David Vaile, Executive Director of the Baker & McKenzie
Cyberspace Law and Policy Centre
Welcome to this symposium on E-authentication, the third event
in a series which investigates aspects of cyberspace in the light of various
public interests.
One of the aims of these symposia is largely to dispense
with the conference style format consisting mostly of prepared lengthy speeches
where real discussion tends to happen on the sidelines. What we want to facilitate
instead is open-ended, wide ranging discussion of issues that are of interest
to experts and stakeholders in the field, and to disseminate the results of
these discussions to a broad audience. Accordingly, we’ll record most of what
is said with a view to making it available in slightly edited format on the
web.
Later on we also hope to publish a series of books which
the symposium proceedings will appear together with related papers, articles
and materials. We’ll also be taking some snapshots to record the event so
please tell us or the photographer if you don’t want to appear in any of these
photographs. Before I introduce the themes of the present symposium I’d like
to introduce you to the Baker
and McKenzie Cyberspace Law and Policy Centre where I am the new executive
director. My name’s David Vaile, if I haven’t met you yet.
The Centre has been up and running since late 2000, attached
to the Law Faculty of the University of New South Wales.
We are generously supported by our hosts tonight, Baker and
McKenzie. As well as providing the bulk of our funding Bakers also supports the
centre in other ways, such as allowing us to use its facilities for events like
this. I should emphasise that otherwise we are quite independent of Bakers, we
are not a mouthpiece for the views of the firm or its clients and we are free
to pursue our own academic and public policy interests under the watchful eye
of the law faculty at UNSW. That said, we are lucky to have at Bakers a number
of the most experience practitioners working in the area and this is often a
source of valuable ideas and feedback for the centre.
The Centre runs a variety of events in addition to this sort
of symposium. For instance it arranges conferences, events in the continuing
legal education program, and the centre itself has a relatively small secretariat
including Than, who’s the inaugural coordinator. He’s been doing a great job
to get us to where we are today.
Our activities are driven mainly though by our group of
research associates and collaborators, several of whom are here this afternoon.
I’m not sure it would make sense to name them all, but I’m sure you’ll find
them later on. In addition to these research associates, we are fortunate to
have participating in the symposium a large number of people from a broad range
of disciplines, government industry, academia, the legal profession, and public
interest advocacy. Fortunately we have
a mix of IT the people and lawyers; this should lighten up the proceedings!
So, we should continue the cross-cultural dialogue initiated
in our past symposia.
As we were planning this event, we discovered NOIE, the
National Office of the Information Economy, was intending to run a consultation
in Sydney as part of a national program seeking feedback on their recent
authentication discussion paper. We're
proud that NOIE chose to conduct their consultation session in Sydney jointly
with us as co-hosts of this event. No
doubt Catherine [Higgins]and Tom [Dale] will make sure that you all have a
chance to comment on some of the specific topics that they seek to address,
although I'm sure that the debate will inevitably cover much broader ground.
The first part of the symposium
will begin with a presentation from Catherine Higgins from NOIE. She'll focus
on the outline of their authentication discussion paper, of which many of
you may already be aware. The main
technologies covered in their paper include biometrics and the gatekeepers
scheme. I understand NOIE emphasizes their interest in seeking reactions to
a much broader range of the authentication options.
The second part of the symposium
will be started by a presentation from Roger Clark of the ANU. Roger will consider some fundamental technical,
and social limitations of some of the newer and more complex authentication
tools, and ask questions about what this means and where they might fit in
broader mosaic of online relationships.
The third part of the symposium
will consist of free-ranging discussions after dinner.
This symposium is aimed at discussing the implications of
e-authentication and the new environment in which it finds itself in the
interests of all the parties concerned, most notably the transaction
participants, service providers, and those who support the integrity of the
system.
So what do we mean by ‘e-authentication’? It's a fairly new term, covering a range of
tools including passwords, PKI, and biometrics. These systems attempt to identify, verify,
or otherwise raise trust in the participants in an online environment by the
use of technological, and to some extent organizational, mechanisms.
I note in passing that there are some complex legal, social,
and technological issues in this area, and we have a very diverse audience
here today, so I'd encourage anyone speaking to recognize that not everyone
may share the background knowledge and jargon that you may take for granted.
Please provide a little bit more context and explanation than you would if
you were just amongst your peers where you could perhaps take for granted
your audience’s level of knowledge.
Hopefully this symposium will cast a penetrating light on
the issues surrounding the authentication in general, specific implementations
of it, how well they match the needs of various users and stakeholders, and
what type of regulation may be needed. However,
I don't want to steal anyone's thunder, so I'll hand over to the joint chairs
of this session.
One of them was meant to be Chris Connolly, who many of you
may know. He’s a co-director of this Centre, but he has been called away to
help his wife in the birth of a new, currently unidentified, entity.
Luckily Professor Graham Greenleaf, another co-director,
on my right, has agreed to step in on short notice, and share the chair with
Tom Dale from NOIE. Welcome Graham
and Tom. And over to you Catherine.
[ back
to top ]
Catherine Higgins, NOIE
Thanks David. I'd like to talk today about the discussion
paper and some of the background
to where it comes from.
As pointed out I think some people have a depth of
knowledge in this subject and some people don't, and we've been discovering
that over the last two years at NOIE.
We really have been intending to educate a lot of audiences about the
authentication technology over the last couple of years and we've had an
industry and government council whose term had ended but they were called the
national electronic authentication council and Stephen Wilson was a member of
the council. So some of the thinking
that comes from this paper actually comes from the last two years and where
authentication technologies had evolved from.
I just like to go through the paper very quickly because
some people will have read it and talk about some of the questions that were
trying to answer. And also I'll talk
about the consultation process the little bit and the submissions we received
so far in response to our paper and the others we hope to receive in the next
two months. So those of you who have
read the paper will see that we have provided an introduction to the whole
subject and we've tried to set the context of authentication in terms of electronic
transactions, identity management.
We find it hard sometimes to talk about authentication as a
means to itself which I think is the wrong thing to do in Tom's terms of
Internet or e-commerce agenda. So
really authentication has enabling and protective security aspects to it and I
think this is important and probably hasn't been raised that much in the debate
in Australia to date.
In terms of enabling it enables e-transaction because it
identifies individuals online, and it also is an access control technology in
that it can be used to control access to remote computers, servers, and so one,
so it's a protective security concept in that sense, and I think in Australia
we need to talk more about that it in the industry because we have a lot of
unprotected systems. So that's the
other angle of authentication technology, the protective security elements.
Also I think we're going to talk quite a bit about
biometrics tonight, and it's getting a loss of play in Australia right now
because of the law-enforcement aspects of the use of biometrics or the
potential uses of biometric technologies, and that's an area which I think is
very interesting, and there's a lot of consumer issues and societal issues
surrounding the use of biometrics so hopefully we have quite a rigorous debate
about that tonight.
The paper is divided into three sections, and so as I said
the first is an introduction to why we have authentication technologies at all
and what they help us to achieve more broadly in the information economy. If you go through the Commonwealth government's
role to date in authentication and some of you will know that NOIE's been quite
involved in authentication in terms of digital signature certificates, and
particularly because we accredit IT members under our gatekeeper program so
that accredits those industries.
Members do go out and issue digital certificates.
So we look at trends in section 2 of the paper and really I
think, as was said the biggest trend and noticeable thing over the last two
years was that passwords, pins, and those more basic forms of authentication
technology are commonly known and used.
The more high-end areas such as biometrics and PKI, we have concluded
that those areas do need considerable regulatory and accreditation attention
and we would like to talk about those specific areas in depth tonight. And cross recognition, the whole concept of
recognizing other trusts schemes is another area which we have covered in this
paper. NOIE runs the gatekeeper schemes, we want to look at recognizing another
country's schemes, we have covered that in this paper as well.
I think that area has been a policy discussion for a number
of years, but I think it's still got a fair way to play in terms of making
international e commerce a reality and having the exchange of digital signature
certificates across economies. So that's currently being discussed in APEC, and
now the international forum, and we cover the foundations of our views about
cross recognition in this paper.
The whole area of standards and accreditation and so one is
covered in this paper as well on page 17.
And really we talk about PKI and the standards there simply because
there are standards in that area, and it's also a complex area of technology
which requires standards.
So we talk there about the original standards, the
Australian standards, and I see Alistair hasn't come along yet, but he's coming
from standards Australia, and those standards were named 4539. They were the precursors to the gatekeeper
schemes. So we have got some questions
in hear about whether standards will drive the take up of PKI digital
certificates in a private economy in Australia, we like to ask a series of
questions and try and have some debate and discussion around that tonight. But it also is if you that standards don't
drive the take up of technology either, so we would like to discuss that more
tonight.
One other big issues that NOIE is considering in this
discussion paper is our role in this process, NOIE's been very involved in
authentication, education, but also in a stronger role as the accreditor of the
gatekeeper schemes accreditor. We are
really seeking some comments from industry parties as to whether someone else
may be better placed to take on that role as the accreditor in future years and
we have a series of questions around that and it involves a range of
stakeholders including those vendors who are already accredited under the
gatekeeper, and we have to look at the business model surrounding, potentially
outsourcing gatekeeper from NOIE, and therefore what NOIE's role will be the
future.
So there is appendix C of this paper which I think has been
circulated before tonight, sets out a framework for the governance, a new
governance framework if you like, for PKI.
People like Stephen Wilson will have seen this before because we
discussed this at the end of last year so it has a governance structure which
has an industry government board and then it has a role for standards Australia
and it has to define which of those with exactly be in that third party
accrediting role. But we have put some
framework around that there.
We are really trying to get comments back from industry
users on whether they can see that national framework being necessary for the
rollout of PKI and therefore whether standards Australia and NOIE should really
investigate the feasibility of starting up that framework, how much time and
money we should invest in that. And
that's a big issue, and it's about demand drivers as well in the economy.
So just a little bit about the process so far, we have had
one workshop so far which was in Canberra and unsurprisingly that was dominated
by government agencies who have been quite strong users of authentication
technology particularly PKI, and also the IT security vendors, so it was quite
a good session, but it became apparent to us that people still don't really
understand authentication technology fully, and the way they are try to
implement them in government agencies, and that they are still seeking answers
to some questions.
There are some good PKI rollouts that happened from
Canberra, which has been government and business applications and tax, and the
health insurance commission of those two examples. They are seeking more sort of work and guidance in how reached
critical mass with those rollouts. So
we're hoping we have had four returns to our papers so far in terms of
submissions, and we're hoping to get a number of concerted submissions, from
industry consumers and governments over the next few months.
It's interesting, the ones we have received I just took a
note of them just let you know, that the variety of people who have responded
to our paper. Two of them are IT
security vendors, Gangooli and associates who have done a market stakeholder
analysis, and PKI Plus who are an e-security vendor firm.
The Australian consumers association made a submission which
was based along the lines of the submissions that Charles Britain made to the
private commission on PKI guidelines, so he was coming from the same angle as
when he saw our paper. The fourth one
that is forthcoming I think, is from Glen Turner Arnetts, so from the education
sector, his users of PKI technology.
So I'm quite looking forward to reading that one because it
comes from a user's perspective. We
have had a lot of e-mail traffic from IT-12 which is the standards Australia
committee which originally dealt with the first PKI standards 4539, and it is
good timing now that Alistair has just walked in the door.
And the sixth submission that we have had is from the New
Zealand government which is really interesting because they are still looking
at the whole framework at this point.
And their authentication strategy seems to focus on the consumer level
so they are looking at the government consumer issues and how they issued
identities to individuals within an economy which is quite good and timely at
this stage. We have also had a good
discussion with VISA and some of the credit card companies about what they are
doing and that was very useful as well because it is a real commercial perspective
to the authentication field and that's been very useful because I think that
the verified by VISA scheme is getting quite a lot of take up amongst the
retailers and the e-tailers.
So look we are hoping for more submissions and answers to
some of our questions, we are having another consultation session in Melbourne
on the sixth of August, and we are also having another consultation session
with the computer association in Adelaide on 30th July and perhaps one in
Brisbane as well. But anyway, we are
looking forward to your comments on the paper, and this next session we are
going to go into looks at some specific issues which outlined in the paper and
we stop all the about questions. So
that's all for now.
[ back
to top ]
Thanks Catherine. We have another formal presentation after
the break, and we are going to hear from Roger Clarke, about the question of
whether conventional PKI is a good idea. However before we deal with questions
like that, I think we can start with one of the broad issues on the agenda in
front of you, and deal with the question of what is the role of the government
in promoting and regulating e-authentication technology.
Would someone like to put a view on the future role of
government in authentication technology regulation generally, and just before
you do, a reminder that we would like each person before they speak, to
identify themselves, which of course I didn't do -- I am Graham Greenleaf --
and also for those of you sitting at the table could you please turn your name
card around so that it faces Tom or faces me so we know who we are getting
contributions from. Thanks. Okay, so who would like to start off the
discussion on the role government in future technology, future e-authentication
regulation?
I noticed the U.S. government is trying to make some
specifications for UV probability spectrum for cars, which they are currently
issuing. The really interesting thing for me is that the report, which came in
today, reported how airline crews in Europe are having troubles with their
uniforms and credentials being stolen.
From the transport workers' union in the U.S., there are
concerns for the safety of those crew members, and there has been a push for
better certification and authentication. My guess is that the role of the
government will probably be directly proportional to the perceived threat of
outside interference with your average Joe.
The political process will in many ways determine the
perception of threat rather than any technology as it goes forward. It's interesting to see, laypeople, in U.S.
transport workers, people looking after the aircraft, unloading the aircraft,
things like that, being very concerned about the issues, not because they
understand the technology, but because they think there has got to be at
technical way of making their operations safer.
So you think that at
the moment, a lot of the evolving perceptions that are around authentication
are made in terms of access and security, and that in itself might be a
political driver.
I think where
governments are involved in these things, people, in a situation where there's
no threat and where there's no real need for things to happen, governments
probably don't need to be involved.
As the risk gets
greater and we consider that our lives can be more affected physically and
virtually, then we may as a community want greater involvement. I think that governments will be involved as
much as the community wants them to be involved from the political process.
If I can just take
that last comment you made, put up one hypothesis, I would say that every form
of authentication is a potential threat to privacy by potential abuse, and
consequently, it's inevitable that governments will be more and more involved
in privacy regulation in the e-authentication era, and that we can expect a
much greater the level of legislation in relation to authentication than we
currently have in the Federal Privacy Act.
So I would throw that in that this is at least one area where government
regulation is unavoidable.
I observe that there are issues of trust. Governments have regulated in this area. You
can't get private inquiry agents in New South Wales, without being licensed by
the New South Wales government, because it's perceived as being an area which
the operatives must be trustworthy.
Therefore trustworthiness surely is an issue. Then maybe some people who perhaps until
quite recently have said "well, a reputable organization with a good brand
name is inherently trustworthy", I think that is now greeted with a
certain amount of mirth in many circles and I don't think it's politically
sustainable anymore. So I think the
need for trust may be in itself be a cause for a need to regulate licences.
Thanks Nigel.
Would anyone like to respond?
I would like to
contribute to the general discussion. We’ve heard the term identity and
authentication used here this afternoon, and we shouldn’t forget that
particularly in the commercial environment, it’s the authority associated with
a particular commercial relationship that is also of issue.
The identity and
the authority only really have relevance in a point-to-point customer to vendor
environment, and there’s a lot of good working models in the business community
today, where there hasn’t necessarily been any regulatory input by government,
In some cases there has been input by other bodies, including community, or
industry regulators.
It’s sometimes
slightly different of course with statutory or government bodies where there’s
inherently trust because they are part of the political, the governance process
of the culture. I do take forward, though, the comment that the large,
monolithic and sometimes self-regulatory environments like accountants and
auditors, do sometimes get it wrong. You must plan for failure in whatever
mechanism we have going for or have a multiplicity of mechanisms that suit
different commercial sectors.
I’ll raise another
of the topics that Catherine has flagged, and that’s the suggestion that NOIE
might move towards promoting some non-government authentication body to take
over a more generalised portion of the work the gatekeeper has been doing at
present, and ask for comments about that suggestion, and also the related
question of if there was sense in such a non-government body in the field,
would it only make sense for it to be dealing only with PKI or would it make
sense for it to be dealing with a wider range of authentication methods and
technologies. But before I do I think I’ll ask Tom or Catherine perhaps just to
clarify what NOIE’s view is on that second question, about what scope of
operations did you have in mind for that sort of body?
We did have some discussion about this last week in
Canberra, and our thinking has been narrower in that we have been looking at
the PKI area in particular and because the gatekeeper standards which are
listed in here are quite comprehensive in themselves.
But we did have a discussion last week in Canberra, and a
lot of people were a little bit concerned with this suggestion that the
management or governance council above this sort of structure would have to be
very representative of industry users’ views, and existing commercial standards
that are already operating, we didn’t want to overregulate in that sense.
But we really were looking at a narrower context of PKI
because we see that Jas Anson and Standards Australia have that kind of expertise,
so if we had a broader concept of authentication which included areas like
biometrics and existing authentication technologies in business it would have
to be a broader management council at the top of the structure, and it could
even be quite unwieldy, so it would be a matter of how you would get that input
from business and also whether it is required at that broader level or only for
certain technologies.
We have outlined the governance structures in this paper for
the PKI management council model, and it’s that diagram at C and some of the
earlier stuff on page 19 of the paper.
Can I just make an additional comment. I think it is
important to distinguish between the role the federal government has played
today in not so much the gatekeeper PKI framework but in its commitment to
utilisation of PKI for particular purposes.
Essentially the policies rollout of the federal government
has been confined pretty much to government businesses transaction component,
with a couple of exceptions. In general the Federal government has not been
focussing on PKI or any other particular forms of authentication, in terms of
government to individual transactions, and I think a lot of the policy issues
raised will likely be raised later on.
There's a distinction between the government trying to
establish a trust framework for some sort of transactions in business and
transacting electronically with governments. The gatekeeper structure has
evolved as a system of standing in governments for PKI, which is a different
issue again, and I guess we’re trying not to confuse them too much and there’s
no suggestion that the, well there’s no obvious reason why a change in the
government’s structures, I guess a fairly substantial legacy arrangement such
as gatekeeper needs to lead to any change at all in the government’s general
approach in promoting PKI for particular purposes.
That’s the issue with government online, the democracy, it
doesn’t necessarily mean the government is also in charge of its standards and
the accreditations.
I’m just taking a business point of view, and following on a
little bit from what Tom has said. From
an implementation point of view, I’m an electronic commerce practitioner,
whereas he’s been involved in implementing industry project. We would recommend
perhaps a light touch. We looked at implementing PKI into superannuation for
various transaction purposes.
We found that there were issues in the trading community,
like cost; how much is it going to cost us to set up things like CAs and RAs?
The actual cost of the products that we would need to implement, and the cost
of implementing the product we would have to put in front of our gateways.
The cost of managing keys was quite inhibitive, particularly
when talking about trading chains with
small businesses. I think there’s some issue here that needs to look at exactly
what kind of transactions governments want to introduce as requiring something
like PKI, and what are the transactions you would have trusted partners, people
who probably do businesses using telephone or fax or some other less secure
method.
If the government decides that they want to do PKI, I think
there needs to be a caution in making a lot of transactions have to use PKI
because it will slow down perhaps the implementation of electronic commerce
across Australian industries, and particularly between industries. I wonder
whether that could be two levels, the light touch or commerce which is
considered to have low risk and perhaps a higher touch if you want transactions
which need pure authentication and identification.
There are two issues that I see. The first one’s around a
body as a trusted third party, in particular, a PKI as a trusted third party or
anyone whose performing authentications on behalf of, say a customer through to
an agency. We find that that’s very hard to describe in a private contractual
framework, and there’s limits to what can be done or what I trust them to do
under current law.
What we see is the role in government trying to find those
areas difficult to describe in that relationship and perhaps smoothing out of
the way that that could be contained to what the authentication provider
actually does compare to what transaction is being authenticated. So it's first issue on the table.
The second issue is what is being authenticated ? There's a role by the registrar of
identities within the community and by that I mean civil identities, business
registration identities, communities of interest identities, in seizing what
they are identifying, and making sure that authenticators of those identifiers
are linked into a way that that identity is those granted so that the
government role in managing authenticators in the community also needs to
consider that same role in managing the registrars of those identities. I hope that wasn't a bit too cryptic.
I have some extended comments to make, if you do not
mind. We run the risk in all of this
debate in losing track of what people's certificates are really good for. If you do mind a bit of discourse on that,
my strong view is that a lot of people having preconceptions which is some
years old in terms of certificates already formed from liability, cost and
trust. The original view I think of
digital certificates was that it would be an electronic passport. And this is a metaphor that is very easy to
grasp, and I think that somebody cooked it up almost on the spur of the moment,
when they were just thinking about business opportunities. The trouble with it
is that comes up with a very interesting set of problems.
If you think of the digital certificate as an electronic
passport context to that relationship, you
wind up with issues where Alice has a relationship with Sydney authority, she's
holding a certificate, she's trying to convince Bob who she is, Bob has no
other relationship with Alice he has no of the context to see who she is, he's
got no prior relationship with her CAs. NEAC has indeed spent years on this
problem and had a look at two different very good legal analyses which have
wound up at being somewhat inclusive.
If you look at the NOIE’s website there is a diagram which
has all the relationships and has this rather alarming but correct phrase that
good legal standing of such and such between who the line pays and CAs is
indeterminable. Anybody that wants to get into this debate has looked at the
NOIE website has obviously been put off.
Now I'm not saying that what you said is wrong, but we are all trained over
years and years of going to presentations to think of Alice and Bob as having
no context, and we continue to be trained in PKI's because we have an e-mail,
we receive a little red seal on it and it's a signed e-mail, we click on the
signed e-mail and have a look at the certificate authority which it came from
and we're trained to think in terms of this certificate authority is trusted,
because I had no other way to trust Miss Alice.
The trend at the top of the agenda, the really important
trend, the use of PKI's is dramatically different from that. The technical reason to use PKI is twofold:
it gives you what's called the system identities, the origin and integrity of
the transaction, and it's persisted in so far as I can get a signed form from
Adrian, it hits my machine and I can log it and I can trust it on this machine,
and they can pass it on and they can log it halfway in six months, they can
come back with that form, which has gone from server to server, you can do that
using provisional technology which involves that going through audit trails and
all sort of things.
The other thing that's important about computer certificates
is that they are machine readable. And
this is something that gets insufficient attention. There's no real interest in
application when everybody's actually getting signed emails, it just doesn't
happen. You look at all the other
interesting applications of PKI and they have the same characteristics, the
servers that are processing forms automatically at high volume, and it's pretty
obvious because if we don't have high volumes, we don't have paper
savings.
So it's really important I think to understand the
interesting applications of PKI. Rich-context, Alice and Bob have a preordained
relationship of some sort, and what PKI's doing is automating the existing relationship. If you think about the context of the
submission, what indeed what the HIC's trying to do with the certificates is
purely context based. As a non-lawyer it's easy for me to say I don’t see there
being a lot of liability difficulty in trying to work out what happens when a
transaction goes wrong. I mean, the parties are presentable, a licensed medical
practitioner comes in, a signed form with the HIC.
Steve, if I could just finish that point: The liability of
these things is easy to understand, and the management of these things is easy
to understand. If we try and use PKI to automate these existing relationships
it help us understand what killer applications replaces customs and health –
customs overseas, stuff in Hong Kong is a very important application of how to.
It also helps us understand that PKI is an important trend in the future where
credit card companies are using chip cards now.
The chip cards contain very sophisticated PKI systems, and
yet nobody is being burdened to sign up. The reason for that is that PKI is
embedded in the relationships and the context of the transactions. So I guess
my fervent desire is that the policy agenda gets onto problems that have real
application, the ones that I have enunciated, and they are not Alice and Bob.
We should turn our attention to more problems, and to a much
clearer debate about who should be regulating these things. The question about
whether the government has a role is a question about grounding till you start
thinking, what is the government’s job in regulating registration roles.
Stephen, out of that very interesting set of comments, we
certainly get the point that a lot of the liability takes place through the
conflict of particular contexts in which particular PKI applications occur.
However, those particular contexts, those you were alluding to, I think were
also likely to involve other forms of authentication in conjunction with PKI as
part of that context. Where do those combinations of factors lead you in
answering our original question of what’s the future role of government in
relation to the regulation of this whole mix of authentication technologies?
Well, there’s two
sides to it. There’s the technological side and this is a government
understated, very clear role. With the technological role of IT, there’s an
enormously important library of this stuff for everyone to seek standards and
by and large it does it in a fairly useful way. [indistinct]. The other side
has got wrapped up in government in a very sort of complicated way, that is the
idea of personal transport and the issue of very strong identity checks.
The strong
identity checks are a national consequence, the idea that Alice and Bob have no
other context. If what we did on the other hand was not to identify people
personally but use the certificates to coordinate transactions, then we look to
the existing communities of interest and the existing authorities.
One example is the
existing authority structures that make me a doctor, a missionary or a
taxpayer. These are not good examples because the government has a will on us.
We all know the good examples, the government has a good understood role in
making taxpayers and in making doctors in that authority. I think the authority
ought to be delegated now to those sorts of things that we have already
charted.
So you’re saying
that there’s no real role for some overall non-government authentication body
here, and that what we should be looking for is industry specific or profession
specific or activity specific regulatory structures being augmented to deal
with the particular problems of authentication.
I think that there
is potentially a role for non-government or semi-government bodies to sit above
and it might be a good idea for somebody else to put up their hand and talk
about the issues around this. The issue, if I’m trying to rely on a
certificate, if I set up a server, and I’m processing forms for people, I want
to know if the certificates were issued properly, and I want to know the
certificate issued was done according to standards, and I want to know that
they’re going to be withdrawn properly. Now that ‘generically’ is a problem
across industry, in different areas, we want to make sure that information
systems are audited and secure.
DSD has a program
in conjunction with NATA… doing all sorts of things, they rely on technical
experts to be making instructions orbiting and the licensing (and I use the
word loosely) and the accreditation of those bodies to do an inspection does in
fact quite often converge in a very small number of accreditation bodies such
as NATA and [something] international.
So I think that
fundamental problem that we have in quality control, if you like, is that the
certificates themselves were generated in a trustworthy manner and are part of
the standards. NOIE right now will know what confers that sort of trust or that
word appears in all sorts of other issues because there are health checks that
NOIE does. Now you could look to other organisations to do those health checks.
I’d just like to
expand on some of Steve’s comments and I think that there’s a lot of synergy
between what I was saying and Stephen’s comments. I think there’s a requirement
for technology neutrality in a lot of this. There is a very strong need for
accountability in all of this, you have trusted third parties who allocate or
designate to be accredited doctors, for instance. We don’t actually ever go
back and check our credentials, but we do want to know that when something goes
wrong, we’ve got a plaque on the wall outside that we can go and hold that
individual or that company accountable.
That’s very
similar to Stephen’s comment about automating process of doing interactive, the
trust and confidence to deal with a particular individual occurs by
non-technology means. The light touch approach, in the superannuation context,
perhaps, is a really good example. The financial planner has a context of a
relationship with a fund manager, there is other processes around those other
forms of accreditation and they are good, working trust party models to date.
The cross
recognition probably, where government might provide some directions, or a
non-government regulatory body. The process by which a doctor gets a bank
account is a form of crude, and slightly esoteric form of cross recognition.
That there is an entity, it has a cross commercial practice, and therefore has
an ability to authenticate for a different type of commercial relationship with
different levels of liability specific to the type of service. So the cross
recognition at the very high level is an area where there could be some
contribution in there.
The Electronic
Transaction Act, just to move on a little bit, the Electronic Transaction Act and
its state derivatives or complementary legislation sets some basic criteria
about what a transaction and what an electronic signature can be. It’s
technology neutral, and there’s numbers of ways of achieving those. PKI is one
of them, I am a vendor promoting an alternate mechanism, and I am sure that
there are multiple other processes in place that will do that the same.
An open market
approach, letting the market decide, perhaps with some valued input from
government or appropriate technology and commercially astute bodies, may well
be the approach to go. It’s a little bit of a moot point whether it’s to be a
government or a non-government body as long as there’s appropriate funding, and
it can maintain the appropriate level of trust, just like the institute of
accountants and auditors do.
I am going to throw
this back to Catherine and Tom for the moment and ask are these contributions
we’re getting answering the questions that you thought you were asking?
I think so. I should note that we do have both Standards
Australia and NATA, and some perspective that they may wish to bring on. I
think that the government is certainly conscious of that distinction I made
earlier, and does not want to be particularly identified as a market leader or
a regulator across the board in all of the areas we’ve been talking about.
There’s been a number of people including Stephen who have
said that since the governments originally mould them in all of these matters 3
or 4 years ago, things have changed quite significantly in the marketplace, in
the expectations and strategic planning with a lot of federal government
agencies and in terms of the will more generally, I guess, and I think the
propositions about transactions in context, about fit for purpose approaches to
not technologies but for business solutions and the propositions I think that
we’ve heard about generally making sure that authentication is seen as a means
to an end, not an end in itself, the ones that are more fairly obvious, so all
those reasons, those are the sort of issues that we’ve locked in, that we
require a bit more detail on, but yes, we’re getting there.
I’ll just preface what I’m about to say by saying that this
is the first time that I’ve spoken on behalf of Standards Australia. There’s a
long history in the area, but a short history in Standards Australia’s
involvement. I guess from a starting perspective, if we keep the conversation
to PKI, Standards Australia has a long history, back to MP75 in ’94, and the
tech tree of the GPKA and running the national PKI committee IT 1241, and
developing the existing national standards in biometrics. I think that’s a
pretty separate subject and one that we’re probably not willing to enter any
arrangements about now but at the international level of debate of biometrics
is pretty fragmented.
There’s a recent proposal to the joint tech committee
between ISO and IEC to set up an international standardisation committee for
biometrics led by the USA that I think will probably be picked up in some form,
probably not as a separate committee at an international level but within the
work of one of the other committees. And I guess if that progresses, then we
would see some involvement for us in standardisation of biometric technologies
at the Australian levels.
That said, back to PKI, we’ve had a proposal on the table
for nearly a year or so saying that we could, based on the fact of that
experience, our position as a trusted third party (some people have got
different interpretations of what a trusted third party is) but as a national
trusted body, we could oversee the evaluation and accreditation procedures
based on that experience.
We’ve got a broad representation of stakeholders already,
and rigorous processes in place that we have for development of standards and
accreditation against standards, through certification through CLAWS, and I
guess with appropriate funding, somebody mentioned earlier, we could probably
take on that role, if it was judged to be appropriate by industry and
government, and if there was a perceived demand.
On that point about perceived demand, do members of IT 12
think there is perceived demand in industry sectors, do we need any more
standards, do we have enough? You know, we’ve got PKI coming in anyway, the
gatekeeper accreditors suppliers can issue PKI privately to any community
interest who can pay for it, and so there are cost issues there an so on. But
we need to update 4539 and some parts of that so that the registration authorities
can recognise for example, do that work quickly, does that make a difference to
the demand side of the economy?
I can’t answer straight out. There is probably a role for us
to develop a handbook based on the general risk management framework, which is
4360, I think. The specifics of PKI, looking at value of transactions, and that
would also sit within the existing information security management standards as
well. Draw on that.
I make a point that a handbook on authentication. We’ve got
to be careful that we don’t get [something] trying to reverse issues of
standards and process controls and so on in the absence of any context, and we
got unstuck in the standards group in trying to come to a standard for R8, and it’s
exactly the same as writing a standard for passports. So if you do that in the
absence of any transaction context, and can’t manage risk in the absence of
context, we know that now, we’re at the risk again of just chasing our tail,
coming up with standards that are addressing academic issues, not actually
addressing the real issues which have to do with the specific use of
certificates.
The format of a
handbook is a lower concern, which doesn’t necessarily mean that it’s not a
valid technical document, it means that perhaps that some of the very rigid
process is avoided, The handbook has guidelines, they’re not standards, but
they can carry a fair amount of weight, and I don’t think necessarily we could
get too bogged down thinking about the contextual issues of risk management in
PKI. The handbooks are a more open structure, and I think the emphasis would
have to be on context.
Thanks very much Graham. Maybe the first thing I should do
is explain a little bit about NATA, I was conscious of the comment made earlier
on in this meeting that there are people in this room with all sorts of
different levels of understanding of all different parts of this topic, and I
certainly confess that I am one of those, just blindly followed for a number of
years. I guess some people around this table know something about NATA so if
you’ll forgive me I thought it might help if I lead you through how we got
involved in part of this area, and that is with the Australasian Information
Security Evaluation Program, or AISEP, and the facilities, the AISEFs, that get
involved in this.
First of all, what is NATA? NATA is a laboratory
accreditation organisation. And for laboratory, you can read that very broadly,
it’s testing facilities, testing calibration measurement facilities. It started
in 1947, so we’ve got a pretty long history in this, in fact we can raise the
flag for this country in this one because NATA was the world’s first
comprehensive laboratory accreditation organisation, remains the worlds oldest
comprehensive laboratory accreditation, and the largest, so that’s one for
Australia.
I'll talk about some of our international partnerships in a
minute. We are endorsed by the
Australian government as the Australian authority in laboratory accreditation.
We're also a peak body in inspection accreditation which is another form of
accreditation for doing different things and two different standards and we’re
involved in other things as well. But I think it’s the accreditation side
that’s important here. I said I’d take you on a bit of a journey as to how we
became involved in the AISEP program because it’s a very good demonstration of
what we do.
Defence Signals Directorate (DSD) approached us mid-90s when
they were looking at outsourcing some of the work that they do in certifying
these AISEFS. They were doing a lot of the work themselves in testing products
to go on the EPL (the evaluated products list), there was more work than they
could handle and they needed to outsource. SO they came to us and said, you’re
the accreditation organisation, will you help us develop a program.
So we did, we sat down with a, we drew together a steering
committee, which is our usual way of developing these programs, and the
steering committee, it depends on what sort of program, but usually involves
technical people, business people, whatever’s interested in the area at stake,
stakeholders in the area. We drew those people together and they put together
the criteria which were required in order to tailor the standard that we use in
laboratory accreditation, the international standard that we use to accredit
testing facilities. So that was done, we called for interest in the
accreditation, well, in this case we didn’t have to call for interest because
it’s a closed community in the AISEF community, in others we call for interest
and get in applications.
Then the process is that we go out and we do the assessment,
we do the evaluation, we do that in association with technical experts in the
area. So it’s a peer group technical evaluation. If all goes well, then the
organisation that’s being assessed becomes accredited by NATA, that
accreditation process goes through an accreditation advisory committee, which
is one of the number of volunteer committees which we have within NATA, again
it contains people from within that industry that can make recommendations to
us about how that particular field should operate and through the chairman
whether or not that organisation should be accredited. So once that’s done,
they become accredited by NATA, that gives them national recognition,
particularly if they’re dealing with government.
The other important thing is it gives them international
recognition because NATA is one of a number of accreditation bodies of its type
around the world. There are something like 34 bodies in a mutual recognition
agreement, 34 economies in a mutual recognition agreement, with NATA, which
means that an organisation which produces a test certificate, a NATA-endorsed
test certificate in Australia, that test certificate is recognised in these
other countries as if that body were accredited in one of those other
countries.
Now I think this is a very important phase in the whole area
of e-authentication, because unlike some of the politicians in this country who
might have believed in the past, the internet ends at the border of Australia,
we all know that it doesn’t, and that one day, not very far away, we are going,
and indeed we do at the moment, we all trade internationally, and we’re going
to trade through an authenticated or agreed electronic system. And if there’s
going to be call for that system to be authenticated, to be accredited, then
it’s important that the bodies that accredit that system in the different
countries have some relationship with each other and are recognised one to the
other.
This has happened in the past in a number of areas with
which NATA deals. And the other important thing about this, and touching on the
earlier question about should NOIE remain involved, I believe that the clear
answer to that is yes, because in many of the other areas in which we were
involved, and where technical accreditation underpins trade, and indeed
prevents technical barriers to trade, it’s only because of that technical
recognition, the NATA or NATA-like body around the world, it’s only because
that exists that there can be government to government agreements in some of
these areas. They very much underpin those government to government agreements.
And government to government agreements, it is so obvious, can only be
undertaken by government.
And it seems to me therefore that there has to be a strong
involvement of NOIE or some part of government that’s got the understanding to
advise government on how to negotiate and take part in these agreements which
will undoubtedly become more and more important as we move forward in this
area. Sorry Graham, that was a very long answer, I just tried to lead people
through to what accreditation in this space is about and some thoughts on how
government might be involved.
We’re getting close, about 5 minutes away from having some
afternoon tea, but we don’t seem to be all that much closer to getting any
strong opinions about NOIE’s continuing role. We’ve certainly just heard one
interesting opinion about that, but I’d like to come back to that point: the
role of government in the continuing regulation in this area, and the need for
some alternative private sector body. Would anybody like to come in on that at
this stage?
I think the first point is that accreditation is one thing,
but to have any value, there’s got to be some mechanism to prevent unaccredited
operators. I guess there’s an element of buyer beware, but if the price is
right, there’ll be plenty of people who will use an unaccredited operator. So
that’s issue. The second point that comes out of that is of course, it’s
constitutionally mooted, whether that’s within the commonwealth or the realm of
other jurisdictions, and whether you see it as common, telecommunications or
whatever. But there is a constitutional issue there, it’s not necessarily in
NOIE’s court, and I think it’s presumptuous to think that it is.
That’s one point, the other point is that in terms of what
government normally regulates, what we normally do and when we license, which
is a form of regulation, to license businesses, professionals in various
domains, the criteria are normally pretty straight forward and simple, almost
on the yes/no and not many questions sort of vague. Whereas in this area it is
complex, it is difficult, there’s quite a lot of fuzziness, it’s subjective,
and there’s whole rafted issues of competence and who can technically do it,
and that may well mean that in effect, it is in terms of government
perspective, outsourced to some other body.
And so maybe there is a matter of accreditation, and
accreditation leads to a government regulation, it’s only one part of the
process, it’s not the whole picture, and I think that’s a point to bear in
mind.
I think you are right and you’re touching
on a point that I’ve made for myself. Authentication is a complex topic, and so
are some of the associated risks and liability, they’re topics that have come
up before. We don’t yet have enough experience in electronic authentication to
fully understand the syntax and semantics of what’s being discussed. We should
crawl before we walk. And the accounting industry’s fallen over in a couple of
example with several centuries of experience and background behind it.
NOIE’s role: I think is a good one, as long as the state
includes an educative role, particularly to spread the word about the syntax
and semantics of the issues. And focus on a single technology is a real
problem, as it puts all the eggs in one basket, in one framework, and it leads
to some trade practices issues.
The banking community has a problem if it standardizes on an
interest …forces, everybody to buy an interest can have equipment, for
instance. That may or may not be an issue everywhere but it also must be
whatever technology we choose, we adopt, it must be cost effective. It is a
problem throughout the private sector. We don’t have the budgets the government
does.
A simplistic set of questions. As a user, who is trying to
be authenticated? Is it me as an individual, is it a company, in which case who
should be looking after that?
I’m sort of wondering whether the question as to who looks
after the whole issue depends on strength perhaps of authentication whether
it’s a full PKI/gatekeeper type thing, or whether it’s more a Verisign, and
whether it’s an individual signing a document, or an individual needing to be
authenticated as a person, or in a role whether a secretary of a company or a
person who is authorised to undertake transactions for a company, or is it a
company that’s doing business say with a government organisation?
There is sort of a matrix that we’re trying to deal with
here, and perhaps the question of the role of government in this really depends
where we are on that matrix. A very sort of simplistic view but I think it’s a
little bit confusing because of the complexity and the need for some kind of
matrix. And that might help say, well government is involved, yes, in PKI for
government agencies and for large companies, but perhaps government doesn’t
need to be involved with things like Verisign for individuals, but there may
need to be some form of more legally stringent thing if you’re dealing with the
tax office, which of course is a hub and spoke model rather than a peer to
peer.
We are actually publishing 2 publications next week which
our minister is launching, and one is called “trusting the internet” and it
goes into some of these issues explaining to small business so I think it’s
very timely and that’s the next NEAC sort of product that we’ve got to the
market now. And the other is the “government manager’s guide to authentication
technologies” and it’s got a risk matrix in it so I think when you see some of
those things next week it may go towards solving some of these discussions but
they are very real educated issues that we need to work through in the
marketplace, and they are quite complex.
I confess to be a bit puzzled about this discussion so far,
taking up Julie’s point in a way, but in a sense turning it on its head, I’m
not sure that the level of regulation that’s needed is so much at the large end
of the players or their interests being protected rather than the individuals,
rather the other way round. I mean, my more general point is that it seems to
me there’s a lot of the discussion so far has almost proceeded on the
assumption that forms of authentication are uncontentious, but what we have to
do is try and ensure that there’s necessary degree of quality control, but
we’re not dealing in a field where what is being done is contentious in the
first place.
I mean I find that difficult at the moment because I’m
living in a jurisdiction where from next year everyone that’s likely to have a
digital signature with a PIN and a compulsory national identification number on
a smart card that contains 2 biometrics, a photo and a thumbprint. And to think
that any of these forms of authentication are non-contentious when you have the
potential of combinations like that.
Otherwise, I’m having a nice time in Hong Kong. But that as
I said is the ingredient that seems to be missing in some of this discussion
and I thought we were going to be in part be in the framework that NOIE’s
foreshadowing, going to have some discussion on whether there’s any overall
regulatory body for all types of authentication technologies that would also be
looking at the regulation of the contentious aspects and whether there was any
possibility of that moving outside the government sector.
So perhaps Tom could I throw that over to you and say,
what’s the breach of this framework you’ve been talking about?
It’s very
hard for people in these discussions, and the same goes for the one that we had
in Canberra last week. Inevitably as the discussion develops we all tend to
come round, I think about three quarters is coloured consciously or otherwise
by what particular form of authentication and that’s PKI, for all sorts of
reasons it’s interesting technologically, and in some ways it’s more a
sophisticated form of authentication, and it is out there, not to the extent
commercially people thought it 3 years ago, but there are digital certificates
in existence and they generally revolve around some sort of PKI structure.
So I think
that colours our views makes it very hard to talk in terms of policy
principles. I think that the fact that people haven’t expressed particular
views about models of authentication is in itself an answer to some extent,
obviously this will take the most extreme example of passwords to a network are
authentication, no-one has suggested as far as I know that there needs to be a
regulatory policy framework for instance.
Tom that is precisely what is happening in HK, where there
is the investigation of where the PINs should be brought into the
authentication legislation in Hong Kong, I know that’s up in the air of course.
Yes, I can’t see that catching on as a debate here somehow.
At the other end though in terms of emerging issues in biometrics, after
Roger’s presentation I suspect that the discussion around that certainly should
be unimpeded by the advantage that people are bringing to the discussion and
might be a little bit more contentious.
I’m going to give
Patrick the last comment, but other than that this is a good point to stop for
afternoon tea, because as Tom said it’s going to be Roger’s job after afternoon
tea to help drag us back to first principles and more general considerations.
I was just reflecting on whether the government has a role
going forward, and I think there’s a reasonable hypothesis you could defend,
that government has very little role, has needed very little in terms of
choosing and regulating the authentication in terms of individual instances of
certification authorities or the type of technology, but where the market isn’t
likely to work or where there’s likely to be problems is in cross recognition.
And the economic interest of government in the well being of
the country might dictate that cross recognition would be very good for
economic activity and for interaction and for efficiency, where the market left
to its own devices will have people carrying a number of keys which don’t cross
authenticate and therefore cause an extra cost and extra inefficiency which the
technology itself is able to overcome but the force of market and vested
interests and opportunistic, and the fact that when systems start and who uses
them and who chooses them might dictate against, and I’d be pretty comfortable
leaving it to the market as to whether or not I accept a particular certificate
or whether or not I choose to use a particular certificate to authenticate me,
I think I might want to have a number of them for different purposes, for some
purposes I might choose the very best and for others I might want to be
anonymous.
But whether or not those systems spoke to one another is a
much harder question and something where government really does have a role.
Let’s break for coffee, we’re right on time.
[ back
to top ]
Roger Clarke is going to get us started for this session
of the symposium, he needs little introduction, but I haven’t heard him introduced,
as David did for quite a long while, as Roger Clarke of the ANU, that’s a
while ago. While he keeps that affiliation still, as I would say almost all
of you know, Roger has principally been a consultant in the e-commerce and
information infrastructure and electronic publishing and related areas, including
privacy, of course, for quite a number of years now, but he is also one of
the most academically productive and prolific non-academics that I know.
We’ve asked Roger to talk about the public interest aspects
of all forms of e-authentication, to try to indicate the range of public
interest issues that in any further or regulatory or non-regulatory structures
for authentication will need to be factored in. Roger’s going to give a
slightly lengthier presentation than Catherine did, probably around the 25
minute zone I think, because there’s a lot of these public interest issues to
canvas, and that will help us to get off to a good discussion for the rest of
the afternoon.
Roger Clarke
Thanks Graham; evening, ladies and gentlemen. The first
thing I should do is apologise, because I’ve actually printed out a nice
overview set of my slides 9-up. One of the results of this is that the print
size is quite small. So I’m going to have to a Richard Alston from time to
time, and look down my nose at you so I can read what the hell the next point
is.
My background is as Graham said is e-business information
and infrastructure, data balance and privacy, and I do it from a strategic
perspective, I do it from a strategic perspective, a policy perspective, and
public interest perspective and I normally try to say to myself what the hell
am I trying to do tonight? And the
answer is the intersection of all those, because I've drawn slides through a
variety from perspectives here and a variety of slides sets and developed a few
specific to the needs of this evening.
So I will probably do some have to changing from time to time and you
may have to stay awake in order to work out which perspective I'm speaking from
at any given time.
The only other generic sort of point I would like to make before
I launch is I've argued for years and years and years now that a huge amount of
the time was spending on technology and applications of technology and we spend
the time on them in separation from the implications issues. That separation has been symbolized tonight
because we spend the first time until coffee looking at technology and
applications and covenants and those sorts of things and the implications is
that soppy wet pinko that comes after coffee.
And then the separate discussion we have on the implications
and it's all rot, we have got to get it back wound together so that we're
looking at technology applications and implications intertwined and feeding
back on one another. So that's the
attempt that I'm making here.
Now I'm going to lead off with some general points. You can see the structure in the summary
page sitting in front of you. I'm going
to start off by asking the question what authentication means. Here as in most circumstances it's
misinterpreted. The primary sense in
which it gets used and often the exclusive sense in which it is used is as
though it meant identity authentication.
And there are a couple of honourable exceptions during the discussion
earlier on this evening but most of the time that's what everybody implicitly
meant by its and I'm sorry but it's wrong.
Look up the dictionary and think about what it is that you are doing
when you are authenticated, what your focus is. Your focus is on some assertion, that assertion might be about
identity, but it might not.
We have to get back to the real question when we are
discussing authentication as to what the scope is. Now in order to address this what I would like to do is to get to
principles, get to taxonomies, and all those good things that a semi academic
and semi consultant type of person likes to do but it's always easier when we
start with a simple context and set an example. And I use one of my favourite aphorisms of the Internet.
This gets used interminably by everybody including me and of
course that's another $75 U.S. the cartoon bank on the screen for photocopying
it, probably $75 twice, we photocopied it as well. But he'll what I wanted do is to draw out some questions about
what is it that the people at the other end should be authenticated? Now the words their don't say on the
Internet, nobody knows I'm Fido.
The words say ‘on the Internet nobody knows you’re a dog’,
so it gives me a perfect entree to point out immediately that it's not
necessarily about identity. These are
the sorts of things that you might want to authenticate.
One is, which dog?
It's Fido, it's that particular identity.
Is it the same dog that I was talking to yesterday? Consider the typical example of a person who
is operating as a counsellor, an e-counsellor on the net who is dealing with
Wendy or Bob who has been in contact with them last night and has come back and
says it's Wendy again and the counsellor says yes I know, as long as it's the
same Wendy, does it matter to the heck Wendy is? Neither Wendy and all the counsellor want to have their actual
identityhood noted to the other party because it's dangerous for both of
them. The Internet is actually a very
good medium for those kinds of relationships.
So that's a second and quite different kind of assertion
which involves quite different kinds of authentication mechanisms. But sometimes its mind all those things,
it's simply what your qualifications or your pedigree, its attributes about the
entity or identity that masses. And
whether or not you know the identity of entity to go with it is quite
separate. And sometimes it's not even
the question of the attributes or general attributes about the person or dog,
it's about whether when you say I am speaking on behalf of another dog, whether
you really do. And that then is a legal
question.
And the agency here identity as in government agency, I mean
as in principle agent relationship.
That's one was alluded to once during the earlier discussion and I think
it's a very important facet in the B2B marketplace it's particularly
important. And a great deal of the time
all you're actually concerned about is where the what you're getting from the
other party is what it purports to be as distinct from the question of whether
the other party is food they may or may not want to be. So just using that simple little diagram, we
can draw out lots of these kinds of things.
And then of course we can do old dry boring taxonomies, now
these taxonomies, and there is the paper wrapped around this with all of the
points that I'm making here, there's drilled down slide six and drilled down
papers and his references here so you can see the deeper aspects that I'm
trying to argue. But let's look quickly
at the bottom left-hand corner and identity authentication which is what we
seem to be mostly focusing on, we seem to blur the human vs. organization has
been to things that I think most of the discussion so far has been about. That's 2 of 15 that I identified as being
important, approaches to authentication, or differently said, 2 of 15 classes
of assertion that are important in B2B, B2C, G2B and all those other kinds of
e-business. So we've got to shift our focus to look at a much broader
scope. I will talk briefly down the
four on the right, attributes authentication hopefully fairly clear, are you a
doctor or not a doctor, are you really a qualified counsellor, are you really a
member of this club, are you a member of the home forces who can actually open
a bank account with the defence forces credit union, being a fairly topical one
at the moment.
Agency authentication: do you really represent that
principle as you either claim to or as you appear to, not necessarily a claim
but an assertion isn't necessarily that I am Roger Clarke. You just as you I'm Roger Clarke because all
of the billing gave me as Roger Clarke.
I didn't necessarily assert it did I?
You always have to be careful about who's making the assertion.
The third one down the right hand side is the question of
the eye you? This can be quite
important old fashioned issues, is this person logged in from the terminal
that's in the appropriate spot of the building, not just the question of who
you are, but where you are and whether anybody might be looking over your
shoulder who hasn't got your privileges.
There is quite a long-standing question of location authentication but
there's going to be a few more mobile, or now we have to call it, ubiquitous
computing era, and the other one authentication that's already been mentioned,
credit card detail checking, e-cash, credential checking. There's a whole pile of these things that we
really need to look at.
Now, having established that our scope ought to be really
broad if we're talking about e-authentication, otherwise feel free Tom, to call
it identity authentication, but please don't muddy, please determine what this
purpose and use appropriate terms and define out of scope the things that are
out of scope. I much preferred to see
you doing the whole lot, hard and challenging though it's going to be. I will then make the same mistake that
everyone else's making, and all focus mainly on identity authentication, or is
it only identity authentication? I will
bury you back to the top left-hand corner because we are going to do a bit of
that as well.
So let's start with the simple diagram we all work with, and
thanks to Bill Gates, yet again, I cannot believe the number of variations of
bugs between different versions of PowerPoint.
This little thing here says 1, and that says n, and that
says record column. And it’s going to be like this on every one of the next
four slides.
That’s the model that most of us implicitly have most of the
time when we’re talking about identity authentication. Whatever the
epistemological and ontological assumption is, I can never remember,
phenomenology is it? We assume there’s a real world and there are entities out
there and they got attributes. There’s probably a philosopher in the audience
that can sort me out on the words. And we assume, well we’re pretty sure, if
there’s an abstract world there where we abstract things, well we don’t really,
we model the real world by creating some bits of data, some pieces of data
which represent, usually pretty imperfectly, that identity and those
attributes. And for any given identity, there could be multiple sets of
records, possibly using multiple sets of identifiers. That’s the pattern that
we normally think in terms of.
Now what we so often overlook is that underlying that
identity is an entity, a physical being, an identity is not a physical being,
an identity is best conceived of as things like a role or a person in a
situation, the expression being used by several people tonight about it’s the
context in which the person presents to a particular organisation that
determines the identity that they are presenting, so we use identity in that
sense, and there is an entity with attributes underlying it. And this here
points out that there is an m to n relationship between entities and
identities. Firstly you shouldn’t assume that each human being has only one
identity. We have squillions of them. Quick, open your wallet, count your
cards, think about all the numbers that aren’t on cards in your wallet, all of
those organisation-assigned identifiers correspond to an identity. So there’s
many of them. So there’s got to be at least one to many. But in practice there
are many circumstances in which more than one entity presents using a
particular identity. Sometimes with the approval, or perhaps connivance, of the
identity themselves, and sometimes because it’s “identity theft” in the many
senses in which that word gets used and abused.
So we have to at least get to that level of complexity
before we can make any sense at all of some of the questions of identity
authentication. And having done that, we then move to the next step, of
recognising that there’s some kinds of identifiers, if you want to call them
that, that are specialised and different from identifiers because they strike
directly through to the underlying identity. And clearly here we are talking
about biometrics in the case of human entities, but in the case of legal
persons, I challenge you to come up with some sensible entifiers for utterly
fictitious legal entities like trust companies, like One.Tel, no even some of
the existent ones. It’s very very challenging to think through what that means
in some of the B2B contexts, and indeed B2C where the consumer is trying to
reach the organisation and strike through to the entity underlying it. Some
interesting philosophical challenges. I use the term entifier because it makes
sense to strip the id off the front and relate it directly to the entity.
I’ve gone back by means of a classic scholar, but the
origins of the words identifier and identity and I’m sure they basically derive
from an ancient Greek verb “to be” and therefore it’s perfectly legitimate to
come up with a neologism like entifier. Interestingly, I don’t think the words
don’t ever existed, it’s like one of those funny things like ‘couth’ that
doesn’t actually exist but should. So I just suggest entifier, just to
distinguish it from identifier, just because it’s significantly different in
practice, and when we have our discussions, once again we need to think our way
through ramifications of this. And as you can see from the right hand side of
the diagram, having a lot of space left, that’s not quite the end of it.
Because there’s one further category which is very easily
overlooked.
In the discussion paper issued by NOIE, there is a mention,
one line, unfortunately not taken any further, but on page 4, this other bit
does get in there. And, my god they come up with another bug there, the words
in the box in the top right hand corner have disappeared. It’s a secret, I’m
not going to tell you what’s in there. Did it print? No? It says up there, NIM
and data items. And by a NIM, which I’ll define on the next slide, or you can
look ahead, I mean a particular kind of identifier. And the particular context
that I’m talking about here, is where we have an identity but it is very
difficult to strike through to the identity that underlies it. That’s meant to
be 2 bars, but for this version of Powerpoint they didn’t separate them enough.
It’s meant to be a blockage.
Now there’s 2 different contexts here, or 2 different
circumstances.
One is where it is not in practice in the circumstances not
feasible to break through, and you can never find out who the entity is
underlying the identity. Somebody emails you from hotdickety [at] hotmail.com, and
you are unlikely to ever break through unless they give you the information,
because you can’t issue search warrants, and you haven’t got the money to buy
people to trace through the layers you’d need to trace through to find out who
the hell is out there using that login ID at hotmail. Some organisations possibly
have, so then it may not be an absolute blockage. So in your context, that’s
anonymity, and that Nym is pretty solid. In the CIA’s context, to go to a
different extreme, perhaps not so, it may only be a pseudonym.
There are of course quite a few circumstances where people
think they’re anonymous and turn out not to be, and there’s been a couple of
expensive but effective criminal investigations which have struck through in
the context of child pornography especially, have struck through what those users
thought was anonymity and got through to the underlying entity, and quite
clearly many of us are very interested in being to achieve that, because the
accountability, the social responsibility aspects are very well served by that.
Couple of quick comments. Anonymity is, anonymity has always
been, and anonymity will be. Anonymity is also challenging as well as being
highly beneficial.
I have been trying to encourage much more discussion of
effective pseudonymity, with appropriate kinds of blockages built in that make
it genuinely hard for governments and powerful corporations to break through,
except when the right circumstances are satisfied. So it’s a combination of
legal and technological and organisational safeguards necessary to achieve it.
I don’t think that there has been much success in interesting people in
effective pseudonymity yet, but boy I’m continuing to work on it.
My essential point is that unless we have got that rich a
model when we talk about identity and entity authentication we aren’t going
anywhere. And that is my definition of Nym, perfectly negotiable, it’s been
published that way, but I’ve been known to gradually modify my definitions as
the years go by. Nym is used by smallish community around the world at the
moment, I originally published all this in 1994, using the term digital
persona, but that hasn’t particularly taken off, the concept is extremely
closely related to what I’m talking about with NIM, but others have taken up
Nym but it’s an extremely useful neologism because it’s not much used to mean
anything else, and the route is appropriate, so let’s use it. But when you look
at the number of different words that are around, that concept has been around
since time immemorial in many different contexts, so I’m heartened by that.
So, so much for the lecture, hectoring, about what
authentication really means. Let’s jump to the question of tools.
And here on this slide, I’ve tried on one slide to fire off
what’s in the NOIE discussion paper and refine it a little, because I think
there’s a couple of aspects that are useful to work on.
The first point that I’m trying to make is that there is a
considerable richness of alternative tools on the left hand side, even more
than is in the listed examples, they’re only listed as examples on the NOIE
discussion paper, there’s an even longer list depending on how you want to
break it down. The second generic point that I’m making on the right hand side
is that for any one of these to work, a whole pile of preconditions have to be
satisfied. The great deal of infrastructure necessary is not just PKI to
support these digital signatures, all these different kinds of tools require
quite a range of things in place.
The next couple of points that I ought to make would be to
draw a couple of these to your attention that might otherwise escape. The
writing of a signature is well established, that is a physical signature, and I
mean by that either the result or the behavioural pattern of writing a
signature, and I don’t believe we should lose that one because it is quite
feasible it may continue to play a role in e-authentication as well. The second
bullet on the left I’d like to generalise the username/password pair because it
is a specific instance of a particular piece of knowledge, password in any
case, if not the username, which is likely to be in the possession of a person
and not in the possession of others. There are many other instances.
There is also various other aspects like password arguments,
so I’d like to generalise that somewhat, and highlight that it’s dependent on a
reasonably well understood pattern of things and processes otherwise it won’t
work.
With the third bullet point, I’d like to highlight that with
PINs, we also have to recognise non-secure PINs. What do I mean by that? Some
are hashed in a secure manner, and the ATM EFTPOS example is up in most of our
minds. There are other instances of things called PINs that I don’t think
should be but they are. How many people have got a telecard or an Optus
equivalent? That PIN is known to the operators at the other end. And you are
then wide open to spoofing by the organisation or any of the individuals who
might move outside their agency relationship with their employer and take
home a whole bunch of PINs, knowing the
number that goes with it. It’s only 12 digits, it’s not very hard to memorise.
So I think something from a regulatory viewpoint that would be really really
handy would be to ban Telstra and Optus from referring to those as PINs. Get
another word, fellas. I’m not saying they shouldn’t do what they’re doing, I’m
saying they shouldn’t debase the concept of PIN, because the concept of PIN
carries with it an image of security. And I think there was one other one that
I wanted to highlight? No, I think that was all the points. Clearly there is an
awful lot of potential points for discussion here. Now let me divert to the
fifth bullet point, digital signature and PKI. I’m going to have to have my
ritual go at conventional go at PKI, because it just wouldn’t be fun if I didn’t.
The first point is that it’s dependent on a number of
things, it’s dependent on public key, it’s dependent on left put private key,
it’s dependent on a lot of software, it’s dependent on a lot of law, and it’s
dependent on a lot of faith. To take that a little further, and let me
underline conventional x509 based public key infrastructures basically don’t
work. There’s plenty of literature on this not only in my papers but much more
erudite cryptographers and lawyers have written on this. There are some things
that a digital signature can do for you, and there are some things that a
public key structure wrapped around it may or may not be able to do for you.
But it’s extraordinarily difficult to come up with a public key infrastructure
to do all the things that used to be claimed.
Now Steven Watts and I have had this out many times,
overread and not overread, and there are phrasings of this which Steve and I
could probably be happy with, not these phrasings, I underline, but some
aspects of this Steven would rephrase, it’s being used for the wrong things,
stop envisioning it as an e-passport, and I’m quoting him this afternoon. So
we’re somewhat apart, but not as far apart as might appear from the phraseology
here.
There’s a whole bunch of prerequisites if you’re going to
depend on public key infrastructure to give you assurance. There are many
possible kinds of public key infrastructure, remember I am reserving my
nastiest for the existing x509v3 based typical implementations of public key
infrastructure. There’s all those sorts of things that has to be done, for
god’s sake don’t think that I can do a tutorial on that slide right now, and
x509v3 we’ve got to recognise where it came from. It was a hammer lying around
when somebody picked up a nail, and somebody said, ooh, ooh I’ve got a hammer,
hit the nail quick!
It has a history, it comes from a history that is rather
separate from, totally unrelated, but rather disjunct from what it’s being
applied to, and it has bunches of features which may well have made a lot of
sense in the original directory context but don’t make a very good fit
especially in a B2C or a G2C context. Got some problems in the G2B and B2B as
well, but especially serious, I believe, are in the B2C context. And indeed
when you’re trying to represent agency relationships, principal/agent, what is
it that this employee can sign for on behalf of the company, there’s been a lot
of that reverberating around the B2B and G2B environments recently. And there’s
always been this problem about what the hell do you do about revocations?
There’s actually a logical philosophical conundrum in the
whole issue of revocation, and it’s basically insoluble, and there’s some
really poor approaches to solve it and some rather better ones which still
actually can’t totally solve the problem. And the invasiveness, not just
comments about e-authentication but to the public concerns about
e-authentication, the impact on the public if the registration authority was to
do its job in the most serious minded way, is very very substantial. I
continually paint the picture that Kerry Packer has got to stand alongside John
Howard has got to stand alongside Prue Goward, has got to stand alongside
Nicole Kidman, holding a sheath of documents, they have to do it in a queue.
I’ve always said that I want to be alongside Nicole Kidman,
but it is a fact of life that these things have all got to be done, and some of
them, adduced difficult, and a great deal of the population is going to have
trouble with it. Some of them because they’re going to have trouble finding the
documents, some of them because they’re just getting seriously upset, some of
them because they’re out bush, running around little territories and such like
places, with a lot of threatening things involved if we actually do it. I don’t
want to dwell much longer, actually I’ll tell you what I do want to do, I want
to slip in the slide that I should have put there and what I didn’t have when I
reviewed this was a rounding off slide on the PKI issue.
Firstly, I don’t want to be interpreted as saying that,
sorry Richard Alston, digital signatures and public key technology applied to
such purposes is totally dead in the water. There are applications and there
are potentially approaches that can be taken than the ones that have been taken
up until now.
And even with conventional PKI certificates there can be
some contexts, device authentication, which we haven’t really talked about, is
one, and closed communities, is the term I’d use for what several people
mentioned under various guises in earlier discussion, and Stephen Wilson’s
point earlier that it’s one of the big things about this in a closed community
is that it’s automated or automatable, and that can give you some considerable
comfort in a closed community environment. I’ve always used the example of the
strong hierarchical organisations, I’ve always talked about the department of
defence and the Catholic church because they’re the obvious examples.
And I suppose I’ll tell some of you this story that a couple
of years ago when I was mentioning that example somebody from the audience came
up to me afterwards, a Belgian, I gave the presentation in Europe, a Belgian
came up to me afterwards and he said, you do know that the Vatican actually
uses x509 v3 based PKI don’t you?
So I don’t want to be interpreted as saying, especially,
that public key technology cannot possibly be applied to a variety of
applications in e-authentication, but what we’ve got at the moment is not
something that enthuses many of us at all.
I’m now going to have my little swipe, and I am afraid it is
going to be a swipe, at biometrics. Once again there’s a bunch of slides
underneath here which are referred to in the paper which I gave Hong Kong
University recently at Graham’s invitation, to go into some depth on what
biometrics is and why it is giving us a lot of difficulties, the way in which
people are approaching it at the moment.
The essential idea
of a biometric process is that you start out by enrolling or registering some
form of measuring device, capturing something, what I would call a reference
measure, but the industry tends to call a master template, and then at some
later time, a measuring device, quite possibly quite a different measuring
device, captures what I would call a test measure, but is usually called a live
template, in the industry, and they are them matched and analysed in some way,
and thereby hang a few tales, which delivers some kind of result, and thereby
hangs a few tales as well. And appreciating that and how it’s applied and used
is very important in making further progress in analysing what biometrics is
and isn’t good for. There’s a bit of argumentation as to how the application
should be categorised, but I’m going to stick to the reasonably conventional
for the moment until I can improve on this, that James Weyman at San Jose is
trying hard to come up with a slightly different characterisation that this.
But you can either try to answer the question who the heck is this person, and
the standard situation in your airport is “who is this so that I can check them
against a list of stock people who I do not want through this barrier?” and
that is a frighteningly difficult thing to do because you’re searching for one
among many, and there’s enormous errors of commission and omission, type I,
type II errors, false positive, false negatives, whatever language you want to
use, there’s enormous difficulties in performing that process effectively.
The use for authentication of identities is a rather
different one because there is an assertion by someone, possibly by the person
themselves, possibly by someone else, possibly by you, because you are
proposing that you are this person and then testing whether it really is, and
that’s a one to one test and it assumes you have a reference measure available
to you for that person and the ability to capture the same biometric and the
same conditions in order to perform the test. I draw attention to the
possibility of using biometrics in such a manner that you do not disclose
identity but you in fact focus on attributes. There are ways of doing it, the
game I play is, have you ever stopped to think that the person who is at the
border who is inspecting passports currently, doesn’t actually need to know who
you are? 99.95% of the time they have no need to know who you are. And you can
design systems to ensure that they don’t. Clearly there’s a trick to it,
because if I were to propose that the American Immigration and Naturalisation
Service in amongst the many other mistakes that it makes, should not or does
not need to know who you are, well that’ll be a bit of a silly argument, I’m
not arguing that, I’m saying that the border person does not need to know who
you are. If a system is designed in order to perform the tests, and I haven’t got
the diagram here, that’s in the drill down set, if the system is done in such a
way that the testing is done in background mode without disclosure of any more
information than is necessary, the border guard merely needs to know the
answer: yes the person has checked out against their right thumbprint on this
red-headed person’s card, and that person is not on the stock list.
That’s all that the Immigration and Naturalisation Service
or the Hong Kong passports person when Graham arrives in Hong Kong actually
needs to know. It depends on how you design the system, biometrics can be used
in many different ways, and unfortunately so far, we’re only using it in a dumb
way. The concept of mythical annoys some people.
Feel free to interpret me as saying that biometrics
industries and biometric technologies are inept. But that’s not what I’m
saying. I’m saying there’s a whole flood of myths flowing around in the
biometrics industry, and about the biometrics industry, and to a considerable
extent encouraged by the biometrics industry. It is very hard to get serious
information, the rate of change in the marketplace is dramatic, the coming and
going of technologies, let alone individual suppliers, is frightening. The
number of pilots that gets announced go back through the newspapers and the
industry newspapers and count the pilots that have come forward. And then go
checking around amongst your friends who have had experiences of using and
being subjected biometric schemes, and there are some very embarrassing stories
to be told, and while there are one or two biometric suppliers who are quite
healthy, thank you very much, it’s because they’re small divisions of large
corporations with many other healthy divisions.
Try to find individual suppliers who are making a packet out
of biometrics right now is seriously challenging. This could mean a number
of things, very early phases of the industry and so forth, one of the things
it could mean is that they’ve ended up not getting very many sales, they keep
promising and not quite delivering in context. I suggest the latter, but I
don’t know enough about the industry to be sure. What I do know is, that if
you take the worst case, and please don’t think I’m tarring every biometric
technology with a brush, face recognition, but this has got to be one of the
biggest cons every perpetrated on mankind. It doesn’t work, and there’s sufficient
evidence to show that it doesn’t work, and there’s plenty of effort by the
organisations who provide the technologies to avoid the independent analyses
and information flowing about those independent analyses, it is fraudulent
misrepresentation, and feel free to quote me.
[ back to top ]
You’ve got some examples there that I’ve never heard of,
that you’re sort of assuming that you know what the examples are.
Oh sorry, beg your pardon, on that slide?
Okay, Tampa Superbowl was January 2001, and simply the town
in which the Superbowl was held, that’s the world championship of football.
Sorry, the American championship. And the crowd as they came through the
turnstiles, were submitted to video apparatus which it is claimed tested them
against the database of terrorists, troublemakers, pickpockets, I don’t think
we actually know. I don’t know whether it was used in Japan, it totally failed,
and that’s documented, there’s a couple of publications which are referenced in
the literature underneath here, that explain how the information has become
available. Eball city is a suburb of Tampa, is a city council of Tampa, which
got very enthusiastic about this and installed it quickly and it’s failed
utterly and dismally and once again it’s well documented. We’re still trying to
find information on the others, but the ACLU, were the people who’ve pieced
this together through a variety of probably fair means and foul, but the
information is very disappointing. What I need to stress here is that
irrespective of the effectiveness or ineffectiveness of biometrics, they have a
lot of implications.
I can suggest by the way some other examples, apart from
face recognition. It’s slightly unfair to suggest that face recognition is a
disaster therefore all biometrics are.
There are different kinds of experiences, if we take three
of the most common at the moment, hand geometry, I don’t have terribly good
anecdotal background on, but it has claimed and has made some progress in
testing in very constrained circumstances. It uses measures of the shape of
knuckles in a field, how you place the whole hand in a field, and there are
spaces to ensure that it’s meant to be a consistent space, and it’s used in
particular by INSPAS, the Immigration and Naturalisation Service, in the US,
for high fliers, in the sense of business class and above passing through
Heathrow, JFK, LAX. 2 anecdotes from my own experience is I have on a number of
occasions stood right alongside the INSPAS booth at LAX for periods of 10
minutes at a time.
And I’ve been waiting, I haven’t been standing there because
of I’ve been waiting for somebody to use it, I’ve been looking for the
opportunity, I’ve never seen anybody go past one. So I’ve got no idea, I guess
they get used.
The other anecdote that the only Australian who I know has
one, hasn’t got it anymore. He’s a senior public servant, Canberra Commonwealth
public servant, and he always chastises me and takes me on privacy and
surveillance matters and biometrics matters, and I said to him one day, but you
must have INSPAS surely, of course I’ve had INSPAS for bloody years, he’s been
in the Hague, he’s been in London, New York, on postings. I said, ‘well how
well does it work for you?’ He said, ‘oh, shithouse, I gave it back a few weeks
ago.’
I said, ‘what do you mean?’ He said, ‘well, I must’ve used
it 20 times, it’s only once worked for me.’ He said ‘I just couldn’t be
bothered and gave it back to them.’
So sorry, the anecdotal evidence ain’t real good, but it’s
used in nuclear power stations, it must be good. The second one is thumbprints,
I had an honours student work in the department of computer science, looking at
the possibility of masquerade based on conventional commercial products, and he
had no difficulty whatsoever in performing a masquerade based on the template
that’s stored and available, which is the proposition I put to him in the first
place, but I couldn’t believe how easily he did it, admittedly he’s a first
class honours student, but it’s not supposed to be that easy.
And iris recognition technology, now we’re starting to talk
about something that’s very interesting. Iris recognition technology I think is
the one to really watch out for. It’s extremely interesting maths and very
interesting physics, and it also requires very specific circumstances for it to
work effectively, which is one of the important messages, and which has indeed
floated around. Conditions, contexts. So I want to fly through four slides and
say that irrespective of whether biometric schemes work or don’t work, they
have enormous implications for people, some of those, I don’t know whether it’s
privacy, I don’t know whether it’s civil liberties, I don’t know whether it’s
plain convenience, call it what you will, everybody gets affected by some of
it, and people who get picked out as false positives get subjected to a huge
amount of it.
There’s also various kinds of privacy invasiveness, and I
want to underline here it is multidimensional. As a submission I don’t know
whether I’ve got time or money to write a seriously hard submission to you Tom
but you only talk about privacy in the context of data privacy in this document.
There are four dimensions, biometrics in particular strikes all of them. It’s
something of the person intrinsic to them, that is being used, it affects
personal behaviour, because it involves surveillance of various kinds, as well
as having to do with the privacy of personal data, and the third word of course
has to do with the point that you’re striking through to the entity, you are
not dealing with an identity. I wasn’t going to dwell on it here, there is an
argument, particularly as we move into the DNA context, that there may be
information exposed in various forms of biometric testing which may relate to
things that are close to predestination. The obvious is the meanings of
particular genes, or the import of particular genes, there have been arguments,
none of which have been terribly well established, that other kinds of
biometric might also contain information about the person.
The iris is the obvious one because of iridology. I don’t
want to stress that one too hard, but there have been arguments, the statement
is, and even possibly personal fate, it’s that kind of, I’d better not leave it
off. There’s also threats of personal
identity, I’ve mentioned the example of the ease of masquerade based on standard
templates of thumbprints, please distinguish masquerade from identity theft,
they’re very different things, and the US FTC doing stupid things with their
definitions with their national fraud centre in the US, absolutely criminal
incompetence in the way in which they’re describing things that are just single
instances of masquerading and calling them identity theft, really reports
they’re stupid.
There is a thing called ‘identity theft, and it’s serious,
and unfortunately biometrics will tend to worsen the situation as well as, not
instead of, improving it. It’s a double-edged sword. It obviously is designed
to provide access denial to various places and false positives are obviously
going to denied access to places that they shouldn’t have access to in
principle, and it could go so far as enabling identity denial, which you’ve got
to read, I’m not going to deal with that tonight. And there’s a much more
substantial things, my sole point with this slide is it is not just about
individual human beings and the privacy of each individual person, it is a
serious social, democratic and economic issue that we’re talking about here as
well. There are much broader implications. That’s what I work on in privacy. I
don’t work much on the impact on individuals, I work on the much more
substantial effects.
I have argued in the things I have written so far, and I
haven’t got the major paper out on this yet, I’ve argued that biometrics should
be banned. I don’t mean forever. Biometrics should be banned until they are
regulated. So here is an express message in the e-authentication context.
There’s a series of things that have to be done. Some of those things need to
be done for technical reasons, I got the social import, they will not work well
and they will open up the possibilities of insecurity unless they are done. And
certainly the standards kinds of things here links directly into the question.
Standards Australia and , how do you pronounce it, Chris? ‘natter’? NATA.
Natter’s what you do, NATA’s who you are. So NATA and Standards Australia must
surely have copout meetings, must surely have roles to play in that.
Last couple of concluding points, sorry Graham, we’re nearly
there.
11th of September did not change the world. It’s
a common misconception, it didn’t do it.
It’s what happened on the 12th that changed the
world.
What happened on the 11th of September was pretty
bloody chilling, we all know what that was. But on the 12th what
happened was exploitation of the opportunity.
And there has been very substantial change in balance of
discussion especially in the United States, remarkably so in the United
Kingdom, where Tony Blair has obviously had his ego played upon and been warned
that he’s under death thread from 46 different terrorist organisations, where
the UK has been turned amazingly, I must say Australia has been a little more
circumspect, but some of the disease has reached over here.
My personal position on this is that if I’ve got to choose
between a short life and a long life that’s got low quality, I’m not terribly
interested in the low quality life. Now I could be in a minority in this room,
I could be in a minority in the Australian population, judging by the image we
have, I’m definitely in the minority in the US population, oh my god I cannot
believe that this software can cock up so many things at once.
What it says in the bubble up the top is, hell I’m willing
to give up my civil rights in the fight against terrorists, whose sole aim is
to destroy our precious freedoms, there was some little cartoon from the Sydney
Morning Herald a little while back and it does appear to sum up, well firstly
the fact that Bin Laden’s won, whether he knows it or not, whether he’s still
alive and in fact whether he ever existed isn’t the issue, he appears to have
won.
Last points are I fear that there is a considerable lack of
public interest voice in these sorts of discussions. In government fora, I
don’t want to go back over painful history but I do trust that the approach
that was adopted with GPKA and GBACK and the lack of transparency of the gatekeeper
accreditation process, will not be regarded as a model, it should never be
repeated again. They were not happy times. We need much more effective models
than that. That’s in the government context.
In the standard setting processes, I manage to batter my way
on to a W3C working group for the platform for privacy preferences. I was the
first person who ever got a login ID and password into the W3C site who wasn’t
actually an employee of the companies who are paying US$50,000 to be members.
Since then that has been formalised and there has been a moderate number of
external public interest representatives on different working groups. And that
is a very positive direction.
We’ve had extraordinarily bad experiences with the
Australian Communications Industry forum. In Australia, the public interest
representatives who were involved asked for more information, explained the
need for more appropriate processes, got nowhere over an extended period of
time and walked out en masse. And the last I heard was that they’re still out
en masse. It has been an absolute disaster.
Standards Australia, I’ve worked on a number of working
parties over the years, it’s extremely difficult for the public interests to be
represented there. There are structural reasons, this isn’t a complaint at
Standards Australia, it’s the way these things work. It’s the same thing with
CCIT, IETF and a range of other standards organisations and the challenge is
right in front of the Biometrics Institute of Australia, I name them
specifically because they’re named in the report. They will be confronted with
the same difficulty of how the hell do we get the public voice in [?] the
public won’t be interested, and the public won’t be represented unless public
interest organisations get involved.
My apologies to public interest organisations that aren’t in
that list, but that is 60 seconds worth of reflection on the question, are they
public interest organisations that can be even invited into these fora and into
these committees? And the answer is yes, there’s plenty of them, I’ve left out
a few, I’ve thought of a couple more since. And that’s just one person in 60
seconds thinking of a few. Sorry that is not the Health Insurance Commission.
The health issues something or other. One of the problems is
the participation of such people as are invited is sometimes very limited, they
do not have full membership, the second is that representatives of the public
are either employees of someone or are self-employed. If they are employees,
they have to make the case to be allowed off work, if they’re self-employed as
a number of us are, we have to justify, somehow we’ve got to have a business
case to have a hell we are surviving. In many circumstances there’s no funding
for travel, particularly vicious internationally, but even within Australia,
and funding for participation, particularly when they’re substantial one and
two day events, it’s a really hard thing to achieve, so I am concerned that
public interest is not going to be sufficiently represented.
And I’m also concerned that Graham is going to hit me over
the head because I’ve taken too long.
Well, that gives us plenty of starting points for the rest
of the discussion. Since Roger has spent a lot of the time talking about
biometrics, I’ll ask in a second Isabelle Muller, from the Biometrics
Institute, if she’d like to say some things, and then anyone else, from the
biometrics area.
But first I’m going to throw another of Roger’s points at
Tom and Catherine about the history of public interest participation in GPKA
and GPAK, and ask why has history been rewritten in this report?
So that any mention of public interest participation in GPKA
and GPAK as completely excised from here, and they’re being represented as
bodies that only included government and industry representatives, just as an
instance of the problems of even getting any visibility of public interest
participation. So I’ll throw that one to you first while Isabella, and others
draw bread.
I guess firstly I should say that I don’t think we need to
open major reforms, taking in what you’ve given tonight with, which I think is
very clear, I mean I’m quite serious about that, and regard that as a useful
input. I don’t think there’s been any rewriting of history in the document, and
in fact in the best bureaucratic tradition, we’re not in the business of
producing documents with a particular historical focus, nobody would be
interested particularly if we did, and that’s not what we’re being paid for.
I think Roger’s point about disagreements and difficulties
over the early stages certainly of the gatekeeper process has dwelled and the
involvement of public interest groups and issues and views is not something I’m
going to disagree with but I guess it doesn’t help in terms of future debate
about policy. I think a lot of the issues about who we’re starting are being
not made up as we go along but being done from ground up.
For a tortuous time all the agencies and other people
involved, that’s not an excuse for when things went wrong, but I’m not so sure
that it has anything to do with the current situation which as we say is
opening a debate about government structures involved with rather than saying
the existing arrangements are great and should be continued. Quite the
opposite.
I think that’s quite an interesting starting point, Tom,
that there hasn’t been a history of public interest participation in the
e-authentication bodies up until now.
Except for NEAC, actually, Charles Britton [ACA?] was a
great representative of NEAC for over two years.
It was a subsequent development to the involvement of people
in the early stages of trying to work out what gatekeeper might be. NEAC as an
advisory body to the government came later, represented a different stage and
did try to involve, as Catherine said, a wider range of groups including
academic and experts, people from the retail area, the consumers’ association,
and a small number of government agencies.
Some of the work he did on liability and other matters that
we referred to earlier, some of the work on small business which is a group
overlooked in a lot of these debates, we try to pick up as Catherine mention in
publications, and so information work later on, but Roger’s points are relevant
I think to a lot of areas of public policy, I think as far as funding for
public participation goes, I think that most agencies try to treat a lot of
proposals that come forward for funding participation by non-government public
interest bodies on their merits, we treat things on their merits within real
life budgets.
I don’t think we would ever not undertake particular
proposals without thinking about them, and this is a good starting point. Sorry
that wasn’t really an answer but I’m very keen to hear about biometrics as
well.
We’ll get another NOIE perspective just before we get on.
I just wanted to add another couple of comments to what Tom
has said. We haven’t deliberately omitted or deliberately put in things in the
discussion paper for hidden agenda purposes. The purpose of the discussion
paper is precisely that triggered the discussion, and what we’re trying to do
with the discussion paper is trying to get enough information there and enough
ideas on the table to trigger this sort of discussion, and that’s as far as we
really wanted to take it and in fact we’ve left out some thoughts that some of
us had, we’ve left out some conclusions, that some people may have already in
part because we actually want to get a genuine open debate about some of these
things.
To respond to some of the things Roger has raised, NOIE is
going through this process in part because we don’t think we have all the
answers. We are looking for genuine input from a range of interest groups and I
really do want to emphasise that.
In my comment Keith was not to suggest any sort of
conspiracy but rather it’s so difficult for the public interest participation
to get into this process that it easily gets forgotten that it was there, which
seems to have happened in this case. So let’s move on to the biometrics thing,
now I don’t know Isabelle, I’m afraid. Over to you.
Well I’m not a biometrics specialist as such, I’m more
looking after, for those of you who don’t know me, after running the institute
and I certainly know there is great interest in biometrics and then we have
mainly users as our members, that’s really where the focus is, and like he said
we are really there as a forum to make discussion possible and to bring
everyone together who is interested in biometrics.
Most of our members at the moment are government departments
because they are the ones that are using biometrics and have great interest in
it but we are certainly also looking at having more members from financial
services, so the interest is certainly there and I can only stress something,
we’re not really the ones who will drive standards and anything like that, but
really to facilitate the communication and bring everyone together.
Isabelle, could I just ask in light of the sort of things
Roger was raising, has the institute given any thought yet to the type and
level of regulation that would be appropriate for biometric technologies used
for authentication, and secondly, is there as yet any public interest
participation or any structure that allows that in the biometrics institute?
Well again I’m probably a bit too new to answer that
question, I would need to get back to that, but I know there is a lot of
discussion that is brought to our attention around privacy and regulation in
regards to that. So there are things we are looking at and also some ideas of
setting up working groups who could be involved in getting things like that
going.
But it’s still a little bit early to say a lot more about
that, but I can certainly find out exactly a bit more about what is planned.
But at this stage nothing is happening as of yet, we’re only a year old, but
the interest is certainly there and it’s something that we’re looking at.
Thanks, well I’d like to ask now first if there is anyone
else who is actually working in the biometrics industry, who, mythical though
it might be, according to Roger, who would like to come in to the discussion
now and then secondly, anyone else who would like to add some comments
specifically about the biometrics issues.
I am a biometrics consultant. Unfortunately I’d agree with
near enough all of what was said. Most of the culls have been abject failures,
the systems aren’t as strong as things we’d like to claim they are, fortunately
we’ve focused on the face which is the weakest by a long way, I would hate to
be the person managing the face recognition technology and therefore dealing
with the angry people who are not terrorists, although the systems claim they
are.
There are some other systems based on fingerprints which
have been live for some number of years, I begin you’re aware of Connecticut,
and similar systems which are doing too much badly now. There are couple of
other projects which are newer, Stockholm Council in rolling out biometrics to
all of their schoolchildren in all of their schools, there’ve been a real
problem with students who are 7 or 8 years old and are not remembering passwords.
Now I can’t understand why that should be true, because
every child of 7 or 8 should remember an 8 character password!
So what they found was the teacher was spending half a
lesson changing passwords before anybody could get any work done. Now of course
the reason they knew the passwords is that the older kids were locking against
the younger kids, and looking in places they shouldn’t. And they needed some
accountability. So from what I’ve heard that’s been working and I believe it’s
real. I believe.
There are some hospitals in the US under the Hippo
legislation that are based in biometrics. I believe at least on hospital is
going live, not just trialling, that’s St Vincent’s, so there are trials that
are moving towards real life. I haven’t heard how they’re going on yet, but I
believe they’re moving on well, but a lot of what Roger has said I agree with.
Bar more than you would probably expect.
I’ve got two little anecdotes. I’ve been involved with,
actually once, the people I’ve worked with in once smart card trial, where they
were using biometrics in the US with the marines in fact, and the reason they
were using biometrics there was because these guys would just come in, and
they’re these 17-18 year olds, become Rambo in the army, and never had an
account in their life, and there’s no way they’re going to remember a PIN. And
it’s exactly the same scenario there as well.
It’s IQ as well, isn’t it?
Yeah, pretty much. So that’s an IQ issue there very very
much. And the other one is actually in an office I worked in for a lot of
years, a thing into biometrics for some time. We had very few problems with it,
I must say, as a direct user.
Which kind of technology?
I think it was called Fingerscan.
Yes, the same brand Woolworths employees use.
Yes, it was in fact exactly that.
From e-commerce security. I used to work for Fingerscan, and
Baudes [?] was certainly one of our products. However, I also agree with what
Roger has said. I think the biometrics industry here is entirely responsible,
really, for not getting itself off the ground. There are no basic standards,
there is only one internationally accepted biometric testing station in the
world, and that’s somewhere in Belgium or Holland, and the Sanyo laboratories
do it in the US. But they do it pretty
haphazardly, there is nothing with biometrics that you can actually measure
anything against. There’s no standard, there’s no nothing. And until we get to
that stage, it’s going to go on languishing.
However, that said, I think that it’s very easy to say the
system doesn’t work, or the technology doesn’t very well, and what Roger has
said is both true. But if you look at the other side, everything with something
that you have to do, like put a finger down, put a hand down, speak into a
system, have an iris scan, is something that you do voluntarily. Therefore,
when you are looking at a system where you say “it invades privacy”, you don’t
have to subject yourself to it, particularly if it is just part of another
system.
I think if one looks at biometrics as being the be all and
end all, that is absolutely wrong. It is simply yet another tool along with the
factor, P as a tool, your smart card or your swipe card or whatever it is.
Depends on the layers that you wish to put in to create authentication or
identification or verification.
But it needs a great deal more work on it, and I think
Isabelle’s got a lot of hard yakka ahead, because I tried for 2 years to run
the biometric subcommittee of standards Australia, and actually getting any
people along to the meetings, and secondly to really put together any
meaningful papers was extremely difficult. People are interested, yes, but
that’s about where it lies.
Your thing on privacy is a bit of economic naivety, it’s
like saying that I won’t utilities Microsoft operating system unless I accept
their EULA, and use a licence agreement, but I need the Microsoft operating
system to use everything else, so I’m actually economically forced to go down
that track. Now if I’m about to run for an aeroplane, and they’ve got a facial
scanning system, I don’t have a choice. If I want to get onto that aeroplane, I
have to go through that biometric system. The whole point of all this is access
– do I have access or don’t I have access? I don’t think it is to say from a
privacy perspective that I really have a choice. There are economic choices,
and if I want to get to this business meeting, I have to go through that
biometric.
I’m not expecting I’m going to have much choice when I try
to get back into Hong Kong next year, it’s a finger scan or nothing to get
through immigration in Hong Kong, and when a policeman or an immigration
officer stops me and says I want your card, and I want your fingerprint on this
device so that I can check that you’re the legitimate holder of this card, I
mean that just happens to be one leading example of where this compulsory production
of biometric samples is going to happen. But isn’t that the area that brings us
back to the role of regulation in relation to the biometrics industry because
this is such a sensitive area.
I think the role of
government is really to start relief by the point that there are no biometric
standards yet, because if there are no standards, then it is not possible for
someone to certify particular technology. And if it’s not possible to certify
anything, then there can be no organised governance model. And with no
organised governance model fundamentally possible, then the role of government
becomes moot, I think. That’s not to say that the government shouldn’t be
driving Standards Australia or be more aggressive about producing standards, but
my technical analysis suggests at this point that we must be fundamentally a
very long way away from standardising biometrics. So I think we’re faced with a
moot government role for a long time.
I think the
primary way for anybody initiating any new standardisation project is for
somebody from industry to request. Basically I’m not aware of the committee
that you’re talking about earlier, but if it’s proposed, we do our best to
survey the broader industry, build a community of interest, find the experts,
find the interests, to get standards off the ground. We don’t have it at the
moment as far as I know.
I just wanted to make two comments.
One is: the only biometric system I’ve had anything to do
with is signature recognition and one of the interesting characteristics of
that which I would assume is common to other biometric systems is that the
person controlling the system can set the parameters of the algorithm so that
it will accept different variations in the signature. And this is of course
extremely scary to the customer because they’re saying, well if I want
everybody to go through, your signature can change quite a lot and I’ll accept
that, but if I want to be really sure, I’ll tweak it right up so it’ll be 99% identical
to the copy template signature in which case it will reject you a few times
when it’s valid if you don’t do it right.
And that particular characteristic which when you’re reading
a biometric characteristic, I would have thought either a hand or an iris, you
would have to deal with means when you go back to say, ‘well, are we really
sure that this person is really who we authenticated them as?’ You’ve already
built in your degree of uncertainty into the end of the system, and that’s one
of the reasons why the customer that I was working with didn’t buy the system:
because they were just unable deal with having to make that decision as to the
degree of uncertainty that they would tolerate in authenticating people. That’s
my first point.
My second point is I think it’s assumed but nobody’s really
articulated it yet, and it hadn’t really occurred to me, and I think the key
difference with biometrics and probably more to this, is because it’s a
characteristic of yourself, you can’t get rid of it after it’s been captured.
So with a normal digital signature, you might just say, well I’m not going to
use that identity anymore, I’ll get a new card or a new key. But once
somebody’s captured a biometric of you, it would be highly personal information
that would be very powerful in an ongoing way for many years, and I think that
means it’s in the realm of personal information in the Privacy Act, and
probably in the realm of the higher standard of personal information, the
category of clubs and sexual preference and medical information and so on, that
might be captured. So we have a regulatory regime in place which is ready made
to deal with the issues that are associated with captured biometrics. And it
may be that using that regime you may want to set rules that would restrict the
extent to which it might be captured, used and reused.
My last point is that there’s a lot of activity in the city
at the moment, in new mobile phone technology, and one of the things which
mobile phone technology will do is locate you, and there are some very
interesting implications to do with real-time location of people by the phone
that they’re carrying. In Europe, as I understand it, the standard that’s being
set for that location based information is that the systems are allowed to
identify you in real time as to where you are, but they are not allowed to
capture where you have been and archive it as a matter of record. And it seems
to me that that’s a very kind of blunt instrument in order to crack a nut, in
order to guard your personal security, we just won’t capture information which
might be valuable to you to protect you or to prove where you were later.
And getting this authentication system right is not all the
way, that Roger puts it, with respect, that if these authentication systems
exist and they work they will lower our standard of life. In fact, getting
these things to work is very much about empowering people to control
information and to verify and to use it for their purposes, and the objective
ought to be to get them to work properly, not to be suspicious of them and say
that the technology’s bad because it could be used in a bad way, in fact
there’s a lot you can do once the user can control the information and the user
has keys and systems that are within their control.
Thanks Patrick, now Roger’s got the call next, and then
Nigel, and now we’ve got hands going up everywhere. This is good.
3 quick points:
First one, personal information is defined in various
privacy laws in different ways, sometimes information about a person versus
information of a person may mean that a biometric may not be covered under a
law. It’s one of those problems, it’s a change in technology law will get in
our way.
Secondly, AISEF MOLEY, Mobile location indicator, is the
Australian equivalent of the European approach, and you make my point
beautifully, what public interest involvement has there been in MOLEY
activities? It’s very hard to find out what on earth it is AISEF in that area.
However the main point I wanted to make was on testing
standards.
Talking to James Weyman from San Jose estate, he has some
guidelines of his own that he uses when he tries to form testing, and they’re
interesting ones, moderately public, neither he nor I, I’ll phrase it my way,
not his way, neither he nor I expect any sense to come out of the United States
for the next 18 months to two years because every government agency is
completely required to totally believe in biometrics technology, for god’s sake
don’t test it, it might fail. So we won’t see any decent testing standards
guidelines coming out of the States for a while.
But there is a rather good document, I think it’s directly
out of GCHQ Cheltenham, which explains in reasonable depth the approach that
they believe should be adopted, and while I can’t say I’m weathered to that
document, it is well and truly worth analysis, it’s really got some serious
thinking in there. So there is a little bit of progress emergent in the testing
standards area, that is how should you go about designing a test of a
particular biometric technology, or a particular application of biometric
technology.
Thanks Roger, Nigel next.
We’ve got 10 more minutes then we’re going to stop on time for dinner, so let’s
get as many quick contributions in as we can.
Just picking on one of Roger’s slides, on the use of
identification. I think the question actually is this person known to us?
Getting back to the issue of identification versus an
entity, and one of the tools we’re possibly using is dealing with the issue of
a person with several identities for nefarious purposes, and that is important,
and that is, I believe, an important use of the government and the issue of
private licences. There is a lot of fraud going on, lots of people want driving
licences and shouldn’t be with them, and if you think that people driving
around, not giving a damn because they’re alcoholics or perpetual drunks. My
second point was the issue of standards.
I think perhaps the reason that standards hasn’t really got
off the ground is that the people who participate in standards bodies tend
traditionally to have been on the whole about compatibility. In other words,
getting products from different vendors that work together, and that’s agreed as
a common ground to get them to work together.
The issue with biometrics is not compatibility, it’s about
what are we going to say is acceptable, and in the end comes down to false
accept/false reject. And that is a different community of interest to the
vendors. And it’s possible to argue, wrongly, that the vendors may well have a
positive interest in ensuring that that doesn’t happen. And therefore if
standards are going to get off the grounds in this area, it’s a different set
of stakeholders that have got to be involved, and how is that set of
stakeholders put together. I think that’s the issue.
I want to just say that I thought what Roger said very
effective, was very one-sided, it’s easy to criticise things that don’t work.
Very often things don’t work because they’ve been used in the wrong way, or the
technology is not mature. The Wright Brothers didn’t get off the ground at
first attempt, but it didn’t mean that the technology was hopeless and that it
didn’t have a future. And I think we have to bear in mind always the
suitability for purpose, the technology that’s being acquired in a given
instance against what it’s trying to achieve and what it costs.
And to get profound just for a moment, the history of
civilisation is a story of sacrificing freedom for security, standard of
living, what you might call quality of life. You can’t have it both ways, you
can either be an outlaw or you can be a civilised member of society and you can
subscribe to rule of law and the enforcement of the law. In a democracy we all
have the right to assist in formulating the law and deciding what it should be.
But once you have it all in place, whether it’s something trivial, relatively
simple, like speeding regulations, or something really major, like privacy
laws, then it’s up to everybody essentially to comply. And systems which aim to
enhance compliance, are not of themselves tyrannical. It’s not actually a bad
thing to find a way to ensure that people actually obey the law, if the law is
legitimate, and the constraints are there, and the regulation is there.
All the time we are confronted with the, I worked for a
regulator myself, and the pendulum swings back and forth all the time.
Sometimes we’re told there’s not enough regulation, look at what’s happened,
look at Enron, where were the regulators, look at HIH. Other times, Alan Fels
has got to have his wings clipped. He’s getting in people’s way. Commerce
should be free, businessmen should be free to do their thing, they don’t need
this kind of restraint. And so it goes.
I think it’s fair always to criticise a given technology,
but not simply to throw it away. It doesn’t mean to say that it can never work.
The examples that Graham gave earlier of his photograph and his thumbprint are
examples of biometrics which may actually be effective in that particular
situation – doesn’t mean that they’re always effective. Fingerprints generally
have done more good than harm I would suggest in the police environment, and
DNA testing has got more people out of jail when it’s put in. You have to look
at the technology in the context and the purpose for which it’s being used.
I think it’s pretty
important that we have this discussion. Most of my comments will focus on
perhaps on the discussion we had in the first half after the evening, and some
of the comments and issues raised by Roger, and indeed the question of
accountability that Brian raised. Identity isn’t really the problem. It’s a
part of the problem, and the legal identity question establish a commercial
relationship. I have a commercial relationship with one account in my bank, and
I have seven different ways of authenticating myself to act on that account.
The account identifier, or entifier to use Roger’s term, isn’t really the
issue, it’s what authority do I have to act on my account, and if somebody does
act on my account, is somebody accountable for those actions? Should a dispute
arise?
Putting impediments in the place of straight through process
that Stephen called for earlier in the evening, I had in complex set up processes is
counterproductive. Accountability for actions is a very strong issue that we’re
not discussing here at all and that nobody is discussing. If we have people
accountable for their actions, all the existing laws apply. If we have
accountability for actions in terms of commercial relationships or citizens to
government, business to government, we have one to one relationships, at least
one of those entities must have a privacy policy that must address those
interactions. There arguably isn’t really a privacy issue if we believe our
privacy regimes are appropriate. We need to look at a bigger picture more than
just identity.
There’s a long way to go in all of this process, some of the
discussion tonight and elements of the NOIE discussion paper, while very
useful, are saying things that are being discussed 5 years ago. We’ve got a
long way to go yet, I believe. Some parts of industry are running, and some
haven’t even thought about it. We need to see an ongoing fostering and
communication and education role, NOIE’s probably a good, well-placed entity
for that, and some others. But I think we need to raise the bar and look for
full commercial activity, not just identity or identity authentication. And
that’s I’d like to close the evening. We’re a long way from where we should be
discussing the issue.
I’m going to take one more biometrics comment to finish off
before dinner. So the last shot before dinner.
Let me preface what I want to say by commenting that if you
have been a customer I wouldn’t be saying what I’m about to say now. Can I
refer to a couple of the technical points raised earlier.
In terms of tuning signature systems, my general thought is
that if it needs to be tuned there’s something wrong with it. There is an
objective of letting people in easy, or it’s letting too many in that it
shouldn’t be and you need to make it harder. Either way, making it tuneable for
local circumstances simply means that you don’t have a robust biometric.
The second one was on non-verification, in other words, if
something happens, my left thumbprint is exposed to the world, I can’t do much
about it. The are moves now to make the only repository of biometric
information being something in the user’s own possession. In other words, I
will authenticate myself against something that I carry, and at no times,
assuming everything works, is my biometric released openly. It is not stored
anywhere, it is not kept anywhere, simply that I match what I carry with me and
that device will then say, yes the identity is confirmed. That I think is the
only way that biometrics will get a public display.
Well, it’s an interesting test case isn’t it, of all of
this, with the biometric or reversion of it being stored both as a token but
also in a central database, and six and a half million of them.
Graham, within a law firm, my days at the law society we
tried to implement PKI as a practising certificate for lawyers. And the problem
was you couldn’t give people signatures which would enable them to encrypt
information within the firms in a way that prevented the partners from seeing
what was there. You had to have an escort arrangement, otherwise the integrity
of the business internally was under threat. And once you then explained to
people the systems that needed to be put in place to make that work, they would
be unwilling to implement. That’s the other side of having a separate store of
the key, it’s a backup, it’s an administrative, it can be an emergency system.
It might be threatening, but it’s also entirely useful practically.
In response, I understand the logic of keeping the biometric
on a token in order to make it very difficult to have identity theft, but
Security 101 is that nothing is perfect, and the fundamental problem with
biometrics is that it is incapable of dealing with identity theft. If I have a
really really strong biometric in 15 years, and somebody does eventually steal
that, then I am disenfranchised from that community fundamentally forever. And
every other authentication technology can deal with identity theft by revoking,
revoking biometrics is fundamentally impossible and that’s what scares me about
it.
Isn’t it fundamentally impossible to steal a biometric?
[?]
Generally, No.
You might steal a token, but that’s not stealing your retina
or your fingerprint.
Steal’s an awkward word because of IP here, it is possible
to come up with an artefact which will enable a successful masquerade.
This is sounding more like the discussion that will happen
after. What we’ll do is take half an hour for dinner, and after we come back, I
think at least the first parts of the agenda where it’s compulsory to have a glass
of wine in front of you, where we’ll start is by looking particularly at
biometrics again for a minute, and the existing regulatory structure,
particularly privacy laws and the extent to which they do not or deal with
biometrics, and then move back to the topic that we started on Tom, which is
sort of our principal focus, that out of all of this, from everything we’ve
heard, what future regulatory structures, for biometrics, PKI and the whole
e-authentication package, both in terms of legislation and co-regulation,
sounds like might be the sorts of things that might be needed after all of this
discussion.
So that’s where we’ll go after everyone’s had some dinner.
Thanks very much for everyone for the contribution so far,
because I know some of you will have to go without coming back to the table
afterwards.
[ back
to top ]
There is a special after dinner rule in relation to the
transcript, that is, you have absolute discretion to edit anything you say
after dinner out of the transcript provided that at the time you say it, you
have a glass of wine in your hand. If you’re sober, Than’s taking notes, and
there’ll be no let-out. That’s right, if you make a mistake, you quickly drink something.
Now where we got to was at the point where we want to have a
look at, to what extent do existing privacy laws in particular can deal with
any of the biometrics issues and also on our agenda there’s a question of how
well PKI privacy issues are addressed in the current guidelines by the federal
commissioner and the current legislation. So the general question of
authentication and current privacy legislation, and then after we’ve had a look
at that, I think it’s back to the original question of what sort of regulatory
and co-regulatory structures may be sensible to be looked at from this point
onward.
So on the privacy, I think Nigel was going to have something
to say, and Chris, I think, is coming in. Now do I have anyone else who would
like to come in at the moment? Julie’s going to. Well, we’ll take Chris first,
then Nigel, then Julie, then we’ll take some more participants.
From the privacy commissioner’s office. I suppose I’m
responding to a few things that have been said around the table tonight and one
of the questions that was raised I think by Patrick was the question of whether
a biometric is of itself personal information in terms of the Privacy Act or is
it just a record about the biometric that’s personal information? I think
that’s still an open question, we think about the issue in the office and some
of us are inclined to think that it is, but it’s not tested so there’s no
definite answer there.
And something I was saying to a couple of people, I think in
this whole debate, there’s an issue about current privacy regulation that we
need to think about, which is in a sense, it’s passive, it doesn’t actually
help with the decisions about whether you actually introduce a biometric or
not, it does provide a framework for protection and accountability and so on
once you’ve made the decision to proceed with a biometric, but it isn’t a
decision-making framework as such. So it can give you a bit of false comfort to
say it’s ok, we’ve got privacy regulation, we’ve got a privacy framework around
this. If you haven’t actually done a proper risk analysis and you haven’t
thought about whether a biometric on balance is an ok thing to do, privacy
legislation does something but it doesn’t do the whole job.
The next thing I’ve got to mention is that the national
privacy principles are minimum standards, so they don’t necessarily do the
whole job for every particular possible intrusion into privacy, and possibly
biometrics is an area where some more specific rules are needed, and I think that
some of the discussion around identity theft in the context of biometrics
probably are actually worthy of quite a lot of detailed study and discussion. I
mean, it’s a real issue and it’s probably not one that should just be glossed
over as part of the risk analysis, it feels like there might be some real
threshold issues that we have to think about in that regard, and the privacy
commissioner did a presentation to the biometrics institute, I’ll refer you to
our website to have a look at that paper, it wasn’t a definitive statement, it
was basically an examination of risks, benefits, issues and so on, but it did
point to the fact that you need to think about choice, accountability and
openness when you’re setting up the biometric systems.
Probably something that the paper doesn’t talk about but
that I’ve been reflecting on in the discussion here is that if you’re making
important decisions about a person on basis of a biometric, you probably need
to make sure that you have some sort of review mechanism built in, you don’t
want to make a decision without having human intervention, and challenging the
false positives or false negatives. That was probably all that I was going to
say except in relation to the PKI guidelines, I think it’s important to know
there that they had a particular driver which was the possibility that PKI
might in someway become a de facto identifier for government use.
So the development process around those guidelines was about
PKI in a government context; they were never meant to cover the whole field. So
I think that that’s something we have to think about in those guidelines.
Could I ask for a clarification please? In the NPPs or
whoever they’re called these days, there’s some kind of obligation that the
system developers consider the possibility of anonymity. Is that relevant or
actionable in the context of biometrics system design? Because I can’t think
what force that particular principle has.
Well, it probably gives support to your concepts, Roger. I
mean, what it says is organisations must provide an opportunity for people to
interact anonymously if it’s legal and practical. I mean, you’ve got to pass
those hurdles first, then you have to consider anonymity.
But that creates the obligation to check whether it’s legal
and practical, by implication.
No, it’s a law. Where it is practicable to provide
anonymity, there is a requirement to do so. And some, a bridge toll operator,
is eventually come to grief, I hope, and have their whole billion dollar
investment undone, by a privacy commissioner ruling, that they did not provide
anonymity when it was perfectly feasible for them to do so.
But it brings up something to follow on that I wanted to say
to Chris, the problem which I thought you would have picked up on is that
principle’s completely defective in that it has no requirement in it for
pseudonymity to be considered and provided where reasonable and practicable.
And the reason for that is, when Moira was having her hot house series of
negotiations about drafting the NPPs, she just picked up the anonymity
principle out of the Australian Privacy Charter and dropped it into the NPP’s,
and at the time, I raised the question, ‘Moira, wouldn’t it be sensible if it
said anonymity or pseudonymity where reasonable and practicable?’ And the
answer was, I’m afraid, ‘Graham, most of the businesses there are going to try
and cope with these principles have enough trouble spelling anonymity, let
alone pseudonymity.’ And I’m not joking, but the way in which the privacy
principles were settled, that eventually ended up in the legislation, was
intended as a set of voluntary guidelines and there was nothing that passed for
reasonable policy analysis before the went in.
I suppose I can say that there is going to be a review of
the principles of the Act at the end of next year.
Just before I let Roger come in, can I just add there that
let’s hope it’s a rather better review of the principles than Kathy-Lee presided
over, some years ago, which was a complete an utter farce where no dissenting
views were even considered or put in the minutes. And when we talk about lack
of public interest participation, that round of consultations that led to the
private sector amendments were perhaps the greatest farce of all time, and
certainly left a bad taste in everyone’s mouth.
But can the private sector even cope with the privacy Act as
it is now? And I was just talking to Chris before about the compliance levels,
and you’ve had so many complaints and so on, but when you think about business
generally in Australia, they’re more American in their concepts than they are
European, so as you were saying, pseudonymity was a challenge to them, so how’s
it going generally with compliance and so on? Do you want to make a general
comment on that?
It’s a light touch project.
Now Roger what was guaranteed to be a 2 second comment then
it’s Nigel.
I distinguished earlier on anonymity from pseudonymity, I do
that in all of my papers, there are people in the world, lots more than there
are of me, who don’t distinguish them, and who use the term anonymity in a
quite vague sense to cover the whole area. And if we were to leverage off that,
if the privacy commissioner were to determine that’s what that principle means,
we’d be covered, but it would be really nice if we could all get the word
pseudonymity built in.
I just want to follow on from that, it is my view that we
should argue, until somebody tells us otherwise, that anonymity is not an
absolute concept, that it’s as anonymous as possible. The only thing I wanted
to say is on the ethics issue, because I think all of the other points I was
going to then raise is that there’s a nice interesting little issue is whether
biometrics is an identifier, in terms of NVP7, because if it is, if it is a
number that the commonwealth government assigns to individuals, then that has
implications for what other private sector organisations can do with that
biometric information.
Two things.
On the last one first, the biometrics. I’ve never taken very
much interest in biometrics, but listening to what’s being said tonight, it
seems clear to me that the value of biometrics, if there is any value in
biometrics, is in authenticating card. So as in the case of going through the
Hong Kong airport admissions, you have a card, and you have something which is
inherent which no-one can steal, which can be matched against something in the
card, to prove that it’s your card, then you’re half-way. Then the card has to
be authenticated or authorised to do whatever comes after that. Now it seems to
me whether it’s a voice print or a thumb print or a retina scan or something
even more sophisticated, that is very secure.
If your card will only work for you, nobody can steal the
card, nobody can used the card, then the card is then what you’d use to get
through the gate, or start your car or work telephone or whatever it may be.
That seems to be the first thing, but in a 2 step process, a biometric might be
very effective. Because it would mean something again that you never let go of.
Sure, you would have your own inherent characteristic, and you would have a
stored matching characteristic on the card, and nobody else would have it.
Coming back to anonymity, and this is a concept that
fascinates me because I started out thinking that what we’re talking about here
is certified identity of one client or another, authenticity, authentication,
and to certify that I am somebody that is nobody is semantically odd, as far as
I’m concerned. Do you need to be certified as nobody?
It’s the same nobody as yesterday. If I’m a nobody with a
particular attribute, not on a blacklist is actually a very important attribute
I’d like to keep having. And how can you have that anonymously? The border
guard doesn’t need to know.
The border guard doesn’t need to know, the system does.
Actually, when I cross a border, the system at the border
does not need to record, any more than the fact that a person who is not on a
blacklist can pass through. That’s all they need to do.
But it doesn’t need to know that you’re nobody. I agree with
you in that particular instance. All you are checking is that you’re not on
that blacklist, the holder of this card is not on the blacklist, it doesn’t
matter who the holder is, this card, if you like, is not on the blacklist.
You’ve surrendered your identity to this card, and if that
makes you feel more a person, fine, now this card is the one that is being
admitted, not you.
But in general, certified anonymity is a concept that I find
hard to deal with.
I think the point of it is the privacy regime or legal
regime that deals with identities puts people on the back foot because they
have to enforce the policies or principles that were the basis on which they
disclose their identity. And the point of being able to transact anonymously –
What did that mean?
Well, if I respond to an email from amazon.com, and decide
to buy a CD, then I’ve trusted amazon.com to observe its terms.
[tape change]
To try to do it, but I’d be in a much better position if I
just bought anonymously. I wouldn’t have that risk. All Amazon…
But then you wouldn’t use PKI would you? You would use web
dollars or something.
That’s right. That’s the point of transacting anonymously.
All they need to know is that I have the money or I happen
to be at this IP address or that I’m the person that they’ve dealt with five
other times before because that’s how they’ve profiled my taste of music and I
like them to guess what I want to listen to because that makes it easier for me
to not have to be up to date.
They send me stuff and say “that’s what you might like to
buy”. They don’t actually need to know who I am and because I can transact
pseudo-anonymously or anonymously, I’m in control.
It’s exactly like
going to the corner shop and the woman knows your face.
Yes, but you can be anonymous without being certified
without having any PKI identity or any other identity. All you need is some web
dollars.
You can, but you need, I mean those dollars use public key
technology anyway to provide e-cash so it’s another way of doing the same
thing.
But how can it be anonymous if they have to know where you
live?
Oh, you could have an address….
The broader examples have interesting timing implications.
You’re not on the black-list now but tomorrow you might be. You know, do you
want to destroy all that evidence trail in certain things.
[??]
Most people haven’t thought about all this. They just go on
the internet and shop and e-bank.
But many of them don’t shop and don’t bank, and that’s the
one from the trust viewpoint.
Yeah, but they probably don’t know why they don’t either
some of the time so it’s interesting. It’s a bit of both as you said.
Back to the privacy laws we were talking about. This
discussion just indicates how significant that anonymity principle in the NPPs
is. For the future operation of the authentication in any form in that that has
to be taken seriously. It’s part of the privacy legislation. Nobody knows what
it means. No-one has a clue at all.
But someone is going to get a very nasty surprise one day,
probably not because the Privacy Commissioner makes some adverse ruling against
them which would be hoping too much, but rather because some organisation uses
Section 92, the injunction section that enables anybody to go to the Federal
Court and seek an injunction against anybody who is breaching any of the
privacy principles. And just shut down some identification system that has
failed to properly advert that privacy principle. So…
Can that be done anonymously? [laughter]
In this sense, Australia is ahead of the rest of the world.
There is no national privacy legislation anywhere, that has, to the best of my
knowledge, any enforceable anonymity principle in it.
Do a search on ‘Nym’ on World law privacy collection.
Well, the only one’s the German Telecommunication Privacy
Act, the late 80s where we copied it from. But there isn’t anything else
around, so we’re ahead on this.
I was also going to ask whether anybody’s done what we’re
still able to do anonymously - has anybody seen the film ‘Minority Report’?
Please put your hands up. [About 4 hands go up]
Would anybody who’s gone to see it like to comment on its
likely impact on the biometrics debate?
I thought it was interesting to see that people just
accepted that they were being scanned.
I thought that it was accepted.
A general point I wanted to make is that obviously no-one is
interested in this issue because it comes out of the e-commerce arena but I
think it’s important that the whole debate about identification and
authentication actually takes account of a number of other initiatives that are
also happening in government.
Things like a proof of identity steering committee that
AUSTRAC is chairing that’s looking across the board at levels of proof of identity.
There’s the border control issues that have obviously taken on a new
significance. There’s issues to do with identification issues being brought up
in the context of the electoral roll, e-government and e-voting.
And there’s also a lot happening in relation to driving
licences and all of those really come together and if we’re not careful we’re
going to miss, things are going to sneak through on one or other of those
fronts which actually raise the bar or lower the bar.
It would be useful if somebody, the Privacy Commissioner is
the big candidate, tries to see the big picture, which I understand they’re
trying to do at this time.
Moving to the PKI issues, most of you will be aware that
they way that’s being dealt with is in two ways.
Firstly, the privacy commission’s guidelines on use of PKI
by government agencies and secondly, the privacy criteria in the accreditation
process by CAs and RAs under the gatekeeper scheme.
Taking the latter one first, now, that obviously needs
updating now because they were done at a time when they referred to the
voluntary national privacy principles. Those players, the CAs and the RAs are
now subject, most of them, to the National Privacy Principles in the Privacy
Act which are slightly different. So there is a need for somebody, whether
it’s NOIE or whoever, who takes of this process, to review and revise those
privacy criteria in the accreditation process.
The other thing to be said about that set of rules is that
it’s not clear to me that they’ve actually been applied in practice. Sorry if I
just rake over the history again. As one of the four people that successively
knocked off in an attempt to get through to the GPKI, it’s clear if those
criteria have ever actually been implemented in terms of the post-certification
audit that was meant to happen with the others. I don’t think it’s important
that that’s taken up again.
Moving to the other set of rules that are the Privacy
Commissioner’s guidelines. I think the problem is there’s actually not much
wrong with them, other than the fact that there’s not much evidence that
agencies are following them. They look good on paper, but I haven’t seen a
privacy in practice assessment as required by Guideline Five, Guideline Three,
and all of the choices required by those guidelines to be given to individuals
about levels of evidence of identity, about multiple or single certificates.
We’ve actually got no evidence at the moment that any of the agencies currently
implementing PKI are actually following those guidelines.
The other thing is that those guidelines are obviously
designed to influence the behaviour of the agencies that are implementing PKI,
and most of the issues that those of us who have been involved in PKI have been
raising about PKI are actually reside in the area of the infrastructure as a
whole and the role of CAs and RAs.
Which brings us back full circle to the need for revised
guidelines for those players, and to comply with the international Privacy
Principles. Also to hopefully get that privacy impact assessment process
entrenched somehow, as Chris as already recommended.
The other point I wanted to make is that there is a bit of a
problem at the moment - as Tom and Stephen indicated earlier, all the
applications at the moment are business to business or business to government,
so somehow the privacy criteria seem a bit irrelevant. They are in fact
relevant in that context, but the danger is they’re being put to one side and
systems and frameworks are being put in place to deal with the business to business
and business to government use of PKI, which will become de facto
standards that haven’t picked up on the proper privacy safeguards needed when
you move to individuals having certificates.
Thanks Nigel. Peter van Dyke is someone who knows a bit
about this area. Sorry to put you on the spot, Peter, but I wanted to ask
whether you thought there were any other aspects of the PKI guidelines that are
particularly important and should be observed or any additional things that, in
hindsight, might be added to the PKI guidelines.
I suppose in context we were consultants, we worked closely
with the OFPC and NOIE in drafting the guidelines, I suppose as a set of
consultant’s guidelines and a set of guidelines that came out from the
Commissioner. It’s difficult for us to say because we were a bit removed from
the process since then, so hearing this feedback in this forum is quite
interesting and relevant for us. I’d agree with what Nigel was saying,
especially a lot of the PKI implementations are really just business to
business, business to government, government to government. So in that whole
framework maybe consumers have not necessarily been thought of. There are the
same questions with what’s been happening with auditing, from a privacy
perspective, of CAs and RAs. Now what’s happened to that and the gatekeeper
process? I suppose we’re a bit curious as to what’s happened there.
…
I should declare that I was involved with Chris’ team in
reviewing privacy guidelines on PKI and I think one of the issues that we
tabled but never quite got to was the separation of the information of what
might be in a certificate from the information that might be gathered
subsequently on a per transaction basis in real time by the application that’s
using the certificate. I think this is a really rich area that I just want to
table.
I don’t have an answer or even a position to take,
except to go back over my view that we’re all overly obsessed with the idea of
the electronic passport and I think that what I saw of the work and what I see
of the deliverable now, meaning the guidelines, there is an expectation there
that the only contact between the people that are transacting is the
certificate. And we’ve got some tremendous privacy positive stuff and maybe
even some avenues that go to pseudonymity where a relatively diluted
certificate that has minimum identification information in it could be used to
initiate a transaction and then privacy invasive, potentially sensitive stuff
would be asked in real time.
The classic example is that people seem to have a de
facto expectation, thanks to a certain CA, that you’re birth-date goes in
your certificate. Now I can imagine plenty of government application where the
birth-date is an important thing to maybe do some statistical or sort of
stochastic verification. Whereas if a retail application asked me for my
birth-date then I would immediately decline.
So if we separate the legitimacy of some application from
gathering personal data on top of the data that’s present in the certificate, I
think that’s a really important framework to go forward with. And I’m just
tabling that might be an area to progress the idea of all sorts of things,
pseudonymity, less invasive information in certificates and so on. We’ve got to
separate out the information that’s gathered once and once only at
registration, versus the information that’s gathered transactionally.
Stephen, at risk of being accused of being heavily obsessed
with an electronic passport
You haven’t lost it, have you?
Well, I had my ID card stolen in China, that was bad enough.
But one of the issues that, as Peter and Nigel are suggesting, are outside the
PKI guideline framework, it’s always been a real concern to me, is the lack of
any type of guarantees in government to consumer or citizen use of PKI, that
guarantees that the use of certificates will not become compulsory in
transactions with government, that choice of methods of authentication will
survive. And it’s always struck me as really crucial to the citizen’s interest
in PKI to prevent the notion of an electronic passport emerging out of what
were initially disparate PKI government initiatives. There should be a
guarantee from the Australian government that the use of digital signatures
will not become compulsory in transactions with the Australian government.
Sorry, are you saying that the company seal is not dead.
I don’t think so. No, I’m talking about individuals, not
companies –
Well, even so, what’s the corresponding authentication,
whatever word you want to use–
NPC reported to be an identifier for a corporation.
Are you saying that you have to deal with paper, or there is
some alternative electronic authentication which you could choose?
Ideally that alternative electronic authentication methods
exist as well as the choice, if you want, to stick with paper-based
transactions, that the Australian government won’t go the way of the Australian
banks and attempt, whether they announce it or not, to de facto stop
anyone queuing up in a bank and doing a real live transaction and force
everyone to go electronic. Looking at the perspective I’m coming from at the
moment, I see the Hong Kong government instituting a series of very cunning
ploys to force everyone to accept a mandatory Hong Kong Post e-cert and to use
it in all sorts of contexts.
I’m not drawing any analogies, I’m just saying that in the
Australian context, I think the future of digital signatures would be much more
secure and safe in relation to government to citizen if there were real
guarantees that they would not become compulsory, that they wouldn’t become the
digital passport.
The NOIE paper is very good in philosophy in this respect,
it seems to really recognise and encourage a multiplicity of acceptable forms
of electronic authentication. Not just one flavour, but a genuine choice, and
Tom if you wanted to build into principle –
And you’ll see the piece that the minister releases next
week called the “Online guide to authentication” also reinforces that agencies
will choose that type of authentication … that doesn’t kind of guarantee from
the consumer perspective, but it does go through the whole range of
authentication technologies and their uses.
Well, I think the guarantees from the consumer perspective
is one of the real missing elements in the Australian picture.
I’d just like to deal with that issue, because I don’t think
it’s a major issue for deliberations here, but if people still want to talk
about it that’s fine.
As far as authentication goes, the government has never, as
far as I’m aware, has made specific, any mandating of particular forms of
transactions for individuals, and as far as PKI goes, as a particular form of
authentication goes, I am unaware of any current or planned transactions
between individuals and the government encouraging, let alone mandating, the
use of PKI.
As we all know, individual use of PKIs is pretty much
non-existent, and if it remains so for the foreseeable future, I don’t think
anyone in the industry or the government cares. That’s not an issue, it won’t
happen.
As far as government guarantees on government to citizen
transactions, I think it’s made clear, but maybe it could be made even more
clear, the government, in its targets for online transactions, that government
agencies were in no way expected to mandate particular forms of transactions,
and certainly were not intended to create two classes of transactions whereby
those involved in non-electronic dealings with their government were somehow at
a disadvantage.
That was always a concern I think, and it’s still a concern
to the government and it needs to be made more explicit, so much the better,
but I suspect you’re dealing with what I hope is a non-issue for the future. I
don’t think it’s going to count.
I don’t think there’s any question of government in the
foreseeable future saying that the only way that the only way you can deal with
the government is electronically.
They already do.
In respect of pension payouts and things like that, you’ve
got to have a bank account, it will pay into your bank account. That is not an
argument, it’s very efficient, there are good reasons for it. But to say they
will not force you to deal electronically, that’s not the same thing. They say,
we’re not going to post out cheques, we’re not going to hand out cash. We want
to put the money somewhere. How we get it there is a different issue.
My point is I don’t think there’s any question of government
saying that the only way you can talk to the government, have a dialog with the
government, whatever it’s about, is electronically. I really don’t think that’s
on the card. I don’t think the politicians will wear that. And so that there
will always be face to face transactions. However, where there are electronic
transactions, we do choose to do business with government electronically, then
I think governments will say we will of course require to use or include in the
process, methods that enable us to be confident that we are dealing with who we
think we’re dealing with. It depends on the risk.
The question is whether there is only one method, or whether
there is a choice of reasonable authentication.
You might have a choice of 3 or 4 distasteful methods –
The very process of choice stops the effective aggregation
of information. Choice in itself is valuable.
If the choice costs 10 times as much not having the
choice, if dealing electronically is 10 or 100 times as efficient, then surely
the people who want to have that choice, need to have a price differential.
Witness the success of e-tax as well, SSL, but huge success
in terms of individuals lodging their tax.
My question is in form of a clarification.
If we are in an environment that say you can only use PKI to
get to government, 1. the government’s picked a winner, and the second one is,
fundamentally with PKI, and we got a whole bunch around, then we’re no better
off than when we started the discussion earlier this evening.
The other element of that is that businesses and citizens
have no interest in PKIs at all, do they? Commercially, it’s about .0001%
interest in the marketplace.
Mandating one environment for dealing with government,
either with a business or a citizen, that is not used in the business to
business or person to business environment is doubling the cost, including
choice across the entire economy, rather than just government, has to happen to
make cost effective outcome for providers.
One of the concerns I have with the whole e-authentication
issue is we run the risk of creating two classes of citizen. Not everybody is
going to be able to use e-authentication. And somehow we have to make sure that
not only government makes it difficult for them and delays payment, tax refunds
or whatever, but also that industry is already starting denial of service, if
you like: if you don’t use Internet banking, you wait in a queue longer.
But worse than that, they will also use identification and
e-authentication to say whether or not they want to actually let you to have the
service. They may or may not allow you into the web site, or access for that
particular kind of service. You may not be profitable to them. And if we push
everybody down without anonymous, to do business anonymously, we run the risk
that there’s an unprofitable group in the community that won’t get access to
service or will be denied service.
So I really want to follow on quite a lot from about what
Nigel’s been saying and what Graham’s been saying about the importance of
having anonymous e-transactions; but also dealing with this issue of making it
illegal to deny service, because that is an issue which is coming in at the
moment.
It should. At the moment you have to have a pensioner’s card
to claim a pension basically. If that pensioner’s card works electronically,
fine. Same with Medicare. You’ve got to have a Medicare card to claim Medicare.
I’m talking about business practice.
You’re talking about private sector.
I’m talking about private sector business practice.
Ok, well, maybe in the private sector you have a case, but
from a government point of view, it probably makes sense, it’s cheaper from a
customer’s point of view, and more convenient, and better from a government’s
point of view to deal electronically, and there is very little additional
overhead, in providing a token which works on the Internet as well as it does
in one of these things.
But doesn’t it depend on whether they need to identify you
prior to giving you services?
Well, unfortunately it does, but that is there, that is a
given, they’re not just going to give me anything if I’m not entitled to it,
which is right. You’ve got to have entitlement to begin with.
After that, it becomes simply a question of ways and means,
and if the electronic method is better for me and them, then let’s go, that’s
fine.
Two comments that grow out of this short argument here,
which leads into my point that I was trying to make about 10 minutes ago.
If you had to use a bank to store your banking payment, what
if no banks think you’re not profitable?
Secondly, and very similarly, just how many certs can you
fit on one PC in a nursing home?
And the point I really want to make is why can’t we have a
zero information identities? You’re born, you start with zero, why can’t you
start another one? By the chain of transactions that that identity does, you
establish a level of trust, a level of proof. I’m throwing up a full
discussion, but it seems to me that you don’t have to start with anything.
Start with absolutely nothing.
…
It depends on what benefits flow to that identity.
If we can take 100 identities, and pick off 100 sets of
benefits… !
Can I say this is the fundamental difference between doing
business with government and doing business with private sector. The private
couldn’t give a rat’s hoof – governments are about rationing. Governments want
to know who they’re dealing with because many of the things they deliver are
rationed, in the sense that there is entitlement and so on and so forth. On the
whole, governments want to know who they’re dealing with, the private sector
couldn’t give a rat’s hoof. That is an important difference between the two.
Can I just go back 10 or 15 minutes and picking up on
privacy and connecting it to biometrics.
A quick one, because I then want to hand back to Tom to show
if he has any remaining questions left that he wants to ask everyone.
I’d observed that all the privacy principles they started
with are the ones from the OECD, and I’m not quite sure how much scope they’ve
got to tinker with those, whether the OECD agreements are under treaty –
No, they are not, they have no effect on anything.
One of the things we’ve done is to pick up the European
practice of identifying sensitive personal information, and that’s I think been
embodied in both the Commonwealth and NSW State legislation, Section 19, one of
the things in there is health, and this takes us to the biometrics of DNA and
so on.
The point to remember in biometrics is that it doesn’t
record the raw data. It records a digest, and that I think brings us to an
important principle: if that raw information is destroyed after processing at
capture time, who gives a stuff, and as long as that digest, that numeric
digest, which may be a fairly complicated number (I don’t use ‘complex’, the
difference between is a mathematician’s problem), as long as that cannot be
reverse engineered back to the raw data, and as I understand it, none of them
can, and someone correct me if I’m wrong –
Proper ones can’t.
Proper ones, what you then have is a number that can’t be
reverse engineered.
So there’s clearly no implications of some physical
characteristic of you. It is like a representation, a short hand
representation, but then you’ve got a number, and the number can be very easily
stolen. You’re not stealing a picture, you’re not stealing a fingerprint,
you’re stealing a number that is a digest of that characteristic.
The issue then is how easy is it to inject that number into
a system to represent somebody else? And that’s really what the issue has
become.
Yes, it gives you a number. But when you put your finger
down, or you get your face recognised, or your voice, or whatever it is, it
doesn’t give you an absolutely identical […], so there is no 100% match. So
what you’re saying is true is from the sheer point of view that yes, this is a
proper thing, and you want to look at it and identify it, but it isn’t as easy
than if I switched that number, and I can reproduce it.
Because any reasonable system will reject exact matches, in
an electronic context.
[ back to top ]
Graham Greenleaf
Well, we’re going to finish off by going back to Tom and
Catherine. The question I want to ask Tom is: what do you want to receive
submissions on? What are the questions that haven’t been answered tonight
as far as you’re concerned, but you want to get those cards and letters rolling
in.
Some concluding remarks. Those of you in the room who like
me are past the age of 45 years and have a plane to catch in the morning will
realise that we don’t want to drag out proceedings of these discussions. I
wouldn’t presume to try and summarise the discussions, for some of you rather
amusingly suggested before. So just some concluding remarks, Graham I do
appreciate the opportunity to have the last few words.
I’m very concerned about Stephen’s very loose use of the term
‘electronic passport’ in a room reasonably replete with legal practitioners.
As far as I’m aware, electronic Passport with a capital P is traded by a large
software company which will remain nameless, so don’t do it again. It’s not
that sort of Passport, OK? [laughter]
One consistent message coming through from people in the group
this afternoon and this evening is the need that the advice that the government
receives on this matter doesn’t make too many assumptions.
It does go back to what is usually termed first principles
- not first principles of how PKI works by any means, but first principles
about what authentication actually means. I agree with about 60% of Roger’s
views on that, but that’s a good start.
That’s the highest rating he’s ever had. [laughter]
Tom Dale
Can I say comparing the proceedings this evening with those
that we’ve had in Canberra a week or so ago, clearly in terms of that
discussion about first principles on authentication as opposed to particular
methods of authentication, I think the discussion here has been far more open
and in some ways far more useful, but to some extent that was no surprise.
People did bring a certain amount of baggage, history or whatever
to the discussions in Canberra, whether they worked for the government
or they were vendors of particular issues or solutions. And to some extent,
on this issue we can go digging up the past a little bit too much, and I don’t
know that it helps future debates on public policy to be quite honest. Some
of it is almost ancient history in Internet years, and really who cares.
The discussions about first principles that we’ve
taken away have been helpful, yes they will be part of our advice to the
government on the way we’re going at the moment, and no we’re not starting out
with too many preconceived views. I think there’s a clear message about
settling some of those fundamentals before worrying about fine details of
governance.
Governance structures for authentication only matter
when you’ve got a clear understanding both commercially and in public policy
terms what authentication is for, and that’s a long way, and therefore you get
to technologies and technology governance structures. So we’ve got a few things
to worry about before, if I recall right, Appendix C and the governance
structures are worried about too much.
PKI, some useful discussions. I think, Roger, the
point you’ve got to bear in mind from our point of view, there are a lot of
legacy structures we’ve got to deal with there, gatekeeper or no gatekeeper.
PKI exists, rightly or wrongly, and there are some digital certificates out
there, and decisions by the government have to take account of what’s there as
opposed to what ought to be there. I don’t know what the answer is, but I found
the contributions to be helpful.
Gatekeeper: we didn’t get a lot of guidance on that
one way or the other; I didn’t expect to. We had some specific questions about
the follow-up order process for CAs and RAs under gatekeeper. Yes that is
behind schedule, you’re right, I signed off earlier this week on an audit
tendering process to take that forward, and we should see some results on that
within about 3 months or so. It’s behind schedule but it’s a resources issue,
not a sinister policy choice, as is the usual case in governments.
Biometrics: I believe that the most interesting and
the more controversial and the more important area in the long term, not just
coming out of this evening’s discussions, but things that we quite consciously
put into our discussion paper relate to the biometrics issue. At the domestic
issue, I think that it’s clear that the full scope and potential of the
existing privacy act and the forthcoming review process need to be explored
fully before people start talking about reinventing regulatory structures that
may not exist at the moment. We have no particular mandate from the government
to become a focal point for a domestic policy debate, on biometrics regulation,
on the other hand we’re not afraid of it either. And we’ll certainly be putting
some fourth-rate advice to the government and taking some further views on that
issue, I hope, because as I said there
are concerns there that in my view make the PKI debate look academic, and I say
that in a non pejorative sense.
Couple of quick comments. At the international level
of biometrics, I think there is some scope for commissioning the OECD to do
some policy work on biometrics at a comparative level between countries. We
are involved with a number of OECD bodies, including the Working Party on
Information Security and Privacy, I would welcome people’s views on an Australian
government proposal, it has to be government proposal, to commissions and
further work on that over the next 12 months. The staff at the OECD are wholly
capable and professional in doing that work, but we need to into support in
some other countries.
In terms of public interest involvement in those processes,
it’s not quite a closed door Roger. Yes, you have to find your own way to
Paris, but some recent work of that working party has involved bodies with
fairly impeccable "soppy Pinko" credentials. The Electronic
Privacy Information Centre has been involved in some recent discussions
in security guidelines there as a full member of that working party, and we’d
be happy to provide more information to that to anybody, it’s not a secret.
We talked about the geographics of these seminars, we’ve got
a number to go, and if anybody has any unfinished business, we’ll see you in
Melbourne on the 6th. I guess I didn’t get my wish to hold one of
the seminars in my own home town which is Newscastle.
Thank you for your contributions, we found it a useful
exercise. I’ll ask Kate and Catherine to conclude in a moment, because they
have put a lot of work into not just the paper itself but in the follow up work
on the list server and in working with the Cyberspace Law and Policy Centre in
what I hope has been a successful joint function tonight. No, but if I had too
many unanswered questions Graham, there is still a period for further formal
submissions, we still have the proverbial open mind on the issue. And I thank
you again for your time and efforts.
Kate Boyle
With regard to follow up and what we’re doing next, I’ll
give you the web address, it’s www.noie.gov.au/authentication_policy/index
. We’ve got a list that you can sign up to and it’s low volume, we’re just
sending out information on an event or a paper that’s being put out for discussion
or comment, and we’ll be sending out the follow-up to these workshops so you
might be interested in signing up to that.
Graham Greenleaf
As a final comment, I’d just like to particularly thank
Baker & McKenzie for providing once again a very nice venue, all sorts of
assistance and providing a really good location for these events. I’d like to
thank David and Than for organising it so well once again, and I’d like to
thank all of you for being good long stayers, five and a half hours worth of
symposium, and I’d particularly like to thank NOIE for once again collaborating
with us on putting on one of these symposia.
Over the first year of the Centre’s operation, I think
perhaps the single most successful thing that we’ve managed to do is establish
such a good working relationship that’s
provided a lot of really helpful discussion and information to a lot of people
and involved a very considerable number of people with high levels of expertise
such as everyone around these tables in some high level discussions.
Before we started
the Centre, this was one of our sort of two or three benchmark things that
we wanted to do and we didn’t know if it’d work. It has probably turned out
to be, I think, the single most successful thing that we’ve been involved
in, these symposia. A lot of the credit for that goes to NOIE for their willing
participation. It’s a very nice example of a very open and participatory consultative
process.
So thanks Tom, thanks
Kate and Catherine. And thanks everyone here tonight for making this a successful
event.
[ back
to top ]
