Smart Cards and Biometrics Is a Nightmare-Free Australia Card Feasible ?? Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU http://www.anu.edu.au/Roger.Clarke/.... ..../DV/ ID-ACTSTL-0603 {.html,.ppt} A.C.T. Society for Technology and the Law 23 March 2006

1. National Id Schemes 2. Smart Cards 3. Biometrics 4. Politics Is a Nightmare-Free Australia Card Feasible ?? 1. National Id Schemes 2. Smart Cards 3. Biometrics 4. Politics

Human (Id)entification and (Id)entifiers Appearance how the person looks Social Behaviour how the person interacts with others _________________________________________________________________________________________________________________ Names what the person is called by other people Codes what the person is called by an organisation Bio-dynamics what the person does Natural Physiography what the person is Imposed Physical what the person is now Characteristics

Human Identity Authentication What the Person Knows e.g. mother’s maiden name, Password, PIN What the Person Has (‘Credentials’) e.g. a Token, such as an ‘ID-Card’, a Ticket e.g. a Digital Token such as “a Digital Signature consistent with the Public Key attested to by a Digital Certificate” Human Entity Authentication What the Person Is (Static Biometrics) What the Person Does (Dynamic Biometrics)

The Scope of an Identification Scheme Specific-Purpose for individual organisations or programmes Bounded Multi-Purpose e.g. European Inhabitant Registration schemes limited to tax, social welfare, health insurance (cf. the TFN – Australian politicians are liars) General-Purpose National Identification Schemes e.g. USSR, ZA under Apartheid, Malaysia, Singapore

Elements of a National ID Scheme http://www.anu.edu.au/Roger.Clarke/DV/NatIDSchemeElms.html A Database centralised or hub (i.e. virtually centralised) merged or new A Unique Signifier for Every Individual A 'Unique Identifier' A Biometric Entifier An (Id)entification Token (such as an ID Card) QA Mechanisms for: (Id)entity Authentication (Id)entification Obligations Imposed on: Every Individual Many Organisations Widepread: Data Flows including the (Id)entifier Use of the (Id)entifier Use of the Database Sanctions for Non-Compliance

Claimed Benefits of a Nat’l Id Scheme http://www. privacy. org Claimed Benefits of a Nat’l Id Scheme http://www.privacy.org.au/Campaigns/ID_cards/NatIDScheme.html#CaseFor (aka ‘furphy-watch’) Reduction in Identity Fraud and Identity Theft (very limited – that’s already addressed in many other programs; and it entrenches false id’s) Enhanced National Security / Anti-Terrorism (zero impact, because terrorists are either foreign, or they’re ‘sleepers’ / ‘virgins’) Productivity / Service-Delivery Benefits (achievable with specific-purpose and at worst multi-purpose schemes, not general-purpose)

2. Smart Cards

Categories of SmartCards 'memory cards' with storage-only 'smart-cards' storage, processor, systems software, applications software, permanent data, variable data 'super-smart cards’ smart-cards with a (very small) key-pad and display ‘contact-based cards’ require controlled contact with a reader ‘contactless cards’ may be read at short distance (or longer?) requires an aerial ‘hybrid cards’ with both capabilities

Chip and Carrier credit-card sized plastic card ‘tag’ (clothing-tag, RFID-tag) ... tin can cardboard carton pallet animal body human body

Convenient Carriers for Chips Cards: credit-card sized mobile (‘SIM’) ... Tags: clothing-tag RFID-tag bracelet, anklet Things: tin can cardboard carton pallet car-body engine-block ... People: neck of a pet, or valuable livestock wrist, gum or scrotum of a human being

System Design Potentials Storage Capacity greater than other technologies such as embossing and mag-stripe Ability enhanced to provide services from a standalone unit, without connection to a host Storage segmentation ability Use of the same card for multiple services Use of the same card to link card-holders to multiple service-providers

System Design Potentials – Security Non-Replicability of active elements of the card Third-Party Access to data is more challenging Authentication of devices with which the card communicates Application of different security measures for each storage segment Use of the same card for multiple services Use of the same card to independently link card-holders to multiple service-providers

SmartCards as (Id)entity Authenticators ? Stored Name, Identifier, other data ? Stored Photo ? Stored Biometric ? Stored One-Time Passwords ? Stored Private Digital Signature Key ?

Basic Requirements of a SmartCard (Id)entity Authenticator (1 of 2) Restrict identified transaction trails to circumstances in which they are justified (because of the impossibility of alternatives) Sustain anonymity except where it is demonstrably inadequate Make far greater use of pseudonymity, using protected indexes Make far greater use of attribute authentication Implement and authenticate role-ids rather than person-ids Use (id)entity authentication only where it is essential Sustain multiple specific-purpose ids, avoid multi-purpose ids Ensure secure separation between applications

Basic Requirements of a SmartCard (Id)entity Authenticator (2 of 2) Ownership of each card by the individual, not the State Design of chip-based ID schemes transparent and certified Issue and configuration of cards undertaken by multiple organisations, including competing private sector corporations, within contexts set by standards bodies, in consultation with government and (critically) public interest representatives No central storage of private keys No central storage of biometrics Two-way device authentication, i.e. every personal chip must verify the authenticity of devices that seek to transact with it, and must not merely respond to challenges by devices

3. Biometrics

Biometrics Technologies Currently in Vogue Iris Thumb / Finger / Palm-Print(s) Hand Geometry Voice Face Special Case DNA Promised Body Odour Multi-Attribute Variously Dormant or Extinct Cranial Measures Face Thermograms Veins (hands, earlobes) Retinal Scan Handprint Written Signature Keystroke Dynamics Skin Optical Reflectance ...

Imposed Biometrics “imposed physical identifiers ... branding, tattooing, implanted micro-chips” The [London] Financial Times, 6 Mar 06

Categories of Biometric Application Authentication 1-to-1 / ref. measure from somewhere / tests an ‘entity assertion’ Identification 1-to-(very-)many / ref. measures from a database that contains data about population-members / generates an ‘entity assertion’ Vetting against a Blacklist 1-to-many / ref. measures and data of a small population of wanted or unwanted people / may create an ‘entity assertion’ Duplicate Detection 1-to-(very-)many / ref. measures of a large population / may create an assertion ‘person already enrolled’

The Biometric Process

Privacy-Sensitive Architecture e. g Privacy-Sensitive Architecture e.g. Authentication Against a Block-List

Fraudulent Misrepresentation of the Efficacy of Face Recognition The Tampa SuperBowl was an utter failure Ybor City FL was an utter failure Not one person was correctly identified by face recognition technology in public places Independent testing results are not available Evidence of effectiveness is all-but non-existent Ample anecdotal evidence exists of the opposite

Realistic Representation of the Efficacy of Face Recognition “Smartgate doesn’t enhance security. “It helps flow and efficiency in the limited space available in airports” Murray Harrison CIO, Aust Customs 7 March 2006

Quality Factors in Biometrics Reference-Measure Quality The Person's Feature (‘Enrolment’) The Acquisition Device The Environmental Conditions The Manual Procedures The Interaction between Subject and Device The Automated Processes Association Quality Depends on a Pre-Authentication Process Subject to the Entry-Point Paradox Associates data with the ‘Person Presenting’ and hence Entrenches Criminal IDs Risks capture and use for Masquerade Facilitates Identity Theft Risk of an Artefact Substituted for, or Interpolated over, the Feature Test-Measure Quality The Person's Feature (‘Acquisition’) The Acquisition Device The Environmental Conditions The Manual Procedures The Interaction between Subject and Device The Automated Processes Comparison Quality Feature Uniqueness Feature Change: Permanent Temporary Ethnic/Cultural Bias “Our understanding of the demographic factors affecting biometric system performance is ... poor” (Mansfield & Wayman, 2002) Material Differences in: the Processes the Devices the Environment the Interactions An Artefact: Substituted Interpolated Result-Computation Quality Print Filtering and Compression: Arbitrary cf. Purpose-Built The Result-Generation Process The Threshhold Setting: Arbitrary? Rational? Empirical? Pragmatic? Exception-Handling Procedures: Non-Enrolment Non-Acquisition ‘Hits’

‘Factors Affecting Performance’ (Mansfield & Wayman, 2002) Demographics (youth, aged, ethnic origin, gender, occupation) Template Age Physiology (hair, disability, illness, injury, height, features, time of day) Appearance (clothing, cosmetics, tattoos, adornments, hair-style, glasses, contact lenses, bandages) Behaviour (language, accent, intonation, expression, concentration, movement, pose, positioning, motivation, nervousness, distractions) Environment (background, stability, sound, lighting, temperature, humidity, rain) Device (wear, damage, dirt) Use (interface design, training, familiarity, supervision, assistance)

The Mythology of Identity Authentication That’s Been Current Since 12 September 2001 Mohammad Atta’s rights: to be in the U.S.A. to be in the airport to be on the plane to be within 4 feet of the cockpit door to use the aircraft’s controls Authentication of which assertion, in order to prevent the Twin Towers assault? Identity (1 among > 6 billion)? Attribute (not 1 among half a dozen)?

Biometrics and Single-Mission Terrorists “Biometrics ... can’t reduce the threat of the suicide bomber or suicide hijacker on his virgin mission. The contemporary hazard is a terrorist who travels under his own name, his own passport, posing as an innocent student or visitor until the moment he ignites his shoe-bomb or pulls out his box-cutter” (Jonas G., National Post, 19 Jan 2004) “it is difficult to avoid the conclusion that the chief motivation for deploying biometrics is not so much to provide security, but to provide the appearance of security” (The Economist, 4 Dec 2003)

4. Politics

Threats of the Age Terrorism Religious Extremism Islamic Fundamentalism

Threats of the Age Terrorism Religious Extremism Islamic Fundamentalism Law and Order Extremism National Security Fundamentalism

Mythologies of Identity Control That the assertions that need to be authenticated are assertions of identity (cf. fact, value, attribute, agency and location) That individuals only have one identity That identity and entity are the same thing That biometric identification: works is inevitable doesn’t threaten freedoms will help much will help at all in counter-terrorism Every organisation is part of the national security apparatus

Myth No. 2 – This is about ‘just another Card’ Characteristics of a National ID Scheme Destruction of protective ‘data silos’ Destruction of protective ‘identity silos’ Consolidation of individuals’ many identities into a single general-purpose identity ==> The Infrastructure of Dataveillance Consolidation of power in organisations that exercise social control functions Availability of that power to many organisations

Identity Management of the Most Chilling Kind The Public-Private Partnership for Social Control With the Capacity to Perform Cross-System Enforcement Services Denial Identity Denial Masquerade Identity Theft

Myth No. 5 Strong Form: A national ID scheme is essential to national security Less Strong Form: A national ID scheme will contribute significantly to national security

Terrorists, Organised Crime, Illegal Immigrants Benefits Are Illusory Mere assertions of benefits, no explanation: ‘it’s obvious’, ‘it’s intuitive’, ‘of course it will work’, all of which are partners to simplistic notions like ‘Zero-Tolerance’ and ‘we need to do anything that might help us wage the war on terrorism’ Lack of detail on systems design Continual drift in features Analyses undermine the assertions Proponents avoid discussing the analyses

Miscreants (Benefits Recipients, Fine-Avoiders, Miscreants (Benefits Recipients, Fine-Avoiders, ...) Benefits May Arise, But Are Seriously Exaggerated Lack of detail on systems design Continual drift in features Double-counting of benefits from the ID Scheme and the many existing programs Analyses undermine the assertions Proponents avoid discussing the analyses

A National ID Scheme can be devised so as to preclude abuse by: Myth No. 7 A National ID Scheme can be devised so as to preclude abuse by: Unelected Governments Invaders Military Putsch Elected Governments that act outside the law that arrange the law as they wish

Myth No. 8 The public accepts that ‘the world changed on 11. (12 Myth No. 8 The public accepts that ‘the world changed on 11? (12!) September 2001’ Privacy valuations are highly situational The gloss has gone People are becoming inured / bored / realistic about ‘the threat of terrorism’ People know that a national ID scheme won’t prevent terrorism Zogby Poll 2 Feb 2006 ‘01-‘05 Support Collapses % - % Luggage Search 63 - 44 Car Search 60 - 37 Roadblock Search 59 - 33 Mail Search 55 - 25 Tel Monitoring 38 - 28 http://www.zogby.com/news/ReadNews.dbm?ID=1068

Conclusion PETs can address some PITs, but a nightmare-free Australia Card is not feasible Any intellectual, and any regulator, who accommodates a national identification scheme, is selling-out liberty, and derogating their duties as human beings We must not be cowed by either of the twin terrors of Islamic Fundamentalism and National Security Fundamentalism

Smart Cards and Biometrics Is a Nightmare-Free Australia Card Feasible ?? Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU http://www.anu.edu.au/Roger.Clarke/.... ..../DV/ ID-ACTSCL-0603 {.html,.ppt} A.C.T. Society for Technology and the Law 23 March 2006