The Review
Autumn 2008
Switched on? Our new survey shows how consumers really feel about security in the digital domain
Banking on the move
E-citizen cards in Portugal
Modernizing healthcare
The story of Java Card
Contents
Digital Digest: What’s new in digital security
Research: Switched on or turned off? Gemalto’s survey found that consumers’ fears about security are holding back the growth of online shopping and banking
Trends: The Java Card file. Ramanuj Banerjee of Sun Microsystems talks about the past, present and future of Java Card
The big picture: Organized chaos. How a smart card based vehicle registration program is transforming driving in India
Society: The rise of the digital citizen. Smart card technology is helping to change Portuguese citizens’ relationship with the government – and making Mexico’s roads safer
Global snapshot: Significant facts and figures from around the digital world
Solutions: Taking care of patients’ data. Secure electronic storage of patient records is a hot topic in healthcare services around the world. We investigate the issues
Technology: The mobile banking revolution. Mobile phone companies and banks in Colombia have collaborated to enable people to do their banking on the move
News: News updates and success stories from around the world
Column: Safety net. Contributing editor Davey Winder explains why the Internet has nothing to fear from terrorists
Welcome
How do consumers – the end users of the technology we develop and offer – feel about digital security? To find out, we commissioned a survey. You can read an analysis of the results on page 8. While more and more people are embracing the freedom and convenience of digital solutions in areas such as shopping, banking and travel, the survey results show that improving the ease of use and security of those solutions would increase adoption.
We use the results of research like this to inform our thinking as we develop new products – because, ultimately, digital security is all about the end user’s experience. The more we understand their needs and concerns, the more we can do to help ensure that digital interactions are safer and simpler.
Also in this issue, you can read about how digital security technology is helping to modernize government services in Portugal and mobile banking in Colombia. There’s an in-depth look at data security in the healthcare industry and we examine the past, present and future of Java Card, the remarkable technology we invented that is transforming all kinds of mobile applications.
Finally, as a consumer of this magazine, you’ll notice that we’ve given it a new look and feel. We hope you like it!
Paul Beverly
Executive Vice-President, Corporate Marketing and President, North America, Gemalto
The Review is published by Gemalto Corporate Communications – www.gemalto.com
© 2008 Gemalto – www.gemalto.com. All rights reserved. Gemalto, the Gemalto logo and product and/or service names are trademarks and service marks of Gemalto NV and are registered in certain countries. The views expressed by contributors and correspondents are their own. Reproduction in whole or in part without written permission is strictly prohibited. Editorial opinions expressed in this magazine are not necessarily those of Gemalto or the publisher. Neither the publisher nor Gemalto accepts responsibility for advertising content.
For further information on The Review, please email [email protected]
The Review is printed on 9Lives 55 Gloss & Silk paper. Certified as an FSC mixed sources product, 9Lives 55 is produced with 55% recycled fibre from both pre- and post-consumer sources, together with 45% FSC certified virgin fibre from well managed forest.
Contributors
Simon Bisson
A technology journalist and consultant who writes about enterprise IT issues, Simon has real world experience of designing and building large-scale loosely coupled systems.
Davey Winder
A freelance technology journalist for 17 years, Davey won the 2008 Information Security Journalist of the Year award. He is the author of Being Virtual: Who You Really Are Online.
Matthew Bristow
Matthew is a British journalist who lives and works in Colombia, where he reports on a wide range of topics and writes the Colombia News blog.
Upfront: “Widespread damage to the Internet is extremely rare and extremely short-lived” Davey Winder
The Review is produced for Gemalto by Wardour, Walmar House, 296 Regent Street, London W1B 3AW, UK. Telephone: +44 (0)20 7016 2555. Website: www.wardour.co.uk
Consulting editor: Davey Winder
Editor: Tim Turner
Group art director: Ben Barrett
Picture editor: Johanna Ward
Publisher: Mick Hurrell
Production manager: John Faulkner
Editorial director: Sharon Gethings
Creative director: Richard Wise
Cover image: Timothy Allen/Axiom
Creatures of habit
A group of academics has spent six months studying the trajectory of some 100,000 anonymous cellphone users in order to understand the nature of human population dynamics better.
So where does a typical day take a typical human? It’s neither as straightforward nor as boring a question as you might imagine. In their study, ‘Understanding Individual Human Mobility Patterns’ (published in Nature), the researchers reveal that, rather than moving in a random manner, human trajectories display a high degree of “temporal and spatial regularity”. What’s more, after correcting for differences in distance and the like, it was possible to conclude that “humans follow simple, reproducible patterns”.
And why should this be of any interest to anyone? Because the results could affect everything from urban planning to the control of epidemics – and it was all made possible by the humble cellphone.
Digital digest
Fixing a hole
It will go down in history as the biggest Internet security compromise that hardly anyone knew about – until it had been fixed.
Security researcher Dan Kaminsky stumbled across the glitch within the heart of the Internet’s Domain Name System almost by accident earlier this year. He realized that a fundamental flaw in the way Internet addressing technology worked meant that, if it was exploited, criminals could effectively redirect web users to faked web pages in order to harvest their logins and data – even if they had typed the correct URL into their browser to begin with.
Fortunately, Kaminsky did not ‘go public’ with the news. Instead he contacted Cisco, Microsoft and Sun (among others), the main players behind the infrastructure of the Internet. Together they worked secretly for months to engineer a fix. It took the form of a patch, which all parties released simultaneously to minimize the window of opportunity for any would-be thief.
2 billion PCs by 2012
According to analyst firm Gartner, the number of PCs in existence now exceeds 1 billion. This means that there is a PC for every seven people on the planet. Better news yet for those who look forward to the nirvana of ‘a computer for everyone’ is that Gartner estimates there will be 2 billion PCs by 2012.
Events calendar
Gemalto regularly participates in trade shows, seminars and events around the world. Here’s a list of those taking place over the next few months:
Date | Event | Sector | Location
3–7 Nov 2008 | Tech-Ed IT Professionals Forum | Security | Barcelona, Spain
4–6 Nov 2008 | CARTES | All | Paris Nord Villepinte, France
18–19 Nov 2008 | AfricaCom | Telecoms | Cape Town, South Africa
15–16 Dec 2008 | GSM 3G Middle East | Telecoms | Dubai, UAE
20–21 Jan 2009 | Nordic Card Market 2009 | Financial Services | Stockholm, Sweden
27–29 Jan 2009 | Security Printing & Alternative Solutions | Security | Vilnius, Lithuania
By the numbers
40%
Google, IBM and the Swiss Federal Institute of Technology have been researching how safely people surf the web. Unfortunately, the figures are not encouraging: 40% of those surveyed are not using the latest version of their web browser, leaving them vulnerable to remote exploitation as they surf.
6%
A recent Trend Micro poll shows that 6% of end users admit to leaking proprietary company data, while 16% suspect other employees of doing so. Worryingly, some 46% of companies do not have any policy in place to prevent exactly this kind of data leak.
340,282,366,920,938,463,463,374,607,431,768,211,456
The Internet will run out of Internet addresses in 2011, according to a prediction by the Organization for Economic Cooperation and Development. Under the current Internet Protocol version 4 (IPv4) addressing scheme, there are 4 billion addresses available – but they have nearly all gone. The good news is that IPv6 is already being installed and will provide a total of 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses!
You ain’t seen nothing yet
Social networking has already made its mark on the technology market. The likes of MySpace and Facebook have gone from being mere consumer playthings to becoming important drivers of corporate branding and enablers of truly global product marketing reach.
However, analyst firm iSuppli suspects that this is just the tip of a very large iceberg. It predicts that the wireless social networking value chain will generate US$2.5 trillion in revenue by 2020. It says that, within 10 years, smartphones will become the de facto Internet access channel, which will create a demand for collaborative work and leisure applications. Given the consumer demand for, and commercial success of, the Apple iPhone, it’s hard to argue with this vision of the near future.
A view too far?
Google’s Street View application has been criticized by privacy watchdogs in several countries for breaching privacy and data protection laws.
Street View consists of photographs that match locations on Google Maps. The images are captured by fleets of cars fitted with cameras, and they can include passers-by who may not wish their image to be made available on the Internet. In the US, Google has already removed some images on request. In other cases, it has used recognition software to automatically blur any faces that appear.
A Google spokesperson said that Street View will not launch in any country until the company is confident that it can comply with local laws, including those that relate specifically to the display of images of individuals.
“Sleepwalking into a surveillance society”
Those are the very words used by Jonathan Bamford, the Assistant Information Commissioner in the UK, to describe proposed changes to the Communications Data Bill in that country. The government argues that the legislation needs to be changed to allow the authorities to counter criminal and terrorist activity by properly keeping up to date with new technologies.
However, privacy campaigners fear that the new law would effectively result in the creation of a new, centralized ‘super-database’ containing the details of every telephone call made, every email sent and every text message received within the UK. Currently the law dictates that communications providers must retain specific usage data for a year and make it available to the authorities on the production of a court order. The proposed changes would require them to collect the data and immediately pass it over to a centralized government database.
The government says a court order would still be required to access the data, but opponents point to numerous high-profile government database security and privacy breaches as good reasons why the risk far outweighs the procedural reward. Indeed, far from helping to prevent crime, it has been suggested that such a national database could become a one-stop shop for identity thieves.
“The new law would effectively result in the creation of a new, centralized ‘super-database’ containing the details of every telephone call made”
Images: Jupiter, Getty, Istock
Research: Attitudes to digital security
Switched on or turned off?
Guaranteeing optimum security conditions could give a huge boost to online traffic and purchases, according to the results of a recent survey
Author: JILL HOPPER
Illustration: JONATHAN TRAN
Fears of identity theft, the improper use of Internet bank accounts, viruses and misuse of personal data by governments or corporations loom large in the minds of digital consumers. If people were reassured that proper protective measures were in place, it could significantly increase their willingness to shop and carry out other transactions online.
These insights emerged from a new survey by Gemalto. It commissioned research in the US and France, via 2,000 telephone interviews and two in-depth focus groups, to find out how consumers’ attitudes have evolved to keep pace with the digital revolution.
Paul Beverly, Executive Vice-President, Corporate Marketing and President, North America, explains that Gemalto commissioned the research after many of its major customers asked for guidance on what end users needed to make digital life more convenient and secure.
“Our customers expect us to come to them with a deep understanding of their end users’ concerns, so we’re doing more and more to investigate what’s going on at street level,” he says.
The findings revealed that no one company was consistently mentioned as being a trusted source of advice on digital security. “Lack of choices and feelings of concern about security are hindering growth,” says Beverly. And that’s an issue Gemalto aims to address.
The digital revolution
Only a decade ago, shopping and banking meant a trip to your local mall or high street and telephone calls had to be made from home, the office or phone booths. Today it’s a different story, with an increasing number of us embracing the freedom and convenience of digital solutions: managing our bank accounts on the Internet, shopping and paying our bills online, using electronic pass cards when we travel by train or bus and relying on our cellphones rather than using landlines.
But Gemalto’s research revealed that consumers have deeply ambivalent feelings towards the digital world. On the one hand, it brings freedom, saving both time and effort. On the other, it means that we are increasingly dependent on technology, forced to trust others not to abuse the personal information we reveal when we carry out our day-to-day transactions, dealing with machines or automated services rather than human beings.
A quarter of those surveyed in the US said they regularly made online payments via the Internet, while in France the figure was 9%. Almost a third of Americans and more than a fifth of French people said they managed their bank accounts over the Internet. In France, however, a hefty 68% had decided not to make purchases on a website because they didn’t trust the site; in the US, the figure was 54%.
Relying on trusted brands
Most Internet users said they adopted a pragmatic approach and used financial services only under certain conditions; namely, the presence of a well-known brand or institution that offered proof of protective measures. Tangible signs during the payment procedure – such as passwords, padlock icons and confirmation emails – helped consumers to visualize the process and feel confident that safeguards were in place.
Endorsement by credible third parties is more reassuring than complicated safety procedures such as secret codes and multiple data verification steps. And most consumers do not want to see steps added to the payment procedure, as this would make the whole process more cumbersome and time-consuming, canceling out the benefits of online transactions.
Taking active steps to make sure that consumers feel confident about security could have an enormous impact, the survey revealed: 56% of the French and 36% of the Americans said that they would make more online purchases if security were improved.
Fears of identity fraud
One of the main worries of those questioned was that their personal data, particularly financial information, would not be safe from criminals and identity fraudsters. Identity theft was cited as a worry by 74% of Americans and 58% of French people; 56% of the French feared their online bank accounts could be accessed and misused by unauthorized third parties, while among Americans the figure was 44%.
Just how well founded are these fears? The Federal Trade Commission states in its 2006 Identity Theft Survey Report that there were 8.3 million American victims in 2005, with total losses estimated at US$15.6 billion. And according to a report by the US financial research company Javelin, the number of ID theft victims in the US has increased by 16% since 2006.
The US Department of Justice advises consumers to be on their guard, particularly when transacting online. It says: “In recent years, the Internet has become an appealing place for criminals to obtain identifying data, such as passwords or even banking information. With enough identifying information about an individual, a criminal can take over that individual’s identity to conduct a wide range of crimes: for example, false applications for loans and credit cards, fraudulent withdrawals from bank accounts, fraudulent use of telephone calling cards, or obtaining other goods or privileges that the criminal might be denied if he were to use his real name.”
Meanwhile, the UK’s fraud prevention service, CIFAS, identified and protected more than 65,000 victims of identity theft in 2007, and Cabinet Office figures indicate that the crime cost the UK economy £1.5 billion in 2005 (the most recent year for which figures are available). Although reliable statistics aren’t available for the EU, the European Consumers’ Organisation is concerned about the issue and calls for greater efforts by firms offering online services: “Companies operating on the Internet should be required to strengthen the security of their digital products and services [by using data encryption tools, authentication systems and secure payment methods] so that consumer privacy and personal information are well protected.”
Time-consuming complexity
The survey highlighted some more mundane headaches, too: 68% of French people and 41% of Americans had lost time with complicated procedures on websites, while viruses had posed problems for 60%.
Many consumers believed there was an inherent lack of security in the digital world, but felt uninformed about specific risks and how to protect themselves. Half of the French consumers felt confused about who to ask for advice: most would ask a friend or family member rather than searching the web or reading the press.
It’s not all bad news, though: 85% of French consumers and 76% of Americans agreed that ease of use was a major benefit of digital technology, while 90% of the French and 75% of the Americans said it helped them to save time.
Downloading was embraced by 15% of Americans and 5% of the French. Respondents felt comfortable about using an electronic ID badge for access to the workplace, using an electronic pass card for public transport, making calls on a cellphone and using a password to access a computer network. Over 75% of those questioned viewed the cellphone as a secure and trusted device.
A proactive partnership
The research has given impetus to Gemalto’s brand building strategy. The first stage is to raise awareness of the brand among businesses via an advertising campaign. The second is to initiate a dynamic dialogue with consumers about what specific services they need to make digital life more convenient and secure.
To do this, Gemalto has created a website (www.gemalto.com/digitalsecurity) that it hopes will become the first port of call for end users. It answers questions about all aspects of digital security – from what to do if you lose your credit card to how to make sure your passwords are secure.
“Our aim is for the website to be the ‘go-to’ spot to have questions answered,” says Beverly. “In addition to turning to friends and family for advice, people will be able to get reliable information about every aspect of their digital life – ID cards, drivers’ licenses, cellphones, passwords, credit cards, etc.”
The final stage of the strategy is for Gemalto to go back to its customers, equipped with this understanding, and collaborate with them more deeply in developing and launching new solutions. As Beverly concludes: “We want to make sure that we can accelerate the development of this great digital revolution so that we can all have better experiences with communication, travel and purchasing.”
If you would like to find out more about the survey, please email [email protected]
“We’re trying to knock down the barriers that are preventing people from transacting more online” Paul Beverly, Gemalto
56% of the French consumers surveyed said they would make more online purchases if security were improved
75% of those questioned said they viewed the cellphone as a secure and trusted device
The five services giving rise to the most frequent fears
In France: Online payment via the Internet; Downloading; Payment by credit card; Sending encrypted documents via the Internet; Managing bank accounts via the Internet
In the US: Payment by credit card; Sales service online; Paying by contactless bank card; Online payment via the Internet; Downloading
[Chart: What companies or organizations would you trust on digital security issues? Responses for France and the US across the categories: My bank; State and federal authorities; eBay, PayPal; Don’t know]
When paying on the Internet, I am reassured by…
Paying on a site I know: US 87%, France 87%
A specialized company ensuring a secure transaction: US 84%, France 86%
A bank ensuring a secure transaction: US 83%, France 81%
Trends: Java Card
The Java Card file
With more than a billion units shipped in 2007 alone, Java Card is transforming all kinds of mobile applications. The Review spoke to Ramanuj Banerjee of Sun Microsystems to trace its history and find out what’s on the cards for Java
Sun Microsystems calls Java Card “the largest computing platform in the world today”. Back in 1995, however, it was just an idea that sparked in several different places. The forerunners of Gemalto were thinking about putting Java on a smart card, and this led to the development of Java Card 1.0.
As Ramanuj Banerjee of Sun Microsystems recalls: “People at Sun were thinking along similar lines and the company became very interested. It purchased Integrity Arts, a Californian smart card company, putting a smart card team inside Sun for the first time.”
In 1997, Java Card 2.0 arrived and, with it, a change in the way the Java Card specifications were developed. Sun began hosting the Java Card Forum, an independent industry body. Banerjee explains that the result was good for the entire smart card industry because “we have a technology where the specifications come from Sun, but Sun doesn’t make or sell the cards”. The key to the Forum’s success was the creation of a set of tests that needed to be passed before a card could be certified, which meant that different cards could be compared against each other for the first time.
In the years that followed, Java Card went from an idea to an environment, making up the majority of all smart cards issued. Banerjee quotes some impressive numbers. “Just in the past year, 1.2 billion units were shipped and there are now more than 4 billion in circulation. In fact, Java Card is now considered the largest computing platform base in the world.” Gemalto has played a big part in that story; today it is the biggest licensee and largest supplier of Java Cards.
In 2006, things changed. “The number of cards out there was getting too large to manage,” says Banerjee. “There could be tens of millions of cards in phones for a single operator.” Java Cards needed a management system and Internet technologies were the only sustainable way of managing that size of application base.
“The way the silicon was getting faster and having more memory meant we could think about putting a web server on the card,” he continues. “That, combined with using USB to replace Java Card’s old, slow communications protocol, means that the latest iteration of Java Card actually changes the way in which applications are developed.”
Looking to the future
On 31 March 2008, Java Card 3.0 specifications were issued. Banerjee is enthusiastic about it, because “it’s opening up Java Card to a wider range of programmers. The built-in web server even includes a servlet engine.”
So why will the market want to switch to the new version? Continuity is a big reason. Take a government that wants to implement ID cards, for example. “Card supplies need to last at least 10 years, with continuity of the applications through many generations of silicon.”
Another reason is the shift to cloud computing. Java Cards are a tool that can help verify users to Internet services. Banerjee describes it as “a way of verifying outside of the system – to the systems outside of me. It’s no longer device-centric, instead it’s data-centric and control is with the data”.
Sun is investing significantly in cloud computing. Banerjee says that its Sun Ray terminal is “the culmination of the idea, where the smart card provides ID. We prove ourselves to the card, the card proves itself to the system and the result is an end-to-end system of trust.”
Sun’s vision for the next generation of cards doesn’t stop at cellphones. With increased computing power in the card and greater bandwidth, there’s scope for a whole new range of applications. Banerjee suggests a few: “Cards will control Wi-Fi printers and turn cameras into web servers for sharing pictures. You could even have a search engine for your photographs.”
As Java Card evolves, larger amounts of memory can be added, mixing Flash with the smart card. There’s also added security here, allowing manufacturers to deliver trusted Flash.
But Banerjee expects the real future to come out of the mobile world. “Phones will be the major users of Java Card, with uses in every device that has connectivity. Smart card technologies will help to reduce security risks, adding a level of control that can help stop systems being hacked.”
Ultimately, Java Card has the potential to change the way mobile applications are deployed, making them more secure. Banerjee suggests one option: “It’s worthwhile for the phone to handle the user experience, so you separate the application and use the smart card for security, with the secure part of the application on the card.”
There’ll be plenty of power there, after all. “The phone may have more performance now, but card silicon is only two years behind,” he says.
One thing is for sure: the story of Java Card is one that will run and run.
“Java Card has the potential to change the way mobile applications are deployed, making them more secure”
4bn
The estimated number of devices in the world today that contain Java Card technology
Author: SIMON BISSON
Portrait: ANTONIO OLMOS
The big picture: Transport
Organized chaos
Driving in India is notoriously chaotic: traffic rules and basic road safety are widely ignored and drivers have to contend with a jumble of bicycles, scooters, rickshaws and other vehicles. No wonder the country is responsible for 10% of the world’s traffic accidents. That’s one reason why, in 2001, the Indian government decided to set up a smart card based vehicle registration program – to make vehicle owners more accountable for their actions.
The technology
Gemalto’s smart card technology is an integral part of India’s vehicle registration program, launched in the state of New Delhi in 2004. The program is expected to be the largest of its kind in the world, with the potential for more than 100 million cards to be issued.
Images: Martin Roemers/Panos
society_ The digital citizen
Therıseofthedıgıtalcıtızen
Itcouldbeariddle:whatlookslikeabankcardbutcanbeusedtoregisteracar–and,inthenearfuture,acow?TheanswerisPortugal’snewCitizen’sCard,whichisbecomingmorewidelyavailablenationwidethisyearasthecountrytakesaboldsteptowardse-government.
Replacingthewallet-fatteningclutchofdocumentsthatPortuguesecitizenscurrentlycarry,thecardispartoftheadministration’sfar-sightedstrategytocutbureaucracyand
projectin2006.GemaltohassupplieditsSealyseIDcard,includingthesecureoperatingsystem,thepersonalizationsystem(usingtheCoesysIssuancesolution)andalltheapplicationsandmiddleware.High-securityprintingtechniquesareusedonthecarditself,augmentingthephysicalsecurityofthedocument.
It’sbypromisingtocutoutthefussinvolvedinhavingtoshuffleahandfulofimportantdocumentsthatthecardhaswonoverthePortuguesepublic.MiguelGanhão,executiveeditorofPortuguesedailypaperCorreio da Manhã,says:“Overall,peopleareenthusiasticaboutthis.It’smuchbettertohaveonecardthathasyoursocialsecuritynumber,yourfiscalnumberandyourhealthservicenumber,thantohave10cards.Peoplecanseethatit’sgoingtohelplessenday-to-dayproblems.”
online applicationsThegovernmentisconfidentthatPortuguesecitizenswillalsocometovaluethecard’sabilitytocutdownonhasslewhenit’susedonline.Thecardallowsholderstologonanddoimportantbusinessquickly,efficientlyandsecurely,withouttheneedtoleavetheirhomeoroffice.Likeabankcard,ithasachiponthe
left-handsidethatcanbereadwhenit’sslottedintoanelectronicreader.Cardholdersalsohaveafour-digitPIN.Thecardstoresadigitalsignatureanddigitalcertificatesforthepurposeofauthentication,aswellasotherdata,includingtheholder’sfingerprint–whichisalreadycustomarywiththecurrentIdentityCard.
Usedonlineinconjunctionwithanelectronicreader,theCitizen’sCardcancurrentlyfacilitatesiximportantactions.TheseincludecreatingacompanyusingthePortalDaEmpresa(BusinessPortal),registeringacar(atwww.automovelonline.mj.pt),andchangingaresidentialaddressbyloggingonatthePortalDoCidadão(Citizen’sPortal).Inaddition,thecard’sdigitalsignaturecanbeusedtosigndocuments,acapabilitythatisalreadybeingputtouseinternallybyprivatecompaniesandgovernmentbodies.
Infuture,itwillalsobepossibletousethecardbyphone,ensuringthatthosewhoareInternet-shy,orwhosimplydon’thaveaccesstotheweb,arenotexcludedfromtakingadvantageofitstime-savingcapabilities.Ofcourse,thecardcanbealsoproducedforthepurposesofidentificationwhileinteracting
Portugal is introducing a digital Citizen’s Card that replaces a host of paper documents – and it has a host of useful applications, too
author MARCUS TROWER >
heraldsaboldneweraofonlineinteractionwithgovernment.
TheCitizen’sCardreplacesthecurrentIdentityCard,Taxpayer’sCard,HealthServiceCardandSocialSecurityCard–andinthefutureitwillalsobeusedforvoting,thusreplacingtheVoter’sCardaswell.Thegovernmenthopesthisapplicationwillcommenceatnextyear’selection.
ThePortugueseNationalPrintingOfficechoseGemaltoastheprimecontractorforthe
1� TheReview www.gemalto.com
withgovernmentbodiesinpersoninthenormalway.
FurtherusesfortheCitizen’sCardarepromisedastheprojectgainsmomentum.AnabelaPedroso,presidentofAMA(theAgencyforPublicServicesModernization),thepublicbodyresponsiblefortheproject,explainsthatthegovernment’sstrategyhasbeentocreatethecardfirstandthenengineerusefulapplicationsarounditafterwards.
“Inthefirstplace,it’simportanttohavethecardandforeveryonetounderstandit,”shesays.“Then,atthesametimeasrollingitout,wearecreatingapplications.Weneedtohavemoreonlineservices–thekillerapplicationseveryonewilluse.Wearetryingtounderstandwhattypewillbeusefulforcitizens.”
Remote origins
One project AMA has in the pipeline will enable people to apply for social security benefits online. Another very different project will allow inhabitants of the Azores to register cattle through the Internet. “It’s one of the main projects there, because dairy farming is their core business,” says Pedroso. “It’s our goal to deliver applications like this that meet citizen needs.”
It was in the Azores – the Portuguese-owned group of islands in the middle of the Atlantic Ocean, 1,500km from Lisbon – that the Citizen’s Card began its journey into the wallets of the Portuguese people during a pilot project that began on the island of Faial in February last year. An 86-year-old man and a 15-year-old female student were chosen to be the first two people whose faces would grace the document. It was launched by Jose Socrates, Portugal’s Prime Minister, at a ceremony in Horta, the main port of Faial.
“The Portuguese people have to see that they have a competent public administration,” said Socrates at the launch, adding that the card demonstrated that Portugal had a public administration that was “modern, rigorous and ambitious”. He said the fact that its launch had occurred in a location right on the edge of both Portuguese and European territory demonstrated that the card was meant for everyone.
Nationwide roll-out
Today, the Azores has the largest concentration of cardholders within the country. Nearly 50,000 Azoreans, or roughly a fifth of the islands’ population, have picked up their card, which costs €12. Roll-out of the cards on the mainland began in July 2007 with their introduction to the district of Portalegre. By the beginning of August this year, more than 140,000 Portuguese citizens – about 1% of the population – possessed the new identity document, which was available at 248 centers across the nation. The network of centers issuing the card is expected to rise dramatically by the end of 2008 as the government makes the document available in all municipalities throughout the country.
Portuguese citizens are under no compulsion to apply for the card. Instead, they can either choose to get theirs voluntarily now, or they are issued with it when one of the existing documents it replaces runs out or is lost.
With nationwide roll-out still in its early stages, it’s not yet clear just how far Portuguese citizens will embrace new forms of electronic interaction with the administration. However, Pedroso is confident that they will be attracted by its benefits – and she sees some promising early indicators.
“Since we introduced the Citizen’s Card, the number of enterprises created through the Business Portal on the Internet has increased a lot. That’s a strong indicator that we will have a lot of people using the Internet in the future, despite having other channels at their disposal.”
As part of the government strategy to dematerialize services, AMA is now looking to create portals that make people’s lives easier. “For instance, we want to create a one-stop shop for senior citizens, which they can use on the Internet or in person,” says Pedroso. “Imagine the service: they will be able to go to a Loja Do Cidadão [Citizen’s Shop] where there will be a unique place for them to take care of their pension or get information or make a holiday reservation.
“We want to put this sort of portal on the Internet, too, so they can have the same service there – and, in the future, by telephone. This kind of multichannel one-stop shop is our idea of the future of e-government.”
The smart card driver’s license scheme that was piloted in one Mexican state last year has proved so beneficial in reducing traffic accidents, insurance costs, identity theft and even fraud in the administration that the project is set to expand further into the country.
In partnership with its local partner, Cosmocolor, Gemalto supplied the Instituto de Control Vehicular de Nuevo León with the Sealys eDriver license, which contains biometric and personal information on a microprocessor chip. Data from the cards can be scanned into a portable card reader using secure, dynamic technology that saves time and eliminates the need for piles of official paperwork.
The card’s efficiency in storing extensive driver information, such as details of previous accidents and traffic violations, is a big draw for licensing authorities and police alike. It is playing a vital role in reducing the number of accidents on Mexico’s roads, too. Since the scheme’s launch in Nuevo León in January 2007, the number of road accidents in the state’s three major municipalities has fallen dramatically, from 41,993 in 2006 to just 4,575 in the first third of 2008. The numbers of fatalities and incidents of drink driving have also been significantly reduced.
Mexico is the first Latin American country to introduce the eDriver license. Following the success of the cards in Nuevo León, the states of Veracruz, Sonora and México are now switching to eDriver licenses as well.
As well as proving useful for traffic authorities in the country, the smart card licenses are benefiting drivers in the fight against identity theft. Because it stores its owner’s photograph and fingerprints, the license is a watertight credential, and people who want to obtain credit, cash checks or open bank accounts are using it as ID. Banks are able to read the cards using their existing POS payment terminals.
Another advantage for drivers is lower insurance costs, as swift and reliable access to drivers’ histories enables insurance companies to issue more accurate premiums.
The state of Nuevo León’s Board for Transport and Roads is delighted with the scheme. “The electronic licenses allow us to collect information about drivers and their vehicles instantly, whereas before this process would take a lot of time, especially when data had to travel across municipality borders,” says Dr Hernán Villareal, the department’s executive director.
He adds that the eDriver licenses also serve an additional purpose in protecting the public from one of Mexico’s more controversial driving issues – bribe-taking by unscrupulous officials. “With this technology, we know that tickets for traffic offenses can be issued remotely, which enables us to fight corruption.”
making the roads safer down Mexico way
“People are enthusiastic about the Citizen’s Card. They can see it is going to help lessen day-to-day problems” Miguel Ganhão, Editor, Correio da Manhã
140,000: The number of Portuguese citizens who already have one of the new digital Citizen’s Cards
The Portuguese Citizen’s Card and the Mexican eDriver license are both examples of Gemalto’s range of fully compliant smart card based solutions for the public sector.
Portuguese people can use their Citizen’s Card at Citizen’s Shops to do everything from changing their pension payments to booking a holiday
4,575: The number of road accidents in Nuevo León’s three major municipalities in the first three months of 2008 – compared to a total of 41,993 in 2006
Images: Nicholas Pitt/Photolibrary, Alamy
global snapshot_ Statistics
The world_ by numbers
43 million: The latest forecasts predict that there will be as many as 43 million WiMax subscribers in the Asia-Pacific region by the end of 2013, producing revenues of approximately US$11 million a year for local operators.
40m: The mobile Internet has reached a critical mass of users in 2008, according to analysts Nielsen Mobile. Take-up is highest in the USA, where 40 million people – 16% of cellphone users – use their handset to browse on the move. The UK and Italy are second and third in the table. The survey found that the most popular activities among mobile Internet users were checking email, visiting social networking sites and banking.
23%: A recent report claims that 23% of the world’s smartphones will have a Linux operating system by 2013. Two frameworks, LiMo and Android, are competing for market share, both with the aim of eliminating some of the costs associated with developing mobile applications for multiple operating systems by using Linux’s open source code.
$1bn: Australians lost almost Aus$1 billion in 2007 as a result of Internet-based personal fraud. More than 800,000 people fell victim to at least one fraud, representing 5% of those aged 15 or over in the country.
300: A vulnerability in a web server contributed to attacks on 300 websites in Lithuania by Russian nationalists in early July, after the government passed a law prohibiting the public display of symbols from the Soviet era. Most of the sites were hosted on a single server, and experts think the vulnerability was either in the server’s software or its Linux operating system.
79%: A massive 79% of UK consumers are concerned about the methods used by banks and telecoms companies to confirm a user’s identity over the phone, according to a survey carried out in June. Only 21% said they were not worried about the possibility of fraudulent access to their telecoms accounts, and just 9% had no concerns about criminals gaining access to their bank accounts.
7,400: In the first 10 days after restrictions on the ownership of mobile phones in Cuba were relaxed, Cuban citizens took out 7,400 new mobile phone contracts. Previously, only government officials and people working for foreign firms were allowed to own a mobile phone.
50%: Mobile phone penetration in Pakistan passed 50% in the second quarter of 2008. By the end of June, the total number of connections had reached 88.02 million.
Images: Getty, Istock, Alamy
solutions_ Modernizing healthcare
Taking care of patients’ data
In a world where you can Twitter instantly with friends on another continent, watch their antics on YouTube and even speak to them online without using a phone, it seems bizarre that the local hospital may still be keeping your sensitive medical information in a filing cabinet. This situation is starting to change, however, as healthcare providers around the world introduce increasingly sophisticated IT systems to store and share patient data.
“There will be an enormous move to electronic systems in the next few years,” says Bonnie Michelman, President of the US-based International Association for Healthcare Security and Safety (IAHSS). “The accuracy, efficiency and convenience that they bring all have a huge impact.”
Each country’s requirements are different, but every e-healthcare project features one or both of these two elements:
• Secure electronic storage of patient data in a format that can be accessed and updated as necessary by healthcare professionals
• The distribution to patients of smart cards that can be used for storing medical information (such as blood group, allergies and treatment history), verifying their identity, carrying prescriptions and making health insurance claims
The benefits
Either of these elements can be implemented in isolation, but it’s the integration of secure data storage with its safe transportation that brings the greatest benefits in terms of security, efficiency and cost-effectiveness.
For example, a fully integrated e-healthcare system makes it possible for a doctor to upload a prescription onto a national database and the patient’s personal smart card at the same time. The patient then takes the smart card to a drugstore, where the pharmacist can insert it into a reader to confirm the details of the prescription. Meanwhile, those details are now on the database so that other medical professionals can view them as necessary.
Enabling electronic patient data to be shared and updated by clinicians involved in different phases of a patient’s healthcare process is a key benefit of e-healthcare. It helps to eliminate the possibility of clinical or administrative errors such as those that led to the 2001 Lipobay scandal in Germany. Lipobay was a drug that was used to lower cholesterol and prevent cardiovascular disease, but a number of patients died because of the effects of combining Lipobay with other medicines.
This was able to happen because data was not exchanged between the various doctors treating each patient; electronic storage of patient records allows doctors to cross-check the medicines used to treat each individual.
The challenges
There are two key challenges facing the administrators of e-healthcare projects – and the first has nothing to do with technology and everything to do with the people who use it.
The problem is that the weakest link in any security chain is staff behavior. Marjan Suselj, director of the HIC System Sector at the Health Insurance Institute of Slovenia, explains: “It’s important to ensure the highest level of data privacy, which needs to be incorporated not just into a new IT infrastructure, but also into new ways of working.
“It’s not just about technology issues – it’s about changing organizational processes. This requires staff training and ensuring that the necessary documentation is there. It’s a big change management project.”
So it is vital for hospitals and other healthcare providers to develop carefully thought-out security procedures backed up by clear, written user policies in order to ensure
One of the biggest challenges facing healthcare providers around the world is ensuring the protection of sensitive patient data. The Review investigates the key issues and looks at how they are being addressed in different countries
author CATH EVERETT
25m: The number of eHealth cards that Gemalto is providing and personalizing for customers of AOK in Germany
“Electronic storage of patient records allows doctors to cross-check the medicines used to treat each individual”
that each member of the organization is aware of their duties and responsibilities as they relate to security.
“It’s critical,” Michelman confirms. “Hospitals need to mandate that their employees and physicians manage their information. That information might reside on anything from laptops to hard drives that are moved around, so there is potentially a huge risk of ID theft and breaches of medical data.”
The risk of identity theft is the second key challenge for e-healthcare administrators. The downside of automation is that opening up sensitive personal data to greater numbers of people can increase the risk of it being viewed by unauthorized parties.
Dave Marcus, Director of Security Research and Communications at McAfee’s Avert Labs unit, says that the healthcare sector’s move into electronic transactions is currently being matched by the criminal underworld’s development of measures to steal private information – including identity data – that can be used for profit.
The task of safeguarding such data is thus an ongoing process. “That’s just the nature of computer security – it’s dynamic and prone to a state of flux,” says Paul Judd, Regional Director for the UK and Ireland at Fortinet, a unified threat management vendor. “I can’t tell you what we’ll need to add next, but I know it’s going to come, and fast.”
So ultimately, the key challenge for healthcare organizations lies in striking a balance between making a system easy to use and ensuring that watertight security controls are in place.
world records
Slovenia
Slovenia is in the process of introducing a national IT infrastructure to enable medical professionals to share patients’ health information on a nationwide basis and ensure that patients can access their health insurance data online.
The country rolled out a health insurance system based on Gemalto smart cards in 2000, in a move that helped to free up clinicians’ time in order to spend more time with patients. However, the initiative was not sufficiently coordinated at the national level initially. This meant that, while healthcare insurance companies were able to exchange medical data electronically, the same was not true of healthcare providers, where activities were often paper-based and processes were not standardised. A lack of central IT funding was also leading to a growing gap between requirements and practice on the ground.
As a result, all participants in the local healthcare market, including the Health Ministry, the Health Insurance Institute and the National Council for Healthcare Informatics, came together in 2006 in order to create the eHealth 2010 project.
The aim of the scheme is to enable 30,000 healthcare professionals and pharmacists to exchange information electronically and securely in real time using e-signature based documents, in order to ensure joined-up patient healthcare.
Marjan Suselj, director of the HIC System Sector at the Health Insurance Institute of Slovenia, explains one of the benefits of the new system. “Pharmacists, for example, will be able to issue drugs electronically and link the data with patient records. This means they can see what other drugs have been prescribed and check how they interact, to prevent complications.”
Healthcare professionals will also be able to use the same network to share health insurance data with insurance companies. The increased transparency this will bring is expected to reduce misuse and fraud.
All parties will be able to securely authenticate themselves to the system using Gemalto’s digital certificate based smart cards, both for identification purposes and in order to provide an audit trail.
Suselj says: “Security is a key issue for the entire system because this is sensitive patient data, so the entire project has been developed with this in mind.”
In the past, patient data was held on each citizen’s health insurance card, which was updated to include any changes in the available data. In future, however, individuals will be provided with new digital certificate based smart cards – again from Gemalto – for identification purposes. The cards will enable them to securely access their insurance data, which will be held in back-end databases but accessed via an eHealth portal.
Over time, other goals include enabling citizens to book an appointment online to see a specialist, which should improve waiting list times.
A field trial of the new online system was due to take place in October among 100,000 people in the western region of Slovenia. Roll-out will start in March 2009 and is scheduled to be completed by the end of that year.
Germany
Germany is currently in the throes of implementing a national IT infrastructure to support the transformation of patients’ existing health insurance cards into fully functional eHealth cards.
One of the goals of the project is to ensure that practitioners can exchange electronic patient data more effectively, in order to improve the quality of patient care – and prevent the recurrence of a
Countries around the world are facing their own unique challenges as they modernize their healthcare systems and the way they manage patient records. Over the next three pages we look at four examples
480 BC
It’s said that, during the Greek and Persian war of 480BC, an emissary was sent with a hidden message urging Aristagoras of Miletus to revolt against the Persian king. The message was tattooed on his shaved scalp and his hair was then allowed to grow back to full length. This is perhaps the first recorded example of steganography, or covered writing.
But what of cryptography – literally, hidden writing? The conversion of text (or computer code) into a cipher or code – encryption, in other words – is nothing new. However, you may be surprised at just how far back in history the obfuscation of information using a secret key actually stretches.
3rd century BC
The oldest known encryption device is the scytale, or Spartan Stick. The sender would wrap a parchment belt around a stick, or scytale, and then write the message along its length. Unwrapped, the result was gibberish. Only when a stick of exactly the same diameter was used to re-wrap the belt would the message become legible once more.
44 BC
You need to jump forward to 44BC and the Roman Emperor Julius Caesar to get a true cipher in real-world use. Caesar used a substitution cipher technique, shifting letters by a known set amount (for instance, A becomes E, B becomes F, C becomes G, and so on), to good effect during the Gallic wars, sending secret messages to his generals.
9th century
Wherever there are code makers there will be code breakers, and this has been true throughout history. Take the 9th-century code breakers of Baghdad, who worked out that in a monoalphabetic cipher that replaces a letter with a symbol, there is a flaw, in that frequency stays constant. For example, if the number five appears in a message more often than any other character, it is probably hiding an E – the most commonly used letter in the English language.
1467
Leon Battista Alberti probably had the biggest impact upon cryptography for centuries when, in 1467, he invented the polyalphabetic cipher disk. The use of separate alphabets on concentric rings was a revelation, not least because they hide those frequency patterns, so an E might still be represented as five if it appears as an even letter, but could be a seven if it is an odd one. The World War Two Enigma machine is perhaps the most famous example of a polyalphabetic cipher.
18th century
Thomas Jefferson further developed the cipher wheel concept when he built one consisting of no fewer than 36 wooden wheels on a central rod, each engraved with a scrambled alphabet. This could create a 36-letter message on one row and be encoded simply by writing the letters from another row. Recreate that jumbled text and the message reveals itself. In fact, this simple idea was so efficient that the US Navy successfully used a variation on the strip cipher in World War Two.
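The frequency flaw of a single-alphabet cipher and the way a second alphabet hides it, both described in the sidebar above, as an added Python example that is not part of the original article. The sample message, the second shift value (11) and all function names are assumptions for illustration, and the two-shift cipher is a simplified stand-in for Alberti's disk.

```python
"""Monoalphabetic vs. polyalphabetic substitution and letter frequency."""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Constructed sample message (not from the article); E is its most common letter.
SAMPLE = "MEET THE LEGION NEAR THE RIVER BEFORE THE EVENING BELL"


def poly_encrypt(plaintext, shifts):
    """Shift the i-th letter by shifts[i % len(shifts)]; other characters pass through.

    A single shift gives the Caesar-style cipher (shift 4 maps A to E).
    Two shifts alternate alphabets on even and odd letters.
    """
    out = []
    i = 0  # counts letters only, so spaces do not change the alternation
    for ch in plaintext.upper():
        if ch in ALPHABET:
            shift = shifts[i % len(shifts)]
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def poly_decrypt(ciphertext, shifts):
    """Undo poly_encrypt by applying the negated shifts."""
    return poly_encrypt(ciphertext, [-s for s in shifts])


def letter_counts(text):
    """Count only the letters A-Z in the text."""
    return Counter(ch for ch in text if ch in ALPHABET)


def guess_caesar_shift(ciphertext):
    """Frequency analysis: assume the most common ciphertext letter hides E."""
    top_letter = letter_counts(ciphertext).most_common(1)[0][0]
    return (ALPHABET.index(top_letter) - ALPHABET.index("E")) % 26


def top_letter_share(text):
    """Fraction of all letters taken up by the single most common letter."""
    counts = letter_counts(text)
    return max(counts.values()) / sum(counts.values())


def compare(plaintext=SAMPLE):
    """Encrypt one message both ways and report what frequency analysis sees."""
    mono = poly_encrypt(plaintext, [4])       # one alphabet: A becomes E
    poly = poly_encrypt(plaintext, [4, 11])   # two alphabets, alternating
    mono_guess = guess_caesar_shift(mono)
    poly_guess = guess_caesar_shift(poly)
    return {
        "mono_ciphertext": mono,
        "poly_ciphertext": poly,
        "mono_top_share": top_letter_share(mono),
        "poly_top_share": top_letter_share(poly),
        # The guess recovers the single-alphabet message in full...
        "mono_recovered": poly_decrypt(mono, [mono_guess]) == plaintext,
        # ...but treating the two-alphabet text as one alphabet does not.
        "poly_recovered": poly_decrypt(poly, [poly_guess]) == plaintext,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```
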
the history of encryption
30,000: The number of healthcare professionals and pharmacists in Slovenia who will be connected by the eHealth 2010 project
“The integration of secure data storage with its safe transportation brings the greatest benefits”
Algeria
Algeria’s healthcare organization, CNAS, has spent the past two years introducing a smart card based national healthcare system.
CNAS sits within the Ministry of Work and Social Security and works with 10 regional health bodies, which cooperate in turn with the health boards of each of Algeria’s 48 departments. These boards are responsible for supporting the country’s 185 health centers.
Algeria’s healthcare network is complex and widely dispersed, so the aim of the initiative is to introduce a standardized national system. This will cut administration costs and boost efficiency by improving information collection and trends analysis. Other goals include increasing the speed of reimbursement following patient claims, automating prescription provision and reducing fraud.
Gemalto is the prime contractor and has been involved in the project from the outset; a successful pilot project saw 700,000 smart cards deployed across the country and claim reimbursement times cut from 30 days to just five. Gemalto provided consultancy on systems architecture, security mechanisms and underlying business processes. It also customized its PC-based Coesys Issuance, Enrolment and eGovernment applications and the Sealys smart card system to fit CNAS’s own unique requirements.
Patients are now issued with a PIN code-protected smart card for identity and security purposes, while health professionals use a USB key. This gives them a quick and simple means of authenticating themselves to the system online so that they can sign prescriptions electronically and ensure that all data is fed into a central repository for subsequent trend analysis.
A total of seven million smart cards will be rolled out by the end of 2008 to those workers and their dependents who are covered by the scheme.
Azerbaijan
Azerbaijan has just started implementing a national eHealthcare program, the first large-scale eGovernment project in this biggest and most populous country of the South Caucasus.
The Ministry of Health is driving the initiative, which will enable Azeri citizens to submit electronic rather than paper-based insurance claims after having accessed social security services, speeding up the reimbursement process. Gemalto will provide its eGovernment middleware as well as three million Sealys smart cards for identification and security purposes, while its local partner Bestcomp will act as systems integrator for the project.
The pilot phase began in February 2008 and a progressive rollout of the smart cards will take place over the next two years. Over time, however, the cards will also act as a foundation for the entire population to access a wider range of social security benefits.
pharmaceutical disaster similar to the Lipobay scandal that occurred in 2001. Then, the interaction of different types of prescribed medication resulted in a number of accidental deaths. This led to legislation being passed in 2004 requiring that all citizens carry an eHealth card, to guard against this type of situation.
Pablo Mentzinis at Bitkom, the industry body representing companies operating in the IT, telecoms and new media fields, explains the rationale behind the move. “It’s all about the exchange of patient histories and cross-checking the medicines used,” he says. “This means ensuring that a single file holds a patient’s entire medical history, rather than several that originate from different points, are not interlinked and haven’t been exchanged between different doctors or hospitals. Having one file ensures that dangerous ‘pharmaceutical conflicts’ simply cannot happen.”
Other goals are to prevent misuse of the healthcare system and to cut costs. The German Ministry of Health stated in a 2004 report that the country spent €200 million each year on employing staff at different agencies to manually transcribe medical records and prescriptions, and pass them back and forth between one another, making such activity prone to administrative errors.
An umbrella organization called Gematik was set up in 2005 to coordinate the project. It will also operate the new IT infrastructure, which will connect 123,000 GPs, 21,000 pharmacies, 65,000 dentists, 2,200 hospitals and 300 public and private health insurance companies, to enable them to exchange information.
As a key part of the project, AOK, Germany’s largest health insurance provider, has commissioned Gemalto to provide and personalize 25 million eHealth cards for its customers. Gemalto is also supplying medical practitioners with eHealth terminals – its next generation of card readers.
The electronic health cards, which include digital certificates for identification purposes in order to reduce fraud, will initially be used to hold insurance data, but in due course they are also expected to incorporate emergency information such as blood group, allergies, ongoing treatment and insurance details. Further into the future, it is anticipated that the scope of the cards will broaden to hold all types of patient data.
Medical professionals will likewise be issued with their own digital certificate based cards to enable them to securely access electronic medical files. The move will also reduce administrative and operational costs for insurance providers, not least by preventing duplicate examinations, which should cut the unnecessary use of healthcare services.
Rolf Hoberg, Chairman of AOK Baden-Württemberg, says: “Gemalto won the Europe-wide pitch, as it was able to demonstrate the best offer in terms of both cost and benefits. It has supported AOK Baden-Württemberg in its tests in Heilbronn, contributing both test cards and knowhow.
“Together, we introduced and tested the personalization process, the cards’ look and feel and mechanisms for secure data communication. Gemalto really proved themselves here, thanks to their strong solution focus and their ability to deal proactively with our requirements.”
7m: The number of smart cards that will be distributed to Algerian citizens by the end of 2008
“Hospitals need to mandate that their employees and physicians must manage their information” Bonnie Michelman, International Association for Healthcare Security and Safety
Pilot projects have already taken place in seven regions of Germany. The nationwide rollout is expected to take place in 2009, starting in a single region of North Rhine-Westphalia and spreading out from there.
Images: Jean-Michel Clajout/Reporters/Redux, Giulio Sarchiola/Contrasto/Eyevine, Jupiter, Benjamin Lowy/VII Network, Robin Hammond/Panos, Istock
technology_ Banking on the move
The mobile banking revolution
Mobile banking by cellphone is booming in Colombia following an advertising blitz by three of the country’s largest banks (Bancolombia, AV Villas and Davivienda). The service uses Gemalto’s secure software application in SIM cards, which allows customers to make secure transactions on the move. They can access banking services, transfer money, check account balances, recharge mobile phones, pay bills and more.
Mobile banking is expected to take off in a big way in Latin American countries, which have high levels of cellphone penetration but low levels of Internet access.
“More than 85% of Colombians have cellphones,” says German Martinez, Gemalto’s Solution Manager Leader in Bogota. “In Venezuela the figure is about 90% and in Argentina it’s about 95%, whereas only a minority have Internet access. [A mere 12% of Colombians are internet users, according to official figures from 2007.] But people at all economic levels will have access to mobile banking. The phone is something that you always have with you.”
All three of Colombia’s cellphone networks are offering the service, and it works over the SMS channel – something all cellphones have. One key factor of its successful launch was that it is free for customers, with the costs being absorbed by the banks and the cellphone companies.
Banks are hoping the service will allow them to cut costs. The average transaction carried out by cellphone costs COL$0.08, compared with COL$0.27 for an ATM machine and COL$1.07 for a transaction in a branch.
Customers like the service because it can be used 24/7 and allows them to
An unprecedented collaboration between Colombia’s cellphone operating companies and banks has made it possible for people to do their banking on the move
author MATTHEW BRISTOW illustration PAUL JACKSON
avoid long lines in bank branches. “So far I’ve only used it to recharge my phone, but it works really well,” says Carolina Sanchez, an office worker in Bogota. “It’s very convenient, especially compared with the rest of the channels offered by the banks. You don’t have to waste your lunch hour standing in line.”
Banking with one hand
The application is designed to be user-friendly. To emphasize the service’s ease of use, television ads for Bancolombia show people banking with only one hand while at parties and on camping trips.
“The basic premise is that it is intuitive and user-friendly,” Martinez confirms. “As a customer, you don’t need any training to use it.”
The challenge for Gemalto was to design a system that, as well as being user-friendly, was completely secure and would work on any cellphone – even the most basic models. What’s more, the whole software application had to be crammed into 20Kb so that it could fit on the SIM card.
Each transaction is encrypted by applying a unique 3DES key and, in the first 12 months after the service was introduced, there was not a single reported case of fraud.
Bancolombia, Colombia’s largest bank, was the first to introduce the service, in January 2007. For four months, mobile banking transactions hovered around 10,000 a month for the whole of Colombia. Then, in May last year, Bancolombia started their TV advertising campaign, and mobile transactions had shot up to more than 200,000 a month by September. In October, after a second bank, AV Villas, started promoting the service, transactions doubled to more than 400,000 a month.
Since then the service has continued to increase in popularity. By June 2008, monthly mobile transactions were running at 550,332, with the average user making six transactions a month.
“It has surpassed our expectations,” says Martinez. “It is a new system. People had no experience of using it, but it’s already generating more than half a million transactions a month.”
On 1 August, Davivienda, the third major Colombian bank, introduced the service, which it began actively promoting a few weeks later. Further spikes in user numbers are expected in the coming months as more Colombian banks jump on the bandwagon.
Because of the success of this solution, mobile banking in Colombia is now evolving to provide new services such as mobile payments and mobile money transfers – both of which are coming soon.
“It’s very convenient. You don’t have to waste your lunch hour standing in line” Carolina Sanchez, office worker
While mobile contactless payment is starting to gain traction around the world, Europe is perceived by some commentators to be lagging behind. That may all be about to change if the results of the ‘Payez Mobile’ trial in France are as positive as expected.
The trial, which began in November 2007, is the result of a collaboration between numerous organizations under the umbrella of the Pegasus group: six major French banks, four mobile operators and several key technical suppliers, including Gemalto, which is providing SIM cards and its Allynis secure application management systems. These are being used to ensure that the various applications installed on the user’s SIM card are isolated from each other – an essential security consideration for the financial institutions involved.
Speed, simplicity and security
The participants in the trial are 1,000 customers and 200 sales outlets in the cities of Caen and Strasbourg. They’re testing a mobile contactless system that uses existing bank card infrastructure and NFC technology. One or more payment applications (one for each bank) are installed on the customer’s SIM card, and they can then use their cellphone to make payments in participating shops. For payments of more than €20, customers have to enter a PIN on their cellphone keypad; for smaller amounts they can choose to pay without using a PIN.
The key benefits for the customers are speed, simplicity and security. The stores enjoy quicker checkout lines, the savings that result from the reduced need to handle cash, and the positive associations they reap by being seen to be using technical innovations that benefit customers. An interim study by the Pegasus group found that the customer satisfaction rate was over 90%, with the ‘all-in-one’ approach and ease of use standing out as the most popular features.
With positive results like this, it seems highly likely that Payez Mobile will be rolled out across the country in the near future. The organizers of the trial believe that by 2012, several million French consumers will be using contactless mobile payment.
Beyond that, the work done in setting up Payez Mobile is also contributing to the definition of an international standard for contactless mobile payment. To that end, international organizations such as Visa and MasterCard have been involved from an early stage to ensure compatibility with their systems.
Going shopping? Don’t forget your cellphone!
A major trial in two French cities could help to define the international standards for mobile contactless payment
90% – The overall customer satisfaction rate with the Payez Mobile trial so far
technology_ Banking on the move
news
Digest_ In brief
asia and oceania
3G comes to Brazil
Gemalto provided its USIM cards to Brasil Telecom for the launch of its 3G network in June. The USIM technology – advanced software adapted for 3G networks and loaded in SIM cards – will allow Brasil Telecom’s users to access unique value-added services and benefit from higher levels of security on electronic transactions performed with their cellphones.
53 million
The number of OTA (over the air) updates for cellphone subscribers in China that Gemalto has successfully carried out. This involved sending 6.3 billion text messages to GSM and CDMA cellphone customers in eight provinces.
Smart ID cards for alien residents in Taiwan
The National Immigration Agency (NIA) in Taiwan has chosen Gemalto to supply it with electronic Alien Resident Certificate cards. Compared with the existing paper documents, the credit card-sized Gemalto Sealys microprocessor version reinforces security by drastically improving resistance to forgery and counterfeiting. Gemalto has already delivered 300,000 of the cards, and the NIA plans to replace all remaining paper cards by 2009.
Italians use their cellphones to take the bus
TIM (Telecom Italia Mobile) has chosen Gemalto to support the launch of an unprecedented NFC program in Trento. Gemalto is providing TIM with transport applications embedded in SIM cards, allowing TIM customers to use their cellphone as a convenient access device to take public transport. Users can buy tickets from anywhere at any time through their cellphone and use it as a transport pass – even when the battery isn’t charged.
north and south america
europe and africa
An NFC mobile contactless world first
Taiwan’s leading telecoms company, Taiwan Mobile, has chosen Gemalto to provide the world’s first commercial NFC (Near Field Communication) SIM-based mobile contactless system. It’s designed to remotely manage the life cycle of any type of contactless service within a cellphone environment – especially payment applications, where high levels of security are essential. Taiwan Mobile will be able to register, issue, manage and terminate mobile NFC services over the air, while its subscribers will be free to purchase goods securely, top up their transport passes and manage coupons using their cellphone in contactless mode.
Multimedia SIMs come to China
The first large-scale multimedia SIM deployment in Asia is taking place in the Chinese provinces of Guangdong, Shanxi, Beijing, Jiangsu and Shanghai, where Gemalto is deploying FullMultimedia SIM cards for China Mobile. The project was launched with four different Windows Mobile 6.0 handsets from leading Asian manufacturers, and Gemalto was able to integrate multimedia SIM-based content and applications into the high-functionality handsets without any problems. The FullMultimedia SIM is being distributed to China Mobile’s premium subscribers and features a multimedia phonebook and advanced SMS management – two applications the telecoms company has identified as critical.
SEG is a winner
Gemalto has received the 2008 Tomorrow’s Technology Today Award for its Smart Enterprise Guardian (SEG). Silicon Valley-based Info Security Products Guide named Gemalto the winner in the Personal Portable Security Devices (PPSD) category. The SEG is a unique, multi-function USB device jointly developed by Gemalto and Lexar. “To get this recognition in the new PPSD category is exciting,” said Jerome Denis, Marketing Director for Identity Access Management at Gemalto. “The SEG is an ideal example of a PPSD. It takes advantage of the highest levels of security that smart cards provide, delivering email encryption, two-factor authentication, digital signature, portable encrypted Flash and hard disk encryption.”
Credit cards get personal in Canada
Gemalto is providing its CardLikeMe service to Canadian company PlasticNow, giving consumers the ability to customize their PlasticNow prepaid MasterCard with a personalized photo of their choice. Allynis CardLikeMe is completely web-based; cardholders can simply connect to the PlasticNow website, upload an image from their computer and order their card instantly online.
Data protection is a priority for Virchow Krause
Virchow Krause & Company LLP, a major accounting firm in the United States, is using Gemalto technology to protect its client data. This includes accounting and financial reporting as well as information on mergers, acquisitions and private investment banking. The new strong authentication solution combines Gemalto .NET card technology with one-time password (OTP) in a single convenient USB device.
A badge you can trust
Gemalto’s Instant Badge Issuance (IBI) is a new smart card identity badge creation system that complements Microsoft’s Identity and Access solutions and enables enterprises to produce employee IDs locally in minutes. IBI prints graphics and personalizing applications on a magnetic stripe or ISO 14443-compatible contactless chip, and works with Microsoft Active Directory and Identity Lifecycle Manager to load digital certificates directly onto the smart card. The result is a badge that gives employees secure access to facilities, networks and applications.
Barclays PINsentry passes 1 million users
More than 1 million customers of Barclays Bank in the UK are now using its cryptographic smart card reader for online banking transactions. The reader, which Barclays has named PINsentry, is supplied by Gemalto and offers extremely strong authentication – so much so that not a single PINsentry online customer has been a victim of fraud since it was introduced in July 2007. User feedback has been extremely positive and Barclays says customer acceptance of the device is 30% higher than it anticipated.
Polish students go electronic
Gemalto has supplied 1 million electronic identity cards to students in Poland. The card provides far more than just proof of ID, though. Students can use it to gain access to university premises, including libraries, dormitories and sports facilities; to pay for public transport in major Polish cities; to pay for car parking; and to claim student discounts wherever they are available. More than 100 universities and high schools in Poland are currently issuing the e-student card, and a further 300 institutions are expected to follow suit.
Orange is quick on the Upteq
Orange Business Services (OBS) has selected Gemalto’s Upteq Smart Dongle to field test the USB-Connect service in the French business market. USB-Connect allows OBS customers to use their PC as a business line wherever broadband Internet access is available, keeping their Orange phone number, voicemail and contacts. The service is aimed at nomadic workforces, home workers and travelers.
Gemalto buys Multos
Gemalto has acquired Keycorp’s smart card business and Multos Ltd, a leading supplier of smart card operating systems to the financial services and government sectors. The MULTOS smart card operating system was the first to receive the highest security certification possible – ITSEC E6 High/EAL6+.
Images: Getty, Panos, Jupiter
column_ Cyberterrorism
Fears that the world could be thrown into chaos by a terrorist attack on the Internet are groundless. Davey Winder explains why
Portrait: Bernie Reid
It’s hard to imagine a world without the Internet. Forget about email for a moment and think instead in terms of obtaining cash from an ATM, getting treatment in a hospital, the distribution of electricity from a power station. All would falter if it weren’t for the network infrastructure that drives them.
It’s equally difficult to imagine that the 21st-century terrorist hasn’t considered the combined propaganda value and real-world chaos that bringing down the Internet would provide.
Cyberterrorism should be rife, given the ongoing global war on terror. After all, it’s cheaper to engage in cyber-warfare than traditional warfare, as computers cost a lot less than guns and explosives. The number and variety of electronic targets are huge, the Internet has no geographical boundaries and there’s no shortage of suitably motivated, skilled operatives.
So if we agree that the Internet ought to be a prime terror target, the next logical question to ask is: why hasn’t it been attacked already? The answer, of course, is that it has, but the impact was minimal because the Internet itself is hugely resilient to disruption of its underlying infrastructure.
John Gilmore, one of the founders of the Electronic Frontier Foundation, was famously quoted by TIME magazine in 1993 as saying: “The Net interprets censorship as damage and routes around it.” This highlights the main reason the Internet is relatively safe from serious harm: the packet switching concept dictates that, if part of the network is damaged, data will continue to flow by choosing an alternative path to the same destination.
The real problem facing cyberterrorists is that they can either cause widespread disruption for a minimal amount of time using an electronic attack, or highly localized disruption for a longer period using physical attack. Achieving both goals simultaneously is all but impossible.
The example of the SQL slammer worm of January 2003 illustrates how quickly an electronic attack can spread: it infected 75,000 global servers within 10 minutes, with the number of computers infected doubling every 8.5 seconds. Yet its impact was short-lived. Some 13,000 Bank of America ATMs didn’t dispense cash, several Continental Airlines flights were canceled when the booking system went down and some South Korean ISPs were closed for a few hours. Most of the world carried on as usual, blissfully ignorant that the slammer had slammed.
The truth is that widespread damage to the Internet is extremely rare and extremely short-lived. More recent incidents, such as the February 2007 attacks on the DNS servers (the machines that translate web addresses into the numerical code understood by the Internet) by botnets comprising millions of zombie PCs, had little effect. None of the servers crashed and the Internet continued to function more or less normally.
Even if the terrorists were to focus their attention on the physical infrastructure of the network – the cables instead of the codes – things wouldn’t be any worse. When the primary Internet backbone serving South-East Asia, India and the Middle East was accidentally severed off the coast of Egypt in January this year – an incident that was compounded by faults with several other major routing cables – the end result was hardly devastating: a 60-70% reduction in bandwidth to swathes of India, Pakistan and Egypt. Not a total disconnection, just less bandwidth. The Internet didn’t break; it just went a bit slower for a couple of weeks.
So I’m not too worried by the threat posed by so-called cyberterrorists. Indeed, I’m more concerned about bandwidth-hogging streaming video entertainment sucking the life out of the Internet – but that’s another story….
Safety net
We hope you have enjoyed this issue of The Review. To help us make it even better, please take a few minutes to answer the questions below; then simply moisten the gummed area, fold and seal the page where indicated, and put it in the post (you don’t need a stamp).
Don’t forget to tick the boxes at the bottom of the page if you would like to take out a free subscription to The Review and/or our regular e-Newsletter – and if you hurry, you could receive a free 2GB biometric USB key as well!
1. Which technology/security business magazines do you read?
2. How do you rate the design of The Review?
❑ Very good ❑ Good ❑ OK ❑ Poor ❑ Very poor ❑ Don’t know
3. How do you rate the quality of the written articles?
❑ Very good ❑ Good ❑ OK ❑ Poor ❑ Very poor ❑ Don’t know
4. What do you intend to do with your copy of The Review?
❑ Retain it for future reference ❑ Pass it on to a friend or colleague ❑ Discard it/recycle it
5. What subjects would you like to see covered in future issues?
6. How did you obtain your copy of The Review?
❑ By mail ❑ At an event ❑ Given to me by a colleague ❑ Other
The Review is published three times a year, bringing you news, views and insight about the digital security industry around the world. Subscriptions are free and we deliver the magazine directly to you. What’s more, the first 50 people to subscribe using this form will each receive a 2GB biometric USB key. Simply tick the box (right), fill in your details and return this form to the address overleaf.
Full name
Company
Address
Email address
❑ Yes, I would like to receive a free subscription to The Review. Please tick here
❑ Yes, I would like to receive Gemalto’s e-Newsletter, a regular publication with our latest news, offers and resources. Please tick here
Subscribe to The Review for free
Tell us what you think
Terms and conditions: the USB memory stick will be sent to the senders of the first 50 correctly completed forms received by Gemalto. No correspondence will be entered into. There is no cash alternative.
Gemalto Review Research
Wardour
Walmar House
296 Regent Street
London
W1E 3BR
United Kingdom
The International Civil Aviation Organisation (ICAO) Technical Advisory Group on Machine-Readable Travel Documents (TAG MRTD), the ICAO Secretariat expert body in this area, is responsible for the development of specifications for travel documents with the goal of achieving global interoperability in this field.
In addition, the TAG MRTD seeks to advise ICAO Secretariat on technological issues related to the issuance and use of machine-readable travel documents.
Last May, during its 18th Meeting, the TAG/MRTD approved the work done by its working group and the work program to be put forward for the coming year. During the last year, an extensive, thorough and complex programme has been achieved by this remarkable group of experts, which represents over 50 States.
Work achieved and recently approved by this group includes the Transliteration of Arabic Names for use in MRTDs and approval for the creation of a new working group, the Implementation and Capacity Building Working Group (ICBWG). This group will, among other activities, increase the ICAO Secretariat’s focus on providing field-proven assistance and expertise to nations that are now in the process of converting or modernizing their travel documents issuance process and, more importantly, updating their issuance systems.
What is perhaps most remarkable about this ICAO Secretariat expert group is its uniqueness: this is the only forum in the world able to research, discuss, draft and establish a common understanding on standards and specifications for MRTDs and e-MRTDs. There is no other.
This group has its foundations in an international convention (the Chicago Convention) adopted by 190 Contracting States, which provides the mandate and the ability to enforce such standards and specifications. The group also benefits from a unique cooperative agreement achieved with the International Organization for Standardization (ISO), which provides for the technical support and integrity required to achieve sound international standards.
Moreover, the work of the group and its success in implementing international standards relies on the cooperation and coordination with other international organizations such as INTERPOL, the United Nations Counter-terrorism Committee (UN CTC), the European Union (EU), the Organization for Security and Co-operation in Europe (OSCE), the Inter-American Committee Against Terrorism of the Organization of American States (OAS CICTE), the International Air Transport Association (IATA), the International Organization for Migration (IOM), and Airports Council International (ACI).
Thus, the ICAO TAG/MRTD is the only international forum that can truly propose and achieve the global interoperability required for the standards and specifications in this field, and it has successfully done so for over 30 years. Whether the initiatives or proposals come from a singular State, a small group of States or a region, the ICAO TAG/MRTD is the only rightful forum to which any such proposals shall be elevated in order to achieve any meaningful and significant international common understanding and standards.
Finally, the group also provides a forum for all ICAO Contracting States to establish and consider, in a “vendor-free” environment, their present and future needs for MRTDs and eMRTDs. Once these needs are established, the TAG MRTD, through its New Technologies Working Group (NTWG), issues a Request for Information (RFI) every three years in order to keep abreast of new and improving technologies from the vendor community. Relevant information gathered during the RFI process is summarised and shared among the 190 ICAO Contracting States, which is further considered when international standards and specifications are developed (thus assisting States to put the “horses before the chariot” when it comes to adopting technology in this field).
With the support of the Contracting States, the ICAO Assembly and the ICAO Council, the Secretariat and the TAG/MRTD will continue to be the unparalleled fulcrum on which this progress will revolve, and provide an unbiased and appropriate forum to continue and enhance it in the years to come—for the greater good of all the ICAO Contracting States.
Mauricio Siciliano, Managing Editor, ICAO MRTD Report
The ICAO TAG/MRTD
The only international forum to achieve global interoperability on MRTDs and eMRTDs
International Civil Aviation Organization
COMMUNIQUÉ FROM ICAO MRTD REPORT