NZ: avoiding the folly of absolutes

September 13, 2007 at 7:17 pm 3 comments

Yesterday I gave a presentation, “All-of-government Authentication and Privacy”, at the Technology and Privacy Forum hosted by the Office of the Privacy Commissioner.

Ken Lewis wrote about it in m-net: “Govt’s online authentication regime no guarantee against fraud”.

Unfortunately, the article has several factual errors and misinterpretations. Nevertheless, the basic point that he makes, “[the service] will not stop people defrauding the government”, is accurately reported.

As I’ve mentioned earlier in a post about the folly of absolutes, there is no point trying to set an expectation of a foolproof solution.

Whether a person’s identity is verified by an opt-in service over the Internet (the Identity Verification Service, for example), by documents, or by national identity cards as in some countries, anyone who thinks that these completely root out identity fraud is kidding themselves.

People need to think about levels of confidence rather than absolutes.

Ken was probably accurate in quoting me saying, “The idea is to minimise ID fraud and to react quickly to it.” By not setting an expectation of an absolute, it becomes possible to plan for fraud, design for it, and ensure that processes are in place to deal with it.

Entry filed under: authentication, fraud, government, igovt, NZ, personal_info, privacy, security, strategy.


3 Comments Add your own

  • 1. codetechnology  |  September 14, 2007 at 2:48 am

    I have had many conversations with my gov’t clients around this topic… what if someone steals a user’s password? what if they ‘borrow’ the fob, use it and return without the user knowing? These exchanges always seem to focus on electronic data theft.

    What if someone drives a truck thru a ground floor office window so they can steal a filing cabinet containing sensitive information? This possibility (it actually happened once) doesn’t cause us to encase our offices in concrete…

    If someone wishes to commit a crime, they will, and the authentication service may only serve to slow them down.


  • 2. stephen revill  |  September 14, 2007 at 10:17 am

    I think Mike is comparing apples with pears.

    Neither a file cabinet nor a computer is an authenticator. A password is. So is a signature. The problem is that a signature does not work well or easily in the digital world while a password is a particularly weak authenticator.

    The Banking Ombudsman said as long ago as 1999 (in her annual report):

    [A PIN as a series of numbers] “is an inherently risky identification device [when] compared to a signature. [The problem is that an EFTPOS or an ATM] terminal cannot tell whether the person entering the PIN is the true owner of the PIN.”

    Two factor authentication does of course help. But there are still problems with that technique. See Bruce Schneier’s views on this at

    Fraud can never be eliminated in either the physical world or the digital world. The question though is who of the two innocent parties is to accept liability, and if both – then on what basis and in what proportion. The law has largely required banks to accept liability for forged cheques. The banks however clearly feel more uncomfortable about assuming liability for fraudulent dealings when it comes to internet banking.

    I am not sure why – unless the real level of losses is much higher than publicly admitted. The latest version of the Banking Code could not be said to engender trust amongst customers given the things that a customer has to prove in order to ensure they cannot be said to be wholly or partly responsible for the loss.

    The same questions will arise in the context of government to citizen dealings on-line. Let’s hope some real thought is given to the policy framework around these issues before government’s authentication programme is properly rolled out.

    Stephen Revill

  • 3. Slarty  |  September 15, 2007 at 10:30 am

    … my experience in the law enforcement sector is that unified forms of ID and authentication systems increase the level of ID Fraud… e.g. the NZ Photo licence is one of the greatest enablers of ID based fraud now. Had it not been introduced I suspect our already excellent fraud rate would be even lower…

