Commissioner Marie Shroff says her office has been in discussion with Snapper over its policy, and she understands that it is being revised and that an improved version will be available shortly.
Users who register online with Snapper are deemed to have accepted the policy, which appears to be a catch-all for collecting personal information.
Computerworld questioned the policy with the Privacy Commissioner following concerns expressed about it by a user who wrote to the Dominion Post.
A Snapper spokeswoman says the policy is in line with the Privacy Act 1993.
But Shroff says in a statement to Computerworld that her office has concerns about the potential for the Snapper card to track an individual’s movements and spending, and about the indefinite retention of this information.
“Snapper cards have been on sale for several weeks, and the leaflet that is handed out with the card encourages people to register their card,” she says. “Registration of the card requires that individuals provide a great deal of personal information. Once a card is registered, the card holder’s information will then be associated with other information that is collected when the card is used, such as purchases and travel.”
She says card holders have the option of choosing not to register their card, but by exercising that option they also lose the chance to request a refund if the card is lost or stolen.
Wellington’s bus fleet has been fitted out with Snapper card readers. Snapper, which is owned by Infratil, is understood to be the front-end in Infratil’s bid for the big integrated ticketing project in Auckland.
A decision on short-listed candidates for that project is expected around October.
Last week, Computerworld reported that independent security researcher Peter Gutmann, of the University of Auckland, had agreed with Snapper’s claims that its smartcard is more secure than the related MiFare and Oyster cards recently cracked in Europe.
Snapper is based on a later-generation chip than the version of the card that was cracked and has more secure encryption, a spokeswoman for Snapper Services said.
“Snapper is a new generation smart card, based on NXP’s Infineon, Smart MX and is highly secure,” she said.
“Snapper uses a triple DES encryption with a 168-bit key, compared to the MiFare Classic card that was cracked. This uses a single 48-bit key.
“The triple DES security is standard in financial cards and has been approved in New Zealand as a secure mechanism for connection through to the Eftpos network.”