Posts filed under ‘ID_cards’

Snapping at privacy

There have been some negative reports around Snapper and its approach to privacy so I decided to take a look.

Snapper is a stored-value contactless smartcard that can be used in Wellington’s buses and as an alternative to cash/EFTPOS for low value purchases. It’s similar to Oyster, Octopus, etc. but with a more secure chip.

Losing a Snapper card is like losing cash. So people will soon be able to register their cards online. If a registered card is lost, the person can transfer the balance to a new card.

That’s a good feature but the personal information Snapper collects has reportedly got the Privacy Commissioner “concerned” and “is asking the company to rewrite its privacy policy.” The concerns are around “the potential for the Snapper card to track an individual’s movements and spending, and the indefinite retention of this information.”

Next stop then, a look at its privacy policy.

As expected, Snapper’s privacy policy declares that “We are committed to protecting your privacy” which is a good start. One would hardly have expected them to say anything else.

After that, it’s all downhill. A very slippery, steep decline at that.

Part 4 of the privacy policy provides details of what and when personal information is collected. Over twelve sections, it then lays out the absolutely amazing jaw-dropping amount of personal information it will collect. For a company that has pretty slick marketing and advertising, it’s as if they’ve given Mr Hyde (the evil side of Dr Jekyll) the job of developing the most privacy-invasive approach possible.

For example, to set up an online account, Snapper says “we will collect personal information from you, including your name, title, email address, password, gender, date of birth, telephone numbers, postal or physical addresses, preferences, demographic information, and other personal information.”

Why? What possible justification can they have to collect this information? Incidentally, this probably makes it downright illegal.

Not being satisfied with that, they go on to say that “the information we collect when that Card is used will be associated with any personal information about the card holder that you supply.” So, they want both personal information plus profiling information. Wow! Considering the range of uses for the Snapper card outlined- everyday purchases, loyalty card, building access control, ticketing and event access- they seem more intent on being a datamart than a smartcard company.

Still not satisfied with that, they go on further to envisage Snapper being used as an identity card. They will then “collect additional information about you, which may include:

  • your date of birth
  • any relevant licences or endorsements that you hold
  • other attributes relevant for identification purposes (for example, which school or university you attend)”

I’m left shaking my head in wonder. Did a dinosaur somehow survive the Ice Age?

I can’t see how they can verify the information people give. So, despite their warnings against giving incorrect personal information, I’m willing to bet that a lot of people will do just that.

And yet, the solution for the most part is actually quite simple. Snapper could use pseudonymous identity rather than real identity. Leaving aside tracking usage or their notion of becoming an identity card (which I can’t even begin to imagine as even remotely realistic), using pseudonymous identity could keep everyone happy.

Otherwise, I’ll just stick to good old anonymous cash, thank you.


August 20, 2008 at 12:33 am 2 comments

Authenticating the Queen’s subjects

I’m just back from attending eGovernment 2008 in Canberra. For me, the big draw was an opportunity to attend a three hour workshop focussed on the UK’s Government Gateway. I sure wasn’t disappointed- the insights into the Government Gateway were quite an eye opener.

Attending the conference also led me to reflect on how online authentication is working for the Queen’s subjects in the UK, Australia, and New Zealand. It’s quite fascinating how each of them reflects a different approach and is also very much a product of its time.

First, Australia. Still very PKI focussed, as in standard X.509 certs in the user’s computer. There are some good intentions from the federal policy body AGIMO (Australian Government Information Management Office) to move on to solutions that work for people (not computers) but the mindset of the average government official is definitely digital certs.

A good example of this focus is the success of VANguard. VANguard’s authentication service is probably best described as an authentication broker whose main function is to allow for interoperability of digital certs issued by various CAs. This is a good step so that businesses (it’s mostly business-focussed) can use the same digital cert with multiple RPs. It’s a back-end hub so that various front-ends and portals, such as bizgate in South Australia, can draw on its functionality. Still, it has all the limitations inherent in the old PKI designs.

It’ll be interesting to see how AGIMO’s proposed National e-Authentication Framework will differ from their existing AGAF (Australian Government e-Authentication Framework) which is separate for businesses and individuals.

Back to the UK’s Government Gateway. From the outside, so much of the focus has been on the UK’s plans for a national identity card that people, including me, can’t distinguish the good stuff they have done and are continuing to do in the online authentication space from the bad. Jim Purves, Head of Product Strategy in the Cabinet Office gave terrific insights into the chequered history of the Gateway as well as plans going forward.

The Gateway is very privacy-protective, very focussed on providing authentication and SSO for the UK Government’s online services. They are introducing SAML 2 soon but that also has the downside of continued support for all the current protocols. They’ve had some significant funding challenges in the past but now have “strategic investors” from within government so the future is bright. Trust and confidence in the Gateway is at an all-time high.

Purely speculative on my part but I think they’ve got a big cloud on the horizon- when the national identity card folks come calling. That could potentially lead to a fundamental change in approach. That’s the unfortunate steamrolling impact of the national identity card. Also interesting how they handle pan-European interoperability but, with a strong Liberty Alliance foundation, I imagine they are well placed to handle that.

So, how does NZ stack up? The proper comparison is with the GLS or Government Logon Service (which will be re-branded igovt later this year). There’s no doubt that the GLS is the most privacy-protective of the lot and has all the right moving bits.

Once the IVS or Identity Verification Service and then GOAAMS or Government Online Attribute Assertion Meta System is added to igovt, then it’s a whole new ballgame for NZ.

But, there is clearly one area that the GLS should look at- adding a web services (ID-WSF) capability in addition to the current browser re-direct (ID-FF). That will provide many new opportunities off the same infrastructure, such as acting as an authenticating receiver for XML messages. The UK’s Government Gateway currently does that for all electronic tax filings direct from standard tax and accounting packages.

All in all, interesting times and much thinking…

July 2, 2008 at 11:45 pm 1 comment

Making fingerprints less useful

Bruce Schneier approvingly calls it “political activism.”

I think it’s a stark reminder that some biometrics- such as a person’s fingerprints- are reasonably easy to get. And, once compromised, the person can’t ring up a help desk and get a new one (like they can passwords).

The current story revolves around Germany’s interior minister, Wolfgang Schäuble. He is apparently quite vocal about collecting and using biometrics to fight terrorism, including storing them in ePassports.

In the most recent issue of Die Datenschleuder, activists under the name of Chaos Computer Club (“Europe’s largest hacker group”) printed the image of what they claim is the fingerprint of his index finger.

The fingerprint, on a plastic foil that leaves fingerprints when it is pressed against biometric readers, is included in the 4,000 copies of the latest issue of the magazine. Schäuble’s fingerprint was said to be captured off a water glass he used last summer while participating in a public discussion at a University in Berlin.

If a person’s fingerprints are “in the wild” then they are a far less reliable way to authenticate the person for his/her whole life. If enough fingerprints are similarly widely available- whether by accident or deliberately- it will be enough to make fingerprinting almost useless.

March 31, 2008 at 10:56 pm 4 comments

Booze and privacy

It’s interesting to see how booze seems to bring up great questions of identity and privacy. Or maybe it’s just the Canadians?

Canadian Dick Hardt uses buying booze as an example in his famous Identity 2.0 presentation and makes very interesting points about using ID, such as a drivers licence, to buy booze.

Now comes another angle from Canada involving booze: if your ID is scanned when entering a bar, would that make you behave? That was one of the issues at the heart of a case decided by the Information and Privacy Commissioner of Alberta.

The Tantra Nightclub in Calgary had a practice of scanning driver licences before allowing people in. Clearly it is collecting and storing personal information as it includes an individual’s photograph, license number, birth date, address, and bar codes with embedded information unique to the individual driver’s license.

The club says that “We’ve got hard data that it works, we have inthat says crime and violence is down in our venues by over 77%.” On the other hand, the Information and Privacy Commissioner described the idea of ID scanning as a deterrent to violent behaviour as “conjecture” not backed up by hard data and ordered the club to stop the practice.

In terms of consent, the only thing that the complainant agreed to was the club confirming his date of birth off the licence.

This is precisely the kind of situation that the Laws of Identity frown upon in digital identity systems, in particular User Control and Consent; Minimal Disclosure for a Constrained Use; and Directed Identity. It is also another example of the unjustified expectation from ID cards that knowing a person’s identity somehow magically solves most societal problems.

February 22, 2008 at 10:41 pm 3 comments

The REAL problem: identity inflation

One of the problems with a compulsory national ID system- including a de facto one like REAL ID- is “identity inflation” or sometimes also referred to as “identity creep.”

Since everyone has a gold standard ID, government and businesses find it easier and easier to require one. Soon, situations that previously required only lower quality proof of identity or no identity at all, now require an ID card. Government and businesses find that they have an increasing number of problems that the ID card can “solve.”

There are certainly examples of this happening before. The British ID card went from 3 functions during World War II to 39 by the time it was abolished.

There are certainly examples of this happening now. In the final regulations, the Department of Homeland Security limited the required use of REAL ID to just three situations: boarding commercial airplanes, entering federal buildings, and entering nuclear power plants. However, only five days later, a senior official from that agency floated the idea of making customers show a REAL ID-compliant driver’s license to purchase over-the-counter cold medicine containing pseudoephedrine to combat illegal drug production.

The senior official went on to say, “The last thing I want to talk about, and very briefly, is the civil liberties objections to REAL ID, because I don’t understand them.” What a gem. He probably doesn’t realise just how accurate his words were! In any case, irony is hardly a strong suit for most government types.

Interestingly, in a generally pro-REAL ID article in Time, this was the one issue over which some concern was expressed, “The great leap forward from a longer arm for the law to “1984” will have to be made by the private sector. How well a watchful federal government will actually be able to track its citizens will depend on how many places demand to see your driver’s license. Airports already do. So do some supermarkets, if you’re buying beer. But what about malls? Movie theaters? Sports stadiums?”

A final perspective of identity inflation comes from, where else, the UK. Identity inflation is also about having more and more information held about people. Currently, the law specifies 50 categories of information that the National Identity Register can hold on each citizen. Why not, gradually, increase that? After all, what’s a few more pieces of information? All for the greater good, the public interest, and all the right stuff. Government’s got a problem to solve? Let’s store that one piece more of information that will “solve” the problem.

As I’ve said before, my opinion is that the REAL problem is more Franz Kafka than George Orwell.

February 6, 2008 at 9:46 pm 3 comments

India: Re-learning privacy lessons

There is nothing like re-learning privacy lessons from personal experience. Recently, for a financial transaction I had to find out my Indian tax identifier and in the process discovered just how easy it was for almost anyone to get that information online.

Indian tax authorities are focussed on reducing tax evasion and issue a unique static national identifier- called the Permanent Account Number (PAN) – after verifying the person’s identity. Providing a PAN is compulsory in most financial transactions. It is also compulsory in such diverse things as getting a phone or paying a hotel bill of approx. US$ 660 or more.

This makes sense from the perspective of the Indian tax authorities in a situation where only 2% of the country’s population pays taxes. Pulling together a person’s profile based on a unique key across multiple databases is easy and automated. A visit from the tax man soon follows.

However, from a protection of privacy angle, that’s terrible. That’s why in countries like New Zealand, the Privacy Act (Principle 12) specifically controls the usage of unique identifiers.

It would therefore be logical that there would be great barriers in finding out a person’s PAN in India. On the contrary, the Indian authorities obligingly provide an online service that provides the PAN to anyone who knows the name and date of birth of a person. It also gives the tax office of the person and therefore a good idea of where the person lives.

The next steps? Indian tax authorities plan to introduce biometric PAN cards. Again, something that makes sense for the government but little for the people.

Coming soon is a compulsory national identity card in a smartcard format which will provide a further network of linked unique identifiers.

Privacy anyone?

January 25, 2008 at 11:38 pm 1 comment

Demise of the Access Card

Reports from across the Tasman say that Australia’s new government has pulled the plug on the Access Card. The ID card that wasn’t supposed to be an ID card has been controversial and Labor seems to have decided that former Prime Minister John Howard’s baby should be aborted.

The official website has already been changed so clearly the government wants to move on.

The Access Card saga is a classic tale of how not to implement a major government initiative. Lack of consistent and clear messages compounded by a lack of transparency and trust has always made it difficult to separate fact from political noise.

As David Vaile of the Australian Privacy Foundation once put it, “The problem with the Access Card project is that it involves collecting the data first, connecting systems, and then deciding what to use it for.”

Privacy and civil liberties advocates are apprehensive that the reports of the death of the Access Card have been greatly exaggerated. They are keeping a watch out for any proposal to re-introduce the card in a new form, as was the case with the Australia Card.

I don’t think they need to worry. As the UK has shown, ID cards for countries that traditionally haven’t had them are now so passé.

December 6, 2007 at 9:58 pm Leave a comment
