Copyright 1988-2006 Roger Clarke, Xamax Consultancy, Canberra; Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU

Presentation transcript:

Smart Cards and Biometrics: Is a Nightmare-Free Australia Card Feasible ??
Copyright Roger Clarke, Xamax Consultancy, Canberra; Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU
A.C.T. Society for Technology and the Law, 23 March 2006
ID-ACTSTL-0603 {.html,.ppt}

Is a Nightmare-Free Australia Card Feasible ??
1. National Id Schemes
2. Smart Cards
3. Biometrics
4. Politics

Human (Id)entification and (Id)entifiers
- Appearance: how the person looks
- Social Behaviour: how the person interacts with others
--------
- Names: what the person is called by other people
- Codes: what the person is called by an organisation
--------
- Bio-dynamics: what the person does
- Natural Physiography: what the person is
- Imposed Physical Characteristics: what the person is now


Human Identity Authentication
- What the Person Knows, e.g. mother's maiden name, Password, PIN
- What the Person Has (Credentials)
  - e.g. a Token, such as an ID-Card, a Ticket
  - e.g. a Digital Token such as a Digital Signature consistent with the Public Key attested to by a Digital Certificate
Human Entity Authentication
- What the Person Is (Static Biometrics)
- What the Person Does (Dynamic Biometrics)

The Scope of an Identification Scheme
- Specific-Purpose, for individual organisations or programmes
- Bounded Multi-Purpose, e.g. European Inhabitant Registration schemes, limited to tax, social welfare, health insurance (cf. the TFN – Australian politicians are liars)
- General-Purpose National Identification Schemes, e.g. USSR, ZA under Apartheid, Malaysia, Singapore

Elements of a National ID Scheme
- A Database
  - centralised or hub (i.e. virtually centralised)
  - merged or new
- A Unique Signifier for Every Individual
  - A 'Unique Identifier'
  - A Biometric Entifier
- An (Id)entification Token (such as an ID Card)
- QA Mechanisms for:
  - (Id)entity Authentication
  - (Id)entification
- Obligations Imposed on:
  - Every Individual
  - Many Organisations
- Widespread:
  - Data Flows including the (Id)entifier
  - Use of the (Id)entifier
  - Use of the Database
- Sanctions for Non-Compliance

Claimed Benefits of a Nat'l Id Scheme (aka furphy-watch)
- Reduction in Identity Fraud and Identity Theft (very limited – that's already addressed in many other programs; and it entrenches false ids)
- Enhanced National Security / Anti-Terrorism (zero impact, because terrorists are either foreign, or they're sleepers / virgins)
- Productivity / Service-Delivery Benefits (achievable with specific-purpose and at worst multi-purpose schemes, not general-purpose)

Smart Cards

Categories of SmartCards
- 'memory cards': with storage-only
- 'smart-cards': storage, processor, systems software, applications software, permanent data, variable data
- 'super-smart cards': smart-cards with a (very small) key-pad and display
- contact-based cards: require controlled contact with a reader
- contactless cards: may be read at short distance (or longer?); requires an aerial
- hybrid cards: with both capabilities

Chip and Carrier
- credit-card sized plastic card
- tag (clothing-tag, RFID-tag) ...
- tin can, cardboard carton, pallet ...
- animal body, human body

Convenient Carriers for Chips
- Cards: credit-card sized; mobile (SIM) ...
- Tags: clothing-tag; RFID-tag; bracelet, anklet ...
- Things: tin can; cardboard carton; pallet; car-body; engine-block ...
- People: neck of a pet, or valuable livestock; wrist, gum or scrotum of a human being

System Design Potentials
- Storage Capacity greater than other technologies such as embossing and mag-stripe
- Ability enhanced to provide services from a standalone unit, without connection to a host
- Storage segmentation ability
- Use of the same card for multiple services
- Use of the same card to link card-holders to multiple service-providers

System Design Potentials – Security
- Non-Replicability of active elements of the card
- Third-Party Access to data is more challenging
- Authentication of devices with which the card communicates
- Application of different security measures for each storage segment
- Use of the same card for multiple services
- Use of the same card to independently link card-holders to multiple service-providers

SmartCards as (Id)entity Authenticators ?
- Stored Name, Identifier, other data ?
- Stored Photo ?
- Stored Biometric ?
- Stored One-Time Passwords ?
- Stored Private Digital Signature Key ?

Basic Requirements of a SmartCard (Id)entity Authenticator (1 of 2)
- Restrict identified transaction trails to circumstances in which they are justified (because of the impossibility of alternatives)
- Sustain anonymity except where it is demonstrably inadequate
- Make far greater use of pseudonymity, using protected indexes
- Make far greater use of attribute authentication
- Implement and authenticate role-ids rather than person-ids
- Use (id)entity authentication only where it is essential
- Sustain multiple specific-purpose ids, avoid multi-purpose ids
- Ensure secure separation between applications

Basic Requirements of a SmartCard (Id)entity Authenticator (2 of 2)
- Ownership of each card by the individual, not the State
- Design of chip-based ID schemes transparent and certified
- Issue and configuration of cards undertaken by multiple organisations, including competing private sector corporations, within contexts set by standards bodies, in consultation with government and (critically) public interest representatives
- No central storage of private keys
- No central storage of biometrics
- Two-way device authentication, i.e. every personal chip must verify the authenticity of devices that seek to transact with it, and must not merely respond to challenges by devices
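
The two-way device authentication requirement, as an added sketch that is not part of the presentation: the card issues its own challenge and stays silent unless the device proves itself first, in contrast to a card that answers any challenge. The shared HMAC key, the class names and the message layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def mac(key, *fields):
    """HMAC-SHA256 over length-prefixed fields (direction label first)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()

class ChallengeOnlyCard:
    """The design the slide rejects: answers a challenge from any device."""
    def __init__(self, key):
        self._key = key

    def respond(self, device_nonce):
        return mac(self._key, b"card", device_nonce)

class TwoWayCard:
    """Chip that verifies the device before proving anything about itself."""
    def __init__(self, key):
        self._key = key
        self._nonce = None

    def challenge(self):
        self._nonce = secrets.token_bytes(16)  # fresh for every transaction
        return self._nonce

    def respond(self, device_nonce, device_proof):
        nonce, self._nonce = self._nonce, None  # a card nonce is single-use
        if nonce is None:
            return None
        expected = mac(self._key, b"device", nonce, device_nonce)
        if not hmac.compare_digest(expected, device_proof):
            return None  # unauthenticated device gets no response at all
        return mac(self._key, b"card", device_nonce, nonce)

class Device:
    """Reader or terminal; an unapproved one simply lacks the right key."""
    def __init__(self, key):
        self._key = key

    def transact(self, card):
        card_nonce = card.challenge()
        my_nonce = secrets.token_bytes(16)
        proof = mac(self._key, b"device", card_nonce, my_nonce)
        answer = card.respond(my_nonce, proof)
        if answer is None:
            return "card refused device"
        expected = mac(self._key, b"card", my_nonce, card_nonce)
        ok = hmac.compare_digest(expected, answer)
        return "mutually authenticated" if ok else "card not authentic"

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key held by approved devices
    print(Device(key).transact(TwoWayCard(key)))
    print(Device(secrets.token_bytes(32)).transact(TwoWayCard(key)))
```

The direction labels ("device", "card") keep one side's proof from being reflected back as the other's, and clearing the card nonce after one use blocks replay of a captured device proof.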

Biometrics

Biometrics Technologies
- Variously Dormant or Extinct: Cranial Measures; Face Thermograms; Veins (hands, earlobes); Retinal Scan; Handprint; Written Signature; Keystroke Dynamics; Skin Optical Reflectance ...
- Currently in Vogue: Iris; Thumb / Finger / Palm-Print(s); Hand Geometry; Voice; Face
- Special Case: DNA
- Promised: Body Odour; Multi-Attribute

Imposed Biometrics
- imposed physical identifiers ... branding, tattooing, implanted micro-chips
- The [London] Financial Times, 6 Mar 06

Categories of Biometric Application
- Authentication: 1-to-1 / ref. measure from somewhere / tests an entity assertion
- Identification: 1-to-(very-)many / ref. measures from a database that contains data about population-members / generates an entity assertion
- Vetting against a Blacklist: 1-to-many / ref. measures and data of a small population of wanted or unwanted people / may create an entity assertion
- Duplicate Detection: 1-to-(very-)many / ref. measures of a large population / may create an assertion 'person already enrolled'
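
The four categories differ in which reference measures a test measure is compared with, and in whether the result tests an assertion or generates one. The following added example (not from the presentation) shows this with constructed 16-bit measures, a Hamming-distance matcher and an assumed threshold; the exposure formula goes beyond the slide and assumes independent comparisons.

```python
def distance(a, b):
    """Hamming distance between two equal-length bit-string measures."""
    if len(a) != len(b):
        raise ValueError("measures must have equal length")
    return sum(x != y for x, y in zip(a, b))

def authenticate(test, reference, threshold):
    """1-to-1: tests an entity assertion against a single reference measure."""
    return distance(test, reference) <= threshold

def identify(test, references, threshold):
    """1-to-many: generates an assertion per reference within threshold."""
    return sorted(who for who, ref in references.items()
                  if distance(test, ref) <= threshold)

def vet(test, blacklist, threshold):
    """1-to-many against a small list: may create an entity assertion."""
    return identify(test, blacklist, threshold)

def duplicate_check(new_measure, enrolled, threshold):
    """1-to-(very-)many at enrolment: may assert 'person already enrolled'."""
    return bool(identify(new_measure, enrolled, threshold))

def false_match_exposure(per_comparison_rate, population):
    """Chance of at least one false match when one test measure is compared
    with N references, assuming independent comparisons at the same rate."""
    return 1 - (1 - per_comparison_rate) ** population

# Constructed 16-bit measures; real templates are far larger.
ENROLLED = {
    "alice": "1010110011110000",
    "bob": "0101001100001111",
    "carol": "1010110011001100",
}
ALICE_TODAY = "1010110011110011"  # alice, with 2 bits of acquisition noise
STRANGER = "1010110011001111"     # never enrolled, but 2 bits from carol

if __name__ == "__main__":
    print(authenticate(ALICE_TODAY, ENROLLED["alice"], 3))
    print(identify(ALICE_TODAY, ENROLLED, 3))
    print(identify(ALICE_TODAY, ENROLLED, 6))   # looser threshold, two names
    print(identify(STRANGER, ENROLLED, 3))      # an assertion is generated
    print(duplicate_check(STRANGER, ENROLLED, 3))
    print(round(false_match_exposure(0.001, 1000), 3))
```

The same threshold that rejects the stranger in a 1-to-1 check against alice's reference produces a false assertion once the comparison runs over the whole set of references.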

The Biometric Process

Privacy-Sensitive Architecture, e.g. Authentication Against a Block-List

Fraudulent Misrepresentation of the Efficacy of Face Recognition
- The Tampa SuperBowl was an utter failure
- Ybor City FL was an utter failure
- Not one person was correctly identified by face recognition technology in public places
- Independent testing results are not available
- Evidence of effectiveness is all-but non-existent
- Ample anecdotal evidence exists of the opposite

Realistic Representation of the Efficacy of Face Recognition
"Smartgate doesn't enhance security. It helps flow and efficiency in the limited space available in airports"
Murray Harrison, CIO, Aust Customs, 7 March 2006

Quality Factors in Biometrics
- Reference-Measure Quality
  - The Person's Feature ('Enrolment')
  - The Acquisition Device
  - The Environmental Conditions
  - The Manual Procedures
  - The Interaction between Subject and Device
  - The Automated Processes
- Association Quality
  - Depends on a Pre-Authentication Process
  - Subject to the Entry-Point Paradox
  - Associates data with the Person Presenting and hence Entrenches Criminal IDs
  - Risks capture and use for Masquerade
  - Facilitates Identity Theft
  - Risk of an Artefact Substituted for, or Interpolated over, the Feature
- Material Differences in: the Processes; the Devices; the Environment; the Interactions
- An Artefact: Substituted; Interpolated
- Result-Computation Quality
  - Print Filtering and Compression: Arbitrary cf. Purpose-Built
  - The Result-Generation Process
  - The Threshold Setting: Arbitrary? Rational? Empirical? Pragmatic?
  - Exception-Handling Procedures: Non-Enrolment; Non-Acquisition; Hits
- Test-Measure Quality
  - The Person's Feature ('Acquisition')
  - The Acquisition Device
  - The Environmental Conditions
  - The Manual Procedures
  - The Interaction between Subject and Device
  - The Automated Processes
- Comparison Quality
  - Feature Uniqueness
  - Feature Change: Permanent; Temporary
  - Ethnic/Cultural Bias
- "Our understanding of the demographic factors affecting biometric system performance is ... poor" (Mansfield & Wayman, 2002)

Factors Affecting Performance (Mansfield & Wayman, 2002)
- Demographics (youth, aged, ethnic origin, gender, occupation)
- Template Age
- Physiology (hair, disability, illness, injury, height, features, time of day)
- Appearance (clothing, cosmetics, tattoos, adornments, hair-style, glasses, contact lenses, bandages)
- Behaviour (language, accent, intonation, expression, concentration, movement, pose, positioning, motivation, nervousness, distractions)
- Environment (background, stability, sound, lighting, temperature, humidity, rain)
- Device (wear, damage, dirt)
- Use (interface design, training, familiarity, supervision, assistance)

The Mythology of Identity Authentication That's Been Current Since 12 September 2001
- Mohammad Atta's rights:
  - to be in the U.S.A.
  - to be in the airport
  - to be on the plane
  - to be within 4 feet of the cockpit door
  - to use the aircraft's controls
- Authentication of which assertion, in order to prevent the Twin Towers assault?
  - Identity (1 among > 6 billion)?
  - Attribute (not 1 among half a dozen)?

Biometrics and Single-Mission Terrorists
- "Biometrics ... can't reduce the threat of the suicide bomber or suicide hijacker on his virgin mission. The contemporary hazard is a terrorist who travels under his own name, his own passport, posing as an innocent student or visitor until the moment he ignites his shoe-bomb or pulls out his box-cutter" (Jonas G., National Post, 19 Jan 2004)
- "it is difficult to avoid the conclusion that the chief motivation for deploying biometrics is not so much to provide security, but to provide the appearance of security" (The Economist, 4 Dec 2003)

Politics

Threats of the Age
- Terrorism
- Religious Extremism
- Islamic Fundamentalism

Threats of the Age
- Terrorism
- Religious Extremism
- Islamic Fundamentalism
- Law and Order Extremism
- National Security Fundamentalism

Mythologies of Identity Control
- That the assertions that need to be authenticated are assertions of identity (cf. fact, value, attribute, agency and location)
- That individuals only have one identity
- That identity and entity are the same thing
- That biometric identification:
  - works
  - is inevitable
  - doesn't threaten freedoms
  - will help much
  - will help at all in counter-terrorism
- Every organisation is part of the national security apparatus

Myth No. 2 – 'This is about just another Card'
Characteristics of a National ID Scheme
- Destruction of protective 'data silos'
- Destruction of protective 'identity silos'
- Consolidation of individuals' many identities into a single general-purpose identity ==> The Infrastructure of Dataveillance
- Consolidation of power in organisations that exercise social control functions
- Availability of that power to many organisations

Identity Management of the Most Chilling Kind
- The Public-Private Partnership for Social Control
- With the Capacity to Perform: Cross-System Enforcement; Services Denial; Identity Denial; Masquerade; Identity Theft

Myth No. 5
- Strong Form: A national ID scheme is essential to national security
- Less Strong Form: A national ID scheme will contribute significantly to national security

Terrorists, Organised Crime, Illegal Immigrants: Benefits Are Illusory
- Mere assertions of benefits, no explanation: 'it's obvious', 'it's intuitive', 'of course it will work', all of which are partners to simplistic notions like 'Zero-Tolerance' and 'we need to do anything that might help us wage the war on terrorism'
- Lack of detail on systems design
- Continual drift in features
- Analyses undermine the assertions
- Proponents avoid discussing the analyses

Miscreants (Benefits Recipients, Fine-Avoiders, ...): Benefits May Arise, But Are Seriously Exaggerated
- Lack of detail on systems design
- Continual drift in features
- Double-counting of benefits from the ID Scheme and the many existing programs
- Analyses undermine the assertions
- Proponents avoid discussing the analyses

Myth No. 7
A National ID Scheme can be devised so as to preclude abuse by:
- Unelected Governments
  - Invaders
  - Military Putsch
- Elected Governments
  - that act outside the law
  - that arrange the law as they wish

Myth No. 8
The public accepts that 'the world changed' on 11? (12!) September 2001
- Privacy valuations are highly situational
- The gloss has gone
- People are becoming inured / bored / realistic about 'the threat of terrorism'
- People know that a national ID scheme won't prevent terrorism
- Zogby Poll 2 Feb, Support Collapses (% - %): Luggage Search; Car Search; Roadblock Search; Mail Search; Tel Monitoring

Conclusion
- PETs can address some PITs, but a nightmare-free Australia Card is not feasible
- Any intellectual, and any regulator, who accommodates a national identification scheme, is selling-out liberty, and derogating their duties as human beings
- We must not be cowed by either of the twin terrors of Islamic Fundamentalism and National Security Fundamentalism
