Smart Cards and Biometrics
Is a Nightmare-Free Australia Card Feasible ??

Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU
http://www.anu.edu.au/Roger.Clarke/.... ..../DV/ ID-ACTSTL-0603 {.html,.ppt}

A.C.T. Society for Technology and the Law, 23 March 2006
Copyright 1988-2006


Page 2:

Is a Nightmare-Free Australia Card Feasible ??

1. National Id Schemes
2. Smart Cards
3. Biometrics
4. Politics

Page 3:

Human (Id)entification and (Id)entifiers

• Appearance: how the person looks
• Social Behaviour: how the person interacts with others

• Names: what the person is called by other people
• Codes: what the person is called by an organisation

• Bio-dynamics: what the person does
• Natural Physiography: what the person is
• Imposed Physical Characteristics: what the person is now

Page 4:

[Diagram: Real World (Entity and Attributes; Identity and Attributes) and Abstract World (Record: Entifier + Data-Items; Record: Identifier + Data-Items; Record: Nym + Data-Items), with relationships labelled by the cardinalities 1, m and n]

Page 5:

Human Identity Authentication

• What the Person Knows
  e.g. mother’s maiden name, Password, PIN
• What the Person Has (‘Credentials’)
  e.g. a Token, such as an ‘ID-Card’, a Ticket
  e.g. a Digital Token such as “a Digital Signature consistent with the Public Key attested to by a Digital Certificate”

Human Entity Authentication

• What the Person Is (Static Biometrics)
• What the Person Does (Dynamic Biometrics)

Page 6:

The Scope of an Identification Scheme

Specific-Purpose
  for individual organisations or programmes

Bounded Multi-Purpose
  e.g. European Inhabitant Registration schemes limited to tax, social welfare, health insurance
  (cf. the TFN – Australian politicians are liars)

General-Purpose
  National Identification Schemes
  e.g. USSR, ZA under Apartheid, Malaysia, Singapore

Page 7:

Elements of a National ID Scheme

• A Database
  • centralised or hub (i.e. virtually centralised)
  • merged or new
• A Unique Signifier for Every Individual
  • A 'Unique Identifier'
  • A Biometric Entifier
• An (Id)entification Token (such as an ID Card)
• QA Mechanisms for:
  • (Id)entity Authentication
  • (Id)entification
• Obligations Imposed on:
  • Every Individual
  • Many Organisations
• Widespread:
  • Data Flows including the (Id)entifier
  • Use of the (Id)entifier
  • Use of the Database
• Sanctions for Non-Compliance

http://www.anu.edu.au/Roger.Clarke/DV/NatIDSchemeElms.html

Page 8:

Claimed Benefits of a Nat’l Id Scheme (aka ‘furphy-watch’)

http://www.privacy.org.au/Campaigns/ID_cards/NatIDScheme.html#CaseFor

• Reduction in Identity Fraud and Identity Theft
  (very limited – that’s already addressed in many other programs; and it entrenches false id’s)
• Enhanced National Security / Anti-Terrorism
  (zero impact, because terrorists are either foreign, or they’re ‘sleepers’ / ‘virgins’)
• Productivity / Service-Delivery Benefits
  (achievable with specific-purpose and at worst multi-purpose schemes, not general-purpose)

Page 9:

2. Smart Cards

Page 10:

Categories of SmartCards

• ‘memory cards’
  with storage-only
• ‘smart-cards’
  storage, processor, systems software, applications software, permanent data, variable data
• ‘super-smart cards’
  smart-cards with a (very small) key-pad and display
• ‘contact-based cards’
  require controlled contact with a reader
• ‘contactless cards’
  may be read at short distance (or longer?)
  requires an aerial
• ‘hybrid cards’
  with both capabilities

Page 11:

Chip and Carrier

• credit-card sized plastic card
• ‘tag’ (clothing-tag, RFID-tag)
• ...
• tin can
• cardboard carton
• pallet
• ...
• animal body
• human body

Page 12:

Convenient Carriers for Chips

• Cards:
  • credit-card sized
  • mobile (‘SIM’)
  • ...
• Tags:
  • clothing-tag
  • RFID-tag
  • bracelet, anklet
  • ...
• Things:
  • tin can
  • cardboard carton
  • pallet
  • car-body
  • engine-block
  • ...
• People:
  • neck of a pet, or valuable livestock
  • wrist, gum or scrotum of a human being

Page 13:

System Design Potentials

• Storage Capacity greater than other technologies such as embossing and mag-stripe
• Ability enhanced to provide services from a standalone unit, without connection to a host
• Storage segmentation ability
• Use of the same card for multiple services
• Use of the same card to link card-holders to multiple service-providers

Page 14:

System Design Potentials – Security

• Non-Replicability of active elements of the card
• Third-Party Access to data is more challenging
• Authentication of devices with which the card communicates
• Application of different security measures for each storage segment
• Use of the same card for multiple services
• Use of the same card to independently link card-holders to multiple service-providers

Page 15:

SmartCards as (Id)entity Authenticators ?

• Stored Name, Identifier, other data ?
• Stored Photo ?
• Stored Biometric ?
• Stored One-Time Passwords ?
• Stored Private Digital Signature Key ?

Page 16:

Basic Requirements of a SmartCard (Id)entity Authenticator (1 of 2)

• Restrict identified transaction trails to circumstances in which they are justified (because of the impossibility of alternatives)
• Sustain anonymity except where it is demonstrably inadequate
• Make far greater use of pseudonymity, using protected indexes
• Make far greater use of attribute authentication
• Implement and authenticate role-ids rather than person-ids
• Use (id)entity authentication only where it is essential
• Sustain multiple specific-purpose ids, avoid multi-purpose ids
• Ensure secure separation between applications

Page 17:

Basic Requirements of a SmartCard (Id)entity Authenticator (2 of 2)

• Ownership of each card by the individual, not the State
• Design of chip-based ID schemes transparent and certified
• Issue and configuration of cards undertaken by multiple organisations, including competing private sector corporations, within contexts set by standards bodies, in consultation with government and (critically) public interest representatives
• No central storage of private keys
• No central storage of biometrics
• Two-way device authentication, i.e. every personal chip must verify the authenticity of devices that seek to transact with it, and must not merely respond to challenges by devices
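The two-way device authentication requirement above, sketched as an added example that is not part of the original slides: the card challenges the device first and stays silent unless the device's proof verifies. The `Card`, `Device`, `mac` and `transact` names, and the use of a pre-shared HMAC key per device, are assumptions made for illustration; a deployed scheme would more likely rely on certified device keys.

```python
import hashlib
import hmac
import secrets


def mac(key, label, *parts):
    """HMAC-SHA256 over a direction label and length-prefixed fields."""
    msg = label + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Personal chip: challenges the device first, answers only if it verifies."""

    def __init__(self, card_id, device_keys):
        self.card_id = card_id
        self._keys = device_keys   # device_id -> shared key (assumed provisioning)
        self._pending = {}         # device_id -> card nonce awaiting a proof

    def hello(self, device_id):
        """Step 1: issue a fresh challenge; disclose no identifier yet."""
        self._pending[device_id] = secrets.token_bytes(16)
        return self._pending[device_id]

    def respond(self, device_id, device_proof, device_nonce):
        """Step 3: prove the card's identity only to an authenticated device."""
        card_nonce = self._pending.pop(device_id, None)   # single use
        key = self._keys.get(device_id)
        if card_nonce is None or key is None:
            return None
        expected = mac(key, b"device->card", device_id, card_nonce)
        if not hmac.compare_digest(expected, device_proof):
            return None                                    # silent refusal
        proof = mac(key, b"card->device", self.card_id, device_nonce, card_nonce)
        return self.card_id, proof


class Device:
    """Reader or terminal that wants to transact with the card."""

    def __init__(self, device_id, key):
        self.device_id, self.key = device_id, key

    def prove(self, card_nonce):
        """Step 2: answer the card's challenge and attach the device's own."""
        self.card_nonce, self.nonce = card_nonce, secrets.token_bytes(16)
        return mac(self.key, b"device->card", self.device_id, card_nonce), self.nonce

    def verify(self, reply):
        """Step 4: check the card's proof over both nonces."""
        if reply is None:
            return False
        card_id, proof = reply
        expected = mac(self.key, b"card->device", card_id, self.nonce, self.card_nonce)
        return hmac.compare_digest(expected, proof)


def transact(card, device):
    """Run the four-step exchange; True only if both sides authenticated."""
    card_nonce = card.hello(device.device_id)
    device_proof, device_nonce = device.prove(card_nonce)
    return device.verify(card.respond(device.device_id, device_proof, device_nonce))
```

A device that cannot answer the card's challenge receives neither the card identifier nor any value computed with the key, and a proof captured from an earlier session fails because each card nonce is used once.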

Page 18:

3. Biometrics

Page 19:

Biometrics Technologies

• Variously Dormant or Extinct
  • Cranial Measures
  • Face Thermograms
  • Veins (hands, earlobes)
  • Retinal Scan
  • Handprint
  • Written Signature
  • Keystroke Dynamics
  • Skin Optical Reflectance
  • ...
• Currently in Vogue
  • Iris
  • Thumb / Finger / Palm-Print(s)
  • Hand Geometry
  • Voice
  • Face
• Special Case
  • DNA
• Promised
  • Body Odour
  • Multi-Attribute

Page 20:

Imposed Biometrics

“imposed physical identifiers ... branding, tattooing, implanted micro-chips”

The [London] Financial Times, 6 Mar 06

Page 21:

Categories of Biometric Application

• Authentication
  1-to-1 / ref. measure from somewhere / tests an ‘entity assertion’
• Identification
  1-to-(very-)many / ref. measures from a database that contains data about population-members / generates an ‘entity assertion’
• Vetting against a Blacklist
  1-to-many / ref. measures and data of a small population of wanted or unwanted people / may create an ‘entity assertion’
• Duplicate Detection
  1-to-(very-)many / ref. measures of a large population / may create an assertion ‘person already enrolled’
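The four categories above differ in how many reference measures a test measure is compared against and in what kind of assertion comes out. The following added example (not part of the original slides) implements all four over constructed 16-bit templates with a Hamming-distance matcher, and shows how the threshold and the population size drive false matches. The function names, the templates and the independence assumption in `p_any_false_match` are illustrative assumptions.

```python
def distance(a, b):
    """Hamming distance between two bit-string templates (toy matcher)."""
    return bin(a ^ b).count("1")


def authenticate(test, reference, threshold):
    """1-to-1: tests an entity assertion made by the person presenting."""
    return distance(test, reference) <= threshold


def identify(test, population, threshold):
    """1-to-(very-)many: generates entity assertions, possibly several."""
    return sorted(name for name, ref in population.items()
                  if distance(test, ref) <= threshold)


def vet(test, blocklist, threshold):
    """1-to-many against a small list: True means a 'hit'."""
    return any(distance(test, ref) <= threshold for ref in blocklist.values())


def enrol(name, measure, population, threshold):
    """Duplicate detection: enrol only if nobody already enrolled matches."""
    duplicates = identify(measure, population, threshold)
    if not duplicates:
        population[name] = measure
    return duplicates            # non-empty means 'person already enrolled'


def p_any_false_match(fmr, n):
    """Chance of at least one false match in n comparisons, assuming each
    comparison is independent with false-match rate fmr."""
    return 1.0 - (1.0 - fmr) ** n


# Constructed templates: CAROL's feature happens to lie close to ALICE's.
ALICE, BOB, CAROL = 0xAAAA, 0xF0F0, 0xAAA5
ALICE_LIVE = 0xAAAB   # ALICE re-measured with one bit of acquisition noise
BOB_LIVE = 0xF0F3     # BOB re-measured with two bits of noise

if __name__ == "__main__":
    population = {"alice": ALICE, "bob": BOB, "carol": CAROL}
    for threshold in (2, 3):
        print("threshold", threshold,
              "authenticate:", authenticate(ALICE_LIVE, ALICE, threshold),
              "identify:", identify(ALICE_LIVE, population, threshold))
    for threshold in (1, 2):
        print("threshold", threshold,
              "blocklist hit:", vet(BOB_LIVE, {"bob": BOB}, threshold))
    for n in (1, 1000, 1000000):
        print("population", n, "P(any false match):",
              round(p_any_false_match(0.001, n), 4))
```

Loosening the threshold by one bit leaves the 1-to-1 result unchanged but makes identification return two candidates, and tightening it by one bit lets a listed person pass the blocklist check.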

Page 22:

The Biometric Process

[Diagram: 1. Enrolment / Registration: Measuring Device, Reference Measure or ‘Master Template’. 2. Testing: Measuring Device, Test Measure or ‘Live Template’. Matching and Analysis, Result]

Page 23:

Privacy-Sensitive Architecture
e.g. Authentication Against a Block-List

[Diagram components: Sensor, Test-Measure, Secure Proc’ing Module, Block List (Reference Measure, Relevant Data), Block List Maintenance, Results (Y/N), Application]

Page 24:

Fraudulent Misrepresentation of the Efficacy of Face Recognition

• The Tampa SuperBowl was an utter failure
• Ybor City FL was an utter failure
• Not one person was correctly identified by face recognition technology in public places
• Independent testing results are not available
• Evidence of effectiveness is all-but non-existent
• Ample anecdotal evidence exists of the opposite

Page 25:

Realistic Representation of the Efficacy of Face Recognition

“Smartgate doesn’t enhance security.
“It helps flow and efficiency in the limited space available in airports”

Murray Harrison, CIO, Aust Customs, 7 March 2006

Page 26:

Quality Factors in Biometrics

Reference-Measure Quality
• The Person's Feature (‘Enrolment’)
• The Acquisition Device
• The Environmental Conditions
• The Manual Procedures
• The Interaction between Subject and Device
• The Automated Processes

Association Quality
• Depends on a Pre-Authentication Process
• Subject to the Entry-Point Paradox
• Associates data with the ‘Person Presenting’ and hence Entrenches Criminal IDs
• Risks capture and use for Masquerade
• Facilitates Identity Theft
• Risk of an Artefact Substituted for, or Interpolated over, the Feature

• Material Differences in:
  • the Processes
  • the Devices
  • the Environment
  • the Interactions
• An Artefact:
  • Substituted
  • Interpolated

Result-Computation Quality
• Print Filtering and Compression:
  • Arbitrary cf. Purpose-Built
• The Result-Generation Process
• The Threshold Setting:
  • Arbitrary? Rational? Empirical? Pragmatic?
• Exception-Handling Procedures:
  • Non-Enrolment
  • Non-Acquisition
  • ‘Hits’

Test-Measure Quality
• The Person's Feature (‘Acquisition’)
• The Acquisition Device
• The Environmental Conditions
• The Manual Procedures
• The Interaction between Subject and Device
• The Automated Processes

Comparison Quality
• Feature Uniqueness
• Feature Change:
  • Permanent
  • Temporary
• Ethnic/Cultural Bias
  “Our understanding of the demographic factors affecting biometric system performance is ... poor” (Mansfield & Wayman, 2002)

Page 27:

‘Factors Affecting Performance’ (Mansfield & Wayman, 2002)

• Demographics (youth, aged, ethnic origin, gender, occupation)
• Template Age
• Physiology (hair, disability, illness, injury, height, features, time of day)
• Appearance (clothing, cosmetics, tattoos, adornments, hair-style, glasses, contact lenses, bandages)
• Behaviour (language, accent, intonation, expression, concentration, movement, pose, positioning, motivation, nervousness, distractions)
• Environment (background, stability, sound, lighting, temperature, humidity, rain)
• Device (wear, damage, dirt)
• Use (interface design, training, familiarity, supervision, assistance)

Page 28:

The Mythology of Identity Authentication That’s Been Current Since 12 September 2001

• Mohammad Atta’s rights:
  • to be in the U.S.A.
  • to be in the airport
  • to be on the plane
  • to be within 4 feet of the cockpit door
  • to use the aircraft’s controls
• Authentication of which assertion, in order to prevent the Twin Towers assault?
  • Identity (1 among > 6 billion)?
  • Attribute (not 1 among half a dozen)?

Page 29:

Biometrics and Single-Mission Terrorists

• “Biometrics ... can’t reduce the threat of the suicide bomber or suicide hijacker on his virgin mission. The contemporary hazard is a terrorist who travels under his own name, his own passport, posing as an innocent student or visitor until the moment he ignites his shoe-bomb or pulls out his box-cutter” (Jonas G., National Post, 19 Jan 2004)

• “it is difficult to avoid the conclusion that the chief motivation for deploying biometrics is not so much to provide security, but to provide the appearance of security” (The Economist, 4 Dec 2003)

Page 30:

4. Politics

Page 31:

Threats of the Age

Terrorism
Religious Extremism
Islamic Fundamentalism

Page 32:

Threats of the Age

Terrorism
Religious Extremism
Islamic Fundamentalism

Law and Order Extremism
National Security Fundamentalism

Page 33:

Mythologies of Identity Control

• That the assertions that need to be authenticated are assertions of identity (cf. fact, value, attribute, agency and location)
• That individuals only have one identity
• That identity and entity are the same thing
• That biometric identification:
  • works
  • is inevitable
  • doesn’t threaten freedoms
  • will help much
  • will help at all in counter-terrorism
• Every organisation is part of the national security apparatus

Page 34:

Myth No. 2 – This is about ‘just another Card’

Characteristics of a National ID Scheme

• Destruction of protective ‘data silos’
• Destruction of protective ‘identity silos’
• Consolidation of individuals’ many identities into a single general-purpose identity
  ==> The Infrastructure of Dataveillance
• Consolidation of power in organisations that exercise social control functions
• Availability of that power to many organisations

Page 35:

Identity Management of the Most Chilling Kind

The Public-Private Partnership for Social Control

With the Capacity to Perform
• Cross-System Enforcement
• Services Denial
• Identity Denial
• Masquerade
• Identity Theft

Page 36:

Myth No. 5

Strong Form:
A national ID scheme is essential to national security

Less Strong Form:
A national ID scheme will contribute significantly to national security

Page 37:

Terrorists, Organised Crime, Illegal Immigrants

Benefits Are Illusory

• Mere assertions of benefits, no explanation: ‘it’s obvious’, ‘it’s intuitive’, ‘of course it will work’, all of which are partners to simplistic notions like ‘Zero-Tolerance’ and ‘we need to do anything that might help us wage the war on terrorism’
• Lack of detail on systems design
• Continual drift in features
• Analyses undermine the assertions
• Proponents avoid discussing the analyses

Page 38:

Miscreants (Benefits Recipients, Fine-Avoiders, ...)

Benefits May Arise, But Are Seriously Exaggerated

• Lack of detail on systems design
• Continual drift in features
• Double-counting of benefits from the ID Scheme and the many existing programs
• Analyses undermine the assertions
• Proponents avoid discussing the analyses

Page 39:

Myth No. 7

A National ID Scheme can be devised so as to preclude abuse by:

• Unelected Governments
  • Invaders
  • Military Putsch
• Elected Governments
  • that act outside the law
  • that arrange the law as they wish

Page 40:

Myth No. 8
The public accepts that ‘the world changed on 11? (12!) September 2001’

• Privacy valuations are highly situational
• The gloss has gone
• People are becoming inured / bored / realistic about ‘the threat of terrorism’
• People know that a national ID scheme won’t prevent terrorism

Zogby Poll 2 Feb 2006: Support Collapses, ‘01-‘05 (% - %)
Luggage Search    63 - 44
Car Search        60 - 37
Roadblock Search  59 - 33
Mail Search       55 - 25
Tel Monitoring    38 - 28

http://www.zogby.com/news/ReadNews.dbm?ID=1068

Page 41:

Conclusion

• PETs can address some PITs, but a nightmare-free Australia Card is not feasible

• Any intellectual, and any regulator, who accommodates a national identification scheme, is selling-out liberty, and derogating their duties as human beings

• We must not be cowed by either of the twin terrors of Islamic Fundamentalism and National Security Fundamentalism

Page 42:

Smart Cards and Biometrics
Is a Nightmare-Free Australia Card Feasible ??

Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU
http://www.anu.edu.au/Roger.Clarke/......../DV/ ID-ACTSCL-0603 {.html,.ppt}

A.C.T. Society for Technology and the Law, 23 March 2006