Smart Cards, which have proliferated across the world mainly as a form of electronic payment for public transportation. Earlier this week we profiled Japan's cutting edge Suica Card and London's Oyster Card. Today we look at a widely used smart card that has been in service since 1997: the Octopus Card in Hong Kong.This week we're looking at
Similar to Oyster and Suica, the Octopus card is powered by RFID. Octopus is used as a form of electronic payment in a wide variety of public transport, shops, restaurants, car parks and more. Indeed the Octopus has become an all-purpose identification system in Hong Kong - it's even used as an access control mechanism at certain offices, apartment buildings and schools. So do Hong Kong citizens have concerns about their privacy? It appears not...
via Twitter that he uses the Octopus card for buying "fast food, public transport, vending machines, supermarkets - even paying late fees at library or buying ice cream from the mobile mr. Softees!"The Octopus card can be used at more than 1,000 merchants in Hong Kong, including 7-Eleven, Starbucks and McDonald's. Hong Kong resident Kiran Denniz told us
There are more than 19 million Octopus cards in circulation, over twice Hong Kong's population of 7 million. Over 95% of Hong Kong citizens between the ages of 10 to 65 use Octopus and there are over 10 million transactions each day. Also note that Octopus needn't necessarily be on a card - a variety of devices can house an anonymous Octopus RFID chip, including watches and mobile phone covers.
It's Interesting to note that the the Hong Kong government (and thus China) is the biggest shareholder in the company that operates the Octopus card, Octopus Cards Limited.
The type of personal data collected includes name, contact details, identification type and number, age and date of birth, Card number and - most critically - "your Card usage data."
Point 7, how the data is or potentially "may be used," is where privacy advocates will focus their attention:
a. processing an application for one of our services;
b. the normal management, operation and maintenance of the Octopus payment system, including audit;
c. designing new or improving existing services provided by us, our subsidiaries and our affiliates (that is, any other entity which directly or indirectly controls us, is controlled by us, or is under common control with us) for customers' use;
d. marketing of goods and/or services by us, our subsidiaries, our affiliates or any of our selected business partners. We, our subsidiaries, our affiliates or any of our selected business partners may need to carry out matching procedure (as defined in the Ordinance) to enable us to better understand your characteristics and to provide other services better tailored to your needs (such as offering special birthday promotions to you), to assist us in selecting goods and services that are likely to be of interest to you and to establish whether you already have a relationship with our selected business partners;
e. communication by us to you;
f. investigation of complaints, suspected suspicious transactions and research for service improvement;
g. prevention or detection of crime;
h. disclosure as required by law;
i. as a source of information and data for transport and other services in general; and
j. other related purposes.
As you can see, that's a very wide-ranging remit - and point 7.j. is basically a catch-all for any scenario not specifically mentioned. Also bear in mind that Octopus cards can be linked to the user's credit card, which adds another organization collecting all of that data.
On the flip side, Oyster may be used anonymously - so there isn't a requirement to link it to your identity, at least for its payment uses.
A local Hong Kong blogger remarked earlier this year that "Hong Kong residents do not seem overly concerned with Octopus related privacy issues". Most apparently feel that the benefits of Octopus outweigh the potential privacy issues. One wonders if the same attitude to smart cards will happen any time soon in the U.S. and U.K., where fear of RFID is rife.