Smart Cards and Biometrics
Is a Nightmare-Free Australia Card Feasible ??
Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU
http://www.anu.edu.au/Roger.Clarke/......../DV/ ID-ACTSTL-0603 {.html,.ppt}
A.C.T. Society for Technology and the Law, 23 March 2006
Copyright 1988-2006
1. National Id Schemes
2. Smart Cards
3. Biometrics
4. Politics
Is a Nightmare-Free Australia Card Feasible ??
Human (Id)entification and (Id)entifiers
• Appearance: how the person looks
• Social Behaviour: how the person interacts with others

• Names: what the person is called by other people
• Codes: what the person is called by an organisation

• Bio-dynamics: what the person does
• Natural Physiography: what the person is
• Imposed Physical Characteristics: what the person is now
[Diagram. Labels: Real World; Abstract World; Entity and Attributes; Identity and Attributes; Record: Entifier + Data-Items; Record: Identifier + Data-Items; Record: Nym + Data-Items; relationship cardinalities 1, m, n]
Human Identity Authentication
• What the Person Knows
  e.g. mother’s maiden name, Password, PIN
• What the Person Has (‘Credentials’)
  e.g. a Token, such as an ‘ID-Card’, a Ticket
  e.g. a Digital Token such as “a Digital Signature consistent with the Public Key attested to by a Digital Certificate”

Human Entity Authentication
• What the Person Is (Static Biometrics)
• What the Person Does (Dynamic Biometrics)
The Scope of an Identification Scheme
Specific-Purpose
  for individual organisations or programmes
Bounded Multi-Purpose
  e.g. European Inhabitant Registration schemes limited to tax, social welfare, health insurance
  (cf. the TFN – Australian politicians are liars)
General-Purpose
  National Identification Schemes
  e.g. USSR, ZA under Apartheid, Malaysia, Singapore
Elements of a National ID Scheme
• A Database
  • centralised or hub (i.e. virtually centralised)
  • merged or new
• A Unique Signifier for Every Individual
  • A 'Unique Identifier'
  • A Biometric Entifier
• An (Id)entification Token (such as an ID Card)
• QA Mechanisms for:
  • (Id)entity Authentication
  • (Id)entification
• Obligations Imposed on:
  • Every Individual
  • Many Organisations
• Widespread:
  • Data Flows including the (Id)entifier
  • Use of the (Id)entifier
  • Use of the Database
• Sanctions for Non-Compliance
http://www.anu.edu.au/Roger.Clarke/DV/NatIDSchemeElms.html
Claimed Benefits of a Nat’l Id Scheme
http://www.privacy.org.au/Campaigns/ID_cards/NatIDScheme.html#CaseFor
(aka ‘furphy-watch’)
• Reduction in Identity Fraud and Identity Theft
  (very limited – that’s already addressed in many other programs; and it entrenches false id’s)
• Enhanced National Security / Anti-Terrorism
  (zero impact, because terrorists are either foreign, or they’re ‘sleepers’ / ‘virgins’)
• Productivity / Service-Delivery Benefits
  (achievable with specific-purpose and at worst multi-purpose schemes, not general-purpose)
2. Smart Cards
Categories of SmartCards
• ‘memory cards’
  with storage-only
• ‘smart-cards’
  storage, processor, systems software, applications software, permanent data, variable data
• ‘super-smart cards’
  smart-cards with a (very small) key-pad and display
• ‘contact-based cards’
  require controlled contact with a reader
• ‘contactless cards’
  may be read at short distance (or longer?)
  requires an aerial
• ‘hybrid cards’
  with both capabilities
Chip and Carrier
• credit-card sized plastic card
• ‘tag’ (clothing-tag, RFID-tag)
• ...
• tin can
• cardboard carton
• pallet
• ...
• animal body
• human body
Convenient Carriers for Chips
• Cards:
  • credit-card sized
  • mobile (‘SIM’)
  • ...
• Tags:
  • clothing-tag
  • RFID-tag
  • bracelet, anklet
  • ...
• Things:
  • tin can
  • cardboard carton
  • pallet
  • car-body
  • engine-block
  • ...
• People:
  • neck of a pet, or valuable livestock
  • wrist, gum or scrotum of a human being
System Design Potentials
• Storage Capacity greater than other technologies such as embossing and mag-stripe
• Ability enhanced to provide services from a standalone unit, without connection to a host
• Storage segmentation ability
• Use of the same card for multiple services
• Use of the same card to link card-holders to multiple service-providers
System Design Potentials – Security
• Non-Replicability of active elements of the card
• Third-Party Access to data is more challenging
• Authentication of devices with which the card communicates
• Application of different security measures for each storage segment
• Use of the same card for multiple services
• Use of the same card to independently link card-holders to multiple service-providers
SmartCards as (Id)entity Authenticators ?
• Stored Name, Identifier, other data ?
• Stored Photo ?
• Stored Biometric ?
• Stored One-Time Passwords ?
• Stored Private Digital Signature Key ?
Basic Requirements of a SmartCard (Id)entity Authenticator (1 of 2)
• Restrict identified transaction trails to circumstances in which they are justified (because of the impossibility of alternatives)
• Sustain anonymity except where it is demonstrably inadequate
• Make far greater use of pseudonymity, using protected indexes
• Make far greater use of attribute authentication
• Implement and authenticate role-ids rather than person-ids
• Use (id)entity authentication only where it is essential
• Sustain multiple specific-purpose ids, avoid multi-purpose ids
• Ensure secure separation between applications
Basic Requirements of a SmartCard (Id)entity Authenticator (2 of 2)
• Ownership of each card by the individual, not the State
• Design of chip-based ID schemes transparent and certified
• Issue and configuration of cards undertaken by multiple organisations, including competing private sector corporations, within contexts set by standards bodies, in consultation with government and (critically) public interest representatives
• No central storage of private keys
• No central storage of biometrics
• Two-way device authentication, i.e. every personal chip must verify the authenticity of devices that seek to transact with it, and must not merely respond to challenges by devices
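The two-way device authentication requirement above, sketched as an added example (not from the original slides): the card issues the first challenge and stays silent unless the reader proves itself. The shared HMAC key, the `Card` and `Reader` classes and the message layout are assumptions made for illustration; the slides specify no protocol.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; the slides do not specify any key scheme (assumption).
DEMO_KEY = bytes(range(32))

def _proof(key, role, first, second):
    """HMAC over a role byte plus two fixed-length 16-byte nonces."""
    return hmac.new(key, role + first + second, hashlib.sha256).digest()

class Card:
    def __init__(self, key):
        self._key, self._nonce = key, None

    def challenge(self):
        """Step 1: the card, not the reader, issues the first challenge."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def respond(self, reader_nonce, reader_proof):
        """Step 3: answer the reader's challenge only after verifying the reader."""
        if self._nonce is None:
            return None                           # no open challenge: stay silent
        nonce, self._nonce = self._nonce, None    # each challenge is single-use
        expected = _proof(self._key, b"R", nonce, reader_nonce)
        if not hmac.compare_digest(expected, reader_proof):
            return None                           # unauthenticated device gets nothing
        return _proof(self._key, b"C", reader_nonce, nonce)

class Reader:
    def __init__(self, key):
        self._key, self._nonce = key, None

    def prove(self, card_nonce):
        """Step 2: prove knowledge of the key and challenge the card in turn."""
        self._nonce = secrets.token_bytes(16)
        return self._nonce, _proof(self._key, b"R", card_nonce, self._nonce)

    def verify_card(self, card_nonce, card_proof):
        """Step 4: check the card's answer; None means the card refused."""
        if card_proof is None:
            return False
        expected = _proof(self._key, b"C", self._nonce, card_nonce)
        return hmac.compare_digest(expected, card_proof)

def transact(card, reader):
    """Run the four-message exchange; True only if both sides authenticated."""
    card_nonce = card.challenge()
    reader_nonce, reader_proof = reader.prove(card_nonce)
    return reader.verify_card(card_nonce, card.respond(reader_nonce, reader_proof))
```

The role byte in each proof keeps a reader's proof from being reflected back as a card's proof, and the single-use nonce makes a recorded reader proof useless against a later challenge.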
3. Biometrics
Biometrics Technologies
• Variously Dormant or Extinct
  • Cranial Measures
  • Face Thermograms
  • Veins (hands, earlobes)
  • Retinal Scan
  • Handprint
  • Written Signature
  • Keystroke Dynamics
  • Skin Optical Reflectance
  • ...
• Currently in Vogue
  • Iris
  • Thumb / Finger / Palm-Print(s)
  • Hand Geometry
  • Voice
  • Face
• Special Case
  • DNA
• Promised
  • Body Odour
  • Multi-Attribute
Imposed Biometrics
“imposed physical identifiers ... branding, tattooing, implanted micro-chips”
The [London] Financial Times, 6 Mar 06
Categories of Biometric Application
• Authentication
  1-to-1 / ref. measure from somewhere / tests an ‘entity assertion’
• Identification
  1-to-(very-)many / ref. measures from a database that contains data about population-members / generates an ‘entity assertion’
• Vetting against a Blacklist
  1-to-many / ref. measures and data of a small population of wanted or unwanted people / may create an ‘entity assertion’
• Duplicate Detection
  1-to-(very-)many / ref. measures of a large population / may create an assertion ‘person already enrolled’
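The four categories above differ in how many reference measures one test measure is compared against and in what assertion comes out. This added example (not from the original slides) implements each over constructed 16-bit templates and shows a looser threshold producing a false hit in the 1-to-many modes that the 1-to-1 check never encounters; the Hamming-distance matcher, names and thresholds are illustrative assumptions.

```python
BITS = 16  # toy template length (assumption; real templates are far larger)

def distance(a, b):
    """Normalised Hamming distance between two fixed-length bit templates."""
    return bin((a ^ b) & ((1 << BITS) - 1)).count("1") / BITS

def authenticate(test, reference, threshold):
    """1-to-1: test an 'entity assertion' against a single reference measure."""
    return distance(test, reference) <= threshold

def identify(test, database, threshold):
    """1-to-(very-)many: generate candidate 'entity assertions', best match first."""
    scored = sorted((distance(test, ref), who) for who, ref in database.items())
    return [who for d, who in scored if d <= threshold]

def vet(test, blocklist, threshold):
    """1-to-many against a small list of wanted or unwanted people: yes/no only."""
    return bool(identify(test, blocklist, threshold))

def already_enrolled(new_reference, database, threshold):
    """Duplicate detection: may create the assertion 'person already enrolled'."""
    return bool(identify(new_reference, database, threshold))

# Constructed sample data: three enrolled people, one listed person whose
# template happens to lie close to Alice's, and a live sample from Alice.
ALICE = 0b1111000011110000
BOB = 0b0000111100001111
CAROL = 0b1111000011111111
POPULATION = {"alice": ALICE, "bob": BOB, "carol": CAROL}
BLOCKLIST = {"listed-person": CAROL}
LIVE_ALICE = ALICE ^ 0b1  # Alice's test measure with one bit of sensor noise

if __name__ == "__main__":
    for threshold in (0.10, 0.20):
        print("threshold", threshold)
        print("  1-to-1 vs alice :", authenticate(LIVE_ALICE, ALICE, threshold))
        print("  identification  :", identify(LIVE_ALICE, POPULATION, threshold))
        print("  blocklist hit   :", vet(LIVE_ALICE, BLOCKLIST, threshold))
```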
The Biometric Process
[Diagram. Labels: 1. Enrolment / Registration; 2. Testing; Measuring Device; Reference Measure or ‘Master Template’; Measuring Device; Test Measure or ‘Live Template’; Matching and Analysis; Result]
Privacy-Sensitive Architecture
e.g. Authentication Against a Block-List
[Diagram. Labels: Block List; Test-Measure; Sensor; Secure Proc’ing Module; Reference Measure; Relevant Data; Block List Maintenance; Results (Y/N); Application]
Fraudulent Misrepresentation of the Efficacy of Face Recognition
• The Tampa SuperBowl was an utter failure
• Ybor City FL was an utter failure
• Not one person was correctly identified by face recognition technology in public places
• Independent testing results are not available
• Evidence of effectiveness is all-but non-existent
• Ample anecdotal evidence exists of the opposite
Realistic Representation of the Efficacy of Face Recognition
“Smartgate doesn’t enhance security.
“It helps flow and efficiency in the limited space available in airports”
Murray Harrison, CIO, Aust Customs, 7 March 2006
Quality Factors in Biometrics

Reference-Measure Quality
• The Person's Feature (‘Enrolment’)
• The Acquisition Device
• The Environmental Conditions
• The Manual Procedures
• The Interaction between Subject and Device
• The Automated Processes

Association Quality
• Depends on a Pre-Authentication Process
• Subject to the Entry-Point Paradox
• Associates data with the ‘Person Presenting’ and hence Entrenches Criminal IDs
• Risks capture and use for Masquerade
• Facilitates Identity Theft
• Risk of an Artefact Substituted for, or Interpolated over, the Feature

• Material Differences in:
  • the Processes
  • the Devices
  • the Environment
  • the Interactions
• An Artefact:
  • Substituted
  • Interpolated

Result-Computation Quality
• Print Filtering and Compression:
  • Arbitrary cf. Purpose-Built
• The Result-Generation Process
• The Threshold Setting:
  • Arbitrary? Rational? Empirical? Pragmatic?
• Exception-Handling Procedures:
  • Non-Enrolment
  • Non-Acquisition
  • ‘Hits’

Test-Measure Quality
• The Person's Feature (‘Acquisition’)
• The Acquisition Device
• The Environmental Conditions
• The Manual Procedures
• The Interaction between Subject and Device
• The Automated Processes

Comparison Quality
• Feature Uniqueness
• Feature Change:
  • Permanent
  • Temporary
• Ethnic/Cultural Bias
  “Our understanding of the demographic factors affecting biometric system performance is ... poor” (Mansfield & Wayman, 2002)
‘Factors Affecting Performance’ (Mansfield & Wayman, 2002)
• Demographics (youth, aged, ethnic origin, gender, occupation)
• Template Age
• Physiology (hair, disability, illness, injury, height, features, time of day)
• Appearance (clothing, cosmetics, tattoos, adornments, hair-style, glasses, contact lenses, bandages)
• Behaviour (language, accent, intonation, expression, concentration, movement, pose, positioning, motivation, nervousness, distractions)
• Environment (background, stability, sound, lighting, temperature, humidity, rain)
• Device (wear, damage, dirt)
• Use (interface design, training, familiarity, supervision, assistance)
The Mythology of Identity Authentication That’s Been Current Since 12 September 2001
• Mohammad Atta’s rights:
  • to be in the U.S.A.
  • to be in the airport
  • to be on the plane
  • to be within 4 feet of the cockpit door
  • to use the aircraft’s controls
• Authentication of which assertion, in order to prevent the Twin Towers assault?
  • Identity (1 among > 6 billion)?
  • Attribute (not 1 among half a dozen)?
Biometrics and Single-Mission Terrorists
• “Biometrics ... can’t reduce the threat of the suicide bomber or suicide hijacker on his virgin mission. The contemporary hazard is a terrorist who travels under his own name, his own passport, posing as an innocent student or visitor until the moment he ignites his shoe-bomb or pulls out his box-cutter” (Jonas G., National Post, 19 Jan 2004)
• “it is difficult to avoid the conclusion that the chief motivation for deploying biometrics is not so much to provide security, but to provide the appearance of security” (The Economist, 4 Dec 2003)
4. Politics
Threats of the Age
Terrorism
Religious Extremism
Islamic Fundamentalism
Threats of the Age
Terrorism
Religious Extremism
Islamic Fundamentalism
Law and Order Extremism
National Security Fundamentalism
Mythologies of Identity Control
• That the assertions that need to be authenticated are assertions of identity (cf. fact, value, attribute, agency and location)
• That individuals only have one identity
• That identity and entity are the same thing
• That biometric identification:
  • works
  • is inevitable
  • doesn’t threaten freedoms
  • will help much
  • will help at all in counter-terrorism
• Every organisation is part of the national security apparatus
Myth No. 2 – This is about ‘just another Card’
Characteristics of a National ID Scheme
• Destruction of protective ‘data silos’
• Destruction of protective ‘identity silos’
• Consolidation of individuals’ many identities into a single general-purpose identity
  ==> The Infrastructure of Dataveillance
• Consolidation of power in organisations that exercise social control functions
• Availability of that power to many organisations
Identity Management of the Most Chilling Kind
The Public-Private Partnership for Social Control
With the Capacity to Perform
• Cross-System Enforcement
• Services Denial
• Identity Denial
• Masquerade
• Identity Theft
Myth No. 5
Strong Form:
A national ID scheme is essential to national security
Less Strong Form:
A national ID scheme will contribute significantly to national security
Terrorists, Organised Crime, Illegal Immigrants
Benefits Are Illusory
• Mere assertions of benefits, no explanation: ‘it’s obvious’, ‘it’s intuitive’, ‘of course it will work’, all of which are partners to simplistic notions like ‘Zero-Tolerance’ and ‘we need to do anything that might help us wage the war on terrorism’
• Lack of detail on systems design
• Continual drift in features
• Analyses undermine the assertions
• Proponents avoid discussing the analyses
Miscreants (Benefits Recipients, Fine-Avoiders, ...)
Benefits May Arise, But Are Seriously Exaggerated
• Lack of detail on systems design
• Continual drift in features
• Double-counting of benefits from the ID Scheme and the many existing programs
• Analyses undermine the assertions
• Proponents avoid discussing the analyses
Myth No. 7
A National ID Scheme can be devised so as to preclude abuse by:
• Unelected Governments
  • Invaders
  • Military Putsch
• Elected Governments
  • that act outside the law
  • that arrange the law as they wish
Myth No. 8
The public accepts that ‘the world changed on 11? (12!) September 2001’
• Privacy valuations are highly situational
• The gloss has gone
• People are becoming inured / bored / realistic about ‘the threat of terrorism’
• People know that a national ID scheme won’t prevent terrorism

Zogby Poll, 2 Feb 2006: Support Collapses ‘01-‘05
                      ‘01 %   ‘05 %
Luggage Search          63      44
Car Search              60      37
Roadblock Search        59      33
Mail Search             55      25
Tel Monitoring          38      28
http://www.zogby.com/news/ReadNews.dbm?ID=1068
Conclusion
• PETs can address some PITs, but a nightmare-free Australia Card is not feasible
• Any intellectual, and any regulator, who accommodates a national identification scheme, is selling-out liberty, and derogating their duties as human beings
• We must not be cowed by either of the twin terrors of Islamic Fundamentalism and National Security Fundamentalism