Smart Cards and Biometrics
Is a Nightmare-Free Australia Card Feasible??

Roger Clarke, Xamax Consultancy, Canberra
Visiting Professor, Unis. of Hong Kong, U.N.S.W., ANU

http://www.anu.edu.au/Roger.Clarke/....
..../DV/ ID-ACTSTL-0603 {.html,.ppt}
A.C.T. Society for Technology and the Law
23 March 2006

Copyright 1988-2006

Is a Nightmare-Free Australia Card Feasible??
1.   National Id Schemes
2.   Smart Cards
3.   Biometrics
4.   Politics

Human (Id)entification and (Id)entifiers
•   Appearance                 how the person looks
•   Social Behaviour           how the person interacts with others
________________________________________
•   Names                      what the person is called by other people
•   Codes                      what the person is called by an organisation
________________________________________
•   Bio-dynamics               what the person does
•   Natural Physiography       what the person is
•   Imposed Physical           what the person is now
    Characteristics

Human Identity Authentication
•   What the Person Knows
    e.g. mother’s maiden name, Password, PIN
•   What the Person Has (‘Credentials’)
    e.g. a Token, such as an ‘ID-Card’, a Ticket
    e.g. a Digital Token such as
    “a Digital Signature consistent with the
    Public Key attested to by a Digital Certificate”

Human Entity Authentication
•   What the Person Is (Static Biometrics)
•   What the Person Does (Dynamic Biometrics)

The Scope of an Identification Scheme
Specific-Purpose
    for individual organisations or programmes
Bounded Multi-Purpose
    e.g. European Inhabitant Registration schemes
    limited to tax, social welfare, health insurance
    (cf. the TFN – Australian politicians are liars)
General-Purpose
    National Identification Schemes
    e.g. USSR, ZA under Apartheid, Malaysia, Singapore

Elements of a National ID Scheme
http://www.anu.edu.au/Roger.Clarke/DV/NatIDSchemeElms.html

•   A Database
    •  centralised or hub (i.e. virtually centralised)
    •  merged or new
•   A Unique Signifier for Every Individual
    •  A 'Unique Identifier'
    •  A Biometric Entifier
•   An (Id)entification Token (such as an ID Card)
•   QA Mechanisms for:
    •  (Id)entity Authentication
    •  (Id)entification
•   Obligations Imposed on:
    •  Every Individual
    •  Many Organisations
•   Widespread:
    •  Data Flows including the (Id)entifier
    •  Use of the (Id)entifier
    •  Use of the Database
•   Sanctions for Non-Compliance

Claimed Benefits of a Nat’l Id Scheme
http://www.privacy.org.au/Campaigns/ID_cards/NatIDScheme.html#CaseFor
(aka ‘furphy-watch’)

•   Reduction in Identity Fraud and Identity Theft
    (very limited – that’s already addressed in many
    other programs; and it entrenches false id’s)
•   Enhanced National Security / Anti-Terrorism
    (zero impact, because terrorists are either
    foreign, or they’re ‘sleepers’ / ‘virgins’)
•   Productivity / Service-Delivery Benefits
    (achievable with specific-purpose and at worst
    multi-purpose schemes, not general-purpose)

2.   Smart Cards

Categories of SmartCards
•   ‘memory cards’
    with storage-only
•   ‘smart-cards’
    storage, processor, systems software, applications software,
    permanent data, variable data
•   ‘super-smart cards’
    smart-cards with a (very small) key-pad and display
•   ‘contact-based cards’
    require controlled contact with a reader
•   ‘contactless cards’
    may be read at short distance (or longer?)
    requires an aerial
•   ‘hybrid cards’
    with both capabilities

Chip and Carrier
•   credit-card sized plastic card
•   ‘tag’ (clothing-tag, RFID-tag)
•   ...
•   tin can
•   cardboard carton
•   pallet
•   ...
•   animal body
•   human body

Convenient Carriers for Chips
•   Cards:
    •  credit-card sized
    •  mobile (‘SIM’)
    •  ...
•   Tags:
    •  clothing-tag
    •  RFID-tag
    •  bracelet, anklet
    •  ...
•   Things:
    •  tin can
    •  cardboard carton
    •  pallet
    •  car-body
    •  engine-block
    •  ...
•   People:
    •  neck of a pet, or valuable livestock
    •  wrist, gum or scrotum of a human being

System Design Potentials

      •     Storage Capacity greater than other
            technologies
            such as embossing and mag-stripe
      •     Ability enhanced to provide services from a
            standalone unit, without connection to a host
      •     Storage segmentation ability
      •     Use of the same card for multiple services
      •     Use of the same card to link card-holders to
            multiple service-providers

            System Design Potentials – Security
    •       Non-Replicability of active elements of the card
    •       Third-Party Access to data is more challenging
    •       Authentication of devices with which the card
            communicates
    •       Application of different security measures
            for each storage segment
    •       Use of the same card for multiple services
    •       Use of the same card to independently link
            card-holders to multiple service-providers

     SmartCards as (Id)entity Authenticators ?

            •   Stored Name, Identifier, other data ?

            •   Stored Photo ?
            •   Stored Biometric ?
            •   Stored One-Time Passwords ?
            •   Stored Private Digital Signature Key ?



            Basic Requirements of a
     SmartCard (Id)entity Authenticator (1 of 2)
•   Restrict identified transaction trails to circumstances in which
    they are justified (because of the impossibility of alternatives)
•   Sustain anonymity except where it is demonstrably inadequate
•   Make far greater use of pseudonymity, using protected indexes
•   Make far greater use of attribute authentication
•   Implement and authenticate role-ids rather than person-ids
•   Use (id)entity authentication only where it is essential
•   Sustain multiple specific-purpose ids, avoid multi-purpose ids
•   Ensure secure separation between applications


                Basic Requirements of a
         SmartCard (Id)entity Authenticator (2 of 2)
•       Ownership of each card by the individual, not the State
•       Design of chip-based ID schemes transparent and certified
•       Issue and configuration of cards undertaken by multiple
        organisations, including competing private sector corporations,
        within contexts set by standards bodies, in consultation with
        government and (critically) public interest representatives
•       No central storage of private keys
•       No central storage of biometrics
•       Two-way device authentication, i.e. every personal chip must
        verify the authenticity of devices that seek to transact with it, and
        must not merely respond to challenges by devices
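
The last requirement above, two-way device authentication, as an added sketch that is not part of the original slides: the card issues its own challenge and answers only after the terminal has proved knowledge of the key, while `NaiveCard` shows the challenge-answering behaviour the slide rules out. The HMAC construction, the shared symmetric key and every class and function name here are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Terminal:
    """Reader side (hypothetical). Only a provisioned device holds the right key."""

    def __init__(self, key: bytes):
        self.key = key
        self.nonce = b""

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def prove(self, card_nonce: bytes) -> bytes:
        # The role label stops a card response being reflected back as a terminal proof.
        return mac(self.key, b"terminal", card_nonce, self.nonce)

    def verify_card(self, card_nonce: bytes, response: bytes) -> bool:
        expected = mac(self.key, b"card", self.nonce, card_nonce)
        return hmac.compare_digest(response, expected)


class NaiveCard:
    """One-way scheme: answers any device that sends a challenge."""

    def __init__(self, key: bytes):
        self.key = key

    def respond(self, terminal_nonce: bytes) -> bytes:
        return mac(self.key, b"card", terminal_nonce)


class Card:
    """Two-way scheme: the terminal must authenticate before the card answers."""

    def __init__(self, key: bytes):
        self.key = key
        self.card_nonce, self.terminal_nonce = None, b""

    def hello(self, terminal_nonce: bytes) -> bytes:
        # Step 1: store the terminal's challenge, reply only with a fresh challenge.
        self.terminal_nonce = terminal_nonce
        self.card_nonce = secrets.token_bytes(16)
        return self.card_nonce

    def respond(self, terminal_proof: bytes):
        # Step 2: the card's challenge is single-use, so a recorded proof cannot be replayed.
        if self.card_nonce is None:
            return None
        nonce, self.card_nonce = self.card_nonce, None
        expected = mac(self.key, b"terminal", nonce, self.terminal_nonce)
        if not hmac.compare_digest(terminal_proof, expected):
            return None  # an unauthenticated device gets nothing keyed to this card
        return mac(self.key, b"card", self.terminal_nonce, nonce)


def run_session(card: Card, terminal: Terminal) -> bool:
    """Full exchange; True only if both sides authenticated each other."""
    terminal_nonce = terminal.challenge()
    card_nonce = card.hello(terminal_nonce)
    response = card.respond(terminal.prove(card_nonce))
    return response is not None and terminal.verify_card(card_nonce, response)


CARD_KEY = secrets.token_bytes(32)   # constructed sample key
ROGUE_KEY = secrets.token_bytes(32)  # constructed: a reader that was never provisioned

if __name__ == "__main__":
    print("genuine terminal:", run_session(Card(CARD_KEY), Terminal(CARD_KEY)))
    print("rogue terminal:  ", run_session(Card(CARD_KEY), Terminal(ROGUE_KEY)))
```

A shared symmetric key keeps the sketch short; a scheme meeting the slide's "no central storage of private keys" requirement would need per-card keys or an asymmetric construction.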

3.   Biometrics

Biometrics Technologies
•   Variously Dormant or Extinct
    •  Cranial Measures
    •  Face Thermograms
    •  Veins (hands, earlobes)
    •  Retinal Scan
    •  Handprint
    •  Written Signature
    •  Keystroke Dynamics
    •  Skin Optical Reflectance
    •  ...
•   Currently in Vogue
    •  Iris
    •  Thumb / Finger / Palm-Print(s)
    •  Hand Geometry
    •  Voice
    •  Face
•   Special Case
    •  DNA
•   Promised
    •  Body Odour
    •  Multi-Attribute

Imposed Biometrics
“imposed physical identifiers ... branding, tattooing, implanted micro-chips”
The [London] Financial Times, 6 Mar 06

Categories of Biometric Application
•     Authentication
      1-to-1 / ref. measure from somewhere / tests an ‘entity assertion’
•     Identification
      1-to-(very-)many / ref. measures from a database that contains
      data about population-members / generates an ‘entity assertion’
•     Vetting against a Blacklist
      1-to-many / ref. measures and data of a small population of wanted
      or unwanted people / may create an ‘entity assertion’
•     Duplicate Detection
      1-to-(very-)many / ref. measures of a large population /
      may create an assertion ‘person already enrolled’
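
The four categories above differ in where the reference measures come from and in whether the comparison tests an assertion or generates one. The following added example (not from the original slides) shows this with toy 16-bit templates compared by Hamming distance; the templates, names, threshold and distance measure are all constructed assumptions, not properties of any real biometric system.

```python
THRESHOLD = 3  # assumed: up to 3 differing bits out of 16 still counts as a match


def distance(a: int, b: int) -> int:
    """Hamming distance between two 16-bit templates."""
    return bin(a ^ b).count("1")


def authenticate(test: int, reference: int, threshold: int = THRESHOLD) -> bool:
    """1-to-1: tests an entity assertion against one reference measure."""
    return distance(test, reference) <= threshold


def identify(test: int, population: dict, threshold: int = THRESHOLD) -> list:
    """1-to-(very-)many: generates entity assertions, possibly more than one."""
    return sorted(name for name, ref in population.items()
                  if distance(test, ref) <= threshold)


def vet(test: int, blocklist: dict, threshold: int = THRESHOLD) -> list:
    """1-to-many against a small list; an empty result creates no assertion."""
    return identify(test, blocklist, threshold)


def enrol(name: str, measure: int, population: dict,
          threshold: int = THRESHOLD) -> list:
    """Duplicate detection: refuse enrolment if the measure matches anyone enrolled."""
    duplicates = identify(measure, population, threshold)
    if not duplicates:
        population[name] = measure
    return duplicates


# Constructed templates. CAROL differs from ALICE in 4 bits; BOB is unrelated.
ALICE = 0b1010110011110000
CAROL = 0b1010110011111111
BOB = 0b0101001100001111
LIVE_ALICE = 0b1010110011110011  # Alice's test measure with 2 bits of sensor noise


def demo() -> dict:
    population = {}
    return {
        # Both enrol: their reference measures are 4 bits apart, above the threshold.
        "enrol_alice": enrol("alice", ALICE, population),
        "enrol_carol": enrol("carol", CAROL, population),
        # A second enrolment of Alice is flagged, but against two people.
        "enrol_alice_again": enrol("alice-2", LIVE_ALICE, population),
        # 1-to-1 passes for the true claim and also for a false claim to be Carol.
        "auth_as_alice": authenticate(LIVE_ALICE, population["alice"]),
        "auth_as_carol": authenticate(LIVE_ALICE, population["carol"]),
        # 1-to-many yields an ambiguous assertion at this threshold ...
        "identify": identify(LIVE_ALICE, population),
        # ... and no assertion at all (a false non-match) at a stricter one.
        "identify_strict": identify(LIVE_ALICE, population, threshold=1),
        "vet": vet(LIVE_ALICE, {"wanted-1": BOB}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```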

The Biometric Process
[Diagram. 1. Enrolment / Registration: Measuring Device; Reference Measure or ‘Master Template’. 2. Testing: Measuring Device; Test Measure or ‘Live Template’. Matching and Analysis; Result.]

Privacy-Sensitive Architecture
e.g. Authentication Against a Block-List
[Diagram. Sensor; Test-Measure; Reference Measure; Relevant Data; Secure Proc’ing Module; Block List; Block List Maintenance; Results (Y/N); Application.]

Fraudulent Misrepresentation
of the Efficacy of Face Recognition

    •       The Tampa SuperBowl was an utter failure
    •       Ybor City FL was an utter failure
    •       Not one person was correctly identified by
            face recognition technology in public places
    •       Independent testing results are not available
    •       Evidence of effectiveness is all-but non-existent
    •       Ample anecdotal evidence exists of the opposite

Realistic Representation
of the Efficacy of Face Recognition
“Smartgate doesn’t enhance security.
“It helps flow and efficiency in the
limited space available in airports”

Murray Harrison
CIO, Aust Customs
7 March 2006

Quality Factors in Biometrics
Reference-Measure Quality
•  The Person's Feature (‘Enrolment’)
•  The Acquisition Device
•  The Environmental Conditions
•  The Manual Procedures
•  The Interaction between Subject and Device
•  The Automated Processes

Association Quality
•  Depends on a Pre-Authentication Process
•  Subject to the Entry-Point Paradox
•  Associates data with the ‘Person Presenting’ and hence Entrenches Criminal IDs
•  Risks capture and use for Masquerade
•  Facilitates Identity Theft
•  Risk of an Artefact Substituted for, or Interpolated over, the Feature

Test-Measure Quality
•  The Person's Feature (‘Acquisition’)
•  The Acquisition Device
•  The Environmental Conditions
•  The Manual Procedures
•  The Interaction between Subject and Device
•  The Automated Processes

Comparison Quality
•  Feature Uniqueness
•  Feature Change:
     •    Permanent
     •    Temporary
•  Ethnic/Cultural Bias
   “Our understanding of the demographic factors affecting
   biometric system performance is ... poor”
   (Mansfield & Wayman, 2002)
•  Material Differences in:
     •    the Processes
     •    the Devices
     •    the Environment
     •    the Interactions
•  An Artefact:
     •    Substituted
     •    Interpolated

Result-Computation Quality
•  Print Filtering and Compression:
     •    Arbitrary cf. Purpose-Built
•  The Result-Generation Process
•  The Threshold Setting:
     •    Arbitrary? Rational? Empirical? Pragmatic?
•  Exception-Handling Procedures:
     •    Non-Enrolment
     •    Non-Acquisition
     •    ‘Hits’

‘Factors Affecting Performance’
(Mansfield & Wayman, 2002)
•   Demographics
    (youth, aged, ethnic origin, gender, occupation)
•   Template Age
•   Physiology (hair, disability, illness, injury, height,
    features, time of day)
•   Appearance
    (clothing, cosmetics, tattoos, adornments,
    hair-style, glasses, contact lenses, bandages)
•   Behaviour (language, accent, intonation, expression,
    concentration, movement, pose, positioning, motivation,
    nervousness, distractions)
•   Environment (background, stability, sound, lighting,
    temperature, humidity, rain)
•   Device (wear, damage, dirt)
•   Use (interface design, training, familiarity,
    supervision, assistance)

The Mythology of Identity Authentication
That’s Been Current Since 12 September 2001
       •    Mohammad Atta’s rights:
             • to be in the U.S.A.
             • to be in the airport
             • to be on the plane
             • to be within 4 feet of the cockpit door
             • to use the aircraft’s controls
       •    Authentication of which assertion, in order to
            prevent the Twin Towers assault?
             • Identity (1 among > 6 billion)?
             • Attribute (not 1 among half a dozen)?

      Biometrics and Single-Mission Terrorists
•   “Biometrics ... can’t reduce the threat of the
    suicide bomber or suicide hijacker on his virgin
    mission. The contemporary hazard is a terrorist who
    travels under his own name, his own passport, posing
    as an innocent student or visitor until the moment he
    ignites his shoe-bomb or pulls out his box-cutter”
    (Jonas G., National Post, 19 Jan 2004)
•   “it is difficult to avoid the conclusion that the chief
    motivation for deploying biometrics is not so much
    to provide security, but to provide the appearance of
    security” (The Economist, 4 Dec 2003)

4.   Politics

Threats of the Age

Terrorism
Religious Extremism
Islamic Fundamentalism

Threats of the Age

Terrorism
Religious Extremism
Islamic Fundamentalism

Law and Order Extremism
National Security Fundamentalism

Mythologies of Identity Control
•   That the assertions that need to be authenticated
    are assertions of identity
    (cf. fact, value, attribute, agency and location)
•   That individuals only have one identity
•   That identity and entity are the same thing
•   That biometric identification:
    •  works
    •  is inevitable
    •  doesn’t threaten freedoms
    •  will help much
    •  will help at all in counter-terrorism
•   Every organisation is part of the national security apparatus

Myth No. 2 – This is about ‘just another Card’
Characteristics of a National ID Scheme
•   Destruction of protective ‘data silos’
•   Destruction of protective ‘identity silos’
•   Consolidation of individuals’ many identities into
    a single general-purpose identity
==> The Infrastructure of Dataveillance

•   Consolidation of power in organisations
    that exercise social control functions
•   Availability of that power to many organisations

Identity Management
of the Most Chilling Kind
The Public-Private Partnership
for Social Control
With the Capacity to Perform
•   Cross-System Enforcement
•   Services Denial
•   Identity Denial

•   Masquerade
•   Identity Theft

Myth No. 5

                      Strong Form:
                 A national ID scheme is
               essential to national security

                      Less Strong Form:
            A national ID scheme will contribute
              significantly to national security

Terrorists, Organised Crime, Illegal Immigrants
Benefits Are Illusory
•   Mere assertions of benefits, no explanation:
    ‘it’s obvious’, ‘it’s intuitive’, ‘of course it will work’,
    all of which are partners to simplistic notions like
    ‘Zero-Tolerance’ and ‘we need to do anything
    that might help us wage the war on terrorism’
•   Lack of detail on systems design
•   Continual drift in features
•   Analyses undermine the assertions
•   Proponents avoid discussing the analyses

Miscreants (Benefits Recipients, Fine-Avoiders, ...)
Benefits May Arise, But Are Seriously Exaggerated

        •    Lack of detail on systems design
        •    Continual drift in features
        •    Double-counting of benefits from the ID
             Scheme and the many existing programs

        •    Analyses undermine the assertions
        •    Proponents avoid discussing the analyses

                            Myth No. 7
            A National ID Scheme can be devised
            so as to preclude abuse by:
            •   Unelected Governments
                •    Invaders
                •    Military Putsch
            •       Elected Governments
                •    that act outside the law
                •    that arrange the law as they wish

Myth No. 8
The public accepts that
‘the world changed on 11? (12!) September 2001’
•   Privacy valuations are highly situational
•   The gloss has gone
•   People are becoming inured / bored / realistic
    about ‘the threat of terrorism’
•   People know that a national ID scheme
    won’t prevent terrorism

Zogby Poll 2 Feb 2006: Support Collapses
                      ’01 (%)   ’05 (%)
Luggage Search          63        44
Car Search              60        37
Roadblock Search        59        33
Mail Search             55        25
Tel Monitoring          38        28
http://www.zogby.com/news/ReadNews.dbm?ID=1068

Conclusion
       •    PETs can address some PITs, but a
            nightmare-free Australia Card is not
            feasible
       •    Any intellectual, and any regulator, who
            accommodates a national identification
            scheme, is selling-out liberty, and
            derogating their duties as human beings
       •    We must not be cowed by either of the
            twin terrors of Islamic Fundamentalism
            and National Security Fundamentalism