
 


 

Transcript of Symposium and Consultation on
E-Authentication

Held on 11 July 2002

[Draft - corrections welcome]

 

Hosted by
Baker & McKenzie Cyberspace Law and Policy Centre (at UNSW Law Faculty)
and
the National Office of the Information Economy

 

At the offices of Baker & McKenzie Sydney, Australia

Transcript prepared by Nick Chen, edited by Than Yeng.

(Please go back to the main E-Authentication Symposium page for the background papers.)

 


Contents

Introduction

Presentation 1: NOIE's e-Authentication discussion paper

Discussion on the NOIE presentation

Session 2: Roger Clarke's paper

Discussion on Roger Clarke's paper

General discussion after the break

Conclusion

 



Introduction

David Vaile, Executive Director of the Baker & McKenzie Cyberspace Law and Policy Centre

Welcome to this symposium on E-authentication, the third event in a series which investigates aspects of cyberspace in the light of various public interests.

One of the aims of these symposia is largely to dispense with the conference style format consisting mostly of prepared lengthy speeches where real discussion tends to happen on the sidelines. What we want to facilitate instead is open-ended, wide ranging discussion of issues that are of interest to experts and stakeholders in the field, and to disseminate the results of these discussions to a broad audience. Accordingly, we'll record most of what is said with a view to making it available in slightly edited format on the web.

Later on we also hope to publish a series of books in which the symposium proceedings will appear together with related papers, articles and materials. We'll also be taking some snapshots to record the event so please tell us or the photographer if you don't want to appear in any of these photographs. Before I introduce the themes of the present symposium I'd like to introduce you to the Baker and McKenzie Cyberspace Law and Policy Centre where I am the new executive director. My name's David Vaile, if I haven't met you yet.

The Centre has been up and running since late 2000, attached to the Law Faculty of the University of New South Wales.

We are generously supported by our hosts tonight, Baker and McKenzie. As well as providing the bulk of our funding Bakers also supports the centre in other ways, such as allowing us to use its facilities for events like this. I should emphasise that otherwise we are quite independent of Bakers, we are not a mouthpiece for the views of the firm or its clients and we are free to pursue our own academic and public policy interests under the watchful eye of the law faculty at UNSW. That said, we are lucky to have at Bakers a number of the most experienced practitioners working in the area and this is often a source of valuable ideas and feedback for the centre.

The Centre runs a variety of events in addition to this sort of symposium. For instance it arranges conferences, events in the continuing legal education program, and the centre itself has a relatively small secretariat including Than, who's the inaugural coordinator. He's been doing a great job to get us to where we are today.

Our activities are driven mainly though by our group of research associates and collaborators, several of whom are here this afternoon. I'm not sure it would make sense to name them all, but I'm sure you'll find them later on. In addition to these research associates, we are fortunate to have participating in the symposium a large number of people from a broad range of disciplines, government, industry, academia, the legal profession, and public interest advocacy. Fortunately we have a mix of IT people and lawyers; this should lighten up the proceedings!

So, we should continue the cross-cultural dialogue initiated in our past symposia.

As we were planning this event, we discovered NOIE, the National Office of the Information Economy, was intending to run a consultation in Sydney as part of a national program seeking feedback on their recent authentication discussion paper. We're proud that NOIE chose to conduct their consultation session in Sydney jointly with us as co-hosts of this event. No doubt Catherine [Higgins] and Tom [Dale] will make sure that you all have a chance to comment on some of the specific topics that they seek to address, although I'm sure that the debate will inevitably cover much broader ground.

The first part of the symposium will begin with a presentation from Catherine Higgins from NOIE. She'll focus on the outline of their authentication discussion paper, of which many of you may already be aware. The main technologies covered in their paper include biometrics and the gatekeepers scheme. I understand NOIE emphasizes their interest in seeking reactions to a much broader range of the authentication options.

The second part of the symposium will be started by a presentation from Roger Clarke of the ANU. Roger will consider some fundamental technical and social limitations of some of the newer and more complex authentication tools, and ask questions about what this means and where they might fit in the broader mosaic of online relationships.

The third part of the symposium will consist of free-ranging discussions after dinner.

This symposium is aimed at discussing the implications of e-authentication and the new environment in which it finds itself in the interests of all the parties concerned, most notably the transaction participants, service providers, and those who support the integrity of the system.

So what do we mean by 'e-authentication'? It's a fairly new term, covering a range of tools including passwords, PKI, and biometrics. These systems attempt to identify, verify, or otherwise raise trust in the participants in an online environment by the use of technological, and to some extent organizational, mechanisms.

I note in passing that there are some complex legal, social, and technological issues in this area, and we have a very diverse audience here today, so I'd encourage anyone speaking to recognize that not everyone may share the background knowledge and jargon that you may take for granted. Please provide a little bit more context and explanation than you would if you were just amongst your peers where you could perhaps take for granted your audience's level of knowledge.

Hopefully this symposium will cast a penetrating light on the issues surrounding authentication in general, specific implementations of it, how well they match the needs of various users and stakeholders, and what type of regulation may be needed. However, I don't want to steal anyone's thunder, so I'll hand over to the joint chairs of this session.

One of them was meant to be Chris Connolly, who many of you may know. He's a co-director of this Centre, but he has been called away to help his wife in the birth of a new, currently unidentified, entity.

Luckily Professor Graham Greenleaf, another co-director, on my right, has agreed to step in on short notice, and share the chair with Tom Dale from NOIE. Welcome Graham and Tom. And over to you Catherine.


Presentation 1: NOIE's E-Authentication Framework discussion paper

Catherine Higgins, NOIE

Thanks David. I'd like to talk today about the discussion paper and some of the background to where it comes from.

As pointed out I think some people have a depth of knowledge in this subject and some people don't, and we've been discovering that over the last two years at NOIE. We really have been intending to educate a lot of audiences about the authentication technology over the last couple of years and we've had an industry and government council whose term had ended but they were called the National Electronic Authentication Council and Stephen Wilson was a member of the council. So some of the thinking that comes from this paper actually comes from the last two years and where authentication technologies had evolved from.

I'd just like to go through the paper very quickly because some people will have read it and talk about some of the questions that we're trying to answer. And also I'll talk about the consultation process a little bit and the submissions we received so far in response to our paper and the others we hope to receive in the next two months. So those of you who have read the paper will see that we have provided an introduction to the whole subject and we've tried to set the context of authentication in terms of electronic transactions, identity management.

We find it hard sometimes to talk about authentication as a means to itself which I think is the wrong thing to do in Tom's terms of Internet or e-commerce agenda. So really authentication has enabling and protective security aspects to it and I think this is important and probably hasn't been raised that much in the debate in Australia to date.

In terms of enabling it enables e-transaction because it identifies individuals online, and it also is an access control technology in that it can be used to control access to remote computers, servers, and so on, so it's a protective security concept in that sense, and I think in Australia we need to talk more about that in the industry because we have a lot of unprotected systems. So that's the other angle of authentication technology, the protective security elements.

Also I think we're going to talk quite a bit about biometrics tonight, and it's getting a lot of play in Australia right now because of the law-enforcement aspects of the use of biometrics or the potential uses of biometric technologies, and that's an area which I think is very interesting, and there's a lot of consumer issues and societal issues surrounding the use of biometrics so hopefully we have quite a rigorous debate about that tonight.

The paper is divided into three sections, and so as I said the first is an introduction to why we have authentication technologies at all and what they help us to achieve more broadly in the information economy. If you go through the Commonwealth government's role to date in authentication and some of you will know that NOIE's been quite involved in authentication in terms of digital signature certificates, and particularly because we accredit IT members under our gatekeeper program so that accredits those industries. Members do go out and issue digital certificates.

So we look at trends in section 2 of the paper and really I think, as was said the biggest trend and noticeable thing over the last two years was that passwords, pins, and those more basic forms of authentication technology are commonly known and used. The more high-end areas such as biometrics and PKI, we have concluded that those areas do need considerable regulatory and accreditation attention and we would like to talk about those specific areas in depth tonight. And cross recognition, the whole concept of recognizing other trust schemes is another area which we have covered in this paper. NOIE runs the gatekeeper schemes, we want to look at recognizing another country's schemes, we have covered that in this paper as well.

I think that area has been a policy discussion for a number of years, but I think it's still got a fair way to play in terms of making international e-commerce a reality and having the exchange of digital signature certificates across economies. So that's currently being discussed in APEC, and now the international forum, and we cover the foundations of our views about cross recognition in this paper.

The whole area of standards and accreditation and so on is covered in this paper as well on page 17. And really we talk about PKI and the standards there simply because there are standards in that area, and it's also a complex area of technology which requires standards.

So we talk there about the original standards, the Australian standards, and I see Alistair hasn't come along yet, but he's coming from Standards Australia, and those standards were named 4539. They were the precursors to the gatekeeper schemes. So we have got some questions in here about whether standards will drive the take up of PKI digital certificates in a private economy in Australia, we like to ask a series of questions and try and have some debate and discussion around that tonight. But it also is if you that standards don't drive the take up of technology either, so we would like to discuss that more tonight.

One of the big issues that NOIE is considering in this discussion paper is our role in this process, NOIE's been very involved in authentication, education, but also in a stronger role as the accreditor of the gatekeeper schemes accreditor. We are really seeking some comments from industry parties as to whether someone else may be better placed to take on that role as the accreditor in future years and we have a series of questions around that and it involves a range of stakeholders including those vendors who are already accredited under the gatekeeper, and we have to look at the business model surrounding, potentially outsourcing gatekeeper from NOIE, and therefore what NOIE's role will be in the future.

So there is appendix C of this paper which I think has been circulated before tonight, sets out a framework for the governance, a new governance framework if you like, for PKI. People like Stephen Wilson will have seen this before because we discussed this at the end of last year so it has a governance structure which has an industry government board and then it has a role for Standards Australia and it has to define which of those will exactly be in that third party accrediting role. But we have put some framework around that there.

We are really trying to get comments back from industry users on whether they can see that national framework being necessary for the rollout of PKI and therefore whether Standards Australia and NOIE should really investigate the feasibility of starting up that framework, how much time and money we should invest in that. And that's a big issue, and it's about demand drivers as well in the economy.

So just a little bit about the process so far, we have had one workshop so far which was in Canberra and unsurprisingly that was dominated by government agencies who have been quite strong users of authentication technology particularly PKI, and also the IT security vendors, so it was quite a good session, but it became apparent to us that people still don't really understand authentication technology fully, and the way they are trying to implement them in government agencies, and that they are still seeking answers to some questions.

There are some good PKI rollouts that happened from Canberra, which has been government and business applications and tax, and the Health Insurance Commission of those two examples. They are seeking more sort of work and guidance in how to reach critical mass with those rollouts. So we're hoping we have had four returns to our papers so far in terms of submissions, and we're hoping to get a number of concerted submissions, from industry consumers and governments over the next few months.

It's interesting, the ones we have received I just took a note of them just to let you know, that the variety of people who have responded to our paper. Two of them are IT security vendors, Gangooli and associates who have done a market stakeholder analysis, and PKI Plus who are an e-security vendor firm.

The Australian Consumers Association made a submission which was based along the lines of the submissions that Charles Britain made to the private commission on PKI guidelines, so he was coming from the same angle as when he saw our paper. The fourth one that is forthcoming I think, is from Glen Turner Arnetts, so from the education sector, his users of PKI technology.

So I'm quite looking forward to reading that one because it comes from a user's perspective. We have had a lot of e-mail traffic from IT-12 which is the Standards Australia committee which originally dealt with the first PKI standards 4539, and it is good timing now that Alistair has just walked in the door.

And the sixth submission that we have had is from the New Zealand government which is really interesting because they are still looking at the whole framework at this point. And their authentication strategy seems to focus on the consumer level so they are looking at the government consumer issues and how they issued identities to individuals within an economy which is quite good and timely at this stage. We have also had a good discussion with VISA and some of the credit card companies about what they are doing and that was very useful as well because it is a real commercial perspective to the authentication field and that's been very useful because I think that the Verified by VISA scheme is getting quite a lot of take up amongst the retailers and the e-tailers.

So look we are hoping for more submissions and answers to some of our questions, we are having another consultation session in Melbourne on the sixth of August, and we are also having another consultation session with the computer association in Adelaide on 30th July and perhaps one in Brisbane as well. But anyway, we are looking forward to your comments on the paper, and this next session we are going to go into looks at some specific issues which outlined in the paper and we stop all the about questions. So that's all for now.


Discussion on the NOIE presentation

Professor Graham Greenleaf, UNSW Law Faculty

Thanks Catherine. We have another formal presentation after the break, and we are going to hear from Roger Clarke, about the question of whether conventional PKI is a good idea. However before we deal with questions like that, I think we can start with one of the broad issues on the agenda in front of you, and deal with the question of what is the role of the government in promoting and regulating e-authentication technology.

Would someone like to put a view on the future role of government in authentication technology regulation generally, and just before you do, a reminder that we would like each person before they speak, to identify themselves, which of course I didn't do -- I am Graham Greenleaf -- and also for those of you sitting at the table could you please turn your name card around so that it faces Tom or faces me so we know who we are getting contributions from. Thanks. Okay, so who would like to start off the discussion on the role of government in future technology, future e-authentication regulation?

Graeme Freedman

I noticed the U.S. government is trying to make some specifications for UV probability spectrum for cars, which they are currently issuing. The really interesting thing for me is that the report, which came in today, reported how airline crews in Europe are having troubles with their uniforms and credentials being stolen.

From the transport workers' union in the U.S., there are concerns for the safety of those crew members, and there has been a push for better certification and authentication. My guess is that the role of the government will probably be directly proportional to the perceived threat of outside interference with your average Joe.

The political process will in many ways determine the perception of threat rather than any technology as it goes forward. It's interesting to see, laypeople, in U.S. transport workers, people looking after the aircraft, unloading the aircraft, things like that, being very concerned about the issues, not because they understand the technology, but because they think there has got to be a technical way of making their operations safer.

Tom Dale

So you think that at the moment, a lot of the evolving perceptions that are around authentication are made in terms of access and security, and that in itself might be a political driver.

Graeme Freedman

I think where governments are involved in these things, people, in a situation where there's no threat and where there's no real need for things to happen, governments probably don't need to be involved.

As the risk gets greater and we consider that our lives can be more affected physically and virtually, then we may as a community want greater involvement. I think that governments will be involved as much as the community wants them to be involved from the political process.

Graham Greenleaf

If I can just take that last comment you made, put up one hypothesis, I would say that every form of authentication is a potential threat to privacy by potential abuse, and consequently, it's inevitable that governments will be more and more involved in privacy regulation in the e-authentication era, and that we can expect a much greater level of legislation in relation to authentication than we currently have in the Federal Privacy Act. So I would throw that in that this is at least one area where government regulation is unavoidable.

Nigel Evans

I observe that there are issues of trust. Governments have regulated in this area. You can't get private inquiry agents in New South Wales, without being licensed by the New South Wales government, because it's perceived as being an area which the operatives must be trustworthy.

Therefore trustworthiness surely is an issue. Then maybe some people who perhaps until quite recently have said "well, a reputable organization with a good brand name is inherently trustworthy", I think that is now greeted with a certain amount of mirth in many circles and I don't think it's politically sustainable anymore. So I think the need for trust may in itself be a cause for a need to regulate licences.

Graham Greenleaf

Thanks Nigel. Would anyone like to respond?

Lyal Collins

I would like to contribute to the general discussion. We've heard the term identity and authentication used here this afternoon, and we shouldn't forget that particularly in the commercial environment, it's the authority associated with a particular commercial relationship that is also of issue.

The identity and the authority only really have relevance in a point-to-point customer to vendor environment, and there's a lot of good working models in the business community today, where there hasn't necessarily been any regulatory input by government. In some cases there has been input by other bodies, including community, or industry regulators.

It's sometimes slightly different of course with statutory or government bodies where there's inherently trust because they are part of the political, the governance process of the culture. I do take forward, though, the comment that the large, monolithic and sometimes self-regulatory environments like accountants and auditors, do sometimes get it wrong. You must plan for failure in whatever mechanism we have going for or have a multiplicity of mechanisms that suit different commercial sectors.

Graham Greenleaf

I'll raise another of the topics that Catherine has flagged, and that's the suggestion that NOIE might move towards promoting some non-government authentication body to take over a more generalised portion of the work the gatekeeper has been doing at present, and ask for comments about that suggestion, and also the related question of if there was sense in such a non-government body in the field, would it only make sense for it to be dealing only with PKI or would it make sense for it to be dealing with a wider range of authentication methods and technologies. But before I do I think I'll ask Tom or Catherine perhaps just to clarify what NOIE's view is on that second question, about what scope of operations did you have in mind for that sort of body?

Catherine Higgins

We did have some discussion about this last week in Canberra, and our thinking has been narrower in that we have been looking at the PKI area in particular and because the gatekeeper standards which are listed in here are quite comprehensive in themselves.

But we did have a discussion last week in Canberra, and a lot of people were a little bit concerned with this suggestion that the management or governance council above this sort of structure would have to be very representative of industry users' views, and existing commercial standards that are already operating, we didn't want to overregulate in that sense.

But we really were looking at a narrower context of PKI because we see that Jas Anson and Standards Australia have that kind of expertise, so if we had a broader concept of authentication which included areas like biometrics and existing authentication technologies in business it would have to be a broader management council at the top of the structure, and it could even be quite unwieldy, so it would be a matter of how you would get that input from business and also whether it is required at that broader level or only for certain technologies.

We have outlined the governance structures in this paper for the PKI management council model, and it's that diagram at C and some of the earlier stuff on page 19 of the paper.

Tom Dale

Can I just make an additional comment. I think it is important to distinguish between the role the federal government has played today in not so much the gatekeeper PKI framework but in its commitment to utilisation of PKI for particular purposes.

Essentially the policies rollout of the federal government has been confined pretty much to government businesses transaction component, with a couple of exceptions. In general the Federal government has not been focussing on PKI or any other particular forms of authentication, in terms of government to individual transactions, and I think a lot of the policy issues raised will likely be raised later on.

There's a distinction between the government trying to establish a trust framework for some sort of transactions in business and transacting electronically with governments. The gatekeeper structure has evolved as a system of standing in governments for PKI, which is a different issue again, and I guess we're trying not to confuse them too much and there's no suggestion that the, well there's no obvious reason why a change in the government's structures, I guess a fairly substantial legacy arrangement such as gatekeeper needs to lead to any change at all in the government's general approach in promoting PKI for particular purposes.

That's the issue with government online, the democracy, it doesn't necessarily mean the government is also in charge of its standards and the accreditations.

Julie Cameron

I'm just taking a business point of view, and following on a little bit from what Tom has said. From an implementation point of view, I'm an electronic commerce practitioner, whereas he's been involved in implementing industry project. We would recommend perhaps a light touch. We looked at implementing PKI into superannuation for various transaction purposes.

We found that there were issues in the trading community, like cost; how much is it going to cost us to set up things like CAs and RAs? The actual cost of the products that we would need to implement, and the cost of implementing the product we would have to put in front of our gateways.

The cost of managing keys was quite inhibitive, particularly when talking about trading chains with small businesses. I think there's some issue here that needs to look at exactly what kind of transactions governments want to introduce as requiring something like PKI, and what are the transactions you would have trusted partners, people who probably do businesses using telephone or fax or some other less secure method.

If the government decides that they want to do PKI, I think there needs to be a caution in making a lot of transactions have to use PKI because it will slow down perhaps the implementation of electronic commerce across Australian industries, and particularly between industries. I wonder whether that could be two levels, the light touch or commerce which is considered to have low risk and perhaps a higher touch if you want transactions which need pure authentication and identification.

John Gardner

There are two issues that I see. The first one's around a body as a trusted third party, in particular, a PKI as a trusted third party or anyone who's performing authentications on behalf of, say a customer through to an agency. We find that that's very hard to describe in a private contractual framework, and there's limits to what can be done or what I trust them to do under current law.

What we see is the role in government trying to find those areas difficult to describe in that relationship and perhaps smoothing out of the way that that could be contained to what the authentication provider actually does compared to what transaction is being authenticated. So it's the first issue on the table.

The second issue is what is being authenticated? There's a role by the registrar of identities within the community and by that I mean civil identities, business registration identities, communities of interest identities, in seizing what they are identifying, and making sure that authenticators of those identifiers are linked into a way that that identity is those granted so that the government role in managing authenticators in the community also needs to consider that same role in managing the registrars of those identities. I hope that wasn't a bit too cryptic.

Stephen Wilson

I have some extended comments to make, if you do not mind. We run the risk in all of this debate in losing track of what people's certificates are really good for. If you do mind a bit of discourse on that, my strong view is that a lot of people having preconceptions which is some years old in terms of certificates already formed from liability, cost and trust. The original view I think of digital certificates was that it would be an electronic passport. And this is a metaphor that is very easy to grasp, and I think that somebody cooked it up almost on the spur of the moment, when they were just thinking about business opportunities. The trouble with it is that comes up with a very interesting set of problems.

If you think of the digital certificate as an electronic passport context to that relationship, you wind up with issues where Alice has a relationship with Sydney authority, she's holding a certificate, she's trying to convince Bob who she is, Bob has no other relationship with Alice he has no of the context to see who she is, he's got no prior relationship with her CAs. NEAC has indeed spent years on this problem and had a look at two different very good legal analyses which have wound up at being somewhat inclusive.

If you look at the NOIE's website there is a diagram which has all the relationships and has this rather alarming but correct phrase that good legal standing of such and such between who the line pays and CAs is indeterminable. Anybody that wants to get into this debate has looked at the NOIE website has obviously been put off. Now I'm not saying that what you said is wrong, but we are all trained over years and years of going to presentations to think of Alice and Bob as having no context, and we continue to be trained in PKI's because we have an e-mail, we receive a little red seal on it and it's a signed e-mail, we click on the signed e-mail and have a look at the certificate authority which it came from and we're trained to think in terms of this certificate authority is trusted, because I had no other way to trust Miss Alice.

The trend at the top of the agenda, the really important trend, the use of PKI's is dramatically different from that. The technical reason to use PKI is twofold: it gives you what's called the system identities, the origin and integrity of the transaction, and it's persisted in so far as I can get a signed form from Adrian, it hits my machine and I can log it and I can trust it on this machine, and they can pass it on and they can log it halfway in six months, they can come back with that form, which has gone from server to server, you can do that using provisional technology which involves that going through audit trails and all sort of things.

The other thing that's important about computer certificates is that they are machine readable. And this is something that gets insufficient attention. There's no real interest in application when everybody's actually getting signed emails, it just doesn't happen. You look at all the other interesting applications of PKI and they have the same characteristics, the servers that are processing forms automatically at high volume, and it's pretty obvious because if we don't have high volumes, we don't have paper savings.

So it's really important I think to understand the interesting applications of PKI. Rich-context, Alice and Bob have a preordained relationship of some sort, and what PKI's doing is automating the existing relationship. If you think about the context of the submission, what indeed what the HIC's trying to do with the certificates is purely context based. As a non-lawyer it's easy for me to say I don't see there being a lot of liability difficulty in trying to work out what happens when a transaction goes wrong. I mean, the parties are presentable, a licensed medical practitioner comes in, a signed form with the HIC.

Graham

Steve, if I could just finish that point: The liability of these things is easy to understand, and the management of these things is easy to understand. If we try and use PKI to automate these existing relationships it helps us understand what killer applications replaces customs and health - customs overseas, stuff in Hong Kong is a very important application of how to. It also helps us understand that PKI is an important trend in the future where credit card companies are using chip cards now.

The chip cards contain very sophisticated PKI systems, and yet nobody is being burdened to sign up. The reason for that is that PKI is embedded in the relationships and the context of the transactions. So I guess my fervent desire is that the policy agenda gets onto problems that have real application, the ones that I have enunciated, and they are not Alice and Bob.

We should turn our attention to more problems, and to a much clearer debate about who should be regulating these things. The question about whether the government has a role is a question about grounding till you start thinking, what is the government's job in regulating registration roles.

Someone

Stephen, out of that very interesting set of comments, we certainly get the point that a lot of the liability takes place through the conflict of particular contexts in which particular PKI applications occur. However, those particular contexts, those you were alluding to, I think were also likely to involve other forms of authentication in conjunction with PKI as part of that context. Where do those combinations of factors lead you in answering our original question of what's the future role of government in relation to the regulation of this whole mix of authentication technologies?

Stephen Wilson

Well, there's two sides to it. There's the technological side and this is a government understated, very clear role. With the technological role of IT, there's an enormously important library of this stuff for everyone to seek standards and by and large it does it in a fairly useful way. [indistinct]. The other side has got wrapped up in government in a very sort of complicated way, that is the idea of personal transport and the issue of very strong identity checks.

The strong identity checks are a national consequence, the idea that Alice and Bob have no other context. If what we did on the other hand was not to identify people personally but use the certificates to coordinate transactions, then we look to the existing communities of interest and the existing authorities.

One example is the existing authority structures that make me a doctor, a missionary or a taxpayer. These are not good examples because the government has a will on us. We all know the good examples, the government has a good understood role in making taxpayers and in making doctors in that authority. I think the authority ought to be delegated now to those sorts of things that we have already charted.

Graham Greenleaf

So you're saying that there's no real role for some overall non-government authentication body here, and that what we should be looking for is industry specific or profession specific or activity specific regulatory structures being augmented to deal with the particular problems of authentication.

Stephen Wilson

I think that there is potentially a role for non-government or semi-government bodies to sit above and it might be a good idea for somebody else to put up their hand and talk about the issues around this. The issue, if I'm trying to rely on a certificate, if I set up a server, and I'm processing forms for people, I want to know if the certificates were issued properly, and I want to know the certificate issued was done according to standards, and I want to know that they're going to be withdrawn properly. Now that 'generically' is a problem across industry, in different areas, we want to make sure that information systems are audited and secure.

DSD has a program in conjunction with NATA… doing all sorts of things, they rely on technical experts to be making instructions orbiting and the licensing (and I use the word loosely) and the accreditation of those bodies to do an inspection does in fact quite often converge in a very small number of accreditation bodies such as NATA and [something] international.

So I think that fundamental problem that we have in quality control, if you like, is that the certificates themselves were generated in a trustworthy manner and are part of the standards. NOIE right now will know what confers that sort of trust or that word appears in all sorts of other issues because there are health checks that NOIE does. Now you could look to other organisations to do those health checks.

Lyal Collins

I'd just like to expand on some of Steve's comments and I think that there's a lot of synergy between what I was saying and Stephen's comments. I think there's a requirement for technology neutrality in a lot of this. There is a very strong need for accountability in all of this, you have trusted third parties who allocate or designate to be accredited doctors, for instance. We don't actually ever go back and check our credentials, but we do want to know that when something goes wrong, we've got a plaque on the wall outside that we can go and hold that individual or that company accountable.

That's very similar to Stephen's comment about automating process of doing interactive, the trust and confidence to deal with a particular individual occurs by non-technology means. The light touch approach, in the superannuation context, perhaps, is a really good example. The financial planner has a context of a relationship with a fund manager, there is other processes around those other forms of accreditation and they are good, working trust party models to date.

The cross recognition probably, where government might provide some directions, or a non-government regulatory body. The process by which a doctor gets a bank account is a form of crude, and slightly esoteric form of cross recognition. That there is an entity, it has a cross commercial practice, and therefore has an ability to authenticate for a different type of commercial relationship with different levels of liability specific to the type of service. So the cross recognition at the very high level is an area where there could be some contribution in there.

The Electronic Transaction Act, just to move on a little bit, the Electronic Transaction Act and its state derivatives or complementary legislation sets some basic criteria about what a transaction and what an electronic signature can be. It's technology neutral, and there's numbers of ways of achieving those. PKI is one of them, I am a vendor promoting an alternate mechanism, and I am sure that there are multiple other processes in place that will do that the same.

An open market approach, letting the market decide, perhaps with some valued input from government or appropriate technology and commercially astute bodies, may well be the approach to go. It's a little bit of a moot point whether it's to be a government or a non-government body as long as there's appropriate funding, and it can maintain the appropriate level of trust, just like the institute of accountants and auditors do.

Graham Greenleaf

I am going to throw this back to Catherine and Tom for the moment and ask are these contributions we're getting answering the questions that you thought you were asking?

Tom Dale

I think so. I should note that we do have both Standards Australia and NATA, and some perspective that they may wish to bring on. I think that the government is certainly conscious of that distinction I made earlier, and does not want to be particularly identified as a market leader or a regulator across the board in all of the areas we've been talking about.

There's been a number of people including Stephen who have said that since the governments originally mould them in all of these matters 3 or 4 years ago, things have changed quite significantly in the marketplace, in the expectations and strategic planning with a lot of federal government agencies and in terms of the will more generally, I guess, and I think the propositions about transactions in context, about fit for purpose approaches to not technologies but for business solutions and the propositions I think that we've heard about generally making sure that authentication is seen as a means to an end, not an end in itself, the ones that are more fairly obvious, so all those reasons, those are the sort of issues that we've locked in, that we require a bit more detail on, but yes, we're getting there.

Alistair Teggart

I'll just preface what I'm about to say by saying that this is the first time that I've spoken on behalf of Standards Australia. There's a long history in the area, but a short history in Standards Australia's involvement. I guess from a starting perspective, if we keep the conversation to PKI, Standards Australia has a long history, back to MP75 in '94, and the tech tree of the GPKA and running the national PKI committee IT 1241, and developing the existing national standards in biometrics. I think that's a pretty separate subject and one that we're probably not willing to enter any arrangements about now but at the international level of debate of biometrics is pretty fragmented.

There's a recent proposal to the joint tech committee between ISO and IEC to set up an international standardisation committee for biometrics led by the USA that I think will probably be picked up in some form, probably not as a separate committee at an international level but within the work of one of the other committees. And I guess if that progresses, then we would see some involvement for us in standardisation of biometric technologies at the Australian levels.

That said, back to PKI, we've had a proposal on the table for nearly a year or so saying that we could, based on the fact of that experience, our position as a trusted third party (some people have got different interpretations of what a trusted third party is) but as a national trusted body, we could oversee the evaluation and accreditation procedures based on that experience.

We've got a broad representation of stakeholders already, and rigorous processes in place that we have for development of standards and accreditation against standards, through certification through CLAWS, and I guess with appropriate funding, somebody mentioned earlier, we could probably take on that role, if it was judged to be appropriate by industry and government, and if there was a perceived demand.

Catherine Higgins

On that point about perceived demand, do members of IT 12 think there is perceived demand in industry sectors, do we need any more standards, do we have enough? You know, we've got PKI coming in anyway, the gatekeeper accreditors suppliers can issue PKI privately to any community interest who can pay for it, and so there are cost issues there and so on. But we need to update 4539 and some parts of that so that the registration authorities can recognise for example, do that work quickly, does that make a difference to the demand side of the economy?

Alistair Teggart

I can't answer straight out. There is probably a role for us to develop a handbook based on the general risk management framework, which is 4360, I think. The specifics of PKI, looking at value of transactions, and that would also sit within the existing information security management standards as well. Draw on that.

Stephen Wilson

I make a point that a handbook on authentication. We've got to be careful that we don't get [something] trying to reverse issues of standards and process controls and so on in the absence of any context, and we got unstuck in the standards group in trying to come to a standard for R8, and it's exactly the same as writing a standard for passports. So if you do that in the absence of any transaction context, and can't manage risk in the absence of context, we know that now, we're at the risk again of just chasing our tail, coming up with standards that are addressing academic issues, not actually addressing the real issues which have to do with the specific use of certificates.

Alistair Teggart

The format of a handbook is a lower concern, which doesn't necessarily mean that it's not a valid technical document, it means that perhaps that some of the very rigid process is avoided. The handbook has guidelines, they're not standards, but they can carry a fair amount of weight, and I don't think necessarily we could get too bogged down thinking about the contextual issues of risk management in PKI. The handbooks are a more open structure, and I think the emphasis would have to be on context.

Chris Winston

Thanks very much Graham. Maybe the first thing I should do is explain a little bit about NATA, I was conscious of the comment made earlier on in this meeting that there are people in this room with all sorts of different levels of understanding of all different parts of this topic, and I certainly confess that I am one of those, just blindly followed for a number of years. I guess some people around this table know something about NATA so if you'll forgive me I thought it might help if I lead you through how we got involved in part of this area, and that is with the Australasian Information Security Evaluation Program, or AISEP, and the facilities, the AISEFs, that get involved in this.

First of all, what is NATA? NATA is a laboratory accreditation organisation. And for laboratory, you can read that very broadly, it's testing facilities, testing calibration measurement facilities. It started in 1947, so we've got a pretty long history in this, in fact we can raise the flag for this country in this one because NATA was the world's first comprehensive laboratory accreditation organisation, remains the world's oldest comprehensive laboratory accreditation, and the largest, so that's one for Australia.

I'll talk about some of our international partnerships in a minute. We are endorsed by the Australian government as the Australian authority in laboratory accreditation. We're also a peak body in inspection accreditation which is another form of accreditation for doing different things and two different standards and we're involved in other things as well. But I think it's the accreditation side that's important here. I said I'd take you on a bit of a journey as to how we became involved in the AISEP program because it's a very good demonstration of what we do.

Defence Signals Directorate (DSD) approached us mid-90s when they were looking at outsourcing some of the work that they do in certifying these AISEFs. They were doing a lot of the work themselves in testing products to go on the EPL (the evaluated products list), there was more work than they could handle and they needed to outsource. So they came to us and said, you're the accreditation organisation, will you help us develop a program.

So we did, we sat down with a, we drew together a steering committee, which is our usual way of developing these programs, and the steering committee, it depends on what sort of program, but usually involves technical people, business people, whatever's interested in the area at stake, stakeholders in the area. We drew those people together and they put together the criteria which were required in order to tailor the standard that we use in laboratory accreditation, the international standard that we use to accredit testing facilities. So that was done, we called for interest in the accreditation, well, in this case we didn't have to call for interest because it's a closed community in the AISEF community, in others we call for interest and get in applications.

Then the process is that we go out and we do the assessment, we do the evaluation, we do that in association with technical experts in the area. So it's a peer group technical evaluation. If all goes well, then the organisation that's being assessed becomes accredited by NATA, that accreditation process goes through an accreditation advisory committee, which is one of the number of volunteer committees which we have within NATA, again it contains people from within that industry that can make recommendations to us about how that particular field should operate and through the chairman whether or not that organisation should be accredited. So once that's done, they become accredited by NATA, that gives them national recognition, particularly if they're dealing with government.

The other important thing is it gives them international recognition because NATA is one of a number of accreditation bodies of its type around the world. There are something like 34 bodies in a mutual recognition agreement, 34 economies in a mutual recognition agreement, with NATA, which means that an organisation which produces a test certificate, a NATA-endorsed test certificate in Australia, that test certificate is recognised in these other countries as if that body were accredited in one of those other countries.

Now I think this is a very important phase in the whole area of e-authentication, because unlike some of the politicians in this country who might have believed in the past, the internet ends at the border of Australia, we all know that it doesn't, and that one day, not very far away, we are going, and indeed we do at the moment, we all trade internationally, and we're going to trade through an authenticated or agreed electronic system. And if there's going to be call for that system to be authenticated, to be accredited, then it's important that the bodies that accredit that system in the different countries have some relationship with each other and are recognised one to the other.

This has happened in the past in a number of areas with which NATA deals. And the other important thing about this, and touching on the earlier question about should NOIE remain involved, I believe that the clear answer to that is yes, because in many of the other areas in which we were involved, and where technical accreditation underpins trade, and indeed prevents technical barriers to trade, it's only because of that technical recognition, the NATA or NATA-like body around the world, it's only because that exists that there can be government to government agreements in some of these areas. They very much underpin those government to government agreements. And government to government agreements, it is so obvious, can only be undertaken by government.

And it seems to me therefore that there has to be a strong involvement of NOIE or some part of government that's got the understanding to advise government on how to negotiate and take part in these agreements which will undoubtedly become more and more important as we move forward in this area. Sorry Graham, that was a very long answer, I just tried to lead people through to what accreditation in this space is about and some thoughts on how government might be involved.

Graham Greenleaf

We're getting close, about 5 minutes away from having some afternoon tea, but we don't seem to be all that much closer to getting any strong opinions about NOIE's continuing role. We've certainly just heard one interesting opinion about that, but I'd like to come back to that point: the role of government in the continuing regulation in this area, and the need for some alternative private sector body. Would anybody like to come in on that at this stage?

Nigel Evans

I think the first point is that accreditation is one thing, but to have any value, there's got to be some mechanism to prevent unaccredited operators. I guess there's an element of buyer beware, but if the price is right, there'll be plenty of people who will use an unaccredited operator. So that's issue. The second point that comes out of that is of course, it's constitutionally mooted, whether that's within the commonwealth or the realm of other jurisdictions, and whether you see it as common, telecommunications or whatever. But there is a constitutional issue there, it's not necessarily in NOIE's court, and I think it's presumptuous to think that it is.

That's one point, the other point is that in terms of what government normally regulates, what we normally do and when we license, which is a form of regulation, to license businesses, professionals in various domains, the criteria are normally pretty straight forward and simple, almost on the yes/no and not many questions sort of vague. Whereas in this area it is complex, it is difficult, there's quite a lot of fuzziness, it's subjective, and there's whole rafted issues of competence and who can technically do it, and that may well mean that in effect, it is in terms of government perspective, outsourced to some other body.

And so maybe there is a matter of accreditation, and accreditation leads to a government regulation, it's only one part of the process, it's not the whole picture, and I think that's a point to bear in mind.

Lyal Collins

I think you are right and you're touching on a point that I've made for myself. Authentication is a complex topic, and so are some of the associated risks and liability, they're topics that have come up before. We don't yet have enough experience in electronic authentication to fully understand the syntax and semantics of what's being discussed. We should crawl before we walk. And the accounting industry's fallen over in a couple of examples with several centuries of experience and background behind it.

NOIE's role: I think is a good one, as long as the state includes an educative role, particularly to spread the word about the syntax and semantics of the issues. And focus on a single technology is a real problem, as it puts all the eggs in one basket, in one framework, and it leads to some trade practices issues.

The banking community has a problem if it standardizes on an interest …forces, everybody to buy an interest can have equipment, for instance. That may or may not be an issue everywhere but it also must be whatever technology we choose, we adopt, it must be cost effective. It is a problem throughout the private sector. We don't have the budgets the government does.

Julie Cameron

A simplistic set of questions. As a user, who is trying to be authenticated? Is it me as an individual, is it a company, in which case who should be looking after that?

I'm sort of wondering whether the question as to who looks after the whole issue depends on strength perhaps of authentication whether it's a full PKI/gatekeeper type thing, or whether it's more a Verisign, and whether it's an individual signing a document, or an individual needing to be authenticated as a person, or in a role whether a secretary of a company or a person who is authorised to undertake transactions for a company, or is it a company that's doing business say with a government organisation?

There is sort of a matrix that we're trying to deal with here, and perhaps the question of the role of government in this really depends where we are on that matrix. A very sort of simplistic view but I think it's a little bit confusing because of the complexity and the need for some kind of matrix. And that might help say, well government is involved, yes, in PKI for government agencies and for large companies, but perhaps government doesn't need to be involved with things like Verisign for individuals, but there may need to be some form of more legally stringent thing if you're dealing with the tax office, which of course is a hub and spoke model rather than a peer to peer.

Catherine Higgins

We are actually publishing 2 publications next week which our minister is launching, and one is called "trusting the internet" and it goes into some of these issues explaining to small business so I think it's very timely and that's the next NEAC sort of product that we've got to the market now. And the other is the "government manager's guide to authentication technologies" and it's got a risk matrix in it so I think when you see some of those things next week it may go towards solving some of these discussions but they are very real educated issues that we need to work through in the marketplace, and they are quite complex.

Graham Greenleaf

I confess to be a bit puzzled about this discussion so far, taking up Julie's point in a way, but in a sense turning it on its head, I'm not sure that the level of regulation that's needed is so much at the large end of the players or their interests being protected rather than the individuals, rather the other way round. I mean, my more general point is that it seems to me there's a lot of the discussion so far has almost proceeded on the assumption that forms of authentication are uncontentious, but what we have to do is try and ensure that there's necessary degree of quality control, but we're not dealing in a field where what is being done is contentious in the first place.

I mean I find that difficult at the moment because I'm living in a jurisdiction where from next year everyone that's likely to have a digital signature with a PIN and a compulsory national identification number on a smart card that contains 2 biometrics, a photo and a thumbprint. And to think that any of these forms of authentication are non-contentious when you have the potential of combinations like that.

Otherwise, I'm having a nice time in Hong Kong. But that as I said is the ingredient that seems to be missing in some of this discussion and I thought we were going to be in part be in the framework that NOIE's foreshadowing, going to have some discussion on whether there's any overall regulatory body for all types of authentication technologies that would also be looking at the regulation of the contentious aspects and whether there was any possibility of that moving outside the government sector.

So perhaps Tom could I throw that over to you and say, what's the breach of this framework you've been talking about?

Tom Dale

It's very hard for people in these discussions, and the same goes for the one that we had in Canberra last week. Inevitably as the discussion develops we all tend to come round, I think about three quarters is coloured consciously or otherwise by what particular form of authentication and that's PKI, for all sorts of reasons it's interesting technologically, and in some ways it's more a sophisticated form of authentication, and it is out there, not to the extent commercially people thought it 3 years ago, but there are digital certificates in existence and they generally revolve around some sort of PKI structure.

So I think that colours our views makes it very hard to talk in terms of policy principles. I think that the fact that people haven't expressed particular views about models of authentication is in itself an answer to some extent, obviously this will take the most extreme example of passwords to a network are authentication, no-one has suggested as far as I know that there needs to be a regulatory policy framework for instance.

Graham Greenleaf

Tom that is precisely what is happening in HK, where there is the investigation of where the PINs should be brought into the authentication legislation in Hong Kong, I know that's up in the air of course.

Tom Dale

Yes, I can't see that catching on as a debate here somehow. At the other end though in terms of emerging issues in biometrics, after Roger's presentation I suspect that the discussion around that certainly should be unimpeded by the advantage that people are bringing to the discussion and might be a little bit more contentious.

Graham Greenleaf

I'm going to give Patrick the last comment, but other than that this is a good point to stop for afternoon tea, because as Tom said it's going to be Roger's job after afternoon tea to help drag us back to first principles and more general considerations.

Patrick Fair

I was just reflecting on whether the government has a role going forward, and I think there's a reasonable hypothesis you could defend, that government has very little role, has needed very little in terms of choosing and regulating the authentication in terms of individual instances of certification authorities or the type of technology, but where the market isn't likely to work or where there's likely to be problems is in cross recognition.

And the economic interest of government in the well being of the country might dictate that cross recognition would be very good for economic activity and for interaction and for efficiency, where the market left to its own devices will have people carrying a number of keys which don't cross authenticate and therefore cause an extra cost and extra inefficiency which the technology itself is able to overcome but the force of market and vested interests and opportunistic, and the fact that when systems start and who uses them and who chooses them might dictate against, and I'd be pretty comfortable leaving it to the market as to whether or not I accept a particular certificate or whether or not I choose to use a particular certificate to authenticate me, I think I might want to have a number of them for different purposes, for some purposes I might choose the very best and for others I might want to be anonymous.

But whether or not those systems spoke to one another is a much harder question and something where government really does have a role.

Graham Greenleaf

Let's break for coffee, we're right on time.


Session 2: Roger Clarke's paper

Graham Greenleaf

Roger Clarke is going to get us started for this session of the symposium, he needs little introduction, but I haven't heard him introduced, as David did for quite a long while, as Roger Clarke of the ANU, that's a while ago. While he keeps that affiliation still, as I would say almost all of you know, Roger has principally been a consultant in the e-commerce and information infrastructure and electronic publishing and related areas, including privacy, of course, for quite a number of years now, but he is also one of the most academically productive and prolific non-academics that I know.

We've asked Roger to talk about the public interest aspects of all forms of e-authentication, to try to indicate the range of public interest issues that in any further or regulatory or non-regulatory structures for authentication will need to be factored in. Roger's going to give a slightly lengthier presentation than Catherine did, probably around the 25 minute zone I think, because there's a lot of these public interest issues to canvas, and that will help us to get off to a good discussion for the rest of the afternoon.

Roger Clarke

Thanks Graham; evening, ladies and gentlemen. The first thing I should do is apologise, because Iíve actually printed out a nice overview set of my slides 9-up. One of the results of this is that the print size is quite small. So Iím going to have to a Richard Alston from time to time, and look down my nose at you so I can read what the hell the next point is.

My background is as Graham said is e-business information and infrastructure, data balance and privacy, and I do it from a strategic perspective, a policy perspective, and public interest perspective and I normally try to say to myself what the hell am I trying to do tonight? And the answer is the intersection of all those, because I've drawn slides through a variety from perspectives here and a variety of slides sets and developed a few specific to the needs of this evening. So I will probably do some have to changing from time to time and you may have to stay awake in order to work out which perspective I'm speaking from at any given time.

The only other generic sort of point I would like to make before I launch is I've argued for years and years and years now that a huge amount of the time was spending on technology and applications of technology and we spend the time on them in separation from the implications issues. That separation has been symbolized tonight because we spend the first time until coffee looking at technology and applications and covenants and those sorts of things and the implications is that soppy wet pinko that comes after coffee.

And then the separate discussion we have on the implications and it's all rot, we have got to get it back wound together so that we're looking at technology applications and implications intertwined and feeding back on one another. So that's the attempt that I'm making here.

Now I'm going to lead off with some general points. You can see the structure in the summary page sitting in front of you. I'm going to start off by asking the question what authentication means. Here as in most circumstances it's misinterpreted. The primary sense in which it gets used and often the exclusive sense in which it is used is as though it meant identity authentication. And there are a couple of honourable exceptions during the discussion earlier on this evening but most of the time that's what everybody implicitly meant by it and I'm sorry but it's wrong. Look up the dictionary and think about what it is that you are doing when you are authenticated, what your focus is. Your focus is on some assertion, that assertion might be about identity, but it might not.

We have to get back to the real question when we are discussing authentication as to what the scope is. Now in order to address this what I would like to do is to get to principles, get to taxonomies, and all those good things that a semi academic and semi consultant type of person likes to do but it's always easier when we start with a simple context and set an example. And I use one of my favourite aphorisms of the Internet.

This gets used interminably by everybody including me and of course that's another $75 U.S. the cartoon bank on the screen for photocopying it, probably $75 twice, we photocopied it as well. But he'll what I wanted do is to draw out some questions about what is it that the people at the other end should be authenticated? Now the words there don't say on the Internet, nobody knows I'm Fido.

The words say 'on the Internet nobody knows you're a dog', so it gives me a perfect entree to point out immediately that it's not necessarily about identity. These are the sorts of things that you might want to authenticate.

One is, which dog? It's Fido, it's that particular identity.

Is it the same dog that I was talking to yesterday? Consider the typical example of a person who is operating as a counsellor, an e-counsellor on the net who is dealing with Wendy or Bob who has been in contact with them last night and has come back and says it's Wendy again and the counsellor says yes I know, as long as it's the same Wendy, does it matter to the heck Wendy is? Neither Wendy and all the counsellor want to have their actual identityhood noted to the other party because it's dangerous for both of them. The Internet is actually a very good medium for those kinds of relationships.

So that's a second and quite different kind of assertion which involves quite different kinds of authentication mechanisms. But sometimes its mind all those things, it's simply what your qualifications or your pedigree, its attributes about the entity or identity that masses. And whether or not you know the identity of entity to go with it is quite separate. And sometimes it's not even the question of the attributes or general attributes about the person or dog, it's about whether when you say I am speaking on behalf of another dog, whether you really do. And that then is a legal question.

And the agency here identity as in government agency, I mean as in principal-agent relationship. That's one was alluded to once during the earlier discussion and I think it's a very important facet in the B2B marketplace it's particularly important. And a great deal of the time all you're actually concerned about is where the what you're getting from the other party is what it purports to be as distinct from the question of whether the other party is food they may or may not want to be. So just using that simple little diagram, we can draw out lots of these kinds of things.

And then of course we can do old dry boring taxonomies, now these taxonomies, and there is the paper wrapped around this with all of the points that I'm making here, there's drilled down slide six and drilled down papers and his references here so you can see the deeper aspects that I'm trying to argue. But let's look quickly at the bottom left-hand corner and identity authentication which is what we seem to be mostly focusing on, we seem to blur the human vs. organization has been to things that I think most of the discussion so far has been about. That's 2 of 15 that I identified as being important, approaches to authentication, or differently said, 2 of 15 classes of assertion that are important in B2B, B2C, G2B and all those other kinds of e-business. So we've got to shift our focus to look at a much broader scope. I will talk briefly down the four on the right, attributes authentication hopefully fairly clear, are you a doctor or not a doctor, are you really a qualified counsellor, are you really a member of this club, are you a member of the home forces who can actually open a bank account with the defence forces credit union, being a fairly topical one at the moment.

Agency authentication: do you really represent that principal as you either claim to or as you appear to, not necessarily a claim but an assertion isn't necessarily that I am Roger Clarke. You just as you I'm Roger Clarke because all of the billing gave me as Roger Clarke. I didn't necessarily assert it did I? You always have to be careful about who's making the assertion.

The third one down the right hand side is the question of the eye you? This can be quite important old fashioned issues, is this person logged in from the terminal that's in the appropriate spot of the building, not just the question of who you are, but where you are and whether anybody might be looking over your shoulder who hasn't got your privileges. There is quite a long-standing question of location authentication but there's going to be a few more mobile, or now we have to call it, ubiquitous computing era, and the other one authentication that's already been mentioned, credit card detail checking, e-cash, credential checking. There's a whole pile of these things that we really need to look at.

Now, having established that our scope ought to be really broad if we're talking about e-authentication, otherwise feel free Tom, to call it identity authentication, but please don't muddy, please determine what this purpose and use appropriate terms and define out of scope the things that are out of scope. I much preferred to see you doing the whole lot, hard and challenging though it's going to be. I will then make the same mistake that everyone else is making, and all focus mainly on identity authentication, or is it only identity authentication? I will bury you back to the top left-hand corner because we are going to do a bit of that as well.

So let's start with the simple diagram we all work with, and thanks to Bill Gates, yet again, I cannot believe the number of variations of bugs between different versions of PowerPoint.

This little thing here says 1, and that says n, and that says record column. And it's going to be like this on every one of the next four slides.

That's the model that most of us implicitly have most of the time when we're talking about identity authentication. Whatever the epistemological and ontological assumption is, I can never remember, phenomenology is it? We assume there's a real world and there are entities out there and they got attributes. There's probably a philosopher in the audience that can sort me out on the words. And we assume, well we're pretty sure, if there's an abstract world there where we abstract things, well we don't really, we model the real world by creating some bits of data, some pieces of data which represent, usually pretty imperfectly, that identity and those attributes. And for any given identity, there could be multiple sets of records, possibly using multiple sets of identifiers. That's the pattern that we normally think in terms of.

Now what we so often overlook is that underlying that identity is an entity, a physical being, an identity is not a physical being, an identity is best conceived of as things like a role or a person in a situation, the expression being used by several people tonight about it's the context in which the person presents to a particular organisation that determines the identity that they are presenting, so we use identity in that sense, and there is an entity with attributes underlying it. And this here points out that there is an m to n relationship between entities and identities. Firstly you shouldn't assume that each human being has only one identity. We have squillions of them. Quick, open your wallet, count your cards, think about all the numbers that aren't on cards in your wallet, all of those organisation-assigned identifiers correspond to an identity. So there's many of them. So there's got to be at least one to many. But in practice there are many circumstances in which more than one entity presents using a particular identity. Sometimes with the approval, or perhaps connivance, of the identity themselves, and sometimes because it's "identity theft" in the many senses in which that word gets used and abused.

So we have to at least get to that level of complexity before we can make any sense at all of some of the questions of identity authentication. And having done that, we then move to the next step, of recognising that there's some kinds of identifiers, if you want to call them that, that are specialised and different from identifiers because they strike directly through to the underlying identity. And clearly here we are talking about biometrics in the case of human entities, but in the case of legal persons, I challenge you to come up with some sensible entifiers for utterly fictitious legal entities like trust companies, like One.Tel, no even some of the existent ones. It's very very challenging to think through what that means in some of the B2B contexts, and indeed B2C where the consumer is trying to reach the organisation and strike through to the entity underlying it. Some interesting philosophical challenges. I use the term entifier because it makes sense to strip the id off the front and relate it directly to the entity.

I've gone back by means of a classic scholar, but the origins of the words identifier and identity and I'm sure they basically derive from an ancient Greek verb "to be" and therefore it's perfectly legitimate to come up with a neologism like entifier. Interestingly, I don't think the words don't ever existed, it's like one of those funny things like 'couth' that doesn't actually exist but should. So I just suggest entifier, just to distinguish it from identifier, just because it's significantly different in practice, and when we have our discussions, once again we need to think our way through ramifications of this. And as you can see from the right hand side of the diagram, having a lot of space left, that's not quite the end of it.

Because there's one further category which is very easily overlooked.

In the discussion paper issued by NOIE, there is a mention, one line, unfortunately not taken any further, but on page 4, this other bit does get in there. And, my god they come up with another bug there, the words in the box in the top right hand corner have disappeared. It's a secret, I'm not going to tell you what's in there. Did it print? No? It says up there, NIM and data items. And by a NIM, which I'll define on the next slide, or you can look ahead, I mean a particular kind of identifier. And the particular context that I'm talking about here, is where we have an identity but it is very difficult to strike through to the identity that underlies it. That's meant to be 2 bars, but for this version of PowerPoint they didn't separate them enough. It's meant to be a blockage.

Now there's 2 different contexts here, or 2 different circumstances.

One is where it is not in practice in the circumstances not feasible to break through, and you can never find out who the entity is underlying the identity. Somebody emails you from hotdickety [at] hotmail.com, and you are unlikely to ever break through unless they give you the information, because you can't issue search warrants, and you haven't got the money to buy people to trace through the layers you'd need to trace through to find out who the hell is out there using that login ID at hotmail. Some organisations possibly have, so then it may not be an absolute blockage. So in your context, that's anonymity, and that Nym is pretty solid. In the CIA's context, to go to a different extreme, perhaps not so, it may only be a pseudonym.

There are of course quite a few circumstances where people think they're anonymous and turn out not to be, and there's been a couple of expensive but effective criminal investigations which have struck through in the context of child pornography especially, have struck through what those users thought was anonymity and got through to the underlying entity, and quite clearly many of us are very interested in being to achieve that, because the accountability, the social responsibility aspects are very well served by that.

Couple of quick comments. Anonymity is, anonymity has always been, and anonymity will be. Anonymity is also challenging as well as being highly beneficial.

I have been trying to encourage much more discussion of effective pseudonymity, with appropriate kinds of blockages built in that make it genuinely hard for governments and powerful corporations to break through, except when the right circumstances are satisfied. So it's a combination of legal and technological and organisational safeguards necessary to achieve it. I don't think that there has been much success in interesting people in effective pseudonymity yet, but boy I'm continuing to work on it.

My essential point is that unless we have got that rich a model when we talk about identity and entity authentication we aren't going anywhere. And that is my definition of Nym, perfectly negotiable, it's been published that way, but I've been known to gradually modify my definitions as the years go by. Nym is used by smallish community around the world at the moment, I originally published all this in 1994, using the term digital persona, but that hasn't particularly taken off, the concept is extremely closely related to what I'm talking about with NIM, but others have taken up Nym but it's an extremely useful neologism because it's not much used to mean anything else, and the root is appropriate, so let's use it. But when you look at the number of different words that are around, that concept has been around since time immemorial in many different contexts, so I'm heartened by that.

So, so much for the lecture, hectoring, about what authentication really means. Let's jump to the question of tools.

And here on this slide, I've tried on one slide to fire off what's in the NOIE discussion paper and refine it a little, because I think there's a couple of aspects that are useful to work on.

The first point that I'm trying to make is that there is a considerable richness of alternative tools on the left hand side, even more than is in the listed examples, they're only listed as examples on the NOIE discussion paper, there's an even longer list depending on how you want to break it down. The second generic point that I'm making on the right hand side is that for any one of these to work, a whole pile of preconditions have to be satisfied. The great deal of infrastructure necessary is not just PKI to support these digital signatures, all these different kinds of tools require quite a range of things in place.

The next couple of points that I ought to make would be to draw a couple of these to your attention that might otherwise escape. The writing of a signature is well established, that is a physical signature, and I mean by that either the result or the behavioural pattern of writing a signature, and I don't believe we should lose that one because it is quite feasible it may continue to play a role in e-authentication as well. The second bullet on the left I'd like to generalise the username/password pair because it is a specific instance of a particular piece of knowledge, password in any case, if not the username, which is likely to be in the possession of a person and not in the possession of others. There are many other instances.

There is also various other aspects like password arguments, so I'd like to generalise that somewhat, and highlight that it's dependent on a reasonably well understood pattern of things and processes otherwise it won't work.

With the third bullet point, I'd like to highlight that with PINs, we also have to recognise non-secure PINs. What do I mean by that? Some are hashed in a secure manner, and the ATM EFTPOS example is up in most of our minds. There are other instances of things called PINs that I don't think should be but they are. How many people have got a telecard or an Optus equivalent? That PIN is known to the operators at the other end. And you are then wide open to spoofing by the organisation or any of the individuals who might move outside their agency relationship with their employer and take home a whole bunch of PINs, knowing the number that goes with it. It's only 12 digits, it's not very hard to memorise. So I think something from a regulatory viewpoint that would be really really handy would be to ban Telstra and Optus from referring to those as PINs. Get another word, fellas. I'm not saying they shouldn't do what they're doing, I'm saying they shouldn't debase the concept of PIN, because the concept of PIN carries with it an image of security. And I think there was one other one that I wanted to highlight? No, I think that was all the points. Clearly there is an awful lot of potential points for discussion here. Now let me divert to the fifth bullet point, digital signature and PKI. I'm going to have to have my ritual go at conventional go at PKI, because it just wouldn't be fun if I didn't.

The first point is that it's dependent on a number of things, it's dependent on public key, it's dependent on left put private key, it's dependent on a lot of software, it's dependent on a lot of law, and it's dependent on a lot of faith. To take that a little further, and let me underline conventional x509 based public key infrastructures basically don't work. There's plenty of literature on this not only in my papers but much more erudite cryptographers and lawyers have written on this. There are some things that a digital signature can do for you, and there are some things that a public key structure wrapped around it may or may not be able to do for you. But it's extraordinarily difficult to come up with a public key infrastructure to do all the things that used to be claimed.

Now Steven Watts and I have had this out many times, overread and not overread, and there are phrasings of this which Steve and I could probably be happy with, not these phrasings, I underline, but some aspects of this Steven would rephrase, it's being used for the wrong things, stop envisioning it as an e-passport, and I'm quoting him this afternoon. So we're somewhat apart, but not as far apart as might appear from the phraseology here.

There's a whole bunch of prerequisites if you're going to depend on public key infrastructure to give you assurance. There are many possible kinds of public key infrastructure, remember I am reserving my nastiest for the existing x509v3 based typical implementations of public key infrastructure. There's all those sorts of things that has to be done, for god's sake don't think that I can do a tutorial on that slide right now, and x509v3 we've got to recognise where it came from. It was a hammer lying around when somebody picked up a nail, and somebody said, ooh, ooh I've got a hammer, hit the nail quick!

It has a history, it comes from a history that is rather separate from, totally unrelated, but rather disjunct from what it's being applied to, and it has bunches of features which may well have made a lot of sense in the original directory context but don't make a very good fit especially in a B2C or a G2C context. Got some problems in the G2B and B2B as well, but especially serious, I believe, are in the B2C context. And indeed when you're trying to represent agency relationships, principal/agent, what is it that this employee can sign for on behalf of the company, there's been a lot of that reverberating around the B2B and G2B environments recently. And there's always been this problem about what the hell do you do about revocations?

There's actually a logical philosophical conundrum in the whole issue of revocation, and it's basically insoluble, and there's some really poor approaches to solve it and some rather better ones which still actually can't totally solve the problem. And the invasiveness, not just comments about e-authentication but to the public concerns about e-authentication, the impact on the public if the registration authority was to do its job in the most serious minded way, is very very substantial. I continually paint the picture that Kerry Packer has got to stand alongside John Howard has got to stand alongside Pru Goward, has got to stand alongside Nicole Kidman, holding a sheath of documents, they have to do it in a queue.

I've always said that I want to be alongside Nicole Kidman, but it is a fact of life that these things have all got to be done, and some of them, adduced difficult, and a great deal of the population is going to have trouble with it. Some of them because they're going to have trouble finding the documents, some of them because they're just getting seriously upset, some of them because they're out bush, running around little territories and such like places, with a lot of threatening things involved if we actually do it. I don't want to dwell much longer, actually I'll tell you what I do want to do, I want to slip in the slide that I should have put there and what I didn't have when I reviewed this was a rounding off slide on the PKI issue.

Firstly, I don't want to be interpreted as saying that, sorry Richard Alston, digital signatures and public key technology applied to such purposes is totally dead in the water. There are applications and there are potentially approaches that can be taken than the ones that have been taken up until now.

And even with conventional PKI certificates there can be some contexts, device authentication, which we haven't really talked about, is one, and closed communities, is the term I'd use for what several people mentioned under various guises in earlier discussion, and Stephen Wilson's point earlier that it's one of the big things about this in a closed community is that it's automated or automatable, and that can give you some considerable comfort in a closed community environment. I've always used the example of the strong hierarchical organisations, I've always talked about the department of defence and the Catholic church because they're the obvious examples.

And I suppose I'll tell some of you this story that a couple of years ago when I was mentioning that example somebody from the audience came up to me afterwards, a Belgian, I gave the presentation in Europe, a Belgian came up to me afterwards and he said, you do know that the Vatican actually uses x509 v3 based PKI don't you?

So I don't want to be interpreted as saying, especially, that public key technology cannot possibly be applied to a variety of applications in e-authentication, but what we've got at the moment is not something that enthuses many of us at all.

I'm now going to have my little swipe, and I am afraid it is going to be a swipe, at biometrics. Once again there's a bunch of slides underneath here which are referred to in the paper which I gave Hong Kong University recently at Graham's invitation, to go into some depth on what biometrics is and why it is giving us a lot of difficulties, the way in which people are approaching it at the moment.

The essential idea of a biometric process is that you start out by enrolling or registering some form of measuring device, capturing something, what I would call a reference measure, but the industry tends to call a master template, and then at some later time, a measuring device, quite possibly quite a different measuring device, captures what I would call a test measure, but is usually called a live template, in the industry, and they are then matched and analysed in some way, and thereby hang a few tales, which delivers some kind of result, and thereby hangs a few tales as well. And appreciating that and how it's applied and used is very important in making further progress in analysing what biometrics is and isn't good for. There's a bit of argumentation as to how the application should be categorised, but I'm going to stick to the reasonably conventional for the moment until I can improve on this, that James Wayman at San Jose is trying hard to come up with a slightly different characterisation than this. But you can either try to answer the question who the heck is this person, and the standard situation in your airport is "who is this so that I can check them against a list of stock people who I do not want through this barrier?" and that is a frighteningly difficult thing to do because you're searching for one among many, and there's enormous errors of commission and omission, type I, type II errors, false positive, false negatives, whatever language you want to use, there's enormous difficulties in performing that process effectively.

The use for authentication of identities is a rather different one because there is an assertion by someone, possibly by the person themselves, possibly by someone else, possibly by you, because you are proposing that you are this person and then testing whether it really is, and that's a one to one test and it assumes you have a reference measure available to you for that person and the ability to capture the same biometric and the same conditions in order to perform the test. I draw attention to the possibility of using biometrics in such a manner that you do not disclose identity but you in fact focus on attributes. There are ways of doing it, the game I play is, have you ever stopped to think that the person who is at the border who is inspecting passports currently, doesn't actually need to know who you are? 99.95% of the time they have no need to know who you are. And you can design systems to ensure that they don't. Clearly there's a trick to it, because if I were to propose that the American Immigration and Naturalisation Service in amongst the many other mistakes that it makes, should not or does not need to know who you are, well that'll be a bit of a silly argument, I'm not arguing that, I'm saying that the border person does not need to know who you are. If a system is designed in order to perform the tests, and I haven't got the diagram here, that's in the drill down set, if the system is done in such a way that the testing is done in background mode without disclosure of any more information than is necessary, the border guard merely needs to know the answer: yes the person has checked out against their right thumbprint on this red-headed person's card, and that person is not on the stock list.

That's all that the Immigration and Naturalisation Service or the Hong Kong passports person when Graham arrives in Hong Kong actually needs to know. It depends on how you design the system, biometrics can be used in many different ways, and unfortunately so far, we're only using it in a dumb way. The concept of mythical annoys some people.

Feel free to interpret me as saying that biometrics industries and biometric technologies are inept. But that's not what I'm saying. I'm saying there's a whole flood of myths flowing around in the biometrics industry, and about the biometrics industry, and to a considerable extent encouraged by the biometrics industry. It is very hard to get serious information, the rate of change in the marketplace is dramatic, the coming and going of technologies, let alone individual suppliers, is frightening. The number of pilots that gets announced go back through the newspapers and the industry newspapers and count the pilots that have come forward. And then go checking around amongst your friends who have had experiences of using and being subjected biometric schemes, and there are some very embarrassing stories to be told, and while there are one or two biometric suppliers who are quite healthy, thank you very much, it's because they're small divisions of large corporations with many other healthy divisions.

Try to find individual suppliers who are making a packet out of biometrics right now is seriously challenging. This could mean a number of things, very early phases of the industry and so forth, one of the things it could mean is that they've ended up not getting very many sales, they keep promising and not quite delivering in context. I suggest the latter, but I don't know enough about the industry to be sure. What I do know is, that if you take the worst case, and please don't think I'm tarring every biometric technology with a brush, face recognition, but this has got to be one of the biggest cons ever perpetrated on mankind. It doesn't work, and there's sufficient evidence to show that it doesn't work, and there's plenty of effort by the organisations who provide the technologies to avoid the independent analyses and information flowing about those independent analyses, it is fraudulent misrepresentation, and feel free to quote me.


Discussion on Roger Clarke's paper

Keith Besgrove

You've got some examples there that I've never heard of, that you're sort of assuming that you know what the examples are.

Roger Clarke

Oh sorry, beg your pardon, on that slide?

Okay, Tampa Superbowl was January 2001, and simply the town in which the Superbowl was held, that's the world championship of football. Sorry, the American championship. And the crowd as they came through the turnstiles, were submitted to video apparatus which it is claimed tested them against the database of terrorists, troublemakers, pickpockets, I don't think we actually know. I don't know whether it was used in Japan, it totally failed, and that's documented, there's a couple of publications which are referenced in the literature underneath here, that explain how the information has become available. Ybor City is a suburb of Tampa, is a city council of Tampa, which got very enthusiastic about this and installed it quickly and it's failed utterly and dismally and once again it's well documented. We're still trying to find information on the others, but the ACLU, were the people who've pieced this together through a variety of probably fair means and foul, but the information is very disappointing. What I need to stress here is that irrespective of the effectiveness or ineffectiveness of biometrics, they have a lot of implications.

I can suggest by the way some other examples, apart from face recognition. It’s slightly unfair to suggest that face recognition is a disaster therefore all biometrics are.

There are different kinds of experiences, if we take three of the most common at the moment, hand geometry, I don’t have terribly good anecdotal background on, but it has claimed and has made some progress in testing in very constrained circumstances. It uses measures of the shape of knuckles in a field, how you place the whole hand in a field, and there are spaces to ensure that it’s meant to be a consistent space, and it’s used in particular by INSPASS, the Immigration and Naturalisation Service, in the US, for high fliers, in the sense of business class and above passing through Heathrow, JFK, LAX. 2 anecdotes from my own experience is I have on a number of occasions stood right alongside the INSPASS booth at LAX for periods of 10 minutes at a time.

And I’ve been waiting, I haven’t been standing there because of I’ve been waiting for somebody to use it, I’ve been looking for the opportunity, I’ve never seen anybody go past one. So I’ve got no idea, I guess they get used.

The other anecdote that the only Australian who I know has one, hasn’t got it anymore. He’s a senior public servant, Canberra Commonwealth public servant, and he always chastises me and takes me on privacy and surveillance matters and biometrics matters, and I said to him one day, but you must have INSPASS surely, of course I’ve had INSPASS for bloody years, he’s been in the Hague, he’s been in London, New York, on postings. I said, ‘well how well does it work for you?’ He said, ‘oh, shithouse, I gave it back a few weeks ago.’

I said, ‘what do you mean?’ He said, ‘well, I must’ve used it 20 times, it’s only once worked for me.’ He said ‘I just couldn’t be bothered and gave it back to them.’

So sorry, the anecdotal evidence ain’t real good, but it’s used in nuclear power stations, it must be good. The second one is thumbprints, I had an honours student work in the department of computer science, looking at the possibility of masquerade based on conventional commercial products, and he had no difficulty whatsoever in performing a masquerade based on the template that’s stored and available, which is the proposition I put to him in the first place, but I couldn’t believe how easily he did it, admittedly he’s a first class honours student, but it’s not supposed to be that easy.

And iris recognition technology, now we’re starting to talk about something that’s very interesting. Iris recognition technology I think is the one to really watch out for. It’s extremely interesting maths and very interesting physics, and it also requires very specific circumstances for it to work effectively, which is one of the important messages, and which has indeed floated around. Conditions, contexts. So I want to fly through four slides and say that irrespective of whether biometric schemes work or don’t work, they have enormous implications for people, some of those, I don’t know whether it’s privacy, I don’t know whether it’s civil liberties, I don’t know whether it’s plain convenience, call it what you will, everybody gets affected by some of it, and people who get picked out as false positives get subjected to a huge amount of it.

There’s also various kinds of privacy invasiveness, and I want to underline here it is multidimensional. As a submission I don’t know whether I’ve got time or money to write a seriously hard submission to you Tom but you only talk about privacy in the context of data privacy in this document. There are four dimensions, biometrics in particular strikes all of them. It’s something of the person intrinsic to them, that is being used, it affects personal behaviour, because it involves surveillance of various kinds, as well as having to do with the privacy of personal data, and the third word of course has to do with the point that you’re striking through to the entity, you are not dealing with an identity. I wasn’t going to dwell on it here, there is an argument, particularly as we move into the DNA context, that there may be information exposed in various forms of biometric testing which may relate to things that are close to predestination. The obvious is the meanings of particular genes, or the import of particular genes, there have been arguments, none of which have been terribly well established, that other kinds of biometric might also contain information about the person.

The iris is the obvious one because of iridology. I don’t want to stress that one too hard, but there have been arguments, the statement is, and even possibly personal fate, it’s that kind of, I’d better not leave it off. There’s also threats of personal identity, I’ve mentioned the example of the ease of masquerade based on standard templates of thumbprints, please distinguish masquerade from identity theft, they’re very different things, and the US FTC doing stupid things with their definitions with their national fraud centre in the US, absolutely criminal incompetence in the way in which they’re describing things that are just single instances of masquerading and calling them identity theft, really reports they’re stupid.

There is a thing called ‘identity theft’, and it’s serious, and unfortunately biometrics will tend to worsen the situation as well as, not instead of, improving it. It’s a double-edged sword. It obviously is designed to provide access denial to various places and false positives are obviously going to denied access to places that they shouldn’t have access to in principle, and it could go so far as enabling identity denial, which you’ve got to read, I’m not going to deal with that tonight. And there’s a much more substantial things, my sole point with this slide is it is not just about individual human beings and the privacy of each individual person, it is a serious social, democratic and economic issue that we’re talking about here as well. There are much broader implications. That’s what I work on in privacy. I don’t work much on the impact on individuals, I work on the much more substantial effects.

I have argued in the things I have written so far, and I haven’t got the major paper out on this yet, I’ve argued that biometrics should be banned. I don’t mean forever. Biometrics should be banned until they are regulated. So here is an express message in the e-authentication context. There’s a series of things that have to be done. Some of those things need to be done for technical reasons, I got the social import, they will not work well and they will open up the possibilities of insecurity unless they are done. And certainly the standards kinds of things here links directly into the question. Standards Australia and, how do you pronounce it, Chris? ‘natter’? NATA. Natter’s what you do, NATA’s who you are. So NATA and Standards Australia must surely have copout meetings, must surely have roles to play in that.

Last couple of concluding points, sorry Graham, we’re nearly there.

11th of September did not change the world. It’s a common misconception, it didn’t do it.

It’s what happened on the 12th that changed the world.

What happened on the 11th of September was pretty bloody chilling, we all know what that was. But on the 12th what happened was exploitation of the opportunity.

And there has been very substantial change in balance of discussion especially in the United States, remarkably so in the United Kingdom, where Tony Blair has obviously had his ego played upon and been warned that he’s under death threat from 46 different terrorist organisations, where the UK has been turned amazingly, I must say Australia has been a little more circumspect, but some of the disease has reached over here.

My personal position on this is that if I’ve got to choose between a short life and a long life that’s got low quality, I’m not terribly interested in the low quality life. Now I could be in a minority in this room, I could be in a minority in the Australian population, judging by the image we have, I’m definitely in the minority in the US population, oh my god I cannot believe that this software can cock up so many things at once.

What it says in the bubble up the top is, hell I’m willing to give up my civil rights in the fight against terrorists, whose sole aim is to destroy our precious freedoms, there was some little cartoon from the Sydney Morning Herald a little while back and it does appear to sum up, well firstly the fact that Bin Laden’s won, whether he knows it or not, whether he’s still alive and in fact whether he ever existed isn’t the issue, he appears to have won.

Last points are I fear that there is a considerable lack of public interest voice in these sorts of discussions. In government fora, I don’t want to go back over painful history but I do trust that the approach that was adopted with GPKA and GBACK and the lack of transparency of the gatekeeper accreditation process, will not be regarded as a model, it should never be repeated again. They were not happy times. We need much more effective models than that. That’s in the government context.

In the standard setting processes, I manage to batter my way on to a W3C working group for the platform for privacy preferences. I was the first person who ever got a login ID and password into the W3C site who wasnít actually an employee of the companies who are paying US$50,000 to be members. Since then that has been formalised and there has been a moderate number of external public interest representatives on different working groups. And that is a very positive direction.

We’ve had extraordinarily bad experiences with the Australian Communications Industry forum. In Australia, the public interest representatives who were involved asked for more information, explained the need for more appropriate processes, got nowhere over an extended period of time and walked out en masse. And the last I heard was that they’re still out en masse. It has been an absolute disaster.

Standards Australia, I’ve worked on a number of working parties over the years, it’s extremely difficult for the public interests to be represented there. There are structural reasons, this isn’t a complaint at Standards Australia, it’s the way these things work. It’s the same thing with CCIT, IETF and a range of other standards organisations and the challenge is right in front of the Biometrics Institute of Australia, I name them specifically because they’re named in the report. They will be confronted with the same difficulty of how the hell do we get the public voice in [?] the public won’t be interested, and the public won’t be represented unless public interest organisations get involved.

My apologies to public interest organisations that aren’t in that list, but that is 60 seconds worth of reflection on the question, are they public interest organisations that can be even invited into these fora and into these committees? And the answer is yes, there’s plenty of them, I’ve left out a few, I’ve thought of a couple more since. And that’s just one person in 60 seconds thinking of a few. Sorry that is not the Health Insurance Commission.

The health issues something or other. One of the problems is the participation of such people as are invited is sometimes very limited, they do not have full membership, the second is that representatives of the public are either employees of someone or are self-employed. If they are employees, they have to make the case to be allowed off work, if they’re self-employed as a number of us are, we have to justify, somehow we’ve got to have a business case to have a hell we are surviving. In many circumstances there’s no funding for travel, particularly vicious internationally, but even within Australia, and funding for participation, particularly when they’re substantial one and two day events, it’s a really hard thing to achieve, so I am concerned that public interest is not going to be sufficiently represented.

And I’m also concerned that Graham is going to hit me over the head because I’ve taken too long.

Graham Greenleaf

Well, that gives us plenty of starting points for the rest of the discussion. Since Roger has spent a lot of the time talking about biometrics, I’ll ask in a second Isabelle Moeller, from the Biometrics Institute, if she’d like to say some things, and then anyone else, from the biometrics area.

But first I’m going to throw another of Roger’s points at Tom and Catherine about the history of public interest participation in GPKA and GPAK, and ask why has history been rewritten in this report?

So that any mention of public interest participation in GPKA and GPAK is completely excised from here, and they’re being represented as bodies that only included government and industry representatives, just as an instance of the problems of even getting any visibility of public interest participation. So I’ll throw that one to you first while Isabelle, and others draw breath.

Tom Dale

I guess firstly I should say that I don’t think we need to open major reforms, taking in what you’ve given tonight with, which I think is very clear, I mean I’m quite serious about that, and regard that as a useful input. I don’t think there’s been any rewriting of history in the document, and in fact in the best bureaucratic tradition, we’re not in the business of producing documents with a particular historical focus, nobody would be interested particularly if we did, and that’s not what we’re being paid for.

I think Roger’s point about disagreements and difficulties over the early stages certainly of the gatekeeper process has dwelled and the involvement of public interest groups and issues and views is not something I’m going to disagree with but I guess it doesn’t help in terms of future debate about policy. I think a lot of the issues about who we’re starting are being not made up as we go along but being done from ground up.

For a tortuous time all the agencies and other people involved, that’s not an excuse for when things went wrong, but I’m not so sure that it has anything to do with the current situation which as we say is opening a debate about government structures involved with rather than saying the existing arrangements are great and should be continued. Quite the opposite.

Graham Greenleaf

I think that’s quite an interesting starting point, Tom, that there hasn’t been a history of public interest participation in the e-authentication bodies up until now.

Catherine Higgins

Except for NEAC, actually, Charles Britton [ACA?] was a great representative of NEAC for over two years.

Tom Dale

It was a subsequent development to the involvement of people in the early stages of trying to work out what gatekeeper might be. NEAC as an advisory body to the government came later, represented a different stage and did try to involve, as Catherine said, a wider range of groups including academic and experts, people from the retail area, the consumers’ association, and a small number of government agencies.

Some of the work he did on liability and other matters that we referred to earlier, some of the work on small business which is a group overlooked in a lot of these debates, we try to pick up as Catherine mentioned in publications, and so information work later on, but Roger’s points are relevant I think to a lot of areas of public policy, I think as far as funding for public participation goes, I think that most agencies try to treat a lot of proposals that come forward for funding participation by non-government public interest bodies on their merits, we treat things on their merits within real life budgets.

I don’t think we would ever not undertake particular proposals without thinking about them, and this is a good starting point. Sorry that wasn’t really an answer but I’m very keen to hear about biometrics as well.

Graham Greenleaf

We’ll get another NOIE perspective just before we get on.

Keith Besgrove

I just wanted to add another couple of comments to what Tom has said. We haven’t deliberately omitted or deliberately put in things in the discussion paper for hidden agenda purposes. The purpose of the discussion paper is precisely that triggered the discussion, and what we’re trying to do with the discussion paper is trying to get enough information there and enough ideas on the table to trigger this sort of discussion, and that’s as far as we really wanted to take it and in fact we’ve left out some thoughts that some of us had, we’ve left out some conclusions, that some people may have already in part because we actually want to get a genuine open debate about some of these things.

To respond to some of the things Roger has raised, NOIE is going through this process in part because we don’t think we have all the answers. We are looking for genuine input from a range of interest groups and I really do want to emphasise that.

Graham Greenleaf

In my comment Keith was not to suggest any sort of conspiracy but rather it’s so difficult for the public interest participation to get into this process that it easily gets forgotten that it was there, which seems to have happened in this case. So let’s move on to the biometrics thing, now I don’t know Isabelle, I’m afraid. Over to you.

Isabelle Moeller

Well I’m not a biometrics specialist as such, I’m more looking after, for those of you who don’t know me, after running the institute and I certainly know there is great interest in biometrics and then we have mainly users as our members, that’s really where the focus is, and like he said we are really there as a forum to make discussion possible and to bring everyone together who is interested in biometrics.

Most of our members at the moment are government departments because they are the ones that are using biometrics and have great interest in it but we are certainly also looking at having more members from financial services, so the interest is certainly there and I can only stress something, we’re not really the ones who will drive standards and anything like that, but really to facilitate the communication and bring everyone together.

Graham Greenleaf

Isabelle, could I just ask in light of the sort of things Roger was raising, has the institute given any thought yet to the type and level of regulation that would be appropriate for biometric technologies used for authentication, and secondly, is there as yet any public interest participation or any structure that allows that in the biometrics institute?

Isabelle Moeller

Well again I’m probably a bit too new to answer that question, I would need to get back to that, but I know there is a lot of discussion that is brought to our attention around privacy and regulation in regards to that. So there are things we are looking at and also some ideas of setting up working groups who could be involved in getting things like that going.

But it’s still a little bit early to say a lot more about that, but I can certainly find out exactly a bit more about what is planned. But at this stage nothing is happening as of yet, we’re only a year old, but the interest is certainly there and it’s something that we’re looking at.

Graham Greenleaf

Thanks, well I’d like to ask now first if there is anyone else who is actually working in the biometrics industry, who, mythical though it might be, according to Roger, who would like to come in to the discussion now and then secondly, anyone else who would like to add some comments specifically about the biometrics issues.

David Heath

I am a biometrics consultant. Unfortunately I’d agree with near enough all of what was said. Most of the culls have been abject failures, the systems aren’t as strong as things we’d like to claim they are, fortunately we’ve focused on the face which is the weakest by a long way, I would hate to be the person managing the face recognition technology and therefore dealing with the angry people who are not terrorists, although the systems claim they are.

There are some other systems based on fingerprints which have been live for some number of years, I begin you’re aware of Connecticut, and similar systems which are doing too much badly now. There are couple of other projects which are newer, Stockholm Council is rolling out biometrics to all of their schoolchildren in all of their schools, there’ve been a real problem with students who are 7 or 8 years old and are not remembering passwords.

Now I can’t understand why that should be true, because every child of 7 or 8 should remember an 8 character password!

So what they found was the teacher was spending half a lesson changing passwords before anybody could get any work done. Now of course the reason they knew the passwords is that the older kids were locking against the younger kids, and looking in places they shouldn’t. And they needed some accountability. So from what I’ve heard that’s been working and I believe it’s real. I believe.

There are some hospitals in the US under the HIPAA legislation that are based in biometrics. I believe at least one hospital is going live, not just trialling, that’s St Vincent’s, so there are trials that are moving towards real life. I haven’t heard how they’re going on yet, but I believe they’re moving on well, but a lot of what Roger has said I agree with. Far more than you would probably expect.

Graeme Freedman

I’ve got two little anecdotes. I’ve been involved with, actually once, the people I’ve worked with in one smart card trial, where they were using biometrics in the US with the marines in fact, and the reason they were using biometrics there was because these guys would just come in, and they’re these 17-18 year olds, become Rambo in the army, and never had an account in their life, and there’s no way they’re going to remember a PIN. And it’s exactly the same scenario there as well.

David Heath

It’s IQ as well, isn’t it?

Graeme Freedman

Yeah, pretty much. So that’s an IQ issue there very very much. And the other one is actually in an office I worked in for a lot of years, a thing into biometrics for some time. We had very few problems with it, I must say, as a direct user.

David Heath

Which kind of technology?

Graeme Freedman

I think it was called Fingerscan.

David Heath

Yes, the same brand Woolworths employees use.

Roger Clarke

Yes, it was in fact exactly that.

Michael Milne Hume

From e-commerce security. I used to work for Fingerscan, and Baudes [?] was certainly one of our products. However, I also agree with what Roger has said. I think the biometrics industry here is entirely responsible, really, for not getting itself off the ground. There are no basic standards, there is only one internationally accepted biometric testing station in the world, and that’s somewhere in Belgium or Holland, and the Sanyo laboratories do it in the US. But they do it pretty haphazardly, there is nothing with biometrics that you can actually measure anything against. There’s no standard, there’s no nothing. And until we get to that stage, it’s going to go on languishing.

However, that said, I think that it’s very easy to say the system doesn’t work, or the technology doesn’t very well, and what Roger has said is both true. But if you look at the other side, everything with something that you have to do, like put a finger down, put a hand down, speak into a system, have an iris scan, is something that you do voluntarily. Therefore, when you are looking at a system where you say “it invades privacy”, you don’t have to subject yourself to it, particularly if it is just part of another system.

I think if one looks at biometrics as being the be all and end all, that is absolutely wrong. It is simply yet another tool along with the factor, P as a tool, your smart card or your swipe card or whatever it is. Depends on the layers that you wish to put in to create authentication or identification or verification.

But it needs a great deal more work on it, and I think Isabelle’s got a lot of hard yakka ahead, because I tried for 2 years to run the biometric subcommittee of Standards Australia, and actually getting any people along to the meetings, and secondly to really put together any meaningful papers was extremely difficult. People are interested, yes, but that’s about where it lies.

Adrian McCullagh

Your thing on privacy is a bit of economic naivety, it’s like saying that I won’t utilise Microsoft operating system unless I accept their EULA, and use a licence agreement, but I need the Microsoft operating system to use everything else, so I’m actually economically forced to go down that track. Now if I’m about to run for an aeroplane, and they’ve got a facial scanning system, I don’t have a choice. If I want to get onto that aeroplane, I have to go through that biometric system. The whole point of all this is access – do I have access or don’t I have access? I don’t think it is to say from a privacy perspective that I really have a choice. There are economic choices, and if I want to get to this business meeting, I have to go through that biometric.

Graham Greenleaf

I’m not expecting I’m going to have much choice when I try to get back into Hong Kong next year, it’s a finger scan or nothing to get through immigration in Hong Kong, and when a policeman or an immigration officer stops me and says I want your card, and I want your fingerprint on this device so that I can check that you’re the legitimate holder of this card, I mean that just happens to be one leading example of where this compulsory production of biometric samples is going to happen. But isn’t that the area that brings us back to the role of regulation in relation to the biometrics industry because this is such a sensitive area.

Stephen Wilson

I think the role of government is really to start relief by the point that there are no biometric standards yet, because if there are no standards, then it is not possible for someone to certify particular technology. And if it’s not possible to certify anything, then there can be no organised governance model. And with no organised governance model fundamentally possible, then the role of government becomes moot, I think. That’s not to say that the government shouldn’t be driving Standards Australia or be more aggressive about producing standards, but my technical analysis suggests at this point that we must be fundamentally a very long way away from standardising biometrics. So I think we’re faced with a moot government role for a long time.

Alistair Teggart

I think the primary way for anybody initiating any new standardisation project is for somebody from industry to request. Basically I’m not aware of the committee that you’re talking about earlier, but if it’s proposed, we do our best to survey the broader industry, build a community of interest, find the experts, find the interests, to get standards off the ground. We don’t have it at the moment as far as I know.

Patrick Fair

I just wanted to make two comments.

One is: the only biometric system I’ve had anything to do with is signature recognition and one of the interesting characteristics of that which I would assume is common to other biometric systems is that the person controlling the system can set the parameters of the algorithm so that it will accept different variations in the signature. And this is of course extremely scary to the customer because they’re saying, well if I want everybody to go through, your signature can change quite a lot and I’ll accept that, but if I want to be really sure, I’ll tweak it right up so it’ll be 99% identical to the copy template signature in which case it will reject you a few times when it’s valid if you don’t do it right.

And that particular characteristic which when you’re reading a biometric characteristic, I would have thought either a hand or an iris, you would have to deal with means when you go back to say, ‘well, are we really sure that this person is really who we authenticated them as?’ You’ve already built in your degree of uncertainty into the end of the system, and that’s one of the reasons why the customer that I was working with didn’t buy the system: because they were just unable to deal with having to make that decision as to the degree of uncertainty that they would tolerate in authenticating people. That’s my first point.

My second point is I think it’s assumed but nobody’s really articulated it yet, and it hadn’t really occurred to me, and I think the key difference with biometrics and probably more to this, is because it’s a characteristic of yourself, you can’t get rid of it after it’s been captured. So with a normal digital signature, you might just say, well I’m not going to use that identity anymore, I’ll get a new card or a new key. But once somebody’s captured a biometric of you, it would be highly personal information that would be very powerful in an ongoing way for many years, and I think that means it’s in the realm of personal information in the Privacy Act, and probably in the realm of the higher standard of personal information, the category of clubs and sexual preference and medical information and so on, that might be captured. So we have a regulatory regime in place which is ready made to deal with the issues that are associated with captured biometrics. And it may be that using that regime you may want to set rules that would restrict the extent to which it might be captured, used and reused.

My last point is that there’s a lot of activity in the city at the moment, in new mobile phone technology, and one of the things which mobile phone technology will do is locate you, and there are some very interesting implications to do with real-time location of people by the phone that they’re carrying. In Europe, as I understand it, the standard that’s being set for that location based information is that the systems are allowed to identify you in real time as to where you are, but they are not allowed to capture where you have been and archive it as a matter of record. And it seems to me that that’s a very kind of blunt instrument in order to crack a nut, in order to guard your personal security, we just won’t capture information which might be valuable to you to protect you or to prove where you were later.

And getting this authentication system right is not all the way, that Roger puts it, with respect, that if these authentication systems exist and they work they will lower our standard of life. In fact, getting these things to work is very much about empowering people to control information and to verify and to use it for their purposes, and the objective ought to be to get them to work properly, not to be suspicious of them and say that the technology’s bad because it could be used in a bad way, in fact there’s a lot you can do once the user can control the information and the user has keys and systems that are within their control.

Graham Greenleaf

Thanks Patrick, now Roger’s got the call next, and then Nigel, and now we’ve got hands going up everywhere. This is good.

Roger Clarke

3 quick points:

First one, personal information is defined in various privacy laws in different ways, sometimes information about a person versus information of a person may mean that a biometric may not be covered under a law. It’s one of those problems, it’s a change in technology law will get in our way.

Secondly, ACIF MoLI, Mobile location indicator, is the Australian equivalent of the European approach, and you make my point beautifully, what public interest involvement has there been in MoLI activities? It’s very hard to find out what on earth it is ACIF in that area.

However the main point I wanted to make was on testing standards.

Talking to James Weyman from San Jose estate, he has some guidelines of his own that he uses when he tries to form testing, and theyíre interesting ones, moderately public, neither he nor I, Iíll phrase it my way, not his way, neither he nor I expect any sense to come out of the United States for the next 18 months to two years because every government agency is completely required to totally believe in biometrics technology, for godís sake donít test it, it might fail. So we wonít see any decent testing standards guidelines coming out of the States for a while.

But there is a rather good document, I think it's directly out of GCHQ Cheltenham, which explains in reasonable depth the approach that they believe should be adopted, and while I can't say I'm weathered to that document, it is well and truly worth analysis, it's really got some serious thinking in there. So there is a little bit of progress emergent in the testing standards area, that is how should you go about designing a test of a particular biometric technology, or a particular application of biometric technology.

Graham Greenleaf

Thanks Roger, Nigel next. We've got 10 more minutes then we're going to stop on time for dinner, so let's get as many quick contributions in as we can.

Nigel Evans

Just picking on one of Roger's slides, on the use of identification. I think the question actually is this person known to us?

Getting back to the issue of identification versus an entity, and one of the tools we're possibly using is dealing with the issue of a person with several identities for nefarious purposes, and that is important, and that is, I believe, an important use of the government and the issue of private licences. There is a lot of fraud going on, lots of people want driving licences and shouldn't be with them, and if you think that people driving around, not giving a damn because they're alcoholics or perpetual drunks. My second point was the issue of standards.

I think perhaps the reason that standards hasn't really got off the ground is that the people who participate in standards bodies tend traditionally to have been on the whole about compatibility. In other words, getting products from different vendors that work together, and that's agreed as a common ground to get them to work together.

The issue with biometrics is not compatibility, it's about what are we going to say is acceptable, and in the end comes down to false accept/false reject. And that is a different community of interest to the vendors. And it's possible to argue, wrongly, that the vendors may well have a positive interest in ensuring that that doesn't happen. And therefore if standards are going to get off the grounds in this area, it's a different set of stakeholders that have got to be involved, and how is that set of stakeholders put together. I think that's the issue.

Brian Newton

I want to just say that I thought what Roger said very effective, was very one-sided, it's easy to criticise things that don't work. Very often things don't work because they've been used in the wrong way, or the technology is not mature. The Wright Brothers didn't get off the ground at first attempt, but it didn't mean that the technology was hopeless and that it didn't have a future. And I think we have to bear in mind always the suitability for purpose, the technology that's being acquired in a given instance against what it's trying to achieve and what it costs.

And to get profound just for a moment, the history of civilisation is a story of sacrificing freedom for security, standard of living, what you might call quality of life. You can't have it both ways, you can either be an outlaw or you can be a civilised member of society and you can subscribe to rule of law and the enforcement of the law. In a democracy we all have the right to assist in formulating the law and deciding what it should be. But once you have it all in place, whether it's something trivial, relatively simple, like speeding regulations, or something really major, like privacy laws, then it's up to everybody essentially to comply. And systems which aim to enhance compliance, are not of themselves tyrannical. It's not actually a bad thing to find a way to ensure that people actually obey the law, if the law is legitimate, and the constraints are there, and the regulation is there.

All the time we are confronted with the, I worked for a regulator myself, and the pendulum swings back and forth all the time. Sometimes we're told there's not enough regulation, look at what's happened, look at Enron, where were the regulators, look at HIH. Other times, Alan Fels has got to have his wings clipped. He's getting in people's way. Commerce should be free, businessmen should be free to do their thing, they don't need this kind of restraint. And so it goes.

I think it's fair always to criticise a given technology, but not simply to throw it away. It doesn't mean to say that it can never work. The examples that Graham gave earlier of his photograph and his thumbprint are examples of biometrics which may actually be effective in that particular situation – doesn't mean that they're always effective. Fingerprints generally have done more good than harm I would suggest in the police environment, and DNA testing has got more people out of jail when it's put in. You have to look at the technology in the context and the purpose for which it's being used.

Lyal Collins

I think it's pretty important that we have this discussion. Most of my comments will focus on perhaps on the discussion we had in the first half after the evening, and some of the comments and issues raised by Roger, and indeed the question of accountability that Brian raised. Identity isn't really the problem. It's a part of the problem, and the legal identity question establish a commercial relationship. I have a commercial relationship with one account in my bank, and I have seven different ways of authenticating myself to act on that account. The account identifier, or entifier to use Roger's term, isn't really the issue, it's what authority do I have to act on my account, and if somebody does act on my account, is somebody accountable for those actions? Should a dispute arise?

Putting impediments in the place of straight through process that Stephen called for earlier in the evening, I had incomplex set up processes is counterproductive. Accountability for actions is a very strong issue that we're not discussing here at all and that nobody is discussing. If we have people accountable for their actions, all the existing laws apply. If we have accountability for actions in terms of commercial relationships or citizens to government, business to government, we have one to one relationships, at least one of those entities must have a privacy policy that must address those interactions. There arguably isn't really a privacy issue if we believe our privacy regimes are appropriate. We need to look at a bigger picture more than just identity.

There's a long way to go in all of this process, some of the discussion tonight and elements of the NOIE discussion paper, while very useful, are saying things that are being discussed 5 years ago. We've got a long way to go yet, I believe. Some parts of industry are running, and some haven't even thought about it. We need to see an ongoing fostering and communication and education role, NOIE's probably a good, well-placed entity for that, and some others. But I think we need to raise the bar and look for full commercial activity, not just identity or identity authentication. And that's I'd like to close the evening. We're a long way from where we should be discussing the issue.

Graham Greenleaf

I'm going to take one more biometrics comment to finish off before dinner. So the last shot before dinner.

David Heath

Let me preface what I want to say by commenting that if you have been a customer I wouldn't be saying what I'm about to say now. Can I refer to a couple of the technical points raised earlier.

In terms of tuning signature systems, my general thought is that if it needs to be tuned there's something wrong with it. There is an objective of letting people in easy, or it's letting too many in that it shouldn't be and you need to make it harder. Either way, making it tuneable for local circumstances simply means that you don't have a robust biometric.

The second one was on non-verification, in other words, if something happens, my left thumbprint is exposed to the world, I can't do much about it. There are moves now to make the only repository of biometric information being something in the user's own possession. In other words, I will authenticate myself against something that I carry, and at no times, assuming everything works, is my biometric released openly. It is not stored anywhere, it is not kept anywhere, simply that I match what I carry with me and that device will then say, yes the identity is confirmed. That I think is the only way that biometrics will get a public display.

Graham Greenleaf

Well, it's an interesting test case isn't it, of all of this, with the biometric or reversion of it being stored both as a token but also in a central database, and six and a half million of them.

Patrick Fair

Graham, within a law firm, my days at the law society we tried to implement PKI as a practising certificate for lawyers. And the problem was you couldn't give people signatures which would enable them to encrypt information within the firms in a way that prevented the partners from seeing what was there. You had to have an escort arrangement, otherwise the integrity of the business internally was under threat. And once you then explained to people the systems that needed to be put in place to make that work, they would be unwilling to implement. That's the other side of having a separate store of the key, it's a backup, it's an administrative, it can be an emergency system. It might be threatening, but it's also entirely useful practically.

Stephen Wilson

In response, I understand the logic of keeping the biometric on a token in order to make it very difficult to have identity theft, but Security 101 is that nothing is perfect, and the fundamental problem with biometrics is that it is incapable of dealing with identity theft. If I have a really really strong biometric in 15 years, and somebody does eventually steal that, then I am disenfranchised from that community fundamentally forever. And every other authentication technology can deal with identity theft by revoking, revoking biometrics is fundamentally impossible and that's what scares me about it.

Brian Newton

Isn't it fundamentally impossible to steal a biometric?

[?]

Generally, No.

Brian Newton

You might steal a token, but that's not stealing your retina or your fingerprint.

Roger Clarke

Steal's an awkward word because of IP here, it is possible to come up with an artefact which will enable a successful masquerade.

Graham Greenleaf

This is sounding more like the discussion that will happen after. What we'll do is take half an hour for dinner, and after we come back, I think at least the first parts of the agenda where it's compulsory to have a glass of wine in front of you, where we'll start is by looking particularly at biometrics again for a minute, and the existing regulatory structure, particularly privacy laws and the extent to which they do not or deal with biometrics, and then move back to the topic that we started on Tom, which is sort of our principal focus, that out of all of this, from everything we've heard, what future regulatory structures, for biometrics, PKI and the whole e-authentication package, both in terms of legislation and co-regulation, sounds like might be the sorts of things that might be needed after all of this discussion.

So that's where we'll go after everyone's had some dinner.

Thanks very much for everyone for the contribution so far, because I know some of you will have to go without coming back to the table afterwards.


General discussion after the break

Graham Greenleaf

There is a special after dinner rule in relation to the transcript, that is, you have absolute discretion to edit anything you say after dinner out of the transcript provided that at the time you say it, you have a glass of wine in your hand. If you're sober, Than's taking notes, and there'll be no let-out. That's right, if you make a mistake, you quickly drink something.

Now where we got to was at the point where we want to have a look at, to what extent do existing privacy laws in particular can deal with any of the biometrics issues and also on our agenda there's a question of how well PKI privacy issues are addressed in the current guidelines by the federal commissioner and the current legislation. So the general question of authentication and current privacy legislation, and then after we've had a look at that, I think it's back to the original question of what sort of regulatory and co-regulatory structures may be sensible to be looked at from this point onward.

So on the privacy, I think Nigel was going to have something to say, and Chris, I think, is coming in. Now do I have anyone else who would like to come in at the moment? Julie's going to. Well, we'll take Chris first, then Nigel, then Julie, then we'll take some more participants.

Chris Cowper

From the privacy commissioner's office. I suppose I'm responding to a few things that have been said around the table tonight and one of the questions that was raised I think by Patrick was the question of whether a biometric is of itself personal information in terms of the Privacy Act or is it just a record about the biometric that's personal information? I think that's still an open question, we think about the issue in the office and some of us are inclined to think that it is, but it's not tested so there's no definite answer there.

And something I was saying to a couple of people, I think in this whole debate, there's an issue about current privacy regulation that we need to think about, which is in a sense, it's passive, it doesn't actually help with the decisions about whether you actually introduce a biometric or not, it does provide a framework for protection and accountability and so on once you've made the decision to proceed with a biometric, but it isn't a decision-making framework as such. So it can give you a bit of false comfort to say it's ok, we've got privacy regulation, we've got a privacy framework around this. If you haven't actually done a proper risk analysis and you haven't thought about whether a biometric on balance is an ok thing to do, privacy legislation does something but it doesn't do the whole job.

The next thing I've got to mention is that the national privacy principles are minimum standards, so they don't necessarily do the whole job for every particular possible intrusion into privacy, and possibly biometrics is an area where some more specific rules are needed, and I think that some of the discussion around identity theft in the context of biometrics probably are actually worthy of quite a lot of detailed study and discussion. I mean, it's a real issue and it's probably not one that should just be glossed over as part of the risk analysis, it feels like there might be some real threshold issues that we have to think about in that regard, and the privacy commissioner did a presentation to the biometrics institute, I'll refer you to our website to have a look at that paper, it wasn't a definitive statement, it was basically an examination of risks, benefits, issues and so on, but it did point to the fact that you need to think about choice, accountability and openness when you're setting up the biometric systems.

Probably something that the paper doesn't talk about but that I've been reflecting on in the discussion here is that if you're making important decisions about a person on basis of a biometric, you probably need to make sure that you have some sort of review mechanism built in, you don't want to make a decision without having human intervention, and challenging the false positives or false negatives. That was probably all that I was going to say except in relation to the PKI guidelines, I think it's important to know there that they had a particular driver which was the possibility that PKI might in someway become a de facto identifier for government use.

So the development process around those guidelines was about PKI in a government context; they were never meant to cover the whole field. So I think that that's something we have to think about in those guidelines.

Roger Clarke

Could I ask for a clarification please? In the NPPs or whoever they're called these days, there's some kind of obligation that the system developers consider the possibility of anonymity. Is that relevant or actionable in the context of biometrics system design? Because I can't think what force that particular principle has.

Christine Cowper

Well, it probably gives support to your concepts, Roger. I mean, what it says is organisations must provide an opportunity for people to interact anonymously if it's legal and practical. I mean, you've got to pass those hurdles first, then you have to consider anonymity.

Roger Clarke

But that creates the obligation to check whether it's legal and practical, by implication.

Graham Greenleaf

No, it's a law. Where it is practicable to provide anonymity, there is a requirement to do so. And some, a bridge toll operator, is eventually come to grief, I hope, and have their whole billion dollar investment undone, by a privacy commissioner ruling, that they did not provide anonymity when it was perfectly feasible for them to do so.

But it brings up something to follow on that I wanted to say to Chris, the problem which I thought you would have picked up on is that principle's completely defective in that it has no requirement in it for pseudonymity to be considered and provided where reasonable and practicable. And the reason for that is, when Moira was having her hot house series of negotiations about drafting the NPPs, she just picked up the anonymity principle out of the Australian Privacy Charter and dropped it into the NPPs, and at the time, I raised the question, 'Moira, wouldn't it be sensible if it said anonymity or pseudonymity where reasonable and practicable?' And the answer was, I'm afraid, 'Graham, most of the businesses there are going to try and cope with these principles have enough trouble spelling anonymity, let alone pseudonymity.' And I'm not joking, but the way in which the privacy principles were settled, that eventually ended up in the legislation, was intended as a set of voluntary guidelines and there was nothing that passed for reasonable policy analysis before they went in.

Christine Cowper

I suppose I can say that there is going to be a review of the principles of the Act at the end of next year.

Graham Greenleaf

Just before I let Roger come in, can I just add there that let's hope it's a rather better review of the principles than Kathy-Lee presided over, some years ago, which was a complete and utter farce where no dissenting views were even considered or put in the minutes. And when we talk about lack of public interest participation, that round of consultations that led to the private sector amendments were perhaps the greatest farce of all time, and certainly left a bad taste in everyone's mouth.

Catherine Higgins

But can the private sector even cope with the privacy Act as it is now? And I was just talking to Chris before about the compliance levels, and you've had so many complaints and so on, but when you think about business generally in Australia, they're more American in their concepts than they are European, so as you were saying, pseudonymity was a challenge to them, so how's it going generally with compliance and so on? Do you want to make a general comment on that?

Christine Cowper

It's a light touch project.

Graham Greenleaf

Now Roger what was guaranteed to be a 2 second comment then it's Nigel.

Roger Clarke

I distinguished earlier on anonymity from pseudonymity, I do that in all of my papers, there are people in the world, lots more than there are of me, who don't distinguish them, and who use the term anonymity in a quite vague sense to cover the whole area. And if we were to leverage off that, if the privacy commissioner were to determine that's what that principle means, we'd be covered, but it would be really nice if we could all get the word pseudonymity built in.

Nigel Waters

I just want to follow on from that, it is my view that we should argue, until somebody tells us otherwise, that anonymity is not an absolute concept, that it's as anonymous as possible. The only thing I wanted to say is on the ethics issue, because I think all of the other points I was going to then raise is that there's a nice interesting little issue is whether biometrics is an identifier, in terms of NVP7, because if it is, if it is a number that the commonwealth government assigns to individuals, then that has implications for what other private sector organisations can do with that biometric information.

Keith Besgrove

Two things.

On the last one first, the biometrics. I've never taken very much interest in biometrics, but listening to what's being said tonight, it seems clear to me that the value of biometrics, if there is any value in biometrics, is in authenticating card. So as in the case of going through the Hong Kong airport admissions, you have a card, and you have something which is inherent which no-one can steal, which can be matched against something in the card, to prove that it's your card, then you're half-way. Then the card has to be authenticated or authorised to do whatever comes after that. Now it seems to me whether it's a voice print or a thumb print or a retina scan or something even more sophisticated, that is very secure.

If your card will only work for you, nobody can steal the card, nobody can use the card, then the card is then what you'd use to get through the gate, or start your car or work telephone or whatever it may be. That seems to be the first thing, but in a 2 step process, a biometric might be very effective. Because it would mean something again that you never let go of. Sure, you would have your own inherent characteristic, and you would have a stored matching characteristic on the card, and nobody else would have it.

Coming back to anonymity, and this is a concept that fascinates me because I started out thinking that what we're talking about here is certified identity of one client or another, authenticity, authentication, and to certify that I am somebody that is nobody is semantically odd, as far as I'm concerned. Do you need to be certified as nobody?

Roger Clarke

It's the same nobody as yesterday. If I'm a nobody with a particular attribute, not on a blacklist is actually a very important attribute I'd like to keep having. And how can you have that anonymously? The border guard doesn't need to know.

Keith Besgrove

The border guard doesn't need to know, the system does.

Roger Clarke

Actually, when I cross a border, the system at the border does not need to record, any more than the fact that a person who is not on a blacklist can pass through. That's all they need to do.

Keith Besgrove

But it doesn't need to know that you're nobody. I agree with you in that particular instance. All you are checking is that you're not on that blacklist, the holder of this card is not on the blacklist, it doesn't matter who the holder is, this card, if you like, is not on the blacklist.

You've surrendered your identity to this card, and if that makes you feel more a person, fine, now this card is the one that is being admitted, not you.

But in general, certified anonymity is a concept that I find hard to deal with.

Patrick Fair

I think the point of it is the privacy regime or legal regime that deals with identities puts people on the back foot because they have to enforce the policies or principles that were the basis on which they disclose their identity. And the point of being able to transact anonymously –

[someone]

What did that mean?

Patrick Fair

Well, if I respond to an email from amazon.com, and decide to buy a CD, then I've trusted amazon.com to observe its terms.

[tape change]

To try to do it, but I'd be in a much better position if I just bought anonymously. I wouldn't have that risk. All Amazon...

Keith Besgrove

But then you wouldn't use PKI would you? You would use web dollars or something.

Patrick Fair

That's right. That's the point of transacting anonymously.

All they need to know is that I have the money or I happen to be at this IP address or that I'm the person that they've dealt with five other times before because that's how they've profiled my taste of music and I like them to guess what I want to listen to because that makes it easier for me to not have to be up to date.

They send me stuff and say "that's what you might like to buy". They don't actually need to know who I am and because I can transact pseudo-anonymously or anonymously, I'm in control.

Alistair Teggart

It's exactly like going to the corner shop and the woman knows your face.

Keith Besgrove

Yes, but you can be anonymous without being certified without having any PKI identity or any other identity. All you need is some web dollars.

Graham Greenleaf

You can, but you need, I mean those dollars use public key technology anyway to provide e-cash so it's another way of doing the same thing.

Catherine Higgins

But how can it be anonymous if they have to know where you live?

Graham Greenleaf

Oh, you could have an address...

Catherine Higgins

The broader examples have interesting timing implications. You're not on the black-list now but tomorrow you might be. You know, do you want to destroy all that evidence trail in certain things.

[??]

Most people haven't thought about all this. They just go on the internet and shop and e-bank.

Roger Clarke

But many of them don't shop and don't bank, and that's the one from the trust viewpoint.

Catherine Higgins

Yeah, but they probably don't know why they don't either some of the time so it's interesting. It's a bit of both as you said.

Graham Greenleaf

Back to the privacy laws we were talking about. This discussion just indicates how significant that anonymity principle in the NPPs is. For the future operation of the authentication in any form in that that has to be taken seriously. It's part of the privacy legislation. Nobody knows what it means. No-one has a clue at all.

But someone is going to get a very nasty surprise one day, probably not because the Privacy Commissioner makes some adverse ruling against them which would be hoping too much, but rather because some organisation uses Section 92, the injunction section that enables anybody to go to the Federal Court and seek an injunction against anybody who is breaching any of the privacy principles. And just shut down some identification system that has failed to properly advert that privacy principle. So...

Keith Besgrove

Can that be done anonymously? [laughter]

Graham Greenleaf

In this sense, Australia is ahead of the rest of the world. There is no national privacy legislation anywhere, that has, to the best of my knowledge, any enforceable anonymity principle in it.

Roger Clarke

Do a search on 'Nym' on World law privacy collection.

Graham Greenleaf

Well, the only one's the German Telecommunication Privacy Act, the late 80s where we copied it from. But there isn't anything else around, so we're ahead on this.

David Vaile

I was also going to ask whether anybody's done what we're still able to do anonymously - has anybody seen the film 'Minority Report'? Please put your hands up. [About 4 hands go up]

Would anybody who's gone to see it like to comment on its likely impact on the biometrics debate?

Stephen Wilson

I thought it was interesting to see that people just accepted that they were being scanned.

Kate Boyle

I thought that it was accepted.

Nigel Waters

A general point I wanted to make is that obviously no-one is interested in this issue because it comes out of the e-commerce arena but I think it's important that the whole debate about identification and authentication actually takes account of a number of other initiatives that are also happening in government.

Things like a proof of identity steering committee that AUSTRAC is chairing that's looking across the board at levels of proof of identity. There's the border control issues that have obviously taken on a new significance. There's issues to do with identification issues being brought up in the context of the electoral roll, e-government and e-voting.

And there's also a lot happening in relation to driving licences and all of those really come together and if we're not careful we're going to miss, things are going to sneak through on one or other of those fronts which actually raise the bar or lower the bar.

It would be useful if somebody, the Privacy Commissioner is the big candidate, tries to see the big picture, which I understand they're trying to do at this time.

Moving to the PKI issues, most of you will be aware that the way that's being dealt with is in two ways.

Firstly, the privacy commission's guidelines on use of PKI by government agencies and secondly, the privacy criteria in the accreditation process by CAs and RAs under the gatekeeper scheme.

Taking the latter one first, now, that obviously needs updating now because they were done at a time when they referred to the voluntary national privacy principles. Those players, the CAs and the RAs are now subject, most of them, to the National Privacy Principles in the Privacy Act which are slightly different. So there is a need for somebody, whether it's NOIE or whoever, who takes of this process, to review and revise those privacy criteria in the accreditation process.

The other thing to be said about that set of rules is that it's not clear to me that they've actually been applied in practice. Sorry if I just rake over the history again. As one of the four people that successively knocked off in an attempt to get through to the GPKI, it's clear if those criteria have ever actually been implemented in terms of the post-certification audit that was meant to happen with the others. I don't think it's important that that's taken up again.

Moving to the other set of rules that are the Privacy Commissioner's guidelines. I think the problem is there's actually not much wrong with them, other than the fact that there's not much evidence that agencies are following them. They look good on paper, but I haven't seen a privacy in practice assessment as required by Guideline Five, Guideline Three, and all of the choices required by those guidelines to be given to individuals about levels of evidence of identity, about multiple or single certificates. We've actually got no evidence at the moment that any of the agencies currently implementing PKI are actually following those guidelines.

The other thing is that those guidelines are obviously designed to influence the behaviour of the agencies that are implementing PKI, and most of the issues that those of us who have been involved in PKI have been raising about PKI actually reside in the area of the infrastructure as a whole and the role of CAs and RAs.

Which brings us back full circle to the need for revised guidelines for those players, and to comply with the international Privacy Principles. Also to hopefully get that privacy impact assessment process entrenched somehow, as Chris has already recommended.

The other point I wanted to make is that there is a bit of a problem at the moment - as Tom and Stephen indicated earlier, all the applications at the moment are business to business or business to government, so somehow the privacy criteria seem a bit irrelevant. They are in fact relevant in that context, but the danger is they're being put to one side and systems and frameworks are being put in place to deal with the business to business and business to government use of PKI, which will become de facto standards that haven't picked up on the proper privacy safeguards needed when you move to individuals having certificates.

Graham Greenleaf

Thanks Nigel. Peter van Dyke is someone who knows a bit about this area. Sorry to put you on the spot, Peter, but I wanted to ask whether you thought there were any other aspects of the PKI guidelines that are particularly important and should be observed or any additional things that, in hindsight, might be added to the PKI guidelines.

Peter Van Dyke

I suppose in context we were consultants, we worked closely with the OFPC and NOIE in drafting the guidelines, I suppose as a set of consultant's guidelines and a set of guidelines that came out from the Commissioner. It's difficult for us to say because we were a bit removed from the process since then, so hearing this feedback in this forum is quite interesting and relevant for us. I'd agree with what Nigel was saying, especially a lot of the PKI implementations are really just business to business, business to government, government to government. So in that whole framework maybe consumers have not necessarily been thought of. There are the same questions with what's been happening with auditing, from a privacy perspective, of CAs and RAs. Now what's happened to that and the gatekeeper process? I suppose we're a bit curious as to what's happened there.

...

[someone]

I should declare that I was involved with Chris' team in reviewing privacy guidelines on PKI and I think one of the issues that we tabled but never quite got to was the separation of the information of what might be in a certificate from the information that might be gathered subsequently on a per transaction basis in real time by the application that's using the certificate. I think this is a really rich area that I just want to table.

I don't have an answer or even a position to take, except to go back over my view that we're all overly obsessed with the idea of the electronic passport and I think that what I saw of the work and what I see of the deliverable now, meaning the guidelines, there is an expectation there that the only contact between the people that are transacting is the certificate. And we've got some tremendous privacy positive stuff and maybe even some avenues that go to pseudonymity where a relatively diluted certificate that has minimum identification information in it could be used to initiate a transaction and then privacy invasive, potentially sensitive stuff would be asked in real time.

The classic example is that people seem to have a de facto expectation, thanks to a certain CA, that your birth-date goes in your certificate. Now I can imagine plenty of government application where the birth-date is an important thing to maybe do some statistical or sort of stochastic verification. Whereas if a retail application asked me for my birth-date then I would immediately decline.

So if we separate the legitimacy of some application from gathering personal data on top of the data that's present in the certificate, I think that's a really important framework to go forward with. And I'm just tabling that might be an area to progress the idea of all sorts of things, pseudonymity, less invasive information in certificates and so on. We've got to separate out the information that's gathered once and once only at registration, versus the information that's gathered transactionally.

Graham Greenleaf

Stephen, at risk of being accused of being heavily obsessed with an electronic passport

[someone]

You haven't lost it, have you?

Graham Greenleaf

Well, I had my ID card stolen in China, that was bad enough. But one of the issues that, as Peter and Nigel are suggesting, are outside the PKI guideline framework, it's always been a real concern to me, is the lack of any type of guarantees in government to consumer or citizen use of PKI, that guarantees that the use of certificates will not become compulsory in transactions with government, that choice of methods of authentication will survive. And it's always struck me as really crucial to the citizen's interest in PKI to prevent the notion of an electronic passport emerging out of what were initially disparate PKI government initiatives. There should be a guarantee from the Australian government that the use of digital signatures will not become compulsory in transactions with the Australian government.

Keith Besgrove

Sorry, are you saying that the company seal is not dead.

Graham Greenleaf

I don't think so. No, I'm talking about individuals, not companies –

Keith Besgrove

Well, even so, what's the corresponding authentication, whatever word you want to use –

Roger Clarke

NPC reported to be an identifier for a corporation.

Keith Besgrove

Are you saying that you have to deal with paper, or there is some alternative electronic authentication which you could choose?

Graham Greenleaf

Ideally that alternative electronic authentication methods exist as well as the choice, if you want, to stick with paper-based transactions, that the Australian government won't go the way of the Australian banks and attempt, whether they announce it or not, to de facto stop anyone queuing up in a bank and doing a real live transaction and force everyone to go electronic. Looking at the perspective I'm coming from at the moment, I see the Hong Kong government instituting a series of very cunning ploys to force everyone to accept a mandatory Hong Kong Post e-cert and to use it in all sorts of contexts.

I'm not drawing any analogies, I'm just saying that in the Australian context, I think the future of digital signatures would be much more secure and safe in relation to government to citizen if there were real guarantees that they would not become compulsory, that they wouldn't become the digital passport.

The NOIE paper is very good in philosophy in this respect, it seems to really recognise and encourage a multiplicity of acceptable forms of electronic authentication. Not just one flavour, but a genuine choice, and Tom if you wanted to build into principle –

Catherine Higgins

And you'll see the piece that the minister releases next week called the "Online guide to authentication" also reinforces that agencies will choose that type of authentication ... that doesn't kind of guarantee from the consumer perspective, but it does go through the whole range of authentication technologies and their uses.

Graham Greenleaf

Well, I think the guarantees from the consumer perspective is one of the real missing elements in the Australian picture.

Tom Dale

I'd just like to deal with that issue, because I don't think it's a major issue for deliberations here, but if people still want to talk about it that's fine.

As far as authentication goes, the government has never, as far as I'm aware, has made specific, any mandating of particular forms of transactions for individuals, and as far as PKI goes, as a particular form of authentication goes, I am unaware of any current or planned transactions between individuals and the government encouraging, let alone mandating, the use of PKI.

As we all know, individual use of PKIs is pretty much non-existent, and if it remains so for the foreseeable future, I don't think anyone in the industry or the government cares. That's not an issue, it won't happen.

As far as government guarantees on government to citizen transactions, I think it's made clear, but maybe it could be made even more clear, the government, in its targets for online transactions, that government agencies were in no way expected to mandate particular forms of transactions, and certainly were not intended to create two classes of transactions whereby those involved in non-electronic dealings with their government were somehow at a disadvantage.

That was always a concern I think, and it's still a concern to the government and it needs to be made more explicit, so much the better, but I suspect you're dealing with what I hope is a non-issue for the future. I don't think it's going to count.

Nigel Evans

I don't think there's any question of government in the foreseeable future saying that the only way you can deal with the government is electronically.

Keith Besgrove

They already do.

Nigel Evans

In respect of pension payouts and things like that, you've got to have a bank account, it will pay into your bank account. That is not an argument, it's very efficient, there are good reasons for it. But to say they will not force you to deal electronically, that's not the same thing. They say, we're not going to post out cheques, we're not going to hand out cash. We want to put the money somewhere. How we get it there is a different issue.

My point is I don't think there's any question of government saying that the only way you can talk to the government, have a dialog with the government, whatever it's about, is electronically. I really don't think that's on the card. I don't think the politicians will wear that. And so that there will always be face to face transactions. However, where there are electronic transactions, we do choose to do business with government electronically, then I think governments will say we will of course require to use or include in the process, methods that enable us to be confident that we are dealing with who we think we're dealing with. It depends on the risk.

Graham Greenleaf

The question is whether there is only one method, or whether there is a choice of reasonable authentication.

Keith Besgrove

You might have a choice of 3 or 4 distasteful methods –

Graham Greenleaf

The very process of choice stops the effective aggregation of information. Choice in itself is valuable.

[unknown]

If the choice costs 10 times as much not having the choice, if dealing electronically is 10 or 100 times as efficient, then surely the people who want to have that choice, need to have a price differential.

Catherine Higgins

Witness the success of e-tax as well, SSL, but huge success in terms of individuals lodging their tax.

Lyal Collins

My question is in form of a clarification.

If we are in an environment that say you can only use PKI to get to government, 1. the government's picked a winner, and the second one is, fundamentally with PKI, and we got a whole bunch around, then we're no better off than when we started the discussion earlier this evening.

The other element of that is that businesses and citizens have no interest in PKIs at all, do they? Commercially, it's about .0001% interest in the marketplace.

Mandating one environment for dealing with government, either with a business or a citizen, that is not used in the business to business or person to business environment is doubling the cost, including choice across the entire economy, rather than just government, has to happen to make cost effective outcome for providers.

Julie Cameron

One of the concerns I have with the whole e-authentication issue is we run the risk of creating two classes of citizen. Not everybody is going to be able to use e-authentication. And somehow we have to make sure that not only government makes it difficult for them and delays payment, tax refunds or whatever, but also that industry is already starting denial of service, if you like: if you don't use Internet banking, you wait in a queue longer.

But worse than that, they will also use identification and e-authentication to say whether or not they want to actually let you to have the service. They may or may not allow you into the web site, or access for that particular kind of service. You may not be profitable to them. And if we push everybody down without anonymous, to do business anonymously, we run the risk that there's an unprofitable group in the community that won't get access to service or will be denied service.

So I really want to follow on quite a lot from about what Nigel's been saying and what Graham's been saying about the importance of having anonymous e-transactions; but also dealing with this issue of making it illegal to deny service, because that is an issue which is coming in at the moment.

Keith Besgrove

It should. At the moment you have to have a pensioner's card to claim a pension basically. If that pensioner's card works electronically, fine. Same with Medicare. You've got to have a Medicare card to claim Medicare.

Julie Cameron

I'm talking about business practice.

Keith Besgrove

You're talking about private sector.

Julie Cameron

I'm talking about private sector business practice.

Keith Besgrove

Ok, well, maybe in the private sector you have a case, but from a government point of view, it probably makes sense, it's cheaper from a customer's point of view, and more convenient, and better from a government's point of view to deal electronically, and there is very little additional overhead, in providing a token which works on the Internet as well as it does in one of these things.

Julie Cameron

But doesn't it depend on whether they need to identify you prior to giving you services?

Keith Besgrove

Well, unfortunately it does, but that is there, that is a given, they're not just going to give me anything if I'm not entitled to it, which is right. You've got to have entitlement to begin with.

After that, it becomes simply a question of ways and means, and if the electronic method is better for me and them, then let's go, that's fine.

David Heath

Two comments that grow out of this short argument here, which leads into my point that I was trying to make about 10 minutes ago.

If you had to use a bank to store your banking payment, what if no banks think you're not profitable?

Secondly, and very similarly, just how many certs can you fit on one PC in a nursing home?

And the point I really want to make is why can't we have a zero information identities? You're born, you start with zero, why can't you start another one? By the chain of transactions that that identity does, you establish a level of trust, a level of proof. I'm throwing up a full discussion, but it seems to me that you don't have to start with anything. Start with absolutely nothing.

Catherine Higgins

...

[someone]

It depends on what benefits flow to that identity.

[someone]

If we can take 100 identities, and pick off 100 sets of benefits...!

Nigel Evans

Can I say this is the fundamental difference between doing business with government and doing business with private sector. The private couldn't give a rat's hoof – governments are about rationing. Governments want to know who they're dealing with because many of the things they deliver are rationed, in the sense that there is entitlement and so on and so forth. On the whole, governments want to know who they're dealing with, the private sector couldn't give a rat's hoof. That is an important difference between the two.

Nigel Evans

Can I just go back 10 or 15 minutes and picking up on privacy and connecting it to biometrics.

Graham Greenleaf

A quick one, because I then want to hand back to Tom to show if he has any remaining questions left that he wants to ask everyone.

Nigel Evans

I'd observed that all the privacy principles they started with are the ones from the OECD, and I'm not quite sure how much scope they've got to tinker with those, whether the OECD agreements are under treaty –

Graham Greenleaf

No, they are not, they have no effect on anything.

Nigel Evans

One of the things we've done is to pick up the European practice of identifying sensitive personal information, and that's I think been embodied in both the Commonwealth and NSW State legislation, Section 19, one of the things in there is health, and this takes us to the biometrics of DNA and so on.

The point to remember in biometrics is that it doesn't record the raw data. It records a digest, and that I think brings us to an important principle: if that raw information is destroyed after processing at capture time, who gives a stuff, and as long as that digest, that numeric digest, which may be a fairly complicated number (I don't use 'complex', the difference between is a mathematician's problem), as long as that cannot be reverse engineered back to the raw data, and as I understand it, none of them can, and someone correct me if I'm wrong –

Roger Clarke

Proper ones can't.

Nigel Evans

Proper ones, what you then have is a number that can't be reverse engineered.

So there's clearly no implications of some physical characteristic of you. It is like a representation, a short hand representation, but then you've got a number, and the number can be very easily stolen. You're not stealing a picture, you're not stealing a fingerprint, you're stealing a number that is a digest of that characteristic.

The issue then is how easy is it to inject that number into a system to represent somebody else? And that's really what the issue has become.

Michael Milne

Yes, it gives you a number. But when you put your finger down, or you get your face recognised, or your voice, or whatever it is, it doesn't give you an absolutely identical [...], so there is no 100% match. So what you're saying is true is from the sheer point of view that yes, this is a proper thing, and you want to look at it and identify it, but it isn't as easy than if I switched that number, and I can reproduce it.

David Heath

Because any reasonable system will reject exact matches, in an electronic context.


Conclusion

Graham Greenleaf

Well, we're going to finish off by going back to Tom and Catherine. The question I want to ask Tom is: what do you want to receive submissions on? What are the questions that haven't been answered tonight as far as you're concerned, but you want to get those cards and letters rolling in.

Tom Dale

Some concluding remarks. Those of you in the room who like me are past the age of 45 years and have a plane to catch in the morning will realise that we don't want to drag out proceedings of these discussions. I wouldn't presume to try and summarise the discussions, for some of you rather amusingly suggested before. So just some concluding remarks, Graham I do appreciate the opportunity to have the last few words.

I'm very concerned about Stephen's very loose use of the term 'electronic passport' in a room reasonably replete with legal practitioners. As far as I'm aware, electronic Passport with a capital P is traded by a large software company which will remain nameless, so don't do it again. It's not that sort of Passport, OK? [laughter]

One consistent message coming through from people in the group this afternoon and this evening is the need that the advice that the government receives on this matter doesnít make too many assumptions.

It does go back to what is usually termed first principles - not first principles of how PKI works by any means, but first principles about what authentication actually means. I agree with about 60% of Roger's views on that, but that's a good start.

Nigel Waters

That's the highest rating he's ever had. [laughter]

Tom Dale

Can I say comparing the proceedings this evening with those that we've had in Canberra a week or so ago, clearly in terms of that discussion about first principles on authentication as opposed to particular methods of authentication, I think the discussion here has been far more open and in some ways far more useful, but to some extent that was no surprise.

People did bring a certain amount of baggage, history or whatever to the discussions in Canberra, whether they worked for the government or they were vendors of particular issues or solutions. And to some extent, on this issue we can go digging up the past a little bit too much, and I don't know that it helps future debates on public policy to be quite honest. Some of it is almost ancient history in Internet years, and really who cares.

The discussions about first principles that we've taken away have been helpful, yes they will be part of our advice to the government on the way we're going at the moment, and no we're not starting out with too many preconceived views. I think there's a clear message about settling some of those fundamentals before worrying about fine details of governance.

Governance structures for authentication only matter when you've got a clear understanding both commercially and in public policy terms what authentication is for, and that's a long way, and therefore you get to technologies and technology governance structures. So we've got a few things to worry about before, if I recall right, Appendix C and the governance structures are worried about too much.

PKI, some useful discussions. I think, Roger, the point you've got to bear in mind from our point of view, there are a lot of legacy structures we've got to deal with there, gatekeeper or no gatekeeper. PKI exists, rightly or wrongly, and there are some digital certificates out there, and decisions by the government have to take account of what's there as opposed to what ought to be there. I don't know what the answer is, but I found the contributions to be helpful.

Gatekeeper: we didn't get a lot of guidance on that one way or the other; I didn't expect to. We had some specific questions about the follow-up order process for CAs and RAs under gatekeeper. Yes that is behind schedule, you're right, I signed off earlier this week on an audit tendering process to take that forward, and we should see some results on that within about 3 months or so. It's behind schedule but it's a resources issue, not a sinister policy choice, as is the usual case in governments.

Biometrics: I believe that the most interesting and the more controversial and the more important area in the long term, not just coming out of this evening's discussions, but things that we quite consciously put into our discussion paper relate to the biometrics issue. At the domestic issue, I think that it's clear that the full scope and potential of the existing privacy act and the forthcoming review process need to be explored fully before people start talking about reinventing regulatory structures that may not exist at the moment. We have no particular mandate from the government to become a focal point for a domestic policy debate, on biometrics regulation, on the other hand we're not afraid of it either. And we'll certainly be putting some fourth-rate advice to the government and taking some further views on that issue, I hope, because as I said there are concerns there that in my view make the PKI debate look academic, and I say that in a non pejorative sense.

Couple of quick comments. At the international level of biometrics, I think there is some scope for commissioning the OECD to do some policy work on biometrics at a comparative level between countries. We are involved with a number of OECD bodies, including the Working Party on Information Security and Privacy, I would welcome people's views on an Australian government proposal, it has to be government proposal, to commissions and further work on that over the next 12 months. The staff at the OECD are wholly capable and professional in doing that work, but we need to into support in some other countries.

In terms of public interest involvement in those processes, it's not quite a closed door Roger. Yes, you have to find your own way to Paris, but some recent work of that working party has involved bodies with fairly impeccable "soppy Pinko" credentials. The Electronic Privacy Information Centre has been involved in some recent discussions in security guidelines there as a full member of that working party, and we'd be happy to provide more information to that to anybody, it's not a secret.

We talked about the geographics of these seminars, we've got a number to go, and if anybody has any unfinished business, we'll see you in Melbourne on the 6th. I guess I didn't get my wish to hold one of the seminars in my own home town which is Newcastle.

Thank you for your contributions, we found it a useful exercise. I'll ask Kate and Catherine to conclude in a moment, because they have put a lot of work into not just the paper itself but in the follow up work on the list server and in working with the Cyberspace Law and Policy Centre in what I hope has been a successful joint function tonight. No, but if I had too many unanswered questions Graham, there is still a period for further formal submissions, we still have the proverbial open mind on the issue. And I thank you again for your time and efforts.

Kate Boyle

With regard to follow up and what we're doing next, I'll give you the web address, it's www.noie.gov.au/authentication_policy/index . We've got a list that you can sign up to and it's low volume, we're just sending out information on an event or a paper that's being put out for discussion or comment, and we'll be sending out the follow-up to these workshops so you might be interested in signing up to that.

Graham Greenleaf

As a final comment, I'd just like to particularly thank Baker & McKenzie for providing once again a very nice venue, all sorts of assistance and providing a really good location for these events. I'd like to thank David and Than for organising it so well once again, and I'd like to thank all of you for being good long stayers, five and a half hours worth of symposium, and I'd particularly like to thank NOIE for once again collaborating with us on putting on one of these symposia.

Over the first year of the Centre's operation, I think perhaps the single most successful thing that we've managed to do is establish such a good working relationship that's provided a lot of really helpful discussion and information to a lot of people and involved a very considerable number of people with high levels of expertise such as everyone around these tables in some high level discussions.

Before we started the Centre, this was one of our sort of two or three benchmark things that we wanted to do and we didn't know if it'd work. It has probably turned out to be, I think, the single most successful thing that we've been involved in, these symposia. A lot of the credit for that goes to NOIE for their willing participation. It's a very nice example of a very open and participatory consultative process.

So thanks Tom, thanks Kate and Catherine. And thanks everyone here tonight for making this a successful event.

 
