1. Smart Cards and Biometrics
Is a Nightmare-Free Australia Card Feasible ??
Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU /DV/ ID-ACTSTL-0603 {.html,.ppt} A.C.T. Society for Technology and the Law 23 March 2006

2. 1. National Id Schemes 2. Smart Cards 3. Biometrics 4. Politics
Is a Nightmare-Free Australia Card Feasible ??
1. National Id Schemes Smart Cards 3. Biometrics 4. Politics

3. Human (Id)entification and (Id)entifiers
Appearance how the person looks
Social Behaviour how the person interacts with others
_________________________________________________________________________________________________________________
Names what the person is called
by other people
Codes what the person is called
by an organisation
Bio-dynamics what the person does
Natural Physiography what the person is
Imposed Physical what the person is now
Characteristics

5. Human Identity Authentication
What the Person Knows e.g. mother’s maiden name, Password, PIN
What the Person Has (‘Credentials’) e.g. a Token, such as an ‘ID-Card’, a Ticket e.g. a Digital Token such as “a Digital Signature consistent with the Public Key attested to by a Digital Certificate”
Human Entity Authentication
What the Person Is (Static Biometrics)
What the Person Does (Dynamic Biometrics)

6. The Scope of an Identification Scheme Specific-Purpose for individual organisations or programmes Bounded Multi-Purpose e.g. European Inhabitant Registration schemes limited to tax, social welfare, health insurance (cf. the TFN – Australian politicians are liars) General-Purpose National Identification Schemes e.g. USSR, ZA under Apartheid, Malaysia, Singapore

7. Elements of a National ID Scheme
A Database
centralised or hub (i.e. virtually centralised)
merged or new
A Unique Signifier for Every Individual
A 'Unique Identifier'
A Biometric Entifier
An (Id)entification Token (such as an ID Card)
QA Mechanisms for:
(Id)entity Authentication
(Id)entification
Obligations Imposed on:
Every Individual
Many Organisations
Widepread:
Data Flows including the (Id)entifier
Use of the (Id)entifier
Use of the Database
Sanctions for Non-Compliance

8. Claimed Benefits of a Nat’l Id Scheme http://www. privacy. org
Claimed Benefits of a Nat’l Id Scheme (aka ‘furphy-watch’)
Reduction in Identity Fraud and Identity Theft (very limited – that’s already addressed in many other programs; and it entrenches false id’s)
Enhanced National Security / Anti-Terrorism (zero impact, because terrorists are either foreign, or they’re ‘sleepers’ / ‘virgins’)
Productivity / Service-Delivery Benefits (achievable with specific-purpose and at worst multi-purpose schemes, not general-purpose)

9. 2. Smart Cards

10. Categories of SmartCards
'memory cards' with storage-only
'smart-cards' storage, processor, systems software, applications software, permanent data, variable data
'super-smart cards’ smart-cards with a (very small) key-pad and display
‘contact-based cards’ require controlled contact with a reader
‘contactless cards’ may be read at short distance (or longer?) requires an aerial
‘hybrid cards’ with both capabilities

11. Chip and Carrier credit-card sized plastic card
‘tag’ (clothing-tag, RFID-tag)
...
tin can
cardboard carton
pallet
animal body
human body

12. Convenient Carriers for Chips
Cards:
credit-card sized
mobile (‘SIM’)
...
Tags:
clothing-tag
RFID-tag
bracelet, anklet
Things:
tin can
cardboard carton
pallet
car-body
engine-block
...
People:
neck of a pet, or valuable livestock
wrist, gum or scrotum of a human being

13. System Design Potentials
Storage Capacity greater than other technologies such as embossing and mag-stripe
Ability enhanced to provide services from a standalone unit, without connection to a host
Storage segmentation ability
Use of the same card for multiple services
Use of the same card to link card-holders to multiple service-providers

14. System Design Potentials – Security
Non-Replicability of active elements of the card
Third-Party Access to data is more challenging
Authentication of devices with which the card communicates
Application of different security measures for each storage segment
Use of the same card for multiple services
Use of the same card to independently link card-holders to multiple service-providers

15. SmartCards as (Id)entity Authenticators ?
Stored Name, Identifier, other data ?
Stored Photo ?
Stored Biometric ?
Stored One-Time Passwords ?
Stored Private Digital Signature Key ?

16. Basic Requirements of a SmartCard (Id)entity Authenticator (1 of 2)
Restrict identified transaction trails to circumstances in which they are justified (because of the impossibility of alternatives)
Sustain anonymity except where it is demonstrably inadequate
Make far greater use of pseudonymity, using protected indexes
Make far greater use of attribute authentication
Implement and authenticate role-ids rather than person-ids
Use (id)entity authentication only where it is essential
Sustain multiple specific-purpose ids, avoid multi-purpose ids
Ensure secure separation between applications

17. Basic Requirements of a SmartCard (Id)entity Authenticator (2 of 2)
Ownership of each card by the individual, not the State
Design of chip-based ID schemes transparent and certified
Issue and configuration of cards undertaken by multiple organisations, including competing private sector corporations, within contexts set by standards bodies, in consultation with government and (critically) public interest representatives
No central storage of private keys
No central storage of biometrics
Two-way device authentication, i.e. every personal chip must verify the authenticity of devices that seek to transact with it, and must not merely respond to challenges by devices

18. 3. Biometrics

19. Biometrics Technologies
Currently in Vogue
Iris
Thumb / Finger / Palm-Print(s)
Hand Geometry
Voice
Face
Special Case
DNA
Promised
Body Odour
Multi-Attribute
Variously Dormant or Extinct
Cranial Measures
Face Thermograms
Veins (hands, earlobes)
Retinal Scan
Handprint
Written Signature
Keystroke Dynamics
Skin Optical Reflectance
...

20. Imposed Biometrics
“imposed physical identifiers ... branding, tattooing, implanted micro-chips”
The [London] Financial Times, 6 Mar 06

21. Categories of Biometric Application
Authentication
1-to-1 / ref. measure from somewhere / tests an ‘entity assertion’
Identification
1-to-(very-)many / ref. measures from a database that contains data about population-members / generates an ‘entity assertion’
Vetting against a Blacklist
1-to-many / ref. measures and data of a small population of wanted or unwanted people / may create an ‘entity assertion’
Duplicate Detection
1-to-(very-)many / ref. measures of a large population / may create an assertion ‘person already enrolled’

22. The Biometric Process

23. Privacy-Sensitive Architecture e. g
Privacy-Sensitive Architecture e.g. Authentication Against a Block-List

24. Fraudulent Misrepresentation of the Efficacy of Face Recognition
The Tampa SuperBowl was an utter failure
Ybor City FL was an utter failure
Not one person was correctly identified by face recognition technology in public places
Independent testing results are not available
Evidence of effectiveness is all-but non-existent
Ample anecdotal evidence exists of the opposite

25. Realistic Representation of the Efficacy of Face Recognition
“Smartgate doesn’t enhance security.
“It helps flow and efficiency in the limited space available in airports”
Murray Harrison
CIO, Aust Customs
7 March 2006

26. Quality Factors in Biometrics
Reference-Measure Quality
The Person's Feature (‘Enrolment’)
The Acquisition Device
The Environmental Conditions
The Manual Procedures
The Interaction between Subject and Device
The Automated Processes
Association Quality
Depends on a Pre-Authentication Process
Subject to the Entry-Point Paradox
Associates data with the ‘Person Presenting’ and hence Entrenches Criminal IDs
Risks capture and use for Masquerade
Facilitates Identity Theft
Risk of an Artefact Substituted for, or Interpolated over, the Feature
Test-Measure Quality
The Person's Feature (‘Acquisition’)
The Acquisition Device
The Environmental Conditions
The Manual Procedures
The Interaction between Subject and Device
The Automated Processes
Comparison Quality
Feature Uniqueness
Feature Change:
Permanent
Temporary
Ethnic/Cultural Bias
“Our understanding of the demographic factors affecting biometric system performance is ... poor” (Mansfield & Wayman, 2002)
Material Differences in:
the Processes
the Devices
the Environment
the Interactions
An Artefact:
Substituted
Interpolated
Result-Computation Quality
Print Filtering and Compression:
Arbitrary cf. Purpose-Built
The Result-Generation Process
The Threshhold Setting:
Arbitrary? Rational? Empirical? Pragmatic?
Exception-Handling Procedures:
Non-Enrolment
Non-Acquisition
‘Hits’

27. ‘Factors Affecting Performance’ (Mansfield & Wayman, 2002)
Demographics (youth, aged, ethnic origin, gender, occupation)
Template Age
Physiology (hair, disability, illness, injury, height, features, time of day)
Appearance (clothing, cosmetics, tattoos, adornments, hair-style, glasses, contact lenses, bandages)
Behaviour (language, accent, intonation, expression, concentration, movement, pose, positioning, motivation, nervousness, distractions)
Environment (background, stability, sound, lighting, temperature, humidity, rain)
Device (wear, damage, dirt)
Use (interface design, training, familiarity, supervision, assistance)

28. The Mythology of Identity Authentication That’s Been Current Since 12 September 2001
Mohammad Atta’s rights:
to be in the U.S.A.
to be in the airport
to be on the plane
to be within 4 feet of the cockpit door
to use the aircraft’s controls
Authentication of which assertion, in order to prevent the Twin Towers assault?
Identity (1 among > 6 billion)?
Attribute (not 1 among half a dozen)?

29. Biometrics and Single-Mission Terrorists
“Biometrics ... can’t reduce the threat of the suicide bomber or suicide hijacker on his virgin mission. The contemporary hazard is a terrorist who travels under his own name, his own passport, posing as an innocent student or visitor until the moment he ignites his shoe-bomb or pulls out his box-cutter” (Jonas G., National Post, 19 Jan 2004)
“it is difficult to avoid the conclusion that the chief motivation for deploying biometrics is not so much to provide security, but to provide the appearance of security” (The Economist, 4 Dec 2003)

30. 4. Politics

31. Threats of the Age Terrorism Religious Extremism Islamic Fundamentalism

32. Threats of the Age Terrorism Religious Extremism Islamic Fundamentalism Law and Order Extremism National Security Fundamentalism

33. Mythologies of Identity Control
That the assertions that need to be authenticated are assertions of identity (cf. fact, value, attribute, agency and location)
That individuals only have one identity
That identity and entity are the same thing
That biometric identification:
works
is inevitable
doesn’t threaten freedoms
will help much
will help at all in counter-terrorism
Every organisation is part of the national security apparatus

34. Myth No. 2 – This is about ‘just another Card’ Characteristics of a National ID Scheme
Destruction of protective ‘data silos’
Destruction of protective ‘identity silos’
Consolidation of individuals’ many identities into a single general-purpose identity
==> The Infrastructure of Dataveillance
Consolidation of power in organisations that exercise social control functions
Availability of that power to many organisations

35. Identity Management of the Most Chilling Kind The Public-Private Partnership for Social Control
With the Capacity to Perform
Cross-System Enforcement
Services Denial
Identity Denial
Masquerade
Identity Theft

36. Myth No. 5 Strong Form: A national ID scheme is essential to national security Less Strong Form: A national ID scheme will contribute significantly to national security

37. Terrorists, Organised Crime, Illegal Immigrants Benefits Are Illusory
Mere assertions of benefits, no explanation: ‘it’s obvious’, ‘it’s intuitive’, ‘of course it will work’, all of which are partners to simplistic notions like ‘Zero-Tolerance’ and ‘we need to do anything that might help us wage the war on terrorism’
Lack of detail on systems design
Continual drift in features
Analyses undermine the assertions
Proponents avoid discussing the analyses

38. Miscreants (Benefits Recipients, Fine-Avoiders,
Miscreants (Benefits Recipients, Fine-Avoiders, ...) Benefits May Arise, But Are Seriously Exaggerated
Lack of detail on systems design
Continual drift in features
Double-counting of benefits from the ID Scheme and the many existing programs
Analyses undermine the assertions
Proponents avoid discussing the analyses

39. A National ID Scheme can be devised so as to preclude abuse by:
Myth No. 7
A National ID Scheme can be devised so as to preclude abuse by:
Unelected Governments
Invaders
Military Putsch
Elected Governments
that act outside the law
that arrange the law as they wish

40. Myth No. 8 The public accepts that ‘the world changed on 11. (12
Myth No. 8 The public accepts that ‘the world changed on 11? (12!) September 2001’
Privacy valuations are highly situational
The gloss has gone
People are becoming inured / bored / realistic about ‘the threat of terrorism’
People know that a national ID scheme won’t prevent terrorism
Zogby Poll 2 Feb 2006
‘01-‘05
Support Collapses % - %
Luggage Search
Car Search
Roadblock Search
Mail Search
Tel Monitoring

41. Conclusion
PETs can address some PITs, but a nightmare-free Australia Card is not feasible
Any intellectual, and any regulator, who accommodates a national identification scheme, is selling-out liberty, and derogating their duties as human beings
We must not be cowed by either of the twin terrors of Islamic Fundamentalism and National Security Fundamentalism

42. Smart Cards and Biometrics
Is a Nightmare-Free Australia Card Feasible ??
Roger Clarke, Xamax Consultancy, Canberra Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU /DV/ ID-ACTSCL-0603 {.html,.ppt} A.C.T. Society for Technology and the Law 23 March 2006