Posts filed under ‘ID_cards’
There have been some negative reports around Snapper and its approach to privacy so I decided to take a look.
Snapper is a stored-value contactless smartcard that can be used in Wellington’s buses and as an alternative to cash/EFTPOS for low value purchases. It’s similar to Oyster, Octopus, etc. but with a more secure chip.
Losing a Snapper card is like losing cash. So people will soon be able to register their cards online. If a registered card is lost, the person can transfer the balance to a new card.
After that, it’s all downhill. A very slippery, steep decline at that.
For example, to set up an online account, Snapper says “we will collect personal information from you, including your name, title, email address, password, gender, date of birth, telephone numbers, postal or physical addresses, preferences, demographic information, and other personal information.”
Why? What possible justification can they have to collect this information? Incidentally, this probably makes it downright illegal.
Not being satisfied with that, they go on to say that “the information we collect when that Card is used will be associated with any personal information about the card holder that you supply.” So, they want both personal information plus profiling information. Wow! Considering the range of uses for the Snapper card outlined (everyday purchases, loyalty card, building access control, ticketing and event access), they seem more intent on being a datamart than a smartcard company.
Still not satisfied with that, they go on further to envisage Snapper being used as an identity card. They will then “collect additional information about you, which may include:
- your date of birth
- any relevant licences or endorsements that you hold
- other attributes relevant for identification purposes (for example, which school or university you attend)”
I’m left shaking my head in wonder. Did a dinosaur somehow survive the Ice Age?
I can’t see how they can verify the information people give. So, despite their warnings against giving incorrect personal information, I’m willing to bet that a lot of people will do just that.
And yet, the solution for the most part is actually quite simple. Snapper could use pseudonymous identity rather than real identity. Leaving aside tracking usage or their notion of becoming an identity card (which I can’t even begin to imagine as even remotely realistic), using pseudonymous identity could keep everyone happy.
Otherwise, I’ll just stick to good old anonymous cash, thank you.
I’m just back from attending eGovernment 2008 in Canberra. For me, the big draw was an opportunity to attend a three hour workshop focussed on the UK’s Government Gateway. I sure wasn’t disappointed: the insights into the Government Gateway were quite an eye opener.
Attending the conference also led me to reflect on how online authentication is working for the Queen’s subjects in the UK, Australia, and New Zealand. It’s quite fascinating how each of them reflect diverse approaches and are also very much a product of their times.
First, Australia. Still very PKI focussed, as in standard X.509 certs in the user’s computer. There are some good intentions from the federal policy body AGIMO (Australian Government Information Management Office) to move on to solutions that work for people (not computers) but the mindset of the average government official is definitely digital certs.
A good example of this focus is the success of VANguard. VANguard’s authentication service is probably best described as an authentication broker whose main function is to allow for interoperability of digital certs issued by various CAs. This is a good step so that businesses (it’s mostly business-focussed) can use the same digital cert with multiple RPs. It’s a back-end hub so that various front-ends and portals, such as bizgate in South Australia, can draw on its functionality. Still, it has all the limitations inherent in the old PKI designs.
It’ll be interesting to see how AGIMO’s proposed National e-Authentication Framework will differ from their existing AGAF (Australian Government e-Authentication Framework) which is separate for businesses and individuals.
Back to the UK’s Government Gateway. From the outside, so much of the focus has been on the UK’s plans for a national identity card that people, including me, can’t distinguish the good stuff they have done and are continuing to do in the online authentication space from the bad. Jim Purves, Head of Product Strategy in the Cabinet Office, gave terrific insights into the chequered history of the Gateway as well as plans going forward.
The Gateway is very privacy-protective, very focussed on providing authentication and SSO for the UK Government’s online services. They are introducing SAML 2 soon but that also has the downside of continued support for all the current protocols. They’ve had some significant funding challenges in the past but now have “strategic investors” from within government so the future is bright. Trust and confidence in the Gateway is at an all-time high.
Purely speculative on my part but I think they’ve got a big cloud on the horizon: when the national identity card folks come calling. That could potentially lead to a fundamental change in approach. That’s the unfortunate steamrolling impact of the national identity card. Also interesting how they handle pan-European interoperability but, with a strong Liberty Alliance foundation, I imagine they are well placed to handle that.
So, how does NZ stack up? The proper comparison is with the GLS or Government Logon Service (which will be re-branded igovt later this year). There’s no doubt that the GLS is the most privacy-protective of the lot and has all the right moving bits.
But, there is clearly one area that the GLS should look at: adding a web services (ID-WSF) capability in addition to the current browser re-direct (ID-FF). That will provide many new opportunities off the same infrastructure, such as acting as an authenticating receiver for XML messages. The UK’s Government Gateway currently does that for all electronic tax filings direct from standard tax and accounting packages.
All in all, interesting times and much thinking…
Bruce Schneier approvingly calls it “political activism.”
I think it’s a stark reminder that some biometrics, such as a person’s fingerprints, are reasonably easy to get. And, once compromised, the person can’t ring up a help desk and get a new one (like they can with passwords).
The current story revolves around Germany’s interior minister, Wolfgang Schäuble. He is apparently quite vocal about collecting and using biometrics to fight terrorism, including storing them in ePassports.
In the most recent issue of Die Datenschleuder, activists under the name of Chaos Computer Club (“Europe’s largest hacker group”) printed an image of what they claim is the fingerprint of his index finger.
The fingerprint, on a plastic foil that leaves fingerprints when it is pressed against biometric readers, is included in the 4,000 copies of the latest issue of the magazine. Schäuble’s fingerprint was said to be captured off a water glass he used last summer while participating in a public discussion at a University in Berlin.
If a person’s fingerprints are “in the wild” then they are a far less reliable way to authenticate the person for his/her whole life. If enough fingerprints are similarly widely available, whether by accident or deliberately, it will be enough to make fingerprinting almost useless.
It’s interesting to see how booze seems to bring up great questions of identity and privacy. Or maybe it’s just the Canadians?
Canadian Dick Hardt uses buying booze as an example in his famous Identity 2.0 presentation and makes very interesting points about using ID, such as a drivers licence, to buy booze.
Now comes another angle from Canada involving booze: if your ID is scanned when entering a bar, would that make you behave? That was one of the issues at the heart of a case decided by the Information and Privacy Commissioner of Alberta.
The Tantra Nightclub in Calgary had a practice of scanning driver licences before allowing people in. Clearly it is collecting and storing personal information as it includes an individual’s photograph, license number, birth date, address, and bar codes with embedded information unique to the individual driver’s license.
The club says that “We’ve got hard data that it works, we have inthat says crime and violence is down in our venues by over 77%.” On the other hand, the Information and Privacy Commissioner described ID scanning as a deterrent to violent behaviour “conjecture” not backed up by hard data and ordered the club to stop the practice.
In terms of consent, the only thing that the complainant agreed to was the club confirming his date of birth off the licence.
This is precisely the kind of situation that the Laws of Identity frown upon in digital identity systems, in particular User Control and Consent; Minimal Disclosure for a Constrained Use; and Directed Identity. It is another example of the unjustified expectation from ID cards that knowing a person’s identity somehow magically solves most societal problems.
One of the problems with a compulsory national ID system, including a de facto one like REAL ID, is “identity inflation”, sometimes also referred to as “identity creep.”
Since everyone has a gold standard ID, government and businesses find it easier and easier to require one. Soon, situations that previously required only lower quality proof of identity or no identity at all, now require an ID card. Government and businesses find that they have an increasing number of problems that the ID card can “solve.”
There are certainly examples of this happening before. The British ID cards went from 3 functions during World War II to 39 by the time they were abolished.
There are certainly examples of this happening now. In the final regulations, the Department of Homeland Security limited the required use of REAL ID to just three situations: boarding commercial airplanes, entering federal buildings, and entering nuclear power plants. However, only five days later, a senior official from that agency floated the idea of making customers show a REAL ID-compliant driver’s license to purchase over-the-counter cold medicine containing pseudoephedrine to combat illegal drug production.
The senior official went on to say, “The last thing I want to talk about, and very briefly, is the civil liberties objections to REAL ID, because I don’t understand them.” What a gem. He probably doesn’t realise just how accurate his words were! In any case, irony is hardly a strong suit for most government types.
Interestingly, in a generally pro-REAL ID article in Time, this was the one issue over which some concern was expressed: “The great leap forward from a longer arm for the law to ‘1984’ will have to be made by the private sector. How well a watchful federal government will actually be able to track its citizens will depend on how many places demand to see your driver’s license. Airports already do. So do some supermarkets, if you’re buying beer. But what about malls? Movie theaters? Sports stadiums?”
A final perspective on identity inflation comes from, where else, the UK. Identity inflation is also about having more and more information held about people. Currently, the law specifies 50 categories of information that the National Identity Register can hold on each citizen. Why not, gradually, increase that? After all, what’s a few more pieces of information? All for the greater good, the public interest, and all the right stuff. Government’s got a problem to solve? Let’s store that one more piece of information that will “solve” the problem.
As I’ve said before, my opinion is that the REAL problem is more Franz Kafka than George Orwell.
There is nothing like re-learning privacy lessons from personal experience. Recently, for a financial transaction I had to find out my Indian tax identifier and in the process discovered just how easy it was for almost anyone to get that information online.
Indian tax authorities are focussed on reducing tax evasion and issue a unique static national identifier, called the Permanent Account Number (PAN), after verifying the person’s identity. Providing a PAN is compulsory in most financial transactions. It is also compulsory in such diverse things as getting a phone or paying a hotel bill of approx. US$ 660 or more.
This makes sense from the perspective of the Indian tax authorities in a situation where only 2% of the country’s population pays taxes. Pulling together a person’s profile based on a unique key across multiple databases is easy and automated. A visit from the tax man soon follows.
However, from a protection of privacy angle, that’s terrible. That’s why in countries like New Zealand, the Privacy Act (Principle 12) specifically controls the usage of unique identifiers.
It would therefore be logical for there to be strong barriers to finding out a person’s PAN in India. On the contrary, the Indian authorities obligingly provide an online service that gives the PAN to anyone who knows the name and date of birth of a person. It also gives the tax office of the person and therefore a good idea of where the person lives.
The next steps? Indian tax authorities plan to introduce biometric PAN cards. Again, something that makes sense for the government but little for the people.
Coming soon is a compulsory national identity card in a smartcard format which will provide a further network of linked unique identifiers.
Reports from across the Tasman say that Australia’s new government has pulled the plug on the Access Card. The ID card that wasn’t supposed to be an ID card has been controversial and Labor seems to have decided that former Prime Minister John Howard’s baby should be aborted.
The official website has already been changed so clearly the government wants to move on.
The Access Card saga is a classic tale of how not to implement a major government initiative. Lack of consistent and clear messages compounded by a lack of transparency and trust has always made it difficult to separate fact from political noise.
As David Vaile of the Australian Privacy Foundation once put it, “The problem with the Access Card project is that it involves collecting the data first, connecting systems, and then deciding what to use it for.”
Privacy and civil liberties advocates are apprehensive that the reports of the death of the Access Card have been greatly exaggerated. They are keeping a watch out for any proposal to re-introduce the card in a new form, as was the case with the Australia Card.
I don’t think they need to worry. As the UK has shown, ID cards for countries that traditionally haven’t had them are now so passé.
Talk about timing.
Just hours before UK’s Chancellor Alistair Darling revealed to MPs the loss of 25 million personal records, Government CIO John Suffolk gave a blunt warning about the danger of creating more giant government databases. He said, “To put more eggs in single basket is a foolhardy approach. The best way to protect data is to say: this data is for specific purpose, put protection around [it].”
He went on to say, “There is a balance to be struck. It’s nonsense to assume or even think about a central database or central clearing house.”
As Kim Cameron said in his blog post, “To me this is the equivalent of assembling a vast pile of dynamite in the middle of a city on the assumption that excellent procedures would therefore be put in place, so no one would ever set it off.”
“There is no need to store all of society’s dynamite in one place, and no need to run the risk of the colossal explosion that an error in procedure might produce.”
In my first post about the data loss, I mused, “Perhaps the time has come when identity systems are based on an assumption that people’s personal information is not secure.” On the same lines, Kim said “the information that is the subject of HMRC’s identity catastrophe should have been partitioned – broken up both in terms of the number of records and the information components… no official (a.k.a. insider) should ever have been able to get at enough of it that a significant breach could occur.”
That got me to do a mental check about the online identity and authentication systems being put into place in New Zealand. Though the service is presented to people as a single, integrated service (igovt), under the hood there are two separate services (Government Logon Service and Identity Verification Service) run by two separate government agencies with two separate databases.
This ensures that in the unlikely event that a breach does occur, even then no single database has all the information. The check provides a measure of confidence that the NZ services are designed right from a breach perspective.
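To make the partitioning idea concrete, here is a sketch of my own (an added illustration, not igovt’s code or that of either agency) of two services with two stores and per-agency pseudonyms along the Directed Identity line: the logon store holds only credentials, the identity store holds only verified attributes, and each relying party gets a different, unlinkable identifier. The class and relying-party names are assumed, and the link between a logon handle and an identity token is deliberately held by neither store in this model.

```python
import hashlib
import hmac
import secrets


class LogonService:
    """Holds credentials against an opaque handle; knows no real-world identity."""
    def __init__(self):
        self._creds = {}  # handle -> (salt, pbkdf2 hash)

    def register(self, password):
        handle = "L-" + secrets.token_hex(6)
        salt = secrets.token_bytes(16)
        self._creds[handle] = (salt, self._hash(password, salt))
        return handle

    def authenticate(self, handle, password):
        if handle not in self._creds:
            return False
        salt, stored = self._creds[handle]
        return hmac.compare_digest(stored, self._hash(password, salt))

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def dump(self):
        """What a breach of this store alone yields: handles and hashes, no names."""
        return {h: "salt+hash" for h in self._creds}


class IdentityVerificationService:
    """Holds verified attributes under its own token; no credentials live here."""
    def __init__(self, pseudonym_key=None):
        self._key = pseudonym_key or secrets.token_bytes(32)
        self._people = {}  # token -> attributes

    def enrol(self, attributes):
        token = "I-" + secrets.token_hex(6)
        self._people[token] = dict(attributes)
        return token

    def pseudonym(self, token, relying_party):
        """Directed identity: a stable identifier that differs for every agency."""
        msg = f"{token}|{relying_party}".encode()
        return hmac.new(self._key, msg, "sha256").hexdigest()[:16]

    def dump(self):
        """A breach here yields attribute names, but no credentials or pseudonyms."""
        return {t: sorted(a) for t, a in self._people.items()}


def demo():
    # The handle-to-token link is held by neither store in this model (assumption).
    gls, ivs = LogonService(), IdentityVerificationService()
    handle = gls.register("correct horse battery staple")
    token = ivs.enrol({"name": "A. Citizen", "dob": "1970-01-01"})  # constructed
    logged_in = gls.authenticate(handle, "correct horse battery staple")
    tax_id, health_id = ivs.pseudonym(token, "tax"), ivs.pseudonym(token, "health")
    return {"logged_in": logged_in, "gls": gls.dump(), "ivs": ivs.dump(),
            "unlinkable": tax_id != health_id}
```

Dumping either store on its own shows the point: one gives you hashes without names, the other names without credentials, and two agencies comparing their pseudonyms cannot match the same person.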
The Sunday Mirror claims that the UK Prime Minister, Gordon Brown, will abandon plans to introduce a universal national identity card. This was immediately picked up and gleefully reported by ID card opponents such as The Register.
The Sunday Mirror says, “…their introduction next year for foreign nationals will go ahead as planned. But the proposed roll-out to force all Britons to carry them will be shelved indefinitely.”
However, as The Register points out, “The Identity & Passports Service (IPS) has moved the focus of the old Passport Service from the document to the individual, and will continue down that road, meaning that it will eventually build up a form of identity register covering the bulk of UK citizens under its own steam. And via the General Registry Office land-grab it picks up the rest of them (except for the Scots).”
“This leaves you with a population-wide database of personal information, and all of the questions about security, privacy and access that have [always] existed…”
Therefore, whether or not the UK goes ahead with a universal national identity card, the privacy genie is out of the bottle. And no amount of spin can wish that away.
Last week I presented “Government As A Privacy-Protective Identity Provider: The New Zealand Case” at RSA Conference Europe.
At the start, I asked the audience to take one of two extreme positions on privacy. The first one was along the lines of privacy being over-hyped; privacy is dead so get over it. The other extreme was to regard privacy as the hallmark of a civilised society, a cherished goal worth fighting for. Perhaps unsurprisingly, the large majority of the audience were in the latter camp. The natives were friendly!
The timing of the presentation was fortuitous as the two sessions that I attended before mine turned out to be part of my problem statements.
The first was a panel discussion “Pandora’s Box: Youth and the Internet” which saw the panel call on governments and/or others to provide a reliable way for social networking sites (such as Bebo and MySpace) to verify people’s age online so that they could better protect kids. Overall, it sounded reasonably like my “A solution for Web 2.0 identity” angle.
The second one “Making Policy Popular: Security, Privacy, Trust and Consumer Confidence in Government Systems” by Toby Stevens used UK’s national identity card project as an example of the problems faced by governments in conceptualising and implementing major IT projects.
On both accounts, the work being done in NZ was on the mark.