The Mondex Electronic Cash system franchised by 10 major banks in Australia and New Zealand is not as private as Mondex publicity claims. A complaint under British consumer law, describing the company's privacy claims as "an outright lie", has already been mounted in the UK, where the cards are being trialled.
Banks, which maintain ownership of the smart cards, will be able to track their use and and construct audit trails. The key lies in the 16-digit ID code built into each card. Mondex says the ID number can be used to return lost cards to their rightful users--but the card readers issued to retailers will also be able to capture up to 500 transaction records at a time and relay those and the ID numbers to banks.
A British law professor has described Mondex's claim that only a cardholder will have access to details of recent transactions stored on the cards as "an outright lie".
Simon Davies of Essex University states in a complaint under the Trade Descriptions Act that he interviewed Rob Jameson, the manager of Mondex's trial in the town of Swindon, "and was told without equivocation that Mondex uses a full audit trail of all transactions. Jameson told me all retailers have a card-linked record of all transactions which are available to the bank."
Jameson later admitted in Network Week, a trade publication, that "we can certainly trace where cards have been used".
The claim that transaction records are private to customers is repeated in a list of frequently asked questions on Mondex's recently launched Website. But a similar "backgrounder" distributed in New Zealand by the Mondex Steering Committee uses a differently worded paragraph, stating only that customers have access to a transaction log stored on their cards.
An address to the US House of Representatives two weeks ago by Mondex spokesman Tim Jones confirmed that the Mondex system is able to "capture and analyse data in a way which is not feasible with suspect currency and coins". Jones said retailers' terminals and bank cashpoints provided "many opportunities for Mondex to capture transaction data".
Jones described the system as having "extensive audit capability available for online transcations". He explained that value redemption from "unexplained sources" or "for example, an individual's card behaving as if it was handling the amounts appropriate to a shopkeeper's card" would show up on tracking and trigger an investigation. Individual cards could be "de-linked immediately from the banking system", he said.
Mondex franchise holders also had the option of applying the "purse class structure", said Jones. This placed the card "purse" in a hierarchy which dictated which other cards it could transact with.
Privacy Commissioner Bruce Slane said he had been invited to discuss Mondex two days before the franchise was announced, "but I don't comment on product releases. From my understanding of concerns raised overseas it would seem to be a matter of whether the company's representations of the product were accurate--more of a consumer issue. From our point of view, we would want the public to be very clear about what the system is and how it works".
The spokesman for the New Zealand Mondex steering committee, Ian Murgatroyd, did not return Computerworld's calls, but in a media release on the purchase of the Mondex franchise, he said the system "retains customer privacy" and "totally emulates cash". The five New Zealand banks--ANZ, ASB, BNZ, Countrywide, National and Trust Bank/Westpac--are expected to begin a pilot scheme similar to that in Swindon within the next 18 months.