What Might A Privacy Friendly Access Card Look Like?

In this short article I try to suggest there is a way to achieve the benefits of Smartcard technology and at the same time improve the service delivery and efficiency of the Commonwealth Human Services Department while avoiding much, if not all, of the present concerns regarding privacy and function creep.

The approach would involve the following:

1. Having an Access Card that has nothing more visible on it than its name (A Commonwealth Access Card) and a strip where the citizen can write their chosen ID (that could be their name but does not need to have anything to do with their actual name, address etc). (The card face has no photo, no name, no date of birth, no number etc).

An option, if required, for those who need to deal with services by phone, and need to quote a number might be to allow the ID number to be printed on the card at the specific request of the citizen. Normally most would not need this option as they would be obtaining a benefit at a point of service in person with their card.

2. The Access Card holds only four pieces of information electronically.

a> The card’s ID Number and

b> A quality photo of the card owner and

c> The unique biometric identifier code created from the photo and

d> A card expiry date.

3. The Commonwealth Secure Customer Database only holding the ID number, the citizen’s name and the biometric identifier derived from the photo (not the photo itself).

4. The Access Card being secured electronically so it is only usable by Commonwealth Government services authorised by legislation to utilise the Access Card using Commonwealth Government Access Card Readers.

5. The Access Card held information not being accessible by standard PC equipment or card readers.

6. Having the Access Card do nothing but act as a ‘key holder’ for Government services and nothing else (not a “mini-iPod”, e-Health Card, credit card etc)

How should the system be used?

First, when enrolling for an Access Card, high quality (“100 point”) ID is provided and temporarily stored against the ID Number that is to be allocated. At the same time the photo is taken, converted into a biometric, coded biometrically and also stored.

Next, once appropriate verification of the documentation is undertaken, the card is issued with the data mentioned above being stored on it. All information other than the name, the other data used by the electoral commission, the biometric ID code and the ID number are then removed from the secure database and destroyed. (This is necessary to prevent multiple cards being issued for the same person)

Internal Human Services Department systems use the ID number as their key and each collects all the other information they require for their operations when the card is first presented at say a Medicare, Veteran’s Affairs or CentreLink office. Each benefit thus has its own data-base to manage each benefit and linkage of these data-bases would be only permitted for reasons the public are content with.

All Government card readers will be photo display-enabled to facilitate display of the stored image of the customer, which is only held on the card and no-where else, and the name associated with the card. The ID Number is made available only electronically to Government systems and to no other requesters – even if they gain access to a Government card reader. Thus people delivering services can verify an individual’s ID and determine their ID number, but the card is useless to anyone else who is not an identical twin with the same name who can access a Government card reader and persuade the supporting system to provide its ID number. Still better, even if an ID number is known, it cannot be used without a matching card or specific consent from citizens who desire to access services over the phone and who are happy with the risks this involves.

If desired a PIN could be also used to maximise the security of access, even to the photo.

The benefits of this approach are:

1. There is no database created of every Australian Citizen that holds any more information than the electoral role with an ID number and a biometric ID (Note: no photographic image is held by government).

2. No photographic database of citizens is developed.

3. The card, having only a hand written “name” on it, cannot be used by anyone if lost. If use is attempted the embedded picture and the correct name will be displayed by the reader and this will disclose any attempted fraud to the Government operator.

4. If a citizen chooses to apply a PIN the card will be virtually useless if lost.

5. No one is going to ask anyone to produce a blank card to confirm their ID – especially when no useful information is available without a special Government reader. It will not become an instrument of control and oppression as the present proposal risks.

6. Function creep cannot happen except if the network of Government readers is extended and the citizen chooses to use the service that the Access Card enables.

7. The risk of a numbered card causing identity fraud disappears - there is no number on the card.

With this approach the Commonwealth has a strong link between the key it uses to deliver services and the presenting citizen seeking to use those services, thus it can control fraud etc but the card is – still as it should be – just an Access enabler.

The only downside of this approach is that, if the card is lost, full re-identification is required. That dis-incentive of itself should make most people pretty careful with their card!

The point of this commentary is to show it would be possible to design an Access Card system that would be privacy friendly and meet the Government’s objectives.

Why this has not been done is a mystery to me.

David.

Late Note:

In the Financial Review of the 13 Feb 2007 we now learn function creep is running on apace with, among other things, disputes breaking out with the banking sector of the recording of the Access Card ID in banking records and the rules for how such ID can be asked for. The banks say that having to get written consent to record and use the ID is too onerous. My position would be that an Access Card ID is no business of the banks whatsoever, consent or no! Extra function creep number two is that it seems a ‘voluntary’ Aboriginality flag is to be added – as requested by Medicare Australia. Will it never stop!

D.