[NEWS] Crypto-relevant wire clippings

AP Online: Sunday, September 15, 1996
Card Raises Privacy Issues
By PATRICIA LAMIELL

Big Brother is not watching. Or is he? Fears resembling those of the omniscient machine that spies on people in their homes in George Orwell's novel, "1984," have found their way into a new technology entering the marketplace -- smart cards.

These credit cards embedded with computer chips can store information from shoe size to credit history. But critics claim these cards will be used to compile dossiers on the people who use them.

And now it's up to the Smart Card Forum, a family of companies driving development of smart card technology, to convince the public that Big Brother isn't watching, for smart cards are protected and confidential.

"There's a huge amount of misunderstanding, and that creates a huge amount of fear, about whether these products are going to decrease people's privacy or otherwise leave them unprotected," said John Burke, the forum's attorney and a partner at the law firm of Foley, Hoag & Eliot in Washington, D.C.

Starting Monday in San Francisco, members of the Smart Card Forum will meet to discuss the latest technology and marketing programs necessary to put a smart card in every household.

In many ways, smart cards resemble credit and debit cards that the market has grown accustomed to using. With a simple swipe, they too can substitute cash when buying everything from subway tokens to clothing and the purchase price is electronically deducted from the card using a special machine.

But the smart card takes the technology further, embedding a computer chip into the card. That gives it much more memory and enables it to do simple math and process information, like keeping a bank balance or tracking frequent flier miles.

The huge potential scope of the smart card has prompted some concerns about the privacy rights of users. By tracking small purchases, telephone and transportation records, they can document a person's everyday movements.
That information could be useful to everyone from employers and family members to law enforcement officials and banks. Marketers might be very interested in records of purchases made with smart cards. But privacy experts question whether third parties should gain access to see such information.

The American Civil Liberties Union of New Jersey is fighting a state proposal to encode fingerprints on smart card drivers licenses on the premise that it would treat as criminals people who are not suspected of a crime.

"We also oppose the requirement that other data be included" on New Jersey drivers licenses, said David Rocah, an ACLU staff attorney in Newark, "unless precautions are made to insure that third parties will not have access to that data."

Others, however, counter the questions of privacy, claiming that owners can control what information goes onto them and with whom it is shared. They also point out that the information is electronically scrambled, or "encrypted," making it very difficult to steal.

The Smart Card Forum is working to create privacy guidelines that can keep pace with the fast-developing industry. Federal regulators, such as the Office of the Comptroller of the Currency, the Federal Reserve and the Federal Deposit Insurance Corp., are all considering whether and how to regulate smart cards.

Smart cards are a huge business for companies like Texas Instruments Inc. and Motorola Inc., which make the chip. They could also be a boon for banks and other financial institutions that issue the cards for a fee, and for payments-systems networks like Visa and MasterCard, which earn a percentage of each transaction.

"This is a huge, huge market," said Peter Hill, executive vice president for technology at Visa International, one of the 225 corporate members of the forum.
"Cash transactions world-wide total about $8 trillion a year, of which 80 percent are for $10 or less."

A number of big banks have run pilot programs to test consumers' acceptance of the cards. Some have teamed up with Visa and MasterCard to do market tests in Swindon, England, Canberra, Australia, and at the 1996 Summer Olympic Games in Atlanta. A test is planned by MasterCard, Visa, Chase Manhattan Corp. and Citicorp, in New York's Upper West Side later this year.

So far the pilot projects, which have put about 50,000 smart cards in circulation worldwide, have had mixed results. Many worry consumers will not incorporate the cards into purchases they now make with cash, and that has left merchants wary about the cards also.

To move beyond the arena of small purchases, members of the Smart Card Forum are developing technology to allow people to use home computers to pay for Internet purchases with these cards, and to download cash onto a smart card. Personal-computer makers have begun including chip readers in PCs for these purposes.

Also in development are scores of non-financial applications, such as keeping drivers license and medical information, transferring government welfare or medical benefits, and making airline and hotel reservations.

To Diane Wetherington, MasterCard's senior vice president for smart cards, the Forum's biggest task is not the social and legal issues surrounding the smart card, but getting consumers to use it for any and all financial transactions down to the 10-year-old's weekly allowance and merchants to accept it.

"The technology works, the product works," she said.
"Now it is up to the marketing associations and companies to really try to create global products from these."

American Banker: Monday, September 16, 1996
FUTUREBANKING
SET a Big Win for the Card Associations
By JEFFREY KUTLER

Whether for superstitious reasons or just to avoid the inevitable groans, experts in data security were long reluctant to use a certain, pertinent pun. But now it can be officially uttered: SET is set.

Secure Electronic Transactions, the Internet payment protocol hashed out by MasterCard, Visa, and a sometimes unruly bunch of technology providers, went up on the card associations' Web sites in June in what was labeled as its final form.

In other words, the standard was ready for prime time. Software developers could begin incorporating it in systems being designed for electronic transactions. And thus began something of a race to make SET-secured card payments a reality, at least in a test mode, by yearend.

The principals were too busy and running too fast to celebrate their hard-won accomplishment. There was far more work to be done, and in their haste to get to it they may never have adequately explained the document's true significance.

The SET advocates met their objective. Getting past their internal divisions, they wrote specifications for on-line credit card transactions and were unanimous in their endorsement. Relying on data encryption and digital certification of buyers, sellers, and bank processors, they erected several barriers to electronic thievery.

They did not make the Net safe for all commercial and monetary activity. Nor did they silence a number of critics who still raise warning-flags about the Internet's inherent vulnerabilities, even those addressed by SET.

The development of the protocol was well-chronicled.
Probably too well from the standpoint of MasterCard and Visa, which had hoped that their mid-1995 move to cooperate -- on the assumption that payment security should not be a competitive venue -- would lead to a rapid conclusion of amicable, low-profile deliberations.

The diplomatic initiative derailed in the fall of 1995 when Microsoft Corp., sitting on Visa's side of the table, failed to reconcile with the opposing camp that included two of Microsoft's market adversaries, International Business Machines Corp. and Netscape Communications Corp.

After a couple of months of fence-mending, the negotiations were declared back on track Feb. 1. Within a month the working draft of SET was completed, supposedly drawing the best features from the initially separate MasterCard and Microsoft-Visa proposals.

As the June deadline approached, most of the organizations directly involved in SET -- they included GTE Corp., Science Applications International Corp. (SAIC), and companies associated with the data encryption leader RSA Data Security Inc. -- announced they would provide products and services implementing the protocol.

Verifone Inc. hit the ground running June 18 with a comprehensive electronic commerce package that it said would be the "first implementation" of SET, supported by numerous strategic allies from the SET circle and beyond.

Said Verifone's Internet commerce division chief Roger B. Bertman, "This will help the industry benefit more quickly from increased Internet transaction volumes and allow us all to begin learning by doing."

Verifone had reportedly pressed to join the SET team, only to run up against the members' desire to stay small. But Verifone was very plugged in, and Mr. Bertman's "learning by doing" could have been their motto. By implication, publication of SET was just one more beginning.

At the heart of SET is data encryption technology, specifically that provided and championed by RSA of Redwood City, Calif.
In the encryption field, science meets commerce. The plodding of the scientific method tempers businesses' drive to get products to the market.

Further complicating any venture into encryption -- the mathematical technique for scrambling messages to prevent unauthorized reading -- is the overhang of public policy. RSA and its progeny have chafed at federally imposed limits on cryptographic systems, particularly on the length of the code-defining keys they can export.

While most financial activities are not hindered by the government's concern about "strong encryption," any banking or payment-related activity is surely to be scrutinized by that industry's regulatory establishment.

It is only 20 years since the advent of public key cryptography. Improvements have been continuous, at least theoretically enabling the guardians of secure data to stay a step ahead of criminal pursuers.

That SET could come together in a few months of concentrated effort is testimony to the strength and durability of the concept. As in academic tradition, what is tested and proven wins out.

MasterCard's and Visa's pre-SET attempts, Secure Electronic Payment Protocol and Secure Transaction Technology, "didn't incorporate enough of preexisting security standards," said Allan M. Schiffman, chief technology officer of Terisa Systems Inc., a Los Altos, Calif., company formed in 1995 by RSA and several other investors to develop secure systems for Internet commerce.

"In dealing with crypto, it's nice for stuff to be out and analysts to take a shot at it," said Mr. Schiffman, whose company was intimately involved in SET and said back in April that it would build the protocol into its client and server toolkits. "Older standards that aren't broken are what crypto-developers want."

SET's reliance on the proven didn't stop the sniping.

Lee H. Stein, chairman of First Virtual Holdings Inc. in San Diego, designed his Internet commerce system such that payment data flow via a private communications channel rather than the World Wide Web. First Virtual is not yet ready to bank on encryption. SET may be a step in the right direction, but it didn't sway Mr. Stein.

"Sensitive financial information is never to be on the Internet," Mr. Stein said at the Cyberpayments '96 conference in Dallas in June. "Has anyone here yet seen a hierarchical, encryption-based certification authority working at the consumer level?"

Jerome Svigals, a California-based consultant and long-time advocate of smart cards, criticized the lack of portability of the customer certificates required for an SET transaction. Designed to be embedded in a personal computer, the certificates, or digital signatures, might better comport with the credit card transaction model by being stored on smart cards.

Aharon Friedman, chairman and chief product developer of Digital Secured Networks Technology Inc. in Englewood Cliffs, N.J., has expressed concern about the software-only nature of SET. He said it requires a hardware component to be fully secure.

Mr. Friedman, a one-time SAIC research physicist who founded his network security company last year, also said too much of an SET message is in clear text or subjected to "hash functions" that do not provide the high security levels of encryption.

"Unlike hardware, software can be bypassed using a computer," Mr. Friedman said. He has suggested that a hardware-based approach be incorporated into SET at "a more elementary level" so that all the text can be encrypted.

"He put it aggressively," Mr. Schiffman said of Mr. Friedman. "What he says is not wrong, but it was not unaccounted for" in SET revisions.

Other SET defenders have pointed out that the three aforementioned critics have vested interests in, respectively, off-Internet payments, smart cards, and hardware.

Mr. Friedman said he is a few months away from a hardware-software solution that would be economical for PCs and even laptop computers, but he was not ready to talk about specific pricing.

More fundamentally, the SET group had to grapple with classic questions of appropriateness. The security measures had to fit the potential crimes, at a reasonable cost.

As new electronic payment media develop, "people are going to realize that they can't guarantee 100% security," Geoffrey Baehr, a top network technology official at Sun Microsystems Inc., said at a banking conference earlier this year. "Instead, they will aim their development work at 100% acceptance of risk, and assume there is always some amount of fraud.

"It happens, and there isn't much you can do about it other than best efforts."

Focusing on the framework for card payments, the SET group put its best efforts toward standards for transaction software and the ever-critical authentication of cardholders, merchants, and banks, based on the digital certificates issued and maintained by "trusted parties." A big selling point is that merchants don't see buyers' credit card numbers; the system transparently validates them.

RSA Data Security has a central, commercial interest in how SET develops and has taken on an associated, almost public-service responsibility for coordination.

"SET is definitely the way to go to secure bank card transactions," said Kurt Stammberger, RSA's director of technology marketing. "We believe it will be huge. Otherwise we wouldn't have built a toolkit around it."

Indeed, the "RSA Encryption Engine" brand will be on Verifone's software products -- vGate, vPOS, and vWallet -- the first of what should be many SET-related licenses.

Because there will be a proliferation of on-line products, especially the virtual wallets at the consumer level, Mr. Stammberger said "RSA's role will be to make sure all the wallet implementations talk to all the merchant implementations and the banks."

"Building cryptography is not trivial, but getting all the right people talking to each other can be even more of a challenge," Mr. Stammberger said.

Meanwhile, Verisign Inc., spun off by RSA 17 months ago, is going after the certification piece of the business. In July it announced it was chosen by Visa International to provide Internet authentication through the member banks.

Building a global infrastructure for the encryption-based certification product it calls Digital ID, Verisign views the Visa deal as a big mass-market opening for digital signatures.

"The financial services industry is leading the charge in bringing Internet commerce to the consumer," said Verisign president and chief executive officer Stratton Sclavos, who has also signed breakthrough licensing pacts with Microsoft and Netscape. He expects market availability of his "high-volume, scalable-to-the-millions" product "as soon as SET is ready," by early next year.

MasterCard designated the CyberTrust unit of GTE Corp., one of its partners in the SET project, as its private-label certificate provider. The announcement, within days of Visa-Verisign in late July, prompted some one-upmanship. MasterCard senior vice president Steve Mott predicted GTE would be "bigger, better, and faster" in the market.

Visa U.S.A. president Carl Pascarella wanted to underscore that the Verisign-GTE face off means healthy competition, not a return to the earlier SET dissension. He said the card associations rejected the idea of a single certification authority because it could have been monopolistic. And while Visa members can now choose Verisign, and MasterCard members GTE, they could also be their own "CA" or pick from other suppliers.

"Visa and MasterCard agreed to pursue different certification options," he said. "The technology will be more robust, and it will minimize the impact on issuers and acquirers.

"Things are changing so fast, we don't want to be in the position of driving stakes into the ground.
Our concern right now is to protect the banks, and SET does that."

The Miami Herald: Monday, September 16, 1996
Firm Hopes Facial "Signature" to be Foolproof

Don't look for twenty-something computer nerds at Identification Technologies International in Coral Gables. ITI, a high-tech firm founded in 1993, is run by David Bendel Hertz, an energetic septuagenarian.

Hertz has held executive engineering positions at RCA and Celanese, has been a partner at the consulting firm McKinsey & Co. in New York and has taught business and law at the University of Miami. His latest venture focuses on a facial recognition system, with applications from building access to internet banking.

"We are a start-up business, a research and development company," says Hertz, 77. "And now we're becoming an operative company."

Hertz saw an opportunity in 1994. Conventional facial recognition systems "were too slow and took too much computer memory," he says. And stored on a hard drive, the data were vulnerable to hackers.

Hertz calls his solution One-to-One. It uses a camera to take a person's photo and compares it to a facial "pixel signature." The signature uses only 96 bytes of memory -- as opposed to 500 to 2,000 bytes in conventional systems -- and can be easily stored on a smart card.

Hertz insists that even the most intelligent hacker won't be able to break into the system because the data is not available on a central computer system and a stolen smart card will not match the thief's facial characteristics.

Hertz allows that ITI has spent more than $1 million so far, half from him and half from Peipers, a New York investment company.

ITI offers its system in the form of a small black box, containing the camera and connected to a computer. One-to-One uses little memory because it focuses on specific characteristics, such as the position of the eyes and the form of the mouth, while older systems store a photo-like image of the face.

"When we started," Hertz says from a University of Miami test lab, "the first thing we did was ask a plastic surgeon if there are sufficient differences between faces.

"'Every face is different,' he answered. But what about identical twins, we wanted to know.

"The surgeon said there are enough differences in their faces that some people -- like their mother -- always can recognize them."

Using biometrics, the branch of biology that deals with data statistically and by mathematical analysis, One-to-One can recognize these differences as well as a mother. A niggling problem, however, is that the system may not recognize a characteristic that is not part of your signature, such as a new haircut or even a smile.

So far, ITI has made 50 units, mostly for testing and evaluation. Priced at $2,000-$3,000, two of the units have been sold to Westinghouse Security Electronics, which does not manufacture facial recognition systems.

Jorge Sousa, director of product development at Westinghouse's systems division, based in Santa Clara, Calif., says he is "convinced that biometrics has a future," and that his company is keenly interested in ITI's product.

Citicorp is currently testing Hertz's system on its ATMs, and AktivNet, a Miami company, has agreed to try out 400 units in 1997 on its communications kiosks in airports and hotels geared to business travelers. Hertz has also presented One-to-One to the National Security Agency, which he says "exhibited high-level interest."

ITI is being marketed in Europe, South Africa and the Middle East by a Dutch company, Digistration. Hertz sees customers ranging from airports to welfare agencies to sports arenas. "The market is large and growing every day," he says.

David Leibowitz, managing director and analyst at Burnham Securities in New York, also sees a rising interest in sophisticated security systems.

"There is every likelihood that more creative devices will be needed," said Leibowitz, who added that with the rise in crime and theft, "The security market is growing at a dramatic pace."

Leibowitz points out that the security market can include everything from barbed-wire fences to combination locks to the high-tech devices manufactured by such companies as Sensormatic, Checkpoint and Knogo.

"Should ITI's product prove itself in tests and go on to succeed in real-world applications," he said, "there is a good chance there would be a market for it." But he cautioned that between now and then, competitors may have developed similar or more innovative systems that affect ITI's potential to market its product.

Hertz plans to hire 10 additional employees to market and distribute ITI products. They will join the 12 people currently on staff, an international group including a computer programmer, biomedical scientist and mathematical analyst.

Their work has far-reaching implications: Hertz envisions a day when ITI develops systems and products that, for example, have the capability to "detect people in a crowd," to catch fugitives or help find missing persons.

Retail Banker International: August 22, 1996
Chase Builds "Best Biometric"

CHASE MANHATTAN is currently testing biometric voice printing for retail banking applications in two pilots in the New York area. The bank said these tests will be concluded before year-end, and could lead to the introduction of biometric voice printing in several retail channels as early as 1997.

The two pilots now in progress are testing voice printing at branch offices, the most challenging environment for voice printing, due to ambient noise and distortion. Branch customers pick up a phone on the teller line and verify their identities instantly, saving the teller the time needed to check the validity of each customer's bank card.
But the system's most dynamic application will be in remote delivery, and especially in phone banking, where customers' identities can be automatically verified as soon as they speak, allowing phone reps to call up all account data instantaneously.

The bank expects to roll out voice printing first in high-risk wholesale operations, like funds transfer and treasury services, before introducing it to the retail side of the bank.

"Voice is the best biometric," said Elizabeth Boyle, Chase VP for strategic implementation in New York.

First, voice printing offers security in all channels, an advantage that techniques like fingerprinting and dynamic signature analysis do not enjoy. This means that customers can use the system for remote transactions and can open accounts without visiting a branch, for example.

Second, customers are most comfortable with voice printing, which is considered far less intrusive than fingerprinting, for instance, and is completely invisible over the phone.

Lastly, voice printing is the most effective security system, yielding the lowest percentage of false positives, and just as important, the lowest rate of false negatives. "We do not want to be in the position of telling customers that they are not who they are," Boyle explained.

Chase's voice printing pilots use technology developed by Votan of Pleasantville, California, a firm currently under registration for an initial public offering valued at $30 million.

Direct mutual funds provider Fidelity Investments is also working on the implementation of voice printing technology, and Citibank is currently running voice pilots by four separate vendors. Boyle said that twelve months ago, Chase decided against multiple-vendor pilots, believing the technology was changing too rapidly to make this approach economical.

New York Times: Monday, September 16, 1996
Testing Whether Internet Readers Will Pay
By MIKE ALLEN

After extending its grace periods four times, The Wall Street Journal Interactive Edition says it will bar freeloaders from its World Wide Web site beginning Saturday.

The results are being watched as a bellwether for prospects of charging for access to Web sites. Because of The Journal's fame and its high proportion of business users, founders of other sites figure that if The Journal does not succeed, they may have no chance of charging in the foreseeable future.

Today's Web is a money pit, with sites getting some revenue from advertisers but virtually none from users.

Nick Donatiello, a market researcher who surveys consumer attitudes about new technologies, said subscription fees might work in a special case like The Journal, but would remain rare.

"Consumers can surf the whole Web for less than $20 a month, so it's hard to convince them that they should pay for one little slice out of this enormous pie," said Donatiello, the president of Odyssey LP, a research firm in San Francisco. "Paying for content is going to be dwarfed by having advertisers pay, not because the Web has a culture of free content, but because television has a culture of advertising-supported content."

A message on the Journal's site (http://www.wsj.com) says, "Avoid the rush and convert now to a paid subscription." The interactive Journal is charging $49 a year, or $29 to those who take the print Journal, which runs $164 a year.

Neil F. Budde, the editor of the interactive edition, said many people were philosophically opposed to paying for information on the Web. But he said others would subscribe because of the site's features like Briefing Book, which offers news about a company, charts of stock performance and five years of financial data.

"These are not the people who have been on the Internet since Day One," he said.
"These are newer people, people who are in business, who say it's worth it not to have to look four different places on the Internet" to find information that the Journal site pulls together.

About 650,000 people registered during the interactive Journal's trial period. Thomas Baker, the business director of the interactive edition, said surveys of those users indicated 10 to 30 percent were willing to pay.

"If, at the end of the year, we had 20,000 to 25,000, that would be good," Baker said. "We're realists. Our expectations are fairly modest. We look at this as a magazine start-up, and even successful magazines take a while to ramp up."

Baker said only 20 to 25 percent of those surveyed subscribed to the print Journal. "That helped allay people's fear of the cannibalization of the print readership," he said.

When the site opened in April, it offered free access through July 31. That was extended to Aug. 31, then Sept. 21. The deadline to register was May 31, then June 30, then Aug. 1.

There is still a loophole: Access to the on-line Journal is free through Dec. 31 to those who download the Microsoft Corp.'s Web browser, Internet Explorer. Also free: two-week trials of the Journal site.

Barron's, a weekly that like the Journal is published by Dow Jones & Co., thought big when it announced its Web site in May, saying it planned to charge $99 a year for basic access, and even more for premium areas like an Investors Workstation. That would have made it the most expensive mass-market site on the Web.

The plan has been rethought. Barron's Online (http://www.barrons.com) has remained free, and a spokesman said the future subscription price had not been determined.

The Web site of The New York Times requires users to register but does not charge. About 600,000 have signed up since the site (http://www.nytimes.com) opened in January.
"Our view is that market share is a more important criterion for success than whether you can get a few people to pay for the service," said Martin A. Nisenholtz, the president of The New York Times Electronic Media Co. "But we continue to evaluate our users' willingness to pay for information on line."

The other best-known news sites, including those from CNN, USA Today, The Washington Post and The Los Angeles Times, are open to all.

ESPN's site (http://espnet.sportszone.com) charges $39.95 a year for access to premium areas, including columnists. But that service, too, is free until the end of the year through Microsoft Explorer.

Microsoft, meanwhile, has found an old-fashioned way to get some income from its on-line magazine, Slate: sell paper copies. Slate on Paper went on sale this month in many Starbucks coffee boutiques, and mail subscriptions are available. The 62-page digest of the on-line version is produced in Microsoft's print shop.

The paper Slate is $29.95 a year. That's $10 more than the on-line version will be when it starts charging for access on Nov. 1.

The site (http://www.slate.com) was started in June with great fanfare from traditional media, but it continues to be skewered in the on-line world. The September issue of Wired magazine inaugurated the Kinsley Deathwatch, a pool to predict when Michael Kinsley, Slate's editor, will return from Redmond, Wash., to the other Washington.

Slate on Paper, which includes about one-third of the Web version, includes an editors' note heralding "the transmutation of all-digital Slate to the fusty comfort of analog paper and ink."

"To the best of our knowledge, Slate on Paper is the first Webzine to reverse the process," the note says. "Some say it is fitting for two companies so closely associated with the image of Seattle - Microsoft and Starbucks - to be joining forces.
Others say it is beyond parody."

A parody site, Stale (http://www.stale.com), pretends to offer a printed version, "thereby defeating the purpose of being on the Web."

Rogers Weed, Slate's publisher, said the print edition was "a bridge to the people that aren't on the Internet today."

But how many Starbucks customers want Chechnya with their frappuccino? Even some of the chain's employees are puzzled.

"This is Starbucks coffee," said Carol Hensler, who worked at a store in Richmond, Va. "We only have coffee and coffee products."

---
Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps