy part. Retrieved on April 25, 2011.
This article describes the ongoing battle between various stakeholders in the mobile wallet domain, primarily in the United States. The authors suggest that the success of mobile wallets in Japan might be because it has a single dominant mobile carrier and small number of banks. In the US, however, the field is more fragmented: telcos, banks, card issuers and platform providers are all vying for control over a mobile payment system and seem reluctant to agree on anything.
- Bolton, M. (2011). NFC in phones: what you need to know. Retrieved on April 27, 2011.
This article provides a thorough explanation of near field communication (NFC) technology with specific reference to mobile phones. NFC is not new technology and is actually based on RFID. Bolton describes three different uses for NFC: sharing, pairing and transactions. The contactless payment capability has been garnering the most attention. When paying via NFC chip with a phone, the customer can receive back digital information in the form of coupons, loyalty cards, receipts, etc. These ads would be very targeted because the store(s) will know the customer’s transaction history through NFC. This is mentioned uncritically and is a practice that the Prop-ID project wants to question.
- Bosker, B. (2011). Google’s Digital Wallet: Why Google Wants To Reinvent How You Pay. Retrieved on May 26, 2011.
This article clearly, although uncritically, outlines many of the privacy concerns relating to the deployment of digital wallet technology. It specifically focuses on Google’s upcoming digital wallet, which will allow Google to tap into an even broader range of personal information about its users than it already has access to via online services. Now, Google will collect information about one’s point-of-sale purchasing decisions and use that to strengthen its advertising initiatives. The Prop-ID project is interested in being critical about these targeted advertising practices and introducing into this market an element of privacy discourse that seems to be missing.
- Gosselin, S. (2011). QR Codes vs. Near Field Communications: Do you need to choose? Retrieved on April 26, 2011.
This article makes the argument that there will be a place in the smartphone market for both QR codes and NFC. Various sources have been claiming that NFC will make QR codes obsolete. Brief definitions of QR and NFC are provided in layman’s terms. The key difference is that an NFC chip must be embedded in or attached to a phone, whereas a QR code only requires a QR reader app.
- Kwang, K. (2011). Swift mobile wallet adoption hinges on apps. Retrieved on April 30, 2011.
The article explains that the release of NFC standards mean that the NFC interoperability problem has largely been solved and it is now up to innovative app developers to generate consumer demand and push the mobile wallet market forward. The moves that major players Google and Nokia have been making into NFC handset territory signify the oncoming popularity of mobile wallets. One study predicted that NFC-enabled smartphones will comprise almost 30% of all smartphone sales by 2015. Tagawa, chairman of the NFC Forum, encourages developers to start mapping out use cases for NFC-enabled mobile phones in order to foster demand.
- Martin, Z. (2011). The mobile as a credential. Regarding ID Magazine. Retrieved on May 2, 2011.
This cover story for re:ID Magazine provides a balanced overview of current industry discourse about digital wallets. Telcos, phone manufacturers and payment processors are all suddenly jumping on the NFC bandwagon but, as Martin notes, trust between consumers and industry regarding digital wallets has yet to be established. The article looks at some of the technical issues behind developing digital wallets, e.g. authentication.
- Perez, S. (2011). NFC in 2011: Who’s building your mobile wallet? Retrieved on April 24, 2011.
This article provides an overview of the key stakeholders in the burgeoning mobile wallet field: mobile platform providers, telecommunications operators and banks. The article begins with a definition of mobile wallet, explaining that the term refers not just to an app but also to the secure element on the phone. Platform providers like Apple and Google are interested in using the secure element embedded in each phone to store and authenticate personal information.
- Wladawsky-Berger, I. (2011). The evolution of money. Retrieved on April 26, 2011.
The author predicts that ‘smart digital wallets’ will be disruptive technologies that transform the global financial landscape. He compares digital wallets to browsers, noting that browsers became the standard technology for accessing the internet. Similarly, he claims, digital wallets will become the standard for accessing money. He takes a very optimistic view of digital wallet technology by claiming that it will also lead to enhanced universal inclusiveness.
- Digitally Mediated Surveillance
- Identity, Privacy and Security Institute
- Information Policy Research Program
- Knowledge Media Design Institute
- The New Transparency: Surveillance and Social Sorting
- Office of the Privacy Commissioner of Canada (funding)
- Social Sciences and Humanities Research Council (funding)
- Video Surveillance Studies
- EnCoRe Project
- Inside Privacy
- Kim Cameron’s Identity Weblog
- Mydex: Mydex gives you back control over your personal data
- Office of the Information and Privacy Commissioner of Ontario
- Privacy Sense
- The Surveillance Studies Network
- Vendor Relationship Management