How Smart Is the IC Card?: The Proposed National Smart Card Plan, BOO Strategy, Electronic Commerce, and the Emerging Danger to Online Privacy in Asia
Ching-Yi Liu (firstname.lastname@example.org)
Assistant Professor of Law, Tamkang University
By comparing two vigorously debated electronic national identification card plans launched separately in Taiwan and South Korea in the past several years, this paper discusses the problems presented by Taiwan's eager to escalate a thriving "electronic commerce" via the adoption is of a BOO (Build-Operate-Own) strategy for government databases. It analyzes what is missing in the projection of the government's information future, as well as what could happen to online security and electronic privacy if this kind of project is put in place. This paper concludes that a smart card based national ID system is a solution looking for more problems because it only gives rise to a Big Brother phenomenon----the public's distrust towards the government and uneasiness towards the booming electronic commerce.
To overcome the obstacle which seems the unfortunate mixed product of the Asian cultural tradition ignorant of privacy conceptions and the Asian governments' hype for information technology, the proposition that the long-term interests of the governments are compatible with that of the commerce should not be taken for granted any more. To create a marketplace for electronic commerce, we should reconsider whether there are other feasible and sensible market models of electronic commerce to develop in Asian countries, and think over carefully as to under what kind of technological and regulatory architecture the marketplace of electronic commerce would work better. Before we have a great argument about the future architecture of electronic commerce, my idea is that public values such as privacy protection should be preserved in Asia's young constitutional democracies. This approach will contribute to electronic commerce in the long run.
National Identification Card Systems and Smart Cards in Asia
BOO Strategy, Outsourcing and the Future of Electronic Commerce
Online Privacy under the Emergent Smart Card Based National ID Regime
Conclusion: How Smart Would the Smart Card Regime Be?
Information about the Author
While the emergence of the digital economy is undoubtedly creating exciting opportunities for Asian countries  and it is a popular prediction that smart cards would be the next technological transition,  the upheaval associated with them is producing profound changes and challenges. Attracted either by business reasons or mass dataveillance efficiency, some Asian countries, including Taiwan and South Korea, have initiated governmental projects to implement full scale smart card based national ID schemes for the past several years. For the present these governmental projects have either been delayed or cancelled. In the case of South Korea's proposed electronic national ID card project, the result of presidential election in December 1997 and the economic crisis forced South Korean government to reconsider the project. As the Taiwanese case has shown us, a public request for proposals was announced in June 1998 by the authority, the IC Cards Planning and Development Committee. It follows that four proposals had been submitted and a consortium was selected in August to negotiate a contract with the government. It turned out the deal broke down and no contract was signed in late November 1998 amid strong public protests from non-governmental organizations. However, it was reported that the government has been considering a second round initiation to save the project for smart card based national ID system.
Based upon an account as to how the smart card based national ID system projects in Taiwan and South Korea failed to succeed under strong protests, this paper elaborates why the scheme seems to become a particularly favored strategy for some Asian governments, especially those who already have national ID card systems in place for several decades, to adopt in vitalizing or escalating their electronic commerce. It is followed by an analysis on how this kind of projects could be examined through the lens of achieving long-term success of digital economy and preserving online privacy protection. This paper concludes with some observations on the sensible approach under which a smarter architecture for electronic commerce might be built in Asia countries like Taiwan or South Korea.
National Identification Card Systems and Smart Cards in Asia
There is no denying that the power of smart cards should never be understated in the digital age. While credit and debit cards have a magnetic strip which contains limited information about the cardholder, a smart card, a credit-card size plastic card with an embedded central processing unit (CPU) and random access memory (RAM), is equipped with all the memory and processing functions its name implies. As widely known, however, as long as it is inserted into a smart card reader, a smart card could be activated to exchange data with the reader, to download/upload data from/to a remote server via the card reader and network. Under this smart card architecture, it seems not difficult at all to track and record the use of a particular card. As a result, it is not inconceivable that electronic ID systems supported by smart card technologies would be haunted by controversies about possible violations of personal privacy.
As a matter of fact, the necessity and appropriateness of creating a national ID scheme has long been a controversial issue in countries around the world. In United States, the proliferation of the social security number (SSN) for purposes unrelated to the administration of the SSN system and the use of SSN to uncover or link databases on many aspects of a person's life have disturbed many civil libertarians. In addition, whether it is appropriate to utilize SSN as the individual identifier for the health ID card system, as well as whether all Americans should receive a health identifier under the health care system, gave rise to privacy and security concerns. Similarly, proposals for a national ID system had been confronted by oppositions both in Austria and New Zealand. Even in Asia, the Supreme Court of Philippine struck down an administrative order which authorized the adoption of its national computerized identification reference system in the summer of 1998. 
On the other hand, however, for countries who already runs a national ID card system, the increasing computerization in the information age proves to be an irresistible temptation. In Singapore, for example, not only the universal resident ID has a bar code, its government employee and military personnel even also use smart card based ID cards for years. The powers of fascination the "digitized nation" dream has prove to be equally irresistible for Taiwan and South Korea.
Several East Asian countries, such as Japan, South Korea, and Taiwan, have the long practices of maintaining a "resident administration system'' by a particular government agency to keep track of their people's movement and household information. In Taiwan, for example, the law requires timely report to the government agency about changes of the family's addresses, members, and so on. Under the context, the resident administration system has the potential to serve as the foundation of a surveillance society. In Taiwan, again, the local resident administration office is where a citizen applies for his/her national ID card. Also mandated by the law, a person is supposed to carry with him/her the national ID for purposes of conducting various daily transactions both in the public and private sectors. For instance, the national ID is widely used as a person tries to apply for a job, to see a doctor with his/her health insurance plan, to get a credit card or passport, to cash a check, to cast his/her vote, etc. It seems beyond all imagination for a citizen to live a life without a national ID in Taiwan's society. However, it is noticeable that while the resident administration system is usually closed related to the national ID system, some countries with a resident administration system still might not have a national ID scheme in place. For example, Japan has never implemented any national ID scheme even though it has a similar resident administration system.
As mentioned briefly earlier, the year of 1998 witnessed several ambitious efforts to implement full scale smart card based national ID schemes in at least three Asian countries: South Korea, Malaysia, and Taiwan. South Korean government has pushed for one of the world's most extensive national ID card projects since mid-1990s. This project, Electronic National Identification Card Project, was given birth by the cooperation of the Ministry of Domestic Affairs and the Korean Computer Institute. Under this project, a smart card would be used to integrate various ID cards, including current universal ID card, resident registration card, driver's license, national pension card, medical insurance certificate, and scanned fingerprints, among other things. After 50 billion won (Korean dollars) has been invested on building the preliminary infrastructures, the plan was stalled in early 1998 primarily due to South Korea's national economic hardship. It is also worthwhile to mention that civil rights groups in South Korea have been strongly opposed to the project. Furthermore, the project became an issue in a TV debate during South Korea's 1997 presidential election which leads to the first change of political power in its history.
The similar project set in motion in Malaysia originally aimed at assigning every resident of the city of Kuala Lumpur an IC card. However, it seemed the government in Malaysia has planed to make it a flagship application of its full-scale Multimedia Super Corridor project. In terms of its scope, the Malaysian project covered more than the South Korean one did. The national ID card, which might be accompanied by a secondary card, would support financial purposes such as those performed by an e-cash card, ATM card, or debit card. It was reported that the project had been delayed, probably also due to Malaysia's recent ordeal of financial difficulties.
The Taiwanese project might be the most complicated one. As noted earlier, the Taiwanese plan was initiated in 1997 and a public request for proposals was announced in June 1998. As originally planned, the project, under a governmental contract, was to be led by a consortium joined by private sector enterprises. What the Taiwanese government proposed has been a smart card based citizen card plan aiming at the combination of current national ID, the health insurance card, driver's license, digitized fingerprints, digital signature functions, among other personal data. Although it was undecided whether financial functions would be available under the original three-in-one ID plan at the outset, it seems more than obvious that the potential contractors planed to add electronic purses and debit card functions in the future. The Ministry of Finance in Taiwan even considered seriously the feasibility of revising domestic financial regulations to support these financial functions and attract financial and banking institutes to this project.
To seize the electronic business opportunities, four private sector consortiums were formed in a very short period of time to compete for the government contract. Consequently, four proposals were submitted and one of them was selected by a committee in August 1998 to negotiate a final contract with the government. News had it that some fundamental disagreements over the rate of card-issuing fees and value-added business opportunities between the government and the selected consortium led to the result of no final contract being signed. Nevertheless, it was also reported recently that the government is now considering to make some changes, mainly giving up the idea of contracting out the project to a private sector consortium in its very early stages, on the project of smart card based national ID system, so that the project could be put into implement smoothly as soon as possible. Although it has not been clear yet whether the revitalized project would survive public scrutiny eventually, this kind of smart card based national ID system indeed gives rise to some fundamental questions which are interesting enough for us to consider in the electronic commerce age.
BOO Strategy, Outsourcing and the Future of Electronic Commerce
One of the most prominent characteristics of the smart card based national ID project in Taiwan is its proposed BOO (Build-Operate-Own) strategy. The gist of the BOO strategy is each of the governmental agencies involved in the smart card based national ID project would not have any dedicated budget for it. In other words, the original plan of the project anticipated private sector investments to become the driving force in helping build its electronic government and promote the electronic commerce.
Moreover, although the original plan of the project to permit the private BOO contractor to collect fees from citizens does create huge revenue incentives, it is a popular prediction that anticipated additional follow-on business opportunities under the national smart card regime are far more attractive for businesses interested in electronic commerce than the fee-collection authorization. For instance, the certificate authorization function of the smart card project would offer opportunities to vendors of digital signature technologies. As the government in Taiwan is currently making every effort everything to promote the idea and architecture of "electronic government" and electronic commerce, the electronic signature authorized for the smart card would be applied not only to personal identifications but also to all the electronic transactions conducted both in the public and private sectors.
It is not difficult to understand that the adoption of the original BOO Strategy is expected to minimize potential costs associated with the implementation of the project. As it has been shown by the Request of the proposals issued by the authority in charge of this project, the government intended not only to outsource all components of the project, but also to save the costs of purchasing equipment and hiring support personnel via the BOO strategy. According to the authority, private sector resources and efficiencies would be most appropriate for the project. Also, what is more significant, according to the committee, is local IC card-related industry would be therefore encouraged to develop and produce related products and applications. However, it seems to the author that something is missing on the optimistically projected electronic commerce landscape constructed by the BOO strategy.
The BOO strategy described above is quite similar to outsourcing in many aspects. Outsourcing government services is not uncommon at all in today's world. For various economic reasons, information technology related industries around the world have been competing to contract with government agencies on government databases and taking over the responsibilities for running traditional governmental services. For instance, Electronic Data Systems (EDS) in British, one of the world's largest outsourcers, plays a leading role in the oursourcing of government services in UK. Similarly, a legislative bill authorizing a project which is to combine all medical records, family trees and assorted genetic information into a single computerized database with the help of deCode, an Icelandic biotechnology company, was put into serious consideration by Iceland's parliament in early 1999.
Consider the implications of Taiwan's BOO strategy and the Iceland project. It is apparent that both governments would not have to bear the costs of building the infrastructure of the systems and their maintenance. Particularly under the BOO regime, the building and maintenance of the systems would be undertaken by the commercial consortium in exchange for exclusive rights of operating the system and the provision of value-added services associated with the system. The nature and scope of the value-added services associated with the national ID system would be negotiated by the government and the consortium. In Taiwan, the commercial interests of the smart card based electronic commerce seem to be a further promise to business prosperity for potential contractors. At the same time, projects like the creation of a comprehensive electronic database by linking the information a biotechnology company, such as deCode, has collected with a national database of medical records would prove to be very attractive not only for the private sector's R&D, but also for government health care policymaking.
It is true that the projects described above are not related at all and are different both in their natures and purposes to some extent. It is also true, however, that both projects involve commercial uses of huge bulk of personal information that were originally collected and controlled by public sector agencies and not accessible for commercial processing by the private sector. It is therefore not difficult at all to understand why private sector investors would grasp the rare opportunity to take advantage of the free use of the existing governmental databases and rush to contract with government agencies under various terms. For instance, the Taiwanese project is based on a national computerized resident administration system, a national ID scheme, and a national health insurance scheme. According to the current resident administration regulations in Taiwan, a Taiwanese should carry his/her ID card for check all the time. Moreover, the health insurance ID is a legally compulsory paper-based ID too. At this point, it seems more than clear that the vision brought us by the multi-purpose smart card based national ID system is a prosperous e-commerce society built upon an electronic government who governs its 22 million law abiding citizens. Although the Icelandic project involves a much more comprehensive database of genetic information and medical records of its small population, the potential benefits of this project does include a better cost management of its health care system, which is also one of the primary purposes the authority in charge of the Taiwanese project aimed to achieve with the help of the multi-purpose, smart card based national ID system.
Compared to the cost of collecting personal information all by themselves, it goes without saying that both BOO and outsourcing are much more efficient and effective for the private sector as the contracting commercial companies are allowed to access to the government's comprehensive databases. As this information accessibility advantage gives rise to the possibility of more effective profiling  which opens up almost endless lucrative opportunities for the private sector at the same time, the legitimate worry as to whether the utilization and maintenance of government databases, one of the most significant functions performed by modern governments, should be taken over by the private sector indeed arises both in Taiwan and Iceland.
What seems equally controversial is whether BOO initiative or outsourcing would be a sensible choice for governments positioned in the information age. First, smart card technologies involve a wide range of variables such as standards, fingerprint recognition, security controls, card readers, computer monitor information display content and format, and function convergence and integration methods. In Taiwan, only some of the required technologies are available locally, but most of the applications would have to require active foreign participation. Reconsider the insistence that the smart card based national ID scheme would elevate the technological level of local industries the authority maintains. It seems, however, theoretically and empirically uncertain what the BOO strategy would create for local information industries is incentive or disincentive.
Second, my sense is there should be some alternatives for a better health care cost-benefit control, and thus it seems quite doubtful whether the proposed multi-purpose smart card scheme would be the only cure for the failing cost management of Taiwan's health care system. Even though the smart card scheme is the most effective auditing tool for health care cost control, a multi-purpose national ID scheme is not necessarily the indispensable solution.
Third, as it seems widely questioned whether either case would be able to clearly specify the exact BOO and outsourced scope, the current exclusive contracting design gives rise to some antitrust concerns. Legally speaking, not only the potential monopolization problems arising from the exclusive deal should be carefully addressed, it is also desirable to consider whether the BOO or outsourcing initiative might immediately create profound network effects, as well as the antitrust implications of the effects. In addition, it would not be an overstatement at all to say that the policymakers should fully consider the possible application of the essential facilities doctrines for the marketplace founded on the smart card based national ID scheme . In sum, it seems also fair to predict that the potential of electronic commerce or similar business opportunities would not be fully appreciated under the above legal uncertainties.
Fourth, since rarely put under public scrutiny, as it happened in Taiwan, the BOO and outsourcing processes might be the quietest privatization in history in which no accountibility problems have evern been seriously considered. Aside from the unprecedented political accountibility implications, these technology and efficiency oriented projects also bring about serious privacy and security worries for Asia's half-grown constitutional democracies like Taiwan and South Korea .
Online Privacy under the Emergent Smart Card Based National ID Regime
As noted above, we are living in an age when almost all kinds of personal information could be recorded and stored in digitized forms. Consequently, the potential conflict between commercial/government interests and personal rights of privacy might not be unique at all. All over the world, information technology companies are engaged in researching on and looking for more efficient and effective ways for data mining and data processing every day. Although the debate on technology and privacy has been transformed since 1970s  and we were brought to a new landscape that is more variegated and hopeful than before, it seems few efforts have ever been made to consider the issue of online privacy in a global sense---how digital technologies would affect the very nature of privacy and whether regional and cultural factors would come into play in the discourse on the technological transformation of privacy.
One of the primary dangers stemming from the smart card based national ID card system is the mass datasurveillance made possible by the comprehensive database of integrated personal information of the whole population. From the perspective of privacy protection, it is unacceptable to have a national central databank supported by the smart card based national ID card system.
It is true that smart card technology is one of the most secure devices in the digital age,  however, it is also undeniable that techniques now unknown may be used to break into what we consider secure now. In addition, a smart card itself might be only one component of security in a system, the possibility of breaches in other system areas could not be excluded. Moreover, non-technological factors, such as social, economical, and cultural ones, which vary significantly from society to society might determine how secure a smart card system would be to a great degree.
Despite it has been claimed that advanced computer security technologies would be utilized in the proposed project in Taiwan to avoid the misuse and abuse of personal information, the project has received harsh public criticism for potential violation of privacy since mid-1998. Some civil libertarians and academic groups have relentlessly raised security and privacy concerns on the one-card-does-all "citizen card" scenario, which has been described by the government authority in charge of the smart card based national ID project as the most efficient way to create a wired country.  Furthermore, just as the question of individual consent, that is, under what kind of legal and technical architecture would an information subject not only have a say over how his or her information is used, but also have the right to withdraw it completely if they wish, is a tricky one in the policy debate in Iceland, civil libertarians in Taiwan and South Korea have questioned whether the ultimate truth about the proposed smart card based national ID card schemes is they are bringing us a Big Brother era of electronic surveillance.
Given the complexity to predict the possible subsequent uses and processing on personal information both by the public and private sector, it seems citizens in Taiwan and South Korea would be forced to live under the smart card based national ID regime without being fully informed of the influences the schemes might have on them (and possibly their descendants). Furthermore, as there are only very loose and out-of-dated personal information privacy protection laws in Taiwan and South Korea, it is also widely questioned how the consenting rights of information subjects would be fully realized under the partnership of the government and the private sector investors. By the same token, as it has been unresolved whether smart card readers, an indispensable hardware in the age of smart card technology, would be universally present and easily accessible for the general citizens in countries like Taiwan and South Korea at this stage of technological development, whether a citizen would have any local control on his or her own personal information seems a legitimate worry.
As digital information allows perfect duplication, quick searching and efficient data transfer, introducing a national electronic ID might be quite equal to a privacy nightmare. Under the scheme, huge electronic databases which would include almost all kinds of personal information could easily be copied, stored, searched, transferred and even manipulated. Looked at in this way, digitized fingerprints stored in the IC card, as proposed in the Taiwanese project, for example, could become a real danger. For many people, furthermore, biometrics are highly intrusive and considered a typical violation of privacy which also became an issue in Taiwan's IC card debate.
It sounds reasonable that smart card is a convenient and safe device to store digital signature and there would be no security threats if you lose it. However, the fact that many corporations and government agencies do not let their subjects have secrets and thus the smart card might not be yours alone  has become a genuine source of suspicion for privacy advocates. On balance, it is hard to say whether the revised Taiwanese project would survive in terms of its being introduced without any regulations on the use of digital signature and related issues such as contractual liabilities and certificate authorities. In other words, the smart card itself turned out to be a two-edge sword as it was introduced in a wrong way and during a wrong time in Taiwan and South Korea. This strategic mistake made the technological guarantee of privacy provided by smart card completely overlooked.
The authority in charge of implementing Taiwan's all-in-one smart card based ID card system explained that the multi-purpose national ID scheme is attractive because it has the advantage of sharing costs across government agencies and even commercial organizations. However, as noted by an ID card expert, multi-purpose national identification schemes represents the most substantial threat of information technologies to individual liberties.  The fact that the government is completely ignorant of the public policy implications of the multi-purpose smart card based national ID scheme is fatal to the legitimacy of the project.
Consider just another possibility the smart card could do to a citizen in Taiwan under the future smart card based national ID regime. While with the help of smart cards people would be able to carry their money around in "electronic wallets", it is also ironically true that the advantages of anonymity  would not be brought to us by the convenient electronic wallets under the national ID regime. Theoretically, every detail of your daily lives would be easily recorded coordinately by the private and public sectors under the commercialized one-card-does-all national ID regime. Under this context, the mandatory nature of the smart card based national ID card implies that nobody would be able to choose to be anonymous, both in the real world and in the virtual world, any more. It would be unimaginable and unbearable for many people to have their lives governed by such a perfect technological architecture under which, more important, they have no escape at all.
Conclusion: How Smart Would the Smart Card Regime Be?
It is nearly unquestionable that an electronic national databank has the tremendous potential to improve the effectiveness and efficiency of government administrations. However, my sense is before we have a better solution for the rule of law and individual rights problems which increasingly arise in Asian countries fascinated by electronic commerce, creating a smart card based national ID system might be a solution looking for new problems.
This paper does not argue that digital technologies or smart card schemes should not be adopted in Asian countries. The thesis of this paper is we should be more cautious about how to use smart card technologies. It might prove to be a ridiculous myth if we choose to focus only on the efficiency of digital technology, its potential in contributing to a more effective government, and thus a modern or better society. Unfortunately, it seems that decision-makers in both Taiwan and South Korea were not inspired or informed at all by the debates on the increasing dangers computerized national ID schemes pose to personal privacy. In addition, the governments might underestimate the fact that their educated and illuminated citizens have learned to appreciate and fight to protect the public value of personal privacy. Viewed in this way, rather than trying to introduce a sensible regulatory framework as their very first step, the governments seem a bit simple-minded to believe that collective values such as efficiency, commercial interest and technological innovation could be created in their emergent electronic commerce society simply by putting the smart card based national ID card scheme under the name of "citizen card".
It seems the interests of the governments are compatible with that of the commerce. The cases described in this paper has shown not only some Asian governments are captive of the potential interests of electronic commerce, but also the lack of deliberations by their technocracies on the social, economic and legal implications of the information technology boom. It seems smart card technology is great for our electronic future, and my prediction at this point is it would prove to be great only when its applications are cautious enough to stimulate wide acceptance. Particularly in countries like Taiwan and South Korea, the short-term opportunity of success for smart card technologies and their related uses in electronic commerce lies in the private sector applications, not public sector schemes like the national ID card system. In other words, more alternatives about feasible and sensible market models of electronic commerce should be more carefully considered for Asian countries. On the one hand, private sector applications of smart card technology are commercially attractive. On the other hand, in the long run this private sector applications approach has more potential to help the private sector win general confidence than a controversial multi-purpose mandatory smart card in every citizen's pocket. Moreover, even if the governments decided to introduce the smart card based national ID scheme, its mandatory nature should be questioned and reconsidered so that an individual could exercise minimum local control and decide what information about him or her should be made known to others. Otherwise, it might become a very disturbing and controversial issue under the test of the European Union Directive on Data Privacy, one of the most important movement addressing privacy as a global matter  and put these Asian countries in the danger of turning themselves into isolated islands in the ocean of global information flow.
In other words, my sense is that if we want to create a marketplace for electronic commerce, we need to think over as to under what kind of architecture the marketplace of electronic commerce would work better, if not best. By the same token, if we want to argue that we should leave technological innovations alone, we need an argument about why it is right to leave technological innovations alone. Before we have a great argument about the future technological and legal architecture of electronic commerce, my suggestion is that public values such as privacy protection should be preserved in constitutional democracies, no matter how immature they are now. Moreover, it will soon be proved to the governments in Asia that preserving these public values contributes to electronic commerce significantly in the long run. To achieve the aims, a sensible regulatory framework is indispensable and the law should regulate in public interests.
Information about the Author
Professor Ching-Yi Liu received her J.S.D. from the University of Chicago Law School in 1997 and LL.M. from Harvard Law School in 1994. Before her legal education in the United States, she studied both in college and graduate school at the Law School of National Taiwan University. In 1997 she began the pursuit of her academic career in Taiwan. She teaches and researches about The Regulation of Cyberspace, Information Law, Telecommunications Law, and Constitutional Law.