
 


 

Transcript of Symposium and Consultation on
E-Authentication

Held on 11 July 2002

 [Draft - corrections welcome]

 

Hosted by
Baker & McKenzie Cyberspace Law and Policy Centre (at UNSW Law Faculty)
and
the National Office of the Information Economy

 

At the offices of Baker & McKenzie Sydney, Australia

Transcript prepared by Nick Chen, edited by Than Yeng.

(Please go back to the main E-Authentication Symposium page for the background papers.)

 


 

Contents

Introduction

Presentation 1: NOIE’s e-Authentication discussion paper

Discussion on the NOIE presentation

Session 2: Roger Clarke’s paper

Discussion on Roger Clarke’s paper

General discussion after the break

Conclusion

 



Introduction

David Vaile, Executive Director of the Baker & McKenzie Cyberspace Law and Policy Centre

Welcome to this symposium on E-authentication, the third event in a series which investigates aspects of cyberspace in the light of various public interests. 

One of the aims of these symposia is largely to dispense with the conference style format consisting mostly of prepared lengthy speeches where real discussion tends to happen on the sidelines. What we want to facilitate instead is open-ended, wide ranging discussion of issues that are of interest to experts and stakeholders in the field, and to disseminate the results of these discussions to a broad audience. Accordingly, we’ll record most of what is said with a view to making it available in slightly edited format on the web.

Later on we also hope to publish a series of books in which the symposium proceedings will appear together with related papers, articles and materials. We’ll also be taking some snapshots to record the event so please tell us or the photographer if you don’t want to appear in any of these photographs. Before I introduce the themes of the present symposium I’d like to introduce you to the Baker and McKenzie Cyberspace Law and Policy Centre where I am the new executive director. My name’s David Vaile, if I haven’t met you yet.

The Centre has been up and running since late 2000, attached to the Law Faculty of the University of New South Wales.

We are generously supported by our hosts tonight, Baker and McKenzie. As well as providing the bulk of our funding Bakers also supports the centre in other ways, such as allowing us to use its facilities for events like this. I should emphasise that otherwise we are quite independent of Bakers, we are not a mouthpiece for the views of the firm or its clients and we are free to pursue our own academic and public policy interests under the watchful eye of the law faculty at UNSW. That said, we are lucky to have at Bakers a number of the most experienced practitioners working in the area and this is often a source of valuable ideas and feedback for the centre.

The Centre runs a variety of events in addition to this sort of symposium. For instance it arranges conferences, events in the continuing legal education program, and the centre itself has a relatively small secretariat including Than, who’s the inaugural coordinator. He’s been doing a great job to get us to where we are today.

Our activities are driven mainly though by our group of research associates and collaborators, several of whom are here this afternoon. I’m not sure it would make sense to name them all, but I’m sure you’ll find them later on. In addition to these research associates, we are fortunate to have participating in the symposium a large number of people from a broad range of disciplines: government, industry, academia, the legal profession, and public interest advocacy. Fortunately we have a mix of IT people and lawyers; this should lighten up the proceedings!

So, we should continue the cross-cultural dialogue initiated in our past symposia. 

As we were planning this event, we discovered NOIE, the National Office of the Information Economy, was intending to run a consultation in Sydney as part of a national program seeking feedback on their recent authentication discussion paper.  We're proud that NOIE chose to conduct their consultation session in Sydney jointly with us as co-hosts of this event.  No doubt Catherine [Higgins] and Tom [Dale] will make sure that you all have a chance to comment on some of the specific topics that they seek to address, although I'm sure that the debate will inevitably cover much broader ground.

The first part of the symposium will begin with a presentation from Catherine Higgins from NOIE. She'll focus on the outline of their authentication discussion paper, of which many of you may already be aware.  The main technologies covered in their paper include biometrics and the gatekeepers scheme. I understand NOIE emphasizes their interest in seeking reactions to a much broader range of the authentication options. 

The second part of the symposium will be started by a presentation from Roger Clarke of the ANU. Roger will consider some fundamental technical and social limitations of some of the newer and more complex authentication tools, and ask questions about what this means and where they might fit in the broader mosaic of online relationships.

The third part of the symposium will consist of free-ranging discussions after dinner. 

This symposium is aimed at discussing the implications of e-authentication and the new environment in which it finds itself in the interests of all the parties concerned, most notably the transaction participants, service providers, and those who support the integrity of the system.

So what do we mean by ‘e-authentication’?  It's a fairly new term, covering a range of tools including passwords, PKI, and biometrics.  These systems attempt to identify, verify, or otherwise raise trust in the participants in an online environment by the use of technological, and to some extent organizational, mechanisms.  

I note in passing that there are some complex legal, social, and technological issues in this area, and we have a very diverse audience here today, so I'd encourage anyone speaking to recognize that not everyone may share the background knowledge and jargon that you may take for granted. Please provide a little bit more context and explanation than you would if you were just amongst your peers where you could perhaps take for granted your audience’s level of knowledge. 

Hopefully this symposium will cast a penetrating light on the issues surrounding authentication in general, specific implementations of it, how well they match the needs of various users and stakeholders, and what type of regulation may be needed. However, I don't want to steal anyone's thunder, so I'll hand over to the joint chairs of this session.

One of them was meant to be Chris Connolly, who many of you may know. He’s a co-director of this Centre, but he has been called away to help his wife in the birth of a new, currently unidentified, entity. 

Luckily Professor Graham Greenleaf, another co-director, on my right, has agreed to step in on short notice, and share the chair with Tom Dale from NOIE.  Welcome Graham and Tom. And over to you Catherine.


Presentation 1: NOIE’s E-Authentication Framework discussion paper

Catherine Higgins, NOIE

Thanks David. I'd like to talk today about the discussion paper and some of the background to where it comes from. 

As pointed out I think some people have a depth of knowledge in this subject and some people don't, and we've been discovering that over the last two years at NOIE.  We really have been intending to educate a lot of audiences about authentication technology over the last couple of years and we've had an industry and government council whose term had ended but they were called the National Electronic Authentication Council and Stephen Wilson was a member of the council.  So some of the thinking that comes from this paper actually comes from the last two years and where authentication technologies had evolved from.

I'd just like to go through the paper very quickly because some people will have read it and talk about some of the questions that we're trying to answer.  And also I'll talk about the consultation process a little bit and the submissions we received so far in response to our paper and the others we hope to receive in the next two months.  So those of you who have read the paper will see that we have provided an introduction to the whole subject and we've tried to set the context of authentication in terms of electronic transactions, identity management.

We find it hard sometimes to talk about authentication as a means to itself which I think is the wrong thing to do in Tom's terms of Internet or e-commerce agenda.  So really authentication has enabling and protective security aspects to it and I think this is important and probably hasn't been raised that much in the debate in Australia to date. 

In terms of enabling it enables e-transaction because it identifies individuals online, and it also is an access control technology in that it can be used to control access to remote computers, servers, and so on, so it's a protective security concept in that sense, and I think in Australia we need to talk more about that in the industry because we have a lot of unprotected systems.  So that's the other angle of authentication technology, the protective security elements.

Also I think we're going to talk quite a bit about biometrics tonight, and it's getting a lot of play in Australia right now because of the law-enforcement aspects of the use of biometrics or the potential uses of biometric technologies, and that's an area which I think is very interesting, and there's a lot of consumer issues and societal issues surrounding the use of biometrics so hopefully we have quite a rigorous debate about that tonight.

The paper is divided into three sections, and so as I said the first is an introduction to why we have authentication technologies at all and what they help us to achieve more broadly in the information economy.  If you go through the Commonwealth government's role to date in authentication and some of you will know that NOIE's been quite involved in authentication in terms of digital signature certificates, and particularly because we accredit IT members under our gatekeeper program so that accredits those industries.  Members do go out and issue digital certificates.

So we look at trends in section 2 of the paper and really I think, as was said the biggest trend and noticeable thing over the last two years was that passwords, PINs, and those more basic forms of authentication technology are commonly known and used.  The more high-end areas such as biometrics and PKI, we have concluded that those areas do need considerable regulatory and accreditation attention and we would like to talk about those specific areas in depth tonight.  And cross recognition, the whole concept of recognizing other trust schemes is another area which we have covered in this paper. NOIE runs the gatekeeper schemes, we want to look at recognizing another country's schemes, we have covered that in this paper as well.

I think that area has been a policy discussion for a number of years, but I think it's still got a fair way to play in terms of making international e-commerce a reality and having the exchange of digital signature certificates across economies. So that's currently being discussed in APEC, and now the international forum, and we cover the foundations of our views about cross recognition in this paper.

The whole area of standards and accreditation and so on is covered in this paper as well on page 17.  And really we talk about PKI and the standards there simply because there are standards in that area, and it's also a complex area of technology which requires standards.

So we talk there about the original standards, the Australian standards, and I see Alistair hasn't come along yet, but he's coming from Standards Australia, and those standards were named 4539.  They were the precursors to the gatekeeper schemes.  So we have got some questions in here about whether standards will drive the take up of PKI digital certificates in a private economy in Australia, we like to ask a series of questions and try and have some debate and discussion around that tonight.  But it also is a view that standards don't drive the take up of technology either, so we would like to discuss that more tonight.

One other big issue that NOIE is considering in this discussion paper is our role in this process, NOIE's been very involved in authentication, education, but also in a stronger role as the accreditor of the gatekeeper schemes.  We are really seeking some comments from industry parties as to whether someone else may be better placed to take on that role as the accreditor in future years and we have a series of questions around that and it involves a range of stakeholders including those vendors who are already accredited under the gatekeeper, and we have to look at the business model surrounding, potentially outsourcing gatekeeper from NOIE, and therefore what NOIE's role will be in the future.

So there is appendix C of this paper which I think has been circulated before tonight, sets out a framework for the governance, a new governance framework if you like, for PKI.  People like Stephen Wilson will have seen this before because we discussed this at the end of last year so it has a governance structure which has an industry government board and then it has a role for Standards Australia and it has to define which of those will exactly be in that third party accrediting role.  But we have put some framework around that there.

We are really trying to get comments back from industry users on whether they can see that national framework being necessary for the rollout of PKI and therefore whether Standards Australia and NOIE should really investigate the feasibility of starting up that framework, how much time and money we should invest in that.  And that's a big issue, and it's about demand drivers as well in the economy.

So just a little bit about the process so far, we have had one workshop so far which was in Canberra and unsurprisingly that was dominated by government agencies who have been quite strong users of authentication technology particularly PKI, and also the IT security vendors, so it was quite a good session, but it became apparent to us that people still don't really understand authentication technology fully, and the way they are trying to implement them in government agencies, and that they are still seeking answers to some questions.

There are some good PKI rollouts that happened from Canberra, which has been government and business applications and tax, and the Health Insurance Commission of those two examples.  They are seeking more sort of work and guidance in how to reach critical mass with those rollouts.  So we're hoping we have had four returns to our papers so far in terms of submissions, and we're hoping to get a number of concerted submissions, from industry consumers and governments over the next few months.

It's interesting, the ones we have received; I just took a note of them just to let you know the variety of people who have responded to our paper.  Two of them are IT security vendors, Gangooli and associates who have done a market stakeholder analysis, and PKI Plus who are an e-security vendor firm.

The Australian Consumers Association made a submission which was based along the lines of the submissions that Charles Britain made to the private commission on PKI guidelines, so he was coming from the same angle as when he saw our paper.  The fourth one that is forthcoming I think, is from Glen Turner Arnetts, so from the education sector, his users of PKI technology.

So I'm quite looking forward to reading that one because it comes from a user's perspective.  We have had a lot of e-mail traffic from IT-12 which is the Standards Australia committee which originally dealt with the first PKI standards 4539, and it is good timing now that Alistair has just walked in the door.

And the sixth submission that we have had is from the New Zealand government which is really interesting because they are still looking at the whole framework at this point.  And their authentication strategy seems to focus on the consumer level so they are looking at the government consumer issues and how they issued identities to individuals within an economy which is quite good and timely at this stage.  We have also had a good discussion with VISA and some of the credit card companies about what they are doing and that was very useful as well because it is a real commercial perspective to the authentication field and that's been very useful because I think that the verified by VISA scheme is getting quite a lot of take up amongst the retailers and the e-tailers.

So look we are hoping for more submissions and answers to some of our questions, we are having another consultation session in Melbourne on the sixth of August, and we are also having another consultation session with the computer association in Adelaide on 30th July and perhaps one in Brisbane as well.  But anyway, we are looking forward to your comments on the paper, and this next session we are going to go into looks at some specific issues which are outlined in the paper and we stop all the about questions.  So that's all for now.


Discussion on the NOIE presentation

Professor Graham Greenleaf, UNSW Law Faculty

Thanks Catherine. We have another formal presentation after the break, and we are going to hear from Roger Clarke, about the question of whether conventional PKI is a good idea. However before we deal with questions like that, I think we can start with one of the broad issues on the agenda in front of you, and deal with the question of what is the role of the government in promoting and regulating e-authentication technology. 

Would someone like to put a view on the future role of government in authentication technology regulation generally, and just before you do, a reminder that we would like each person before they speak, to identify themselves, which of course I didn't do -- I am Graham Greenleaf -- and also for those of you sitting at the table could you please turn your name card around so that it faces Tom or faces me so we know who we are getting contributions from.  Thanks.  Okay, so who would like to start off the discussion on the role of government in future technology, future e-authentication regulation?

Graeme Freedman

I noticed the U.S. government is trying to make some specifications for UV probability spectrum for cars, which they are currently issuing. The really interesting thing for me is that the report, which came in today, reported how airline crews in Europe are having troubles with their uniforms and credentials being stolen.

From the transport workers' union in the U.S., there are concerns for the safety of those crew members, and there has been a push for better certification and authentication. My guess is that the role of the government will probably be directly proportional to the perceived threat of outside interference with your average Joe.

The political process will in many ways determine the perception of threat rather than any technology as it goes forward.  It's interesting to see laypeople, in U.S. transport workers, people looking after the aircraft, unloading the aircraft, things like that, being very concerned about the issues, not because they understand the technology, but because they think there has got to be a technical way of making their operations safer.

Tom Dale

So you think that at the moment, a lot of the evolving perceptions that are around authentication are made in terms of access and security, and that in itself might be a political driver.

Graeme Freedman  

I think where governments are involved in these things, people, in a situation where there's no threat and where there's no real need for things to happen, governments probably don't need to be involved.

As the risk gets greater and we consider that our lives can be more affected physically and virtually, then we may as a community want greater involvement.  I think that governments will be involved as much as the community wants them to be involved from the political process.

Graham Greenleaf

If I can just take that last comment you made, put up one hypothesis, I would say that every form of authentication is a potential threat to privacy by potential abuse, and consequently, it's inevitable that governments will be more and more involved in privacy regulation in the e-authentication era, and that we can expect a much greater level of legislation in relation to authentication than we currently have in the Federal Privacy Act.  So I would throw that in that this is at least one area where government regulation is unavoidable.

Nigel Evans

I observe that there are issues of trust.  Governments have regulated in this area. You can't get private inquiry agents in New South Wales, without being licensed by the New South Wales government, because it's perceived as being an area which the operatives must be trustworthy. 

Therefore trustworthiness surely is an issue.  Then maybe some people who perhaps until quite recently have said "well, a reputable organization with a good brand name is inherently trustworthy", I think that is now greeted with a certain amount of mirth in many circles and I don't think it's politically sustainable anymore.  So I think the need for trust may in itself be a cause for a need to regulate licences.

Graham Greenleaf

Thanks Nigel. Would anyone like to respond?

Lyal Collins

I would like to contribute to the general discussion. We’ve heard the term identity and authentication used here this afternoon, and we shouldn’t forget that particularly in the commercial environment, it’s the authority associated with a particular commercial relationship that is also of issue.

The identity and the authority only really have relevance in a point-to-point customer to vendor environment, and there’s a lot of good working models in the business community today, where there hasn’t necessarily been any regulatory input by government. In some cases there has been input by other bodies, including community, or industry regulators.

It’s sometimes slightly different of course with statutory or government bodies where there’s inherently trust because they are part of the political, the governance process of the culture. I do take forward, though, the comment that the large, monolithic and sometimes self-regulatory environments like accountants and auditors, do sometimes get it wrong. You must plan for failure in whatever mechanism we have going for or have a multiplicity of mechanisms that suit different commercial sectors.

Graham Greenleaf

I’ll raise another of the topics that Catherine has flagged, and that’s the suggestion that NOIE might move towards promoting some non-government authentication body to take over a more generalised portion of the work the gatekeeper has been doing at present, and ask for comments about that suggestion, and also the related question of if there was sense in such a non-government body in the field, would it only make sense for it to be dealing only with PKI or would it make sense for it to be dealing with a wider range of authentication methods and technologies. But before I do I think I’ll ask Tom or Catherine perhaps just to clarify what NOIE’s view is on that second question, about what scope of operations did you have in mind for that sort of body?

Catherine Higgins

We did have some discussion about this last week in Canberra, and our thinking has been narrower in that we have been looking at the PKI area in particular and because the gatekeeper standards which are listed in here are quite comprehensive in themselves.

But we did have a discussion last week in Canberra, and a lot of people were a little bit concerned with this suggestion that the management or governance council above this sort of structure would have to be very representative of industry users’ views, and existing commercial standards that are already operating, we didn’t want to overregulate in that sense.

But we really were looking at a narrower context of PKI because we see that Jas Anson and Standards Australia have that kind of expertise, so if we had a broader concept of authentication which included areas like biometrics and existing authentication technologies in business it would have to be a broader management council at the top of the structure, and it could even be quite unwieldy, so it would be a matter of how you would get that input from business and also whether it is required at that broader level or only for certain technologies.

We have outlined the governance structures in this paper for the PKI management council model, and it’s that diagram at C and some of the earlier stuff on page 19 of the paper.

Tom Dale

Can I just make an additional comment. I think it is important to distinguish between the role the federal government has played today in not so much the gatekeeper PKI framework but in its commitment to utilisation of PKI for particular purposes. 

Essentially the policies rollout of the federal government has been confined pretty much to government businesses transaction component, with a couple of exceptions. In general the Federal government has not been focussing on PKI or any other particular forms of authentication, in terms of government to individual transactions, and I think a lot of the policy issues raised will likely be raised later on.

There's a distinction between the government trying to establish a trust framework for some sort of transactions in business and transacting electronically with governments. The gatekeeper structure has evolved as a system of standing in governments for PKI, which is a different issue again, and I guess we’re trying not to confuse them too much and there’s no suggestion that the, well there’s no obvious reason why a change in the government’s structures, I guess a fairly substantial legacy arrangement such as gatekeeper needs to lead to any change at all in the government’s general approach in promoting PKI for particular purposes.

That’s the issue with government online, the democracy, it doesn’t necessarily mean the government is also in charge of its standards and the accreditations.

Julie Cameron

I’m just taking a business point of view, and following on a little bit from what Tom has said.  From an implementation point of view, I’m an electronic commerce practitioner, whereas he’s been involved in implementing industry project. We would recommend perhaps a light touch. We looked at implementing PKI into superannuation for various transaction purposes.

We found that there were issues in the trading community, like cost; how much is it going to cost us to set up things like CAs and RAs? The actual cost of the products that we would need to implement, and the cost of implementing the product we would have to put in front of our gateways.

The cost of managing keys was quite inhibitive, particularly when  talking about trading chains with small businesses. I think there’s some issue here that needs to look at exactly what kind of transactions governments want to introduce as requiring something like PKI, and what are the transactions you would have trusted partners, people who probably do businesses using telephone or fax or some other less secure method.

If the government decides that they want to do PKI, I think there needs to be a caution in making a lot of transactions have to use PKI because it will slow down perhaps the implementation of electronic commerce across Australian industries, and particularly between industries. I wonder whether that could be two levels, the light touch or commerce which is considered to have low risk and perhaps a higher touch if you want transactions which need pure authentication and identification.

John Gardner

There are two issues that I see. The first one’s around a body as a trusted third party, in particular, a PKI as a trusted third party or anyone who’s performing authentications on behalf of, say a customer through to an agency. We find that that’s very hard to describe in a private contractual framework, and there’s limits to what can be done or what I trust them to do under current law.

What we see is the role in government trying to find those areas difficult to describe in that relationship and perhaps smoothing out of the way that that could be contained to what the authentication provider actually does compared to what transaction is being authenticated.  So that's the first issue on the table.

The second issue is what is being authenticated?  There's a role by the registrar of identities within the community and by that I mean civil identities, business registration identities, communities of interest identities, in seizing what they are identifying, and making sure that authenticators of those identifiers are linked into a way that that identity is those granted so that the government role in managing authenticators in the community also needs to consider that same role in managing the registrars of those identities.  I hope that wasn't a bit too cryptic.

Stephen Wilson

I have some extended comments to make, if you do not mind.  We run the risk in all of this debate in losing track of what people's certificates are really good for.  If you don't mind a bit of discourse on that, my strong view is that a lot of people have preconceptions which are some years old in terms of certificates already formed from liability, cost and trust.  The original view I think of digital certificates was that it would be an electronic passport.  And this is a metaphor that is very easy to grasp, and I think that somebody cooked it up almost on the spur of the moment, when they were just thinking about business opportunities. The trouble with it is that comes up with a very interesting set of problems.

If you think of the digital certificate as an electronic passport context to that relationship, you wind up with issues where Alice has a relationship with Sydney authority, she's holding a certificate, she's trying to convince Bob who she is, Bob has no other relationship with Alice, he has none of the context to see who she is, he's got no prior relationship with her CAs. NEAC has indeed spent years on this problem and had a look at two different very good legal analyses which have wound up at being somewhat inclusive.

If you look at the NOIE’s website there is a diagram which has all the relationships and has this rather alarming but correct phrase that good legal standing of such and such between who the line pays and CAs is indeterminable. Anybody that wants to get into this debate has looked at the NOIE website has obviously been put off.  Now I'm not saying that what you said is wrong, but we are all trained over years and years of going to presentations to think of Alice and Bob as having no context, and we continue to be trained in PKI's because we have an e-mail, we receive a little red seal on it and it's a signed e-mail, we click on the signed e-mail and have a look at the certificate authority which it came from and we're trained to think in terms of this certificate authority is trusted, because I had no other way to trust Miss Alice. 

The trend at the top of the agenda, the really important trend, the use of PKI's is dramatically different from that.  The technical reason to use PKI is twofold: it gives you what's called the system identities, the origin and integrity of the transaction, and it's persisted in so far as I can get a signed form from Adrian, it hits my machine and I can log it and I can trust it on this machine, and they can pass it on and they can log it halfway in six months, they can come back with that form, which has gone from server to server, you can do that using provisional technology which involves that going through audit trails and all sorts of things.

The other thing that's important about computer certificates is that they are machine readable.  And this is something that gets insufficient attention. There's no real interest in application when everybody's actually getting signed emails, it just doesn't happen.  You look at all the other interesting applications of PKI and they have the same characteristics, the servers that are processing forms automatically at high volume, and it's pretty obvious because if we don't have high volumes, we don't have paper savings. 

So it's really important I think to understand the interesting applications of PKI. Rich-context, Alice and Bob have a preordained relationship of some sort, and what PKI's doing is automating the existing relationship.  If you think about the context of the submission, what indeed what the HIC's trying to do with the certificates is purely context based. As a non-lawyer it's easy for me to say I don’t see there being a lot of liability difficulty in trying to work out what happens when a transaction goes wrong. I mean, the parties are presentable, a licensed medical practitioner comes in, a signed form with the HIC.

Graham

Steve, if I could just finish that point: The liability of these things is easy to understand, and the management of these things is easy to understand. If we try and use PKI to automate these existing relationships it helps us understand what killer applications replaces customs and health – customs overseas, stuff in Hong Kong is a very important application of how to. It also helps us understand that PKI is an important trend in the future where credit card companies are using chip cards now.

The chip cards contain very sophisticated PKI systems, and yet nobody is being burdened to sign up. The reason for that is that PKI is embedded in the relationships and the context of the transactions. So I guess my fervent desire is that the policy agenda gets onto problems that have real application, the ones that I have enunciated, and they are not Alice and Bob.

We should turn our attention to more problems, and to a much clearer debate about who should be regulating these things. The question about whether the government has a role is a question about grounding till you start thinking, what is the government’s job in regulating registration roles.

Someone

Stephen, out of that very interesting set of comments, we certainly get the point that a lot of the liability takes place through the conflict of particular contexts in which particular PKI applications occur. However, those particular contexts, those you were alluding to, I think were also likely to involve other forms of authentication in conjunction with PKI as part of that context. Where do those combinations of factors lead you in answering our original question of what’s the future role of government in relation to the regulation of this whole mix of authentication technologies?

Stephen Wilson

Well, there’s two sides to it. There’s the technological side and this is a government understated, very clear role. With the technological role of IT, there’s an enormously important library of this stuff for everyone to seek standards and by and large it does it in a fairly useful way. [indistinct]. The other side has got wrapped up in government in a very sort of complicated way, that is the idea of personal transport and the issue of very strong identity checks.

The strong identity checks are a national consequence, the idea that Alice and Bob have no other context. If what we did on the other hand was not to identify people personally but use the certificates to coordinate transactions, then we look to the existing communities of interest and the existing authorities.

One example is the existing authority structures that make me a doctor, a missionary or a taxpayer. These are not good examples because the government has a will on us. We all know the good examples, the government has a good understood role in making taxpayers and in making doctors in that authority. I think the authority ought to be delegated now to those sorts of things that we have already charted.

Graham Greenleaf

So you’re saying that there’s no real role for some overall non-government authentication body here, and that what we should be looking for is industry specific or profession specific or activity specific regulatory structures being augmented to deal with the particular problems of authentication.

Stephen Wilson

I think that there is potentially a role for non-government or semi-government bodies to sit above and it might be a good idea for somebody else to put up their hand and talk about the issues around this. The issue, if I’m trying to rely on a certificate, if I set up a server, and I’m processing forms for people, I want to know if the certificates were issued properly, and I want to know the certificate issued was done according to standards, and I want to know that they’re going to be withdrawn properly. Now that ‘generically’ is a problem across industry, in different areas, we want to make sure that information systems are audited and secure.

DSD has a program in conjunction with NATA… doing all sorts of things, they rely on technical experts to be making instructions orbiting and the licensing (and I use the word loosely) and the accreditation of those bodies to do an inspection does in fact quite often converge in a very small number of accreditation bodies such as NATA and [something] international.

So I think that fundamental problem that we have in quality control, if you like, is that the certificates themselves were generated in a trustworthy manner and are part of the standards. NOIE right now will know what confers that sort of trust or that word appears in all sorts of other issues because there are health checks that NOIE does. Now you could look to other organisations to do those health checks.

Lyal Collins

I’d just like to expand on some of Steve’s comments and I think that there’s a lot of synergy between what I was saying and Stephen’s comments. I think there’s a requirement for technology neutrality in a lot of this. There is a very strong need for accountability in all of this, you have trusted third parties who allocate or designate to be accredited doctors, for instance. We don’t actually ever go back and check our credentials, but we do want to know that when something goes wrong, we’ve got a plaque on the wall outside that we can go and hold that individual or that company accountable.

That’s very similar to Stephen’s comment about automating process of doing interactive, the trust and confidence to deal with a particular individual occurs by non-technology means. The light touch approach, in the superannuation context, perhaps, is a really good example. The financial planner has a context of a relationship with a fund manager, there is other processes around those other forms of accreditation and they are good, working trust party models to date.

The cross recognition probably, where government might provide some directions, or a non-government regulatory body. The process by which a doctor gets a bank account is a form of crude, and slightly esoteric form of cross recognition. That there is an entity, it has a cross commercial practice, and therefore has an ability to authenticate for a different type of commercial relationship with different levels of liability specific to the type of service. So the cross recognition at the very high level is an area where there could be some contribution in there.

The Electronic Transaction Act, just to move on a little bit, the Electronic Transaction Act and its state derivatives or complementary legislation sets some basic criteria about what a transaction and what an electronic signature can be. It’s technology neutral, and there’s numbers of ways of achieving those. PKI is one of them, I am a vendor promoting an alternate mechanism, and I am sure that there are multiple other processes in place that will do that the same.

An open market approach, letting the market decide, perhaps with some valued input from government or appropriate technology and commercially astute bodies, may well be the approach to go. It’s a little bit of a moot point whether it’s to be a government or a non-government body as long as there’s appropriate funding, and it can maintain the appropriate level of trust, just like the institute of accountants and auditors do.

Graham Greenleaf

 I am going to throw this back to Catherine and Tom for the moment and ask are these contributions we’re getting answering the questions that you thought you were asking?

Tom Dale

I think so. I should note that we do have both Standards Australia and NATA, and some perspective that they may wish to bring on. I think that the government is certainly conscious of that distinction I made earlier, and does not want to be particularly identified as a market leader or a regulator across the board in all of the areas we’ve been talking about.

There’s been a number of people including Stephen who have said that since the governments originally mould them in all of these matters 3 or 4 years ago, things have changed quite significantly in the marketplace, in the expectations and strategic planning with a lot of federal government agencies and in terms of the will more generally, I guess, and I think the propositions about transactions in context, about fit for purpose approaches to not technologies but for business solutions and the propositions I think that we’ve heard about generally making sure that authentication is seen as a means to an end, not an end in itself, the ones that are more fairly obvious, so all those reasons, those are the sort of issues that we’ve locked in, that we require a bit more detail on, but yes, we’re getting there.

Alistair Teggart

I’ll just preface what I’m about to say by saying that this is the first time that I’ve spoken on behalf of Standards Australia. There’s a long history in the area, but a short history in Standards Australia’s involvement. I guess from a starting perspective, if we keep the conversation to PKI, Standards Australia has a long history, back to MP75 in ’94, and the tech tree of the GPKA and running the national PKI committee IT 1241, and developing the existing national standards in biometrics. I think that’s a pretty separate subject and one that we’re probably not willing to enter any arrangements about now but at the international level of debate of biometrics is pretty fragmented.

There’s a recent proposal to the joint tech committee between ISO and IEC to set up an international standardisation committee for biometrics led by the USA that I think will probably be picked up in some form, probably not as a separate committee at an international level but within the work of one of the other committees. And I guess if that progresses, then we would see some involvement for us in standardisation of biometric technologies at the Australian levels.

That said, back to PKI, we’ve had a proposal on the table for nearly a year or so saying that we could, based on the fact of that experience, our position as a trusted third party (some people have got different interpretations of what a trusted third party is) but as a national trusted body, we could oversee the evaluation and accreditation procedures based on that experience.

We’ve got a broad representation of stakeholders already, and rigorous processes in place that we have for development of standards and accreditation against standards, through certification through CLAWS, and I guess with appropriate funding, somebody mentioned earlier, we could probably take on that role, if it was judged to be appropriate by industry and government, and if there was a perceived demand.

Catherine Higgins 

On that point about perceived demand, do members of IT 12 think there is perceived demand in industry sectors, do we need any more standards, do we have enough? You know, we’ve got PKI coming in anyway, the gatekeeper accreditors suppliers can issue PKI privately to any community interest who can pay for it, and so there are cost issues there and so on. But we need to update 4539 and some parts of that so that the registration authorities can recognise for example, do that work quickly, does that make a difference to the demand side of the economy?

Alistair Teggart

I can’t answer straight out. There is probably a role for us to develop a handbook based on the general risk management framework, which is 4360, I think. The specifics of PKI, looking at value of transactions, and that would also sit within the existing information security management standards as well. Draw on that.

Stephen Wilson 

I make a point that a handbook on authentication. We’ve got to be careful that we don’t get [something] trying to reverse issues of standards and process controls and so on in the absence of any context, and we got unstuck in the standards group in trying to come to a standard for R8, and it’s exactly the same as writing a standard for passports. So if you do that in the absence of any transaction context, and can’t manage risk in the absence of context, we know that now, we’re at the risk again of just chasing our tail, coming up with standards that are addressing academic issues, not actually addressing the real issues which have to do with the specific use of certificates.

Alistair Teggart 

The format of a handbook is a lower concern, which doesn’t necessarily mean that it’s not a valid technical document, it means that perhaps that some of the very rigid process is avoided. The handbook has guidelines, they’re not standards, but they can carry a fair amount of weight, and I don’t think necessarily we could get too bogged down thinking about the contextual issues of risk management in PKI. The handbooks are a more open structure, and I think the emphasis would have to be on context.

Chris Winston

Thanks very much Graham. Maybe the first thing I should do is explain a little bit about NATA, I was conscious of the comment made earlier on in this meeting that there are people in this room with all sorts of different levels of understanding of all different parts of this topic, and I certainly confess that I am one of those, just blindly followed for a number of years. I guess some people around this table know something about NATA so if you’ll forgive me I thought it might help if I lead you through how we got involved in part of this area, and that is with the Australasian Information Security Evaluation Program, or AISEP, and the facilities, the AISEFs, that get involved in this.

First of all, what is NATA? NATA is a laboratory accreditation organisation. And for laboratory, you can read that very broadly, it’s testing facilities, testing calibration measurement facilities. It started in 1947, so we’ve got a pretty long history in this, in fact we can raise the flag for this country in this one because NATA was the world’s first comprehensive laboratory accreditation organisation, remains the world’s oldest comprehensive laboratory accreditation, and the largest, so that’s one for Australia.

I'll talk about some of our international partnerships in a minute.  We are endorsed by the Australian government as the Australian authority in laboratory accreditation. We're also a peak body in inspection accreditation which is another form of accreditation for doing different things and two different standards and we’re involved in other things as well. But I think it’s the accreditation side that’s important here. I said I’d take you on a bit of a journey as to how we became involved in the AISEP program because it’s a very good demonstration of what we do.

Defence Signals Directorate (DSD) approached us mid-90s when they were looking at outsourcing some of the work that they do in certifying these AISEFs. They were doing a lot of the work themselves in testing products to go on the EPL (the evaluated products list), there was more work than they could handle and they needed to outsource. So they came to us and said, you’re the accreditation organisation, will you help us develop a program.

So we did, we sat down with a, we drew together a steering committee, which is our usual way of developing these programs, and the steering committee, it depends on what sort of program, but usually involves technical people, business people, whatever’s interested in the area at stake, stakeholders in the area. We drew those people together and they put together the criteria which were required in order to tailor the standard that we use in laboratory accreditation, the international standard that we use to accredit testing facilities. So that was done, we called for interest in the accreditation, well, in this case we didn’t have to call for interest because it’s a closed community in the AISEF community, in others we call for interest and get in applications.

Then the process is that we go out and we do the assessment, we do the evaluation, we do that in association with technical experts in the area. So it’s a peer group technical evaluation. If all goes well, then the organisation that’s being assessed becomes accredited by NATA, that accreditation process goes through an accreditation advisory committee, which is one of the number of volunteer committees which we have within NATA, again it contains people from within that industry that can make recommendations to us about how that particular field should operate and through the chairman whether or not that organisation should be accredited. So once that’s done, they become accredited by NATA, that gives them national recognition, particularly if they’re dealing with government.

The other important thing is it gives them international recognition because NATA is one of a number of accreditation bodies of its type around the world. There are something like 34 bodies in a mutual recognition agreement, 34 economies in a mutual recognition agreement, with NATA, which means that an organisation which produces a test certificate, a NATA-endorsed test certificate in Australia, that test certificate is recognised in these other countries as if that body were accredited in one of those other countries.

Now I think this is a very important phase in the whole area of e-authentication, because unlike some of the politicians in this country who might have believed in the past, the internet ends at the border of Australia, we all know that it doesn’t, and that one day, not very far away, we are going, and indeed we do at the moment, we all trade internationally, and we’re going to trade through an authenticated or agreed electronic system. And if there’s going to be call for that system to be authenticated, to be accredited, then it’s important that the bodies that accredit that system in the different countries have some relationship with each other and are recognised one to the other.

This has happened in the past in a number of areas with which NATA deals. And the other important thing about this, and touching on the earlier question about should NOIE remain involved, I believe that the clear answer to that is yes, because in many of the other areas in which we were involved, and where technical accreditation underpins trade, and indeed prevents technical barriers to trade, it’s only because of that technical recognition, the NATA or NATA-like body around the world, it’s only because that exists that there can be government to government agreements in some of these areas. They very much underpin those government to government agreements. And government to government agreements, it is so obvious, can only be undertaken by government.

And it seems to me therefore that there has to be a strong involvement of NOIE or some part of government that’s got the understanding to advise government on how to negotiate and take part in these agreements which will undoubtedly become more and more important as we move forward in this area. Sorry Graham, that was a very long answer, I just tried to lead people through to what accreditation in this space is about and some thoughts on how government might be involved.

Graham Greenleaf 

We’re getting close, about 5 minutes away from having some afternoon tea, but we don’t seem to be all that much closer to getting any strong opinions about NOIE’s continuing role. We’ve certainly just heard one interesting opinion about that, but I’d like to come back to that point: the role of government in the continuing regulation in this area, and the need for some alternative private sector body. Would anybody like to come in on that at this stage?

Nigel Evans 

I think the first point is that accreditation is one thing, but to have any value, there’s got to be some mechanism to prevent unaccredited operators. I guess there’s an element of buyer beware, but if the price is right, there’ll be plenty of people who will use an unaccredited operator. So that’s issue. The second point that comes out of that is of course, it’s constitutionally mooted, whether that’s within the commonwealth or the realm of other jurisdictions, and whether you see it as common, telecommunications or whatever. But there is a constitutional issue there, it’s not necessarily in NOIE’s court, and I think it’s presumptuous to think that it is.

That’s one point, the other point is that in terms of what government normally regulates, what we normally do and when we license, which is a form of regulation, to license businesses, professionals in various domains, the criteria are normally pretty straight forward and simple, almost on the yes/no and not many questions sort of vague. Whereas in this area it is complex, it is difficult, there’s quite a lot of fuzziness, it’s subjective, and there’s whole rafted issues of competence and who can technically do it, and that may well mean that in effect, it is in terms of government perspective, outsourced to some other body.

And so maybe there is a matter of accreditation, and accreditation leads to a government regulation, it’s only one part of the process, it’s not the whole picture, and I think that’s a point to bear in mind.

Lyal Collins

I think you are right and you’re touching on a point that I’ve made for myself. Authentication is a complex topic, and so are some of the associated risks and liability, they’re topics that have come up before. We don’t yet have enough experience in electronic authentication to fully understand the syntax and semantics of what’s being discussed. We should crawl before we walk. And the accounting industry’s fallen over in a couple of examples with several centuries of experience and background behind it.

NOIE’s role: I think is a good one, as long as the state includes an educative role, particularly to spread the word about the syntax and semantics of the issues. And focus on a single technology is a real problem, as it puts all the eggs in one basket, in one framework, and it leads to some trade practices issues.

The banking community has a problem if it standardizes on an interest …forces, everybody to buy an interest can have equipment, for instance. That may or may not be an issue everywhere but it also must be whatever technology we choose, we adopt, it must be cost effective. It is a problem throughout the private sector. We don’t have the budgets the government does.

Julie Cameron

A simplistic set of questions. As a user, who is trying to be authenticated? Is it me as an individual, is it a company, in which case who should be looking after that?

I’m sort of wondering whether the question as to who looks after the whole issue depends on strength perhaps of authentication whether it’s a full PKI/gatekeeper type thing, or whether it’s more a Verisign, and whether it’s an individual signing a document, or an individual needing to be authenticated as a person, or in a role whether a secretary of a company or a person who is authorised to undertake transactions for a company, or is it a company that’s doing business say with a government organisation?

There is sort of a matrix that we’re trying to deal with here, and perhaps the question of the role of government in this really depends where we are on that matrix. A very sort of simplistic view but I think it’s a little bit confusing because of the complexity and the need for some kind of matrix. And that might help say, well government is involved, yes, in PKI for government agencies and for large companies, but perhaps government doesn’t need to be involved with things like Verisign for individuals, but there may need to be some form of more legally stringent thing if you’re dealing with the tax office, which of course is a hub and spoke model rather than a peer to peer.

Catherine Higgins  

We are actually publishing 2 publications next week which our minister is launching, and one is called “trusting the internet” and it goes into some of these issues explaining to small business so I think it’s very timely and that’s the next NEAC sort of product that we’ve got to the market now. And the other is the “government manager’s guide to authentication technologies” and it’s got a risk matrix in it so I think when you see some of those things next week it may go towards solving some of these discussions but they are very real educated issues that we need to work through in the marketplace, and they are quite complex.

Graham Greenleaf   

I confess to be a bit puzzled about this discussion so far, taking up Julie’s point in a way, but in a sense turning it on its head, I’m not sure that the level of regulation that’s needed is so much at the large end of the players or their interests being protected rather than the individuals, rather the other way round. I mean, my more general point is that it seems to me there’s a lot of the discussion so far has almost proceeded on the assumption that forms of authentication are uncontentious, but what we have to do is try and ensure that there’s necessary degree of quality control, but we’re not dealing in a field where what is being done is contentious in the first place.

I mean I find that difficult at the moment because I’m living in a jurisdiction where from next year everyone that’s likely to have a digital signature with a PIN and a compulsory national identification number on a smart card that contains 2 biometrics, a photo and a thumbprint. And to think that any of these forms of authentication are non-contentious when you have the potential of combinations like that.

Otherwise, I’m having a nice time in Hong Kong. But that as I said is the ingredient that seems to be missing in some of this discussion and I thought we were going to be in part be in the framework that NOIE’s foreshadowing, going to have some discussion on whether there’s any overall regulatory body for all types of authentication technologies that would also be looking at the regulation of the contentious aspects and whether there was any possibility of that moving outside the government sector.

So perhaps Tom could I throw that over to you and say, what’s the breach of this framework you’ve been talking about?

Tom Dale

It’s very hard for people in these discussions, and the same goes for the one that we had in Canberra last week. Inevitably as the discussion develops we all tend to come round, I think about three quarters is coloured consciously or otherwise by what particular form of authentication and that’s PKI, for all sorts of reasons it’s interesting technologically, and in some ways it’s more a sophisticated form of authentication, and it is out there, not to the extent commercially people thought it 3 years ago, but there are digital certificates in existence and they generally revolve around some sort of PKI structure.

So I think that colours our views makes it very hard to talk in terms of policy principles. I think that the fact that people haven’t expressed particular views about models of authentication is in itself an answer to some extent, obviously this will take the most extreme example of passwords to a network are authentication, no-one has suggested as far as I know that there needs to be a regulatory policy framework for instance.

Graham Greenleaf  

Tom that is precisely what is happening in HK, where there is the investigation of where the PINs should be brought into the authentication legislation in Hong Kong, I know that’s up in the air of course.

Tom Dale   

Yes, I can’t see that catching on as a debate here somehow. At the other end though in terms of emerging issues in biometrics, after Roger’s presentation I suspect that the discussion around that certainly should be unimpeded by the advantage that people are bringing to the discussion and might be a little bit more contentious.

Graham Greenleaf

I’m going to give Patrick the last comment, but other than that this is a good point to stop for afternoon tea, because as Tom said it’s going to be Roger’s job after afternoon tea to help drag us back to first principles and more general considerations.

Patrick Fair

I was just reflecting on whether the government has a role going forward, and I think there’s a reasonable hypothesis you could defend, that government has very little role, has needed very little in terms of choosing and regulating the authentication in terms of individual instances of certification authorities or the type of technology, but where the market isn’t likely to work or where there’s likely to be problems is in cross recognition.

And the economic interest of government in the well being of the country might dictate that cross recognition would be very good for economic activity and for interaction and for efficiency, where the market left to its own devices will have people carrying a number of keys which don’t cross authenticate and therefore cause an extra cost and extra inefficiency which the technology itself is able to overcome but the force of market and vested interests and opportunistic, and the fact that when systems start and who uses them and who chooses them might dictate against, and I’d be pretty comfortable leaving it to the market as to whether or not I accept a particular certificate or whether or not I choose to use a particular certificate to authenticate me, I think I might want to have a number of them for different purposes, for some purposes I might choose the very best and for others I might want to be anonymous.

But whether or not those systems spoke to one another is a much harder question and something where government really does have a role.

Graham Greenleaf

Let’s break for coffee, we’re right on time.

Session 2: Roger Clarke’s paper

Graham Greenleaf

Roger Clarke is going to get us started for this session of the symposium, he needs little introduction, but I haven’t heard him introduced, as David did for quite a long while, as Roger Clarke of the ANU, that’s a while ago. While he keeps that affiliation still, as I would say almost all of you know, Roger has principally been a consultant in the e-commerce and information infrastructure and electronic publishing and related areas, including privacy, of course, for quite a number of years now, but he is also one of the most academically productive and prolific non-academics that I know.

We’ve asked Roger to talk about the public interest aspects of all forms of e-authentication, to try to indicate the range of public interest issues that in any further or regulatory or non-regulatory structures for authentication will need to be factored in. Roger’s going to give a slightly lengthier presentation than Catherine did, probably around the 25 minute zone I think, because there’s a lot of these public interest issues to canvas, and that will help us to get off to a good discussion for the rest of the afternoon.

Roger Clarke

Thanks Graham; evening, ladies and gentlemen. The first thing I should do is apologise, because I’ve actually printed out a nice overview set of my slides 9-up. One of the results of this is that the print size is quite small. So I’m going to have to do a Richard Alston from time to time, and look down my nose at you so I can read what the hell the next point is.

My background, as Graham said, is e-business information and infrastructure, dataveillance and privacy, and I do it from a strategic perspective, a policy perspective, and a public interest perspective, and I normally try to say to myself what the hell am I trying to do tonight?  And the answer is the intersection of all those, because I've drawn slides from a variety of perspectives here and a variety of slide sets and developed a few specific to the needs of this evening.  So I will probably have to do some changing from time to time and you may have to stay awake in order to work out which perspective I'm speaking from at any given time.

The only other generic sort of point I would like to make before I launch is I've argued for years and years and years now that a huge amount of the time we're spending on technology and applications of technology, and we spend the time on them in separation from the implications issues.  That separation has been symbolized tonight because we spent the first time until coffee looking at technology and applications and covenants and those sorts of things, and the implications is that soppy wet pinko that comes after coffee.

And then the separate discussion we have on the implications and it's all rot, we have got to get it back wound together so that we're looking at technology applications and implications intertwined and feeding back on one another.  So that's the attempt that I'm making here.

Now I'm going to lead off with some general points.  You can see the structure in the summary page sitting in front of you.  I'm going to start off by asking the question what authentication means.  Here as in most circumstances it's misinterpreted.  The primary sense in which it gets used and often the exclusive sense in which it is used is as though it meant identity authentication.  And there are a couple of honourable exceptions during the discussion earlier on this evening but most of the time that's what everybody implicitly meant by it, and I'm sorry but it's wrong.  Look up the dictionary and think about what it is that you are doing when you are authenticated, what your focus is.  Your focus is on some assertion, that assertion might be about identity, but it might not.

We have to get back to the real question when we are discussing authentication as to what the scope is.  Now in order to address this what I would like to do is to get to principles, get to taxonomies, and all those good things that a semi academic and semi consultant type of person likes to do but it's always easier when we start with a simple context and set an example.  And I use one of my favourite aphorisms of the Internet. 

This gets used interminably by everybody including me and of course that's another $75 U.S. to the cartoon bank, on the screen, for photocopying it, probably $75 twice, we photocopied it as well.  But what I want to do is to draw out some questions about what is it about the people at the other end that should be authenticated?  Now the words there don't say 'on the Internet, nobody knows I'm Fido'.

The words say ‘on the Internet nobody knows you’re a dog’, so it gives me a perfect entree to point out immediately that it's not necessarily about identity.  These are the sorts of things that you might want to authenticate. 

One is, which dog?  It's Fido, it's that particular identity. 

Is it the same dog that I was talking to yesterday?  Consider the typical example of a person who is operating as a counsellor, an e-counsellor on the net who is dealing with Wendy or Bob who has been in contact with them last night and has come back and says it's Wendy again and the counsellor says yes I know, as long as it's the same Wendy, does it matter who the heck Wendy is?  Neither Wendy nor the counsellor wants to have their actual identity known to the other party because it's dangerous for both of them.  The Internet is actually a very good medium for those kinds of relationships.

So that's a second and quite different kind of assertion which involves quite different kinds of authentication mechanisms.  But sometimes it's none of those things, it's simply what your qualifications are or your pedigree, it's attributes about the entity or identity that matter.  And whether or not you know the identity or entity to go with it is quite separate.  And sometimes it's not even the question of the attributes or general attributes about the person or dog, it's about whether when you say I am speaking on behalf of another dog, whether you really do.  And that then is a legal question.

And by agency here I don't mean as in government agency, I mean as in principal-agent relationship.  That one was alluded to once during the earlier discussion and I think it's a very important facet, in the B2B marketplace it's particularly important.  And a great deal of the time all you're actually concerned about is whether what you're getting from the other party is what it purports to be, as distinct from the question of whether the other party is who they may or may not want to be.  So just using that simple little diagram, we can draw out lots of these kinds of things.

And then of course we can do old dry boring taxonomies, now these taxonomies, and there is the paper wrapped around this with all of the points that I'm making here, there's drill-down slide sets and drill-down papers and references here so you can see the deeper aspects that I'm trying to argue.  But let's look quickly at the bottom left-hand corner and identity authentication which is what we seem to be mostly focusing on, we seem to blur the human vs. organization, the two things that I think most of the discussion so far has been about.  That's 2 of 15 that I identified as being important, approaches to authentication, or differently said, 2 of 15 classes of assertion that are important in B2B, B2C, G2B and all those other kinds of e-business. So we've got to shift our focus to look at a much broader scope.  I will talk briefly down the four on the right, attributes authentication hopefully fairly clear, are you a doctor or not a doctor, are you really a qualified counsellor, are you really a member of this club, are you a member of the home forces who can actually open a bank account with the defence forces credit union, being a fairly topical one at the moment.

Agency authentication: do you really represent that principal as you either claim to or as you appear to, not necessarily a claim but an assertion isn't necessarily that I am Roger Clarke.  You just assume I'm Roger Clarke because all of the billing gave me as Roger Clarke.  I didn't necessarily assert it did I?  You always have to be careful about who's making the assertion.

The third one down the right hand side is the question of where are you?  This can be quite important old fashioned issues, is this person logged in from the terminal that's in the appropriate spot of the building, not just the question of who you are, but where you are and whether anybody might be looking over your shoulder who hasn't got your privileges.  There is quite a long-standing question of location authentication but there's going to be a few more in the mobile, or as we now have to call it, ubiquitous computing era, and the other one authentication that's already been mentioned, credit card detail checking, e-cash, credential checking.  There's a whole pile of these things that we really need to look at.

Now, having established that our scope ought to be really broad if we're talking about e-authentication, otherwise feel free Tom, to call it identity authentication, but please don't muddy, please determine what its purpose is and use appropriate terms and define out of scope the things that are out of scope.  I'd much prefer to see you doing the whole lot, hard and challenging though it's going to be.  I will then make the same mistake that everyone else is making, and I'll focus mainly on identity authentication, or is it only identity authentication?  I will bring you back to the top left-hand corner because we are going to do a bit of that as well.

So let's start with the simple diagram we all work with, and thanks to Bill Gates, yet again, I cannot believe the number of variations of bugs between different versions of PowerPoint.

This little thing here says 1, and that says n, and that says record column. And it’s going to be like this on every one of the next four slides.

That’s the model that most of us implicitly have most of the time when we’re talking about identity authentication. Whatever the epistemological and ontological assumption is, I can never remember, phenomenology is it? We assume there’s a real world and there are entities out there and they got attributes. There’s probably a philosopher in the audience that can sort me out on the words. And we assume, well we’re pretty sure, if there’s an abstract world there where we abstract things, well we don’t really, we model the real world by creating some bits of data, some pieces of data which represent, usually pretty imperfectly, that identity and those attributes. And for any given identity, there could be multiple sets of records, possibly using multiple sets of identifiers. That’s the pattern that we normally think in terms of.

Now what we so often overlook is that underlying that identity is an entity, a physical being, an identity is not a physical being, an identity is best conceived of as things like a role or a person in a situation, the expression being used by several people tonight about it’s the context in which the person presents to a particular organisation that determines the identity that they are presenting, so we use identity in that sense, and there is an entity with attributes underlying it. And this here points out that there is an m to n relationship between entities and identities. Firstly you shouldn’t assume that each human being has only one identity. We have squillions of them. Quick, open your wallet, count your cards, think about all the numbers that aren’t on cards in your wallet, all of those organisation-assigned identifiers correspond to an identity. So there’s many of them. So there’s got to be at least one to many. But in practice there are many circumstances in which more than one entity presents using a particular identity. Sometimes with the approval, or perhaps connivance, of the identity themselves, and sometimes because it’s “identity theft” in the many senses in which that word gets used and abused.

So we have to at least get to that level of complexity before we can make any sense at all of some of the questions of identity authentication. And having done that, we then move to the next step, of recognising that there’s some kinds of identifiers, if you want to call them that, that are specialised and different from identifiers because they strike directly through to the underlying identity. And clearly here we are talking about biometrics in the case of human entities, but in the case of legal persons, I challenge you to come up with some sensible entifiers for utterly fictitious legal entities like trust companies, like One.Tel, no even some of the existent ones. It’s very very challenging to think through what that means in some of the B2B contexts, and indeed B2C where the consumer is trying to reach the organisation and strike through to the entity underlying it. Some interesting philosophical challenges. I use the term entifier because it makes sense to strip the id off the front and relate it directly to the entity.

I’ve gone back by means of a classic scholar, but the origins of the words identifier and identity and I’m sure they basically derive from an ancient Greek verb “to be” and therefore it’s perfectly legitimate to come up with a neologism like entifier. Interestingly, I don’t think the word ever existed, it’s like one of those funny things like ‘couth’ that doesn’t actually exist but should. So I just suggest entifier, just to distinguish it from identifier, just because it’s significantly different in practice, and when we have our discussions, once again we need to think our way through ramifications of this. And as you can see from the right hand side of the diagram, having a lot of space left, that’s not quite the end of it.

Because there’s one further category which is very easily overlooked.

In the discussion paper issued by NOIE, there is a mention, one line, unfortunately not taken any further, but on page 4, this other bit does get in there. And, my god they come up with another bug there, the words in the box in the top right hand corner have disappeared. It’s a secret, I’m not going to tell you what’s in there. Did it print? No? It says up there, Nym and data items. And by a Nym, which I’ll define on the next slide, or you can look ahead, I mean a particular kind of identifier. And the particular context that I’m talking about here, is where we have an identity but it is very difficult to strike through to the identity that underlies it. That’s meant to be 2 bars, but for this version of PowerPoint they didn’t separate them enough. It’s meant to be a blockage.

Now there’s 2 different contexts here, or 2 different circumstances.

One is where it is not in practice in the circumstances not feasible to break through, and you can never find out who the entity is underlying the identity. Somebody emails you from hotdickety [at] hotmail.com, and you are unlikely to ever break through unless they give you the information, because you can’t issue search warrants, and you haven’t got the money to buy people to trace through the layers you’d need to trace through to find out who the hell is out there using that login ID at hotmail. Some organisations possibly have, so then it may not be an absolute blockage. So in your context, that’s anonymity, and that Nym is pretty solid. In the CIA’s context, to go to a different extreme, perhaps not so, it may only be a pseudonym.

There are of course quite a few circumstances where people think they’re anonymous and turn out not to be, and there’s been a couple of expensive but effective criminal investigations which have struck through in the context of child pornography especially, have struck through what those users thought was anonymity and got through to the underlying entity, and quite clearly many of us are very interested in being able to achieve that, because the accountability, the social responsibility aspects are very well served by that.

Couple of quick comments. Anonymity is, anonymity has always been, and anonymity will be. Anonymity is also challenging as well as being highly beneficial.

I have been trying to encourage much more discussion of effective pseudonymity, with appropriate kinds of blockages built in that make it genuinely hard for governments and powerful corporations to break through, except when the right circumstances are satisfied. So it’s a combination of legal and technological and organisational safeguards necessary to achieve it. I don’t think that there has been much success in interesting people in effective pseudonymity yet, but boy I’m continuing to work on it.

My essential point is that unless we have got that rich a model when we talk about identity and entity authentication we aren’t going anywhere. And that is my definition of Nym, perfectly negotiable, it’s been published that way, but I’ve been known to gradually modify my definitions as the years go by. Nym is used by a smallish community around the world at the moment, I originally published all this in 1994, using the term digital persona, but that hasn’t particularly taken off, the concept is extremely closely related to what I’m talking about with Nym, but others have taken up Nym but it’s an extremely useful neologism because it’s not much used to mean anything else, and the root is appropriate, so let’s use it. But when you look at the number of different words that are around, that concept has been around since time immemorial in many different contexts, so I’m heartened by that.

So, so much for the lecture, hectoring, about what authentication really means. Let’s jump to the question of tools.

And here on this slide, I’ve tried on one slide to fire off what’s in the NOIE discussion paper and refine it a little, because I think there’s a couple of aspects that are useful to work on.

The first point that I’m trying to make is that there is a considerable richness of alternative tools on the left hand side, even more than is in the listed examples, they’re only listed as examples on the NOIE discussion paper, there’s an even longer list depending on how you want to break it down. The second generic point that I’m making on the right hand side is that for any one of these to work, a whole pile of preconditions have to be satisfied. The great deal of infrastructure necessary is not just PKI to support these digital signatures, all these different kinds of tools require quite a range of things in place.

The next couple of points that I ought to make would be to draw a couple of these to your attention that might otherwise escape. The writing of a signature is well established, that is a physical signature, and I mean by that either the result or the behavioural pattern of writing a signature, and I don’t believe we should lose that one because it is quite feasible it may continue to play a role in e-authentication as well. The second bullet on the left I’d like to generalise the username/password pair because it is a specific instance of a particular piece of knowledge, password in any case, if not the username, which is likely to be in the possession of a person and not in the possession of others. There are many other instances.

There are also various other aspects like password arguments, so I’d like to generalise that somewhat, and highlight that it’s dependent on a reasonably well understood pattern of things and processes otherwise it won’t work.

With the third bullet point, I’d like to highlight that with PINs, we also have to recognise non-secure PINs. What do I mean by that? Some are hashed in a secure manner, and the ATM EFTPOS example is up in most of our minds. There are other instances of things called PINs that I don’t think should be but they are. How many people have got a telecard or an Optus equivalent? That PIN is known to the operators at the other end. And you are then wide open to spoofing by the organisation or any of the individuals who might move outside their agency relationship with their employer and take home a whole bunch of PINs, knowing the number that goes with it. It’s only 12 digits, it’s not very hard to memorise. So I think something from a regulatory viewpoint that would be really really handy would be to ban Telstra and Optus from referring to those as PINs. Get another word, fellas. I’m not saying they shouldn’t do what they’re doing, I’m saying they shouldn’t debase the concept of PIN, because the concept of PIN carries with it an image of security. And I think there was one other one that I wanted to highlight? No, I think that was all the points. Clearly there is an awful lot of potential points for discussion here. Now let me divert to the fifth bullet point, digital signature and PKI. I’m going to have to have my ritual go at conventional PKI, because it just wouldn’t be fun if I didn’t.

The first point is that it’s dependent on a number of things, it’s dependent on public key, it’s dependent on left put private key, it’s dependent on a lot of software, it’s dependent on a lot of law, and it’s dependent on a lot of faith. To take that a little further, and let me underline conventional x509 based public key infrastructures basically don’t work. There’s plenty of literature on this not only in my papers but much more erudite cryptographers and lawyers have written on this. There are some things that a digital signature can do for you, and there are some things that a public key structure wrapped around it may or may not be able to do for you. But it’s extraordinarily difficult to come up with a public key infrastructure to do all the things that used to be claimed.

Now Steven Watts and I have had this out many times, overread and not overread, and there are phrasings of this which Steve and I could probably be happy with, not these phrasings, I underline, but some aspects of this Steven would rephrase, it’s being used for the wrong things, stop envisioning it as an e-passport, and I’m quoting him this afternoon. So we’re somewhat apart, but not as far apart as might appear from the phraseology here.

There’s a whole bunch of prerequisites if you’re going to depend on public key infrastructure to give you assurance. There are many possible kinds of public key infrastructure, remember I am reserving my nastiest for the existing x509v3 based typical implementations of public key infrastructure. There’s all those sorts of things that has to be done, for god’s sake don’t think that I can do a tutorial on that slide right now, and x509v3 we’ve got to recognise where it came from. It was a hammer lying around when somebody picked up a nail, and somebody said, ooh, ooh I’ve got a hammer, hit the nail quick!

It has a history, it comes from a history that is rather separate from, totally unrelated, but rather disjunct from what it’s being applied to, and it has bunches of features which may well have made a lot of sense in the original directory context but don’t make a very good fit especially in a B2C or a G2C context. Got some problems in the G2B and B2B as well, but especially serious, I believe, are in the B2C context. And indeed when you’re trying to represent agency relationships, principal/agent, what is it that this employee can sign for on behalf of the company, there’s been a lot of that reverberating around the B2B and G2B environments recently. And there’s always been this problem about what the hell do you do about revocations?

There’s actually a logical philosophical conundrum in the whole issue of revocation, and it’s basically insoluble, and there’s some really poor approaches to solve it and some rather better ones which still actually can’t totally solve the problem. And the invasiveness, not just comments about e-authentication but to the public concerns about e-authentication, the impact on the public if the registration authority was to do its job in the most serious minded way, is very very substantial. I continually paint the picture that Kerry Packer has got to stand alongside John Howard has got to stand alongside Pru Goward, has got to stand alongside Nicole Kidman, holding a sheaf of documents, they have to do it in a queue.

I’ve always said that I want to be alongside Nicole Kidman, but it is a fact of life that these things have all got to be done, and some of them, adduced difficult, and a great deal of the population is going to have trouble with it. Some of them because they’re going to have trouble finding the documents, some of them because they’re just getting seriously upset, some of them because they’re out bush, running around little territories and such like places, with a lot of threatening things involved if we actually do it. I don’t want to dwell much longer, actually I’ll tell you what I do want to do, I want to slip in the slide that I should have put there and what I didn’t have when I reviewed this was a rounding off slide on the PKI issue.

Firstly, I don’t want to be interpreted as saying that, sorry Richard Alston, digital signatures and public key technology applied to such purposes is totally dead in the water. There are applications and there are potentially other approaches that can be taken than the ones that have been taken up until now.

And even with conventional PKI certificates there can be some contexts, device authentication, which we haven’t really talked about, is one, and closed communities, is the term I’d use for what several people mentioned under various guises in earlier discussion, and Stephen Wilson’s point earlier that it’s one of the big things about this in a closed community is that it’s automated or automatable, and that can give you some considerable comfort in a closed community environment. I’ve always used the example of the strong hierarchical organisations, I’ve always talked about the department of defence and the Catholic church because they’re the obvious examples.

And I suppose I’ll tell some of you this story that a couple of years ago when I was mentioning that example somebody from the audience came up to me afterwards, a Belgian, I gave the presentation in Europe, a Belgian came up to me afterwards and he said, you do know that the Vatican actually uses x509 v3 based PKI don’t you?

So I don’t want to be interpreted as saying, especially, that public key technology cannot possibly be applied to a variety of applications in e-authentication, but what we’ve got at the moment is not something that enthuses many of us at all.

I’m now going to have my little swipe, and I am afraid it is going to be a swipe, at biometrics. Once again there’s a bunch of slides underneath here which are referred to in the paper which I gave at Hong Kong University recently at Graham’s invitation, to go into some depth on what biometrics is and why it is giving us a lot of difficulties, the way in which people are approaching it at the moment.

The essential idea of a biometric process is that you start out by enrolling or registering some form of measuring device, capturing something, what I would call a reference measure, but the industry tends to call a master template, and then at some later time, a measuring device, quite possibly quite a different measuring device, captures what I would call a test measure, but is usually called a live template, in the industry, and they are then matched and analysed in some way, and thereby hang a few tales, which delivers some kind of result, and thereby hangs a few tales as well. And appreciating that and how it’s applied and used is very important in making further progress in analysing what biometrics is and isn’t good for. There’s a bit of argumentation as to how the application should be categorised, but I’m going to stick to the reasonably conventional for the moment until I can improve on this, that James Wayman at San Jose is trying hard to come up with a slightly different characterisation than this. But you can either try to answer the question who the heck is this person, and the standard situation in your airport is “who is this so that I can check them against a list of stock people who I do not want through this barrier?” and that is a frighteningly difficult thing to do because you’re searching for one among many, and there’s enormous errors of commission and omission, type I, type II errors, false positive, false negatives, whatever language you want to use, there’s enormous difficulties in performing that process effectively.

The use for authentication of identities is a rather different one because there is an assertion by someone, possibly by the person themselves, possibly by someone else, possibly by you, because you are proposing that you are this person and then testing whether it really is, and that’s a one to one test and it assumes you have a reference measure available to you for that person and the ability to capture the same biometric and the same conditions in order to perform the test. I draw attention to the possibility of using biometrics in such a manner that you do not disclose identity but you in fact focus on attributes. There are ways of doing it, the game I play is, have you ever stopped to think that the person who is at the border who is inspecting passports currently, doesn’t actually need to know who you are? 99.95% of the time they have no need to know who you are. And you can design systems to ensure that they don’t. Clearly there’s a trick to it, because if I were to propose that the American Immigration and Naturalisation Service in amongst the many other mistakes that it makes, should not or does not need to know who you are, well that’ll be a bit of a silly argument, I’m not arguing that, I’m saying that the border person does not need to know who you are. If a system is designed in order to perform the tests, and I haven’t got the diagram here, that’s in the drill down set, if the system is done in such a way that the testing is done in background mode without disclosure of any more information than is necessary, the border guard merely needs to know the answer: yes the person has checked out against their right thumbprint on this red-headed person’s card, and that person is not on the stock list.

That’s all that the Immigration and Naturalisation Service or the Hong Kong passports person when Graham arrives in Hong Kong actually needs to know. It depends on how you design the system, biometrics can be used in many different ways, and unfortunately so far, we’re only using it in a dumb way. The concept of mythical annoys some people.

Feel free to interpret me as saying that biometrics industries and biometric technologies are inept. But that’s not what I’m saying. I’m saying there’s a whole flood of myths flowing around in the biometrics industry, and about the biometrics industry, and to a considerable extent encouraged by the biometrics industry. It is very hard to get serious information, the rate of change in the marketplace is dramatic, the coming and going of technologies, let alone individual suppliers, is frightening. The number of pilots that gets announced: go back through the newspapers and the industry newspapers and count the pilots that have come forward. And then go checking around amongst your friends who have had experiences of using and being subjected to biometric schemes, and there are some very embarrassing stories to be told, and while there are one or two biometric suppliers who are quite healthy, thank you very much, it’s because they’re small divisions of large corporations with many other healthy divisions.

Trying to find individual suppliers who are making a packet out of biometrics right now is seriously challenging. This could mean a number of things, very early phases of the industry and so forth, one of the things it could mean is that they’ve ended up not getting very many sales, they keep promising and not quite delivering in context. I suggest the latter, but I don’t know enough about the industry to be sure. What I do know is, that if you take the worst case, and please don’t think I’m tarring every biometric technology with a brush, face recognition, but this has got to be one of the biggest cons ever perpetrated on mankind. It doesn’t work, and there’s sufficient evidence to show that it doesn’t work, and there’s plenty of effort by the organisations who provide the technologies to avoid the independent analyses and information flowing about those independent analyses, it is fraudulent misrepresentation, and feel free to quote me.

Discussion on Roger Clarke’s paper

Keith Besgrove

You’ve got some examples there that I’ve never heard of, that you’re sort of assuming that you know what the examples are.

Roger Clarke

Oh sorry, beg your pardon, on that slide?

Okay, Tampa Superbowl was January 2001, and simply the town in which the Superbowl was held, that’s the world championship of football. Sorry, the American championship. And the crowd as they came through the turnstiles, were submitted to video apparatus which it is claimed tested them against the database of terrorists, troublemakers, pickpockets, I don’t think we actually know. I don’t know whether it was used in Japan, it totally failed, and that’s documented, there’s a couple of publications which are referenced in the literature underneath here, that explain how the information has become available. Ybor City is a suburb of Tampa, is a city council of Tampa, which got very enthusiastic about this and installed it quickly and it’s failed utterly and dismally and once again it’s well documented. We’re still trying to find information on the others, but the ACLU, were the people who’ve pieced this together through a variety of probably fair means and foul, but the information is very disappointing. What I need to stress here is that irrespective of the effectiveness or ineffectiveness of biometrics, they have a lot of implications.

I can suggest by the way some other examples, apart from face recognition. It’s slightly unfair to suggest that face recognition is a disaster therefore all biometrics are.

There are different kinds of experiences, if we take three of the most common at the moment, hand geometry, I don’t have terribly good anecdotal background on, but it has claimed and has made some progress in testing in very constrained circumstances. It uses measures of the shape of knuckles in a field, how you place the whole hand in a field, and there are spaces to ensure that it’s meant to be a consistent space, and it’s used in particular by INSPASS, the Immigration and Naturalisation Service, in the US, for high fliers, in the sense of business class and above passing through Heathrow, JFK, LAX. Two anecdotes from my own experience: I have on a number of occasions stood right alongside the INSPASS booth at LAX for periods of 10 minutes at a time.

And I’ve been waiting, I haven’t been standing there because of I’ve been waiting for somebody to use it, I’ve been looking for the opportunity, I’ve never seen anybody go past one. So I’ve got no idea, I guess they get used.

The other anecdote is that the only Australian who I know has one, hasn’t got it anymore. He’s a senior public servant, Canberra Commonwealth public servant, and he always chastises me and takes me on privacy and surveillance matters and biometrics matters, and I said to him one day, but you must have INSPASS surely, of course I’ve had INSPASS for bloody years, he’s been in the Hague, he’s been in London, New York, on postings. I said, ‘well how well does it work for you?’ He said, ‘oh, shithouse, I gave it back a few weeks ago.’

I said, ‘what do you mean?’ He said, ‘well, I must’ve used it 20 times, it’s only once worked for me.’ He said ‘I just couldn’t be bothered and gave it back to them.’

So sorry, the anecdotal evidence ain’t real good, but it’s used in nuclear power stations, it must be good. The second one is thumbprints, I had an honours student work in the department of computer science, looking at the possibility of masquerade based on conventional commercial products, and he had no difficulty whatsoever in performing a masquerade based on the template that’s stored and available, which is the proposition I put to him in the first place, but I couldn’t believe how easily he did it, admittedly he’s a first class honours student, but it’s not supposed to be that easy.

And iris recognition technology, now we’re starting to talk about something that’s very interesting. Iris recognition technology I think is the one to really watch out for. It’s extremely interesting maths and very interesting physics, and it also requires very specific circumstances for it to work effectively, which is one of the important messages, and which has indeed floated around. Conditions, contexts. So I want to fly through four slides and say that irrespective of whether biometric schemes work or don’t work, they have enormous implications for people, some of those, I don’t know whether it’s privacy, I don’t know whether it’s civil liberties, I don’t know whether it’s plain convenience, call it what you will, everybody gets affected by some of it, and people who get picked out as false positives get subjected to a huge amount of it.

There’s also various kinds of privacy invasiveness, and I want to underline here it is multidimensional. As a submission I don’t know whether I’ve got time or money to write a seriously hard submission to you Tom but you only talk about privacy in the context of data privacy in this document. There are four dimensions, biometrics in particular strikes all of them. It’s something of the person intrinsic to them, that is being used, it affects personal behaviour, because it involves surveillance of various kinds, as well as having to do with the privacy of personal data, and the third word of course has to do with the point that you’re striking through to the entity, you are not dealing with an identity. I wasn’t going to dwell on it here, there is an argument, particularly as we move into the DNA context, that there may be information exposed in various forms of biometric testing which may relate to things that are close to predestination. The obvious is the meanings of particular genes, or the import of particular genes, there have been arguments, none of which have been terribly well established, that other kinds of biometric might also contain information about the person.

The iris is the obvious one because of iridology. I don’t want to stress that one too hard, but there have been arguments, the statement is, and even possibly personal fate, it’s that kind of, I’d better not leave it off.  There’s also threats of personal identity, I’ve mentioned the example of the ease of masquerade based on standard templates of thumbprints, please distinguish masquerade from identity theft, they’re very different things, and the US FTC doing stupid things with their definitions with their national fraud centre in the US, absolutely criminal incompetence in the way in which they’re describing things that are just single instances of masquerading and calling them identity theft, really reports they’re stupid.

There is a thing called ‘identity theft’, and it’s serious, and unfortunately biometrics will tend to worsen the situation as well as, not instead of, improving it. It’s a double-edged sword. It obviously is designed to provide access denial to various places and false positives are obviously going to be denied access to places that they shouldn’t have access to in principle, and it could go so far as enabling identity denial, which you’ve got to read, I’m not going to deal with that tonight. And there are much more substantial things, my sole point with this slide is it is not just about individual human beings and the privacy of each individual person, it is a serious social, democratic and economic issue that we’re talking about here as well. There are much broader implications. That’s what I work on in privacy. I don’t work much on the impact on individuals, I work on the much more substantial effects.

I have argued in the things I have written so far, and I haven’t got the major paper out on this yet, I’ve argued that biometrics should be banned. I don’t mean forever. Biometrics should be banned until they are regulated. So here is an express message in the e-authentication context. There’s a series of things that have to be done. Some of those things need to be done for technical reasons, I got the social import, they will not work well and they will open up the possibilities of insecurity unless they are done. And certainly the standards kinds of things here links directly into the question. Standards Australia and, how do you pronounce it, Chris? ‘natter’? NATA. Natter’s what you do, NATA’s who you are. So NATA and Standards Australia must surely have copout meetings, must surely have roles to play in that.

Last couple of concluding points, sorry Graham, we’re nearly there.

11th of September did not change the world. It’s a common misconception, it didn’t do it.

It’s what happened on the 12th that changed the world.

What happened on the 11th of September was pretty bloody chilling, we all know what that was. But on the 12th what happened was exploitation of the opportunity.

And there has been very substantial change in balance of discussion especially in the United States, remarkably so in the United Kingdom, where Tony Blair has obviously had his ego played upon and been warned that he’s under death threat from 46 different terrorist organisations, where the UK has been turned amazingly, I must say Australia has been a little more circumspect, but some of the disease has reached over here.

My personal position on this is that if I’ve got to choose between a short life and a long life that’s got low quality, I’m not terribly interested in the low quality life. Now I could be in a minority in this room, I could be in a minority in the Australian population, judging by the image we have, I’m definitely in the minority in the US population, oh my god I cannot believe that this software can cock up so many things at once.

What it says in the bubble up the top is, hell I’m willing to give up my civil rights in the fight against terrorists, whose sole aim is to destroy our precious freedoms, there was some little cartoon from the Sydney Morning Herald a little while back and it does appear to sum up, well firstly the fact that Bin Laden’s won, whether he knows it or not, whether he’s still alive and in fact whether he ever existed isn’t the issue, he appears to have won.

Last points are I fear that there is a considerable lack of public interest voice in these sorts of discussions. In government fora, I don’t want to go back over painful history but I do trust that the approach that was adopted with GPKA and GBACK and the lack of transparency of the gatekeeper accreditation process, will not be regarded as a model, it should never be repeated again. They were not happy times. We need much more effective models than that. That’s in the government context.

In the standard setting processes, I manage to batter my way on to a W3C working group for the platform for privacy preferences. I was the first person who ever got a login ID and password into the W3C site who wasn’t actually an employee of the companies who are paying US$50,000 to be members. Since then that has been formalised and there has been a moderate number of external public interest representatives on different working groups. And that is a very positive direction.

We’ve had extraordinarily bad experiences with the Australian Communications Industry forum. In Australia, the public interest representatives who were involved asked for more information, explained the need for more appropriate processes, got nowhere over an extended period of time and walked out en masse. And the last I heard was that they’re still out en masse. It has been an absolute disaster.

Standards Australia, I’ve worked on a number of working parties over the years, it’s extremely difficult for the public interests to be represented there. There are structural reasons, this isn’t a complaint at Standards Australia, it’s the way these things work. It’s the same thing with CCITT, IETF and a range of other standards organisations and the challenge is right in front of the Biometrics Institute of Australia, I name them specifically because they’re named in the report. They will be confronted with the same difficulty of how the hell do we get the public voice in [?] the public won’t be interested, and the public won’t be represented unless public interest organisations get involved.

My apologies to public interest organisations that aren’t in that list, but that is 60 seconds worth of reflection on the question, are they public interest organisations that can be even invited into these fora and into these committees? And the answer is yes, there’s plenty of them, I’ve left out a few, I’ve thought of a couple more since. And that’s just one person in 60 seconds thinking of a few. Sorry that is not the Health Insurance Commission.

The health issues something or other. One of the problems is the participation of such people as are invited is sometimes very limited, they do not have full membership, the second is that representatives of the public are either employees of someone or are self-employed. If they are employees, they have to make the case to be allowed off work, if they’re self-employed as a number of us are, we have to justify, somehow we’ve got to have a business case to have a hell we are surviving. In many circumstances there’s no funding for travel, particularly vicious internationally, but even within Australia, and funding for participation, particularly when they’re substantial one and two day events, it’s a really hard thing to achieve, so I am concerned that public interest is not going to be sufficiently represented.

And I’m also concerned that Graham is going to hit me over the head because I’ve taken too long.

Graham Greenleaf 

Well, that gives us plenty of starting points for the rest of the discussion. Since Roger has spent a lot of the time talking about biometrics, I’ll ask in a second Isabelle Muller, from the Biometrics Institute, if she’d like to say some things, and then anyone else, from the biometrics area.

But first I’m going to throw another of Roger’s points at Tom and Catherine about the history of public interest participation in GPKA and GPAK, and ask why has history been rewritten in this report?

So that any mention of public interest participation in GPKA and GPAK is completely excised from here, and they’re being represented as bodies that only included government and industry representatives, just as an instance of the problems of even getting any visibility of public interest participation. So I’ll throw that one to you first while Isabelle and others draw breath.

Tom Dale   

I guess firstly I should say that I don’t think we need to open major reforms, taking in what you’ve given tonight with, which I think is very clear, I mean I’m quite serious about that, and regard that as a useful input. I don’t think there’s been any rewriting of history in the document, and in fact in the best bureaucratic tradition, we’re not in the business of producing documents with a particular historical focus, nobody would be interested particularly if we did, and that’s not what we’re being paid for.

I think Roger’s point about disagreements and difficulties over the early stages certainly of the gatekeeper process has dwelled and the involvement of public interest groups and issues and views is not something I’m going to disagree with but I guess it doesn’t help in terms of future debate about policy. I think a lot of the issues about who we’re starting are being not made up as we go along but being done from ground up.

For a tortuous time all the agencies and other people involved, that’s not an excuse for when things went wrong, but I’m not so sure that it has anything to do with the current situation which as we say is opening a debate about government structures involved with rather than saying the existing arrangements are great and should be continued. Quite the opposite.

Graham Greenleaf  

I think that’s quite an interesting starting point, Tom, that there hasn’t been a history of public interest participation in the e-authentication bodies up until now.

Catherine Higgins

Except for NEAC, actually, Charles Britton [ACA?] was a great representative of NEAC for over two years.

Tom Dale  

It was a subsequent development to the involvement of people in the early stages of trying to work out what gatekeeper might be. NEAC as an advisory body to the government came later, represented a different stage and did try to involve, as Catherine said, a wider range of groups including academic and experts, people from the retail area, the consumers’ association, and a small number of government agencies.

Some of the work he did on liability and other matters that we referred to earlier, some of the work on small business which is a group overlooked in a lot of these debates, we try to pick up as Catherine mentioned in publications, and so information work later on, but Roger’s points are relevant I think to a lot of areas of public policy, I think as far as funding for public participation goes, I think that most agencies try to treat a lot of proposals that come forward for funding participation by non-government public interest bodies on their merits, we treat things on their merits within real life budgets.

I don’t think we would ever not undertake particular proposals without thinking about them, and this is a good starting point. Sorry that wasn’t really an answer but I’m very keen to hear about biometrics as well.

Graham Greenleaf 

We’ll get another NOIE perspective just before we get on.

Keith Besgrove

I just wanted to add another couple of comments to what Tom has said. We haven’t deliberately omitted or deliberately put in things in the discussion paper for hidden agenda purposes. The purpose of the discussion paper is precisely that triggered the discussion, and what we’re trying to do with the discussion paper is trying to get enough information there and enough ideas on the table to trigger this sort of discussion, and that’s as far as we really wanted to take it and in fact we’ve left out some thoughts that some of us had, we’ve left out some conclusions, that some people may have already in part because we actually want to get a genuine open debate about some of these things.

To respond to some of the things Roger has raised, NOIE is going through this process in part because we don’t think we have all the answers. We are looking for genuine input from a range of interest groups and I really do want to emphasise that.

Graham Greenleaf  

My comment, Keith, was not to suggest any sort of conspiracy but rather it’s so difficult for the public interest participation to get into this process that it easily gets forgotten that it was there, which seems to have happened in this case. So let’s move on to the biometrics thing, now I don’t know Isabelle, I’m afraid. Over to you.

Isabelle Moeller 

Well I’m not a biometrics specialist as such, I’m more looking after, for those of you who don’t know me, after running the institute and I certainly know there is great interest in biometrics and then we have mainly users as our members, that’s really where the focus is, and like he said we are really there as a forum to make discussion possible and to bring everyone together who is interested in biometrics.

Most of our members at the moment are government departments because they are the ones that are using biometrics and have great interest in it but we are certainly also looking at having more members from financial services, so the interest is certainly there and I can only stress something, we’re not really the ones who will drive standards and anything like that, but really to facilitate the communication and bring everyone together.

Graham Greenleaf 

Isabelle, could I just ask in light of the sort of things Roger was raising, has the institute given any thought yet to the type and level of regulation that would be appropriate for biometric technologies used for authentication, and secondly, is there as yet any public interest participation or any structure that allows that in the biometrics institute?

Isabelle Moeller 

Well again I’m probably a bit too new to answer that question, I would need to get back to that, but I know there is a lot of discussion that is brought to our attention around privacy and regulation in regards to that. So there are things we are looking at and also some ideas of setting up working groups who could be involved in getting things like that going.

But it’s still a little bit early to say a lot more about that, but I can certainly find out exactly a bit more about what is planned. But at this stage nothing is happening as of yet, we’re only a year old, but the interest is certainly there and it’s something that we’re looking at.

Graham Greenleaf 

Thanks, well I’d like to ask now first if there is anyone else who is actually working in the biometrics industry, who, mythical though it might be, according to Roger, who would like to come in to the discussion now and then secondly, anyone else who would like to add some comments specifically about the biometrics issues.

David Heath  

I am a biometrics consultant. Unfortunately I’d agree with near enough all of what was said. Most of the culls have been abject failures, the systems aren’t as strong as things we’d like to claim they are, fortunately we’ve focused on the face which is the weakest by a long way, I would hate to be the person managing the face recognition technology and therefore dealing with the angry people who are not terrorists, although the systems claim they are.

There are some other systems based on fingerprints which have been live for some number of years, I begin you’re aware of Connecticut, and similar systems which are doing too much badly now. There are a couple of other projects which are newer, Stockholm Council is rolling out biometrics to all of their schoolchildren in all of their schools, there’s been a real problem with students who are 7 or 8 years old and are not remembering passwords.

Now I can’t understand why that should be true, because every child of 7 or 8 should remember an 8 character password!

So what they found was the teacher was spending half a lesson changing passwords before anybody could get any work done. Now of course the reason they knew the passwords is that the older kids were locking against the younger kids, and looking in places they shouldn’t. And they needed some accountability. So from what I’ve heard that’s been working and I believe it’s real. I believe.

There are some hospitals in the US under the HIPAA legislation that are based in biometrics. I believe at least one hospital is going live, not just trialling, that’s St Vincent’s, so there are trials that are moving towards real life. I haven’t heard how they’re going on yet, but I believe they’re moving on well, but a lot of what Roger has said I agree with. Far more than you would probably expect.

Graeme Freedman   

I’ve got two little anecdotes. I’ve been involved with, actually once, the people I’ve worked with in one smart card trial, where they were using biometrics in the US with the marines in fact, and the reason they were using biometrics there was because these guys would just come in, and they’re these 17-18 year olds, become Rambo in the army, and never had an account in their life, and there’s no way they’re going to remember a PIN. And it’s exactly the same scenario there as well.

David Heath

It’s IQ as well, isn’t it?

Graeme Freedman  

Yeah, pretty much. So that’s an IQ issue there very very much. And the other one is actually in an office I worked in for a lot of years, a thing into biometrics for some time. We had very few problems with it, I must say, as a direct user.

David Heath 

Which kind of technology?

Graeme Freedman 

I think it was called Fingerscan.

David Heath  

Yes, the same brand Woolworths employees use.

Roger Clarke 

Yes, it was in fact exactly that.

Michael Milne Hume

From e-commerce security. I used to work for Fingerscan, and Baudes [?] was certainly one of our products. However, I also agree with what Roger has said. I think the biometrics industry here is entirely responsible, really, for not getting itself off the ground. There are no basic standards, there is only one internationally accepted biometric testing station in the world, and that’s somewhere in Belgium or Holland, and the Sanyo laboratories do it in the US.  But they do it pretty haphazardly, there is nothing with biometrics that you can actually measure anything against. There’s no standard, there’s no nothing. And until we get to that stage, it’s going to go on languishing.

However, that said, I think that it’s very easy to say the system doesn’t work, or the technology doesn’t work very well, and what Roger has said is both true. But if you look at the other side, everything with something that you have to do, like put a finger down, put a hand down, speak into a system, have an iris scan, is something that you do voluntarily. Therefore, when you are looking at a system where you say “it invades privacy”, you don’t have to subject yourself to it, particularly if it is just part of another system.

I think if one looks at biometrics as being the be all and end all, that is absolutely wrong. It is simply yet another tool along with the factor, P as a tool, your smart card or your swipe card or whatever it is. Depends on the layers that you wish to put in to create authentication or identification or verification.

But it needs a great deal more work on it, and I think Isabelle’s got a lot of hard yakka ahead, because I tried for 2 years to run the biometric subcommittee of Standards Australia, and actually getting any people along to the meetings, and secondly to really put together any meaningful papers was extremely difficult. People are interested, yes, but that’s about where it lies.

Adrian McCullagh 

Your thing on privacy is a bit of economic naivety, it’s like saying that I won’t utilise Microsoft operating system unless I accept their EULA, and use a licence agreement, but I need the Microsoft operating system to use everything else, so I’m actually economically forced to go down that track. Now if I’m about to run for an aeroplane, and they’ve got a facial scanning system, I don’t have a choice. If I want to get onto that aeroplane, I have to go through that biometric system. The whole point of all this is access – do I have access or don’t I have access? I don’t think it is to say from a privacy perspective that I really have a choice. There are economic choices, and if I want to get to this business meeting, I have to go through that biometric.

Graham Greenleaf  

I’m not expecting I’m going to have much choice when I try to get back into Hong Kong next year, it’s a finger scan or nothing to get through immigration in Hong Kong, and when a policeman or an immigration officer stops me and says I want your card, and I want your fingerprint on this device so that I can check that you’re the legitimate holder of this card, I mean that just happens to be one leading example of where this compulsory production of biometric samples is going to happen. But isn’t that the area that brings us back to the role of regulation in relation to the biometrics industry because this is such a sensitive area.

Stephen Wilson

 I think the role of government is really to start relief by the point that there are no biometric standards yet, because if there are no standards, then it is not possible for someone to certify particular technology. And if it’s not possible to certify anything, then there can be no organised governance model. And with no organised governance model fundamentally possible, then the role of government becomes moot, I think. That’s not to say that the government shouldn’t be driving Standards Australia or be more aggressive about producing standards, but my technical analysis suggests at this point that we must be fundamentally a very long way away from standardising biometrics. So I think we’re faced with a moot government role for a long time.

Alistair Teggart

I think the primary way for anybody initiating any new standardisation project is for somebody from industry to request. Basically I’m not aware of the committee that you’re talking about earlier, but if it’s proposed, we do our best to survey the broader industry, build a community of interest, find the experts, find the interests, to get standards off the ground. We don’t have it at the moment as far as I know.

Patrick Fair  

I just wanted to make two comments.

One is: the only biometric system I’ve had anything to do with is signature recognition and one of the interesting characteristics of that which I would assume is common to other biometric systems is that the person controlling the system can set the parameters of the algorithm so that it will accept different variations in the signature. And this is of course extremely scary to the customer because they’re saying, well if I want everybody to go through, your signature can change quite a lot and I’ll accept that, but if I want to be really sure, I’ll tweak it right up so it’ll be 99% identical to the copy template signature in which case it will reject you a few times when it’s valid if you don’t do it right.

And that particular characteristic which when you’re reading a biometric characteristic, I would have thought either a hand or an iris, you would have to deal with means when you go back to say, ‘well, are we really sure that this person is really who we authenticated them as?’ You’ve already built in your degree of uncertainty into the end of the system, and that’s one of the reasons why the customer that I was working with didn’t buy the system: because they were just unable to deal with having to make that decision as to the degree of uncertainty that they would tolerate in authenticating people. That’s my first point.

My second point is I think it’s assumed but nobody’s really articulated it yet, and it hadn’t really occurred to me, and I think the key difference with biometrics and probably more to this, is because it’s a characteristic of yourself, you can’t get rid of it after it’s been captured. So with a normal digital signature, you might just say, well I’m not going to use that identity anymore, I’ll get a new card or a new key. But once somebody’s captured a biometric of you, it would be highly personal information that would be very powerful in an ongoing way for many years, and I think that means it’s in the realm of personal information in the Privacy Act, and probably in the realm of the higher standard of personal information, the category of clubs and sexual preference and medical information and so on, that might be captured. So we have a regulatory regime in place which is ready made to deal with the issues that are associated with captured biometrics. And it may be that using that regime you may want to set rules that would restrict the extent to which it might be captured, used and reused.

My last point is that there’s a lot of activity in the city at the moment, in new mobile phone technology, and one of the things which mobile phone technology will do is locate you, and there are some very interesting implications to do with real-time location of people by the phone that they’re carrying. In Europe, as I understand it, the standard that’s being set for that location based information is that the systems are allowed to identify you in real time as to where you are, but they are not allowed to capture where you have been and archive it as a matter of record. And it seems to me that that’s a very kind of blunt instrument in order to crack a nut, in order to guard your personal security, we just won’t capture information which might be valuable to you to protect you or to prove where you were later.

And getting this authentication system right is not all the way, that Roger puts it, with respect, that if these authentication systems exist and they work they will lower our standard of life. In fact, getting these things to work is very much about empowering people to control information and to verify and to use it for their purposes, and the objective ought to be to get them to work properly, not to be suspicious of them and say that the technology’s bad because it could be used in a bad way, in fact there’s a lot you can do once the user can control the information and the user has keys and systems that are within their control.

Graham Greenleaf 

Thanks Patrick, now Roger’s got the call next, and then Nigel, and now we’ve got hands going up everywhere. This is good.

Roger Clarke 

3 quick points:

First one, personal information is defined in various privacy laws in different ways, sometimes information about a person versus information of a person may mean that a biometric may not be covered under a law. It’s one of those problems, it’s a change in technology law will get in our way.

Secondly, ACIF MoLI, Mobile Location Indicator, is the Australian equivalent of the European approach, and you make my point beautifully, what public interest involvement has there been in MoLI activities? It’s very hard to find out what on earth it is ACIF in that area.

However the main point I wanted to make was on testing standards.

Talking to James Wayman from San Jose State, he has some guidelines of his own that he uses when he tries to perform testing, and they’re interesting ones, moderately public, neither he nor I, I’ll phrase it my way, not his way, neither he nor I expect any sense to come out of the United States for the next 18 months to two years because every government agency is completely required to totally believe in biometrics technology, for god’s sake don’t test it, it might fail. So we won’t see any decent testing standards guidelines coming out of the States for a while.

But there is a rather good document, I think it’s directly out of GCHQ Cheltenham, which explains in reasonable depth the approach that they believe should be adopted, and while I can’t say I’m wedded to that document, it is well and truly worth analysis, it’s really got some serious thinking in there. So there is a little bit of progress emergent in the testing standards area, that is how should you go about designing a test of a particular biometric technology, or a particular application of biometric technology.

Graham Greenleaf 

Thanks Roger, Nigel next. We’ve got 10 more minutes then we’re going to stop on time for dinner, so let’s get as many quick contributions in as we can.

Nigel Evans

Just picking on one of Roger’s slides, on the use of identification. I think the question actually is this person known to us?

Getting back to the issue of identification versus an entity, and one of the tools we’re possibly using is dealing with the issue of a person with several identities for nefarious purposes, and that is important, and that is, I believe, an important use of the government and the issue of private licences. There is a lot of fraud going on, lots of people want driving licences and shouldn’t be with them, and if you think that people driving around, not giving a damn because they’re alcoholics or perpetual drunks. My second point was the issue of standards.

I think perhaps the reason that standards hasn’t really got off the ground is that the people who participate in standards bodies tend traditionally to have been on the whole about compatibility. In other words, getting products from different vendors that work together, and that’s agreed as a common ground to get them to work together.

The issue with biometrics is not compatibility, it’s about what are we going to say is acceptable, and in the end comes down to false accept/false reject. And that is a different community of interest to the vendors. And it’s possible to argue, wrongly, that the vendors may well have a positive interest in ensuring that that doesn’t happen. And therefore if standards are going to get off the ground in this area, it’s a different set of stakeholders that have got to be involved, and how is that set of stakeholders put together. I think that’s the issue.

Brian Newton  

I want to just say that I thought what Roger said very effective, was very one-sided, it’s easy to criticise things that don’t work. Very often things don’t work because they’ve been used in the wrong way, or the technology is not mature. The Wright Brothers didn’t get off the ground at first attempt, but it didn’t mean that the technology was hopeless and that it didn’t have a future. And I think we have to bear in mind always the suitability for purpose, the technology that’s being acquired in a given instance against what it’s trying to achieve and what it costs.

And to get profound just for a moment, the history of civilisation is a story of sacrificing freedom for security, standard of living, what you might call quality of life. You can’t have it both ways, you can either be an outlaw or you can be a civilised member of society and you can subscribe to rule of law and the enforcement of the law. In a democracy we all have the right to assist in formulating the law and deciding what it should be. But once you have it all in place, whether it’s something trivial, relatively simple, like speeding regulations, or something really major, like privacy laws, then it’s up to everybody essentially to comply. And systems which aim to enhance compliance, are not of themselves tyrannical. It’s not actually a bad thing to find a way to ensure that people actually obey the law, if the law is legitimate, and the constraints are there, and the regulation is there.

All the time we are confronted with the, I worked for a regulator myself, and the pendulum swings back and forth all the time. Sometimes we’re told there’s not enough regulation, look at what’s happened, look at Enron, where were the regulators, look at HIH. Other times, Alan Fels has got to have his wings clipped. He’s getting in people’s way. Commerce should be free, businessmen should be free to do their thing, they don’t need this kind of restraint. And so it goes.

I think it’s fair always to criticise a given technology, but not simply to throw it away. It doesn’t mean to say that it can never work. The examples that Graham gave earlier of his photograph and his thumbprint are examples of biometrics which may actually be effective in that particular situation – doesn’t mean that they’re always effective. Fingerprints generally have done more good than harm I would suggest in the police environment, and DNA testing has got more people out of jail when it’s put in. You have to look at the technology in the context and the purpose for which it’s being used.

Lyal Collins

I think it’s pretty important that we have this discussion. Most of my comments will focus perhaps on the discussion we had in the first half after the evening, and some of the comments and issues raised by Roger, and indeed the question of accountability that Brian raised. Identity isn’t really the problem. It’s a part of the problem, and the legal identity question establish a commercial relationship. I have a commercial relationship with one account in my bank, and I have seven different ways of authenticating myself to act on that account. The account identifier, or entifier to use Roger’s term, isn’t really the issue, it’s what authority do I have to act on my account, and if somebody does act on my account, is somebody accountable for those actions? Should a dispute arise?

Putting impediments in the place of straight through process that Stephen called for earlier in the evening, I had in  complex set up processes is counterproductive. Accountability for actions is a very strong issue that we’re not discussing here at all and that nobody is discussing. If we have people accountable for their actions, all the existing laws apply. If we have accountability for actions in terms of commercial relationships or citizens to government, business to government, we have one to one relationships, at least one of those entities must have a privacy policy that must address those interactions. There arguably isn’t really a privacy issue if we believe our privacy regimes are appropriate. We need to look at a bigger picture more than just identity.

There’s a long way to go in all of this process, some of the discussion tonight and elements of the NOIE discussion paper, while very useful, are saying things that were being discussed 5 years ago. We’ve got a long way to go yet, I believe. Some parts of industry are running, and some haven’t even thought about it. We need to see an ongoing fostering and communication and education role, NOIE’s probably a good, well-placed entity for that, and some others. But I think we need to raise the bar and look for full commercial activity, not just identity or identity authentication. And that’s how I’d like to close the evening. We’re a long way from where we should be discussing the issue.

Graham Greenleaf

I’m going to take one more biometrics comment to finish off before dinner. So the last shot before dinner.

David Heath

Let me preface what I want to say by commenting that if you have been a customer I wouldn’t be saying what I’m about to say now. Can I refer to a couple of the technical points raised earlier.

In terms of tuning signature systems, my general thought is that if it needs to be tuned there’s something wrong with it. There is an objective of letting people in easy, or it’s letting too many in that it shouldn’t be and you need to make it harder. Either way, making it tuneable for local circumstances simply means that you don’t have a robust biometric.

The second one was on non-verification, in other words, if something happens, my left thumbprint is exposed to the world, I can’t do much about it. There are moves now to make the only repository of biometric information being something in the user’s own possession. In other words, I will authenticate myself against something that I carry, and at no times, assuming everything works, is my biometric released openly. It is not stored anywhere, it is not kept anywhere, simply that I match what I carry with me and that device will then say, yes the identity is confirmed. That I think is the only way that biometrics will get a public display.

Graham Greenleaf 

Well, it’s an interesting test case isn’t it, of all of this, with the biometric or a version of it being stored both as a token but also in a central database, and six and a half million of them.

Patrick Fair

Graham, within a law firm, my days at the law society we tried to implement PKI as a practising certificate for lawyers. And the problem was you couldn’t give people signatures which would enable them to encrypt information within the firms in a way that prevented the partners from seeing what was there. You had to have an escrow arrangement, otherwise the integrity of the business internally was under threat. And once you then explained to people the systems that needed to be put in place to make that work, they would be unwilling to implement. That’s the other side of having a separate store of the key, it’s a backup, it’s an administrative, it can be an emergency system. It might be threatening, but it’s also entirely useful practically.

Stephen Wilson

In response, I understand the logic of keeping the biometric on a token in order to make it very difficult to have identity theft, but Security 101 is that nothing is perfect, and the fundamental problem with biometrics is that it is incapable of dealing with identity theft. If I have a really really strong biometric in 15 years, and somebody does eventually steal that, then I am disenfranchised from that community fundamentally forever. And every other authentication technology can deal with identity theft by revoking, revoking biometrics is fundamentally impossible and that’s what scares me about it.

Brian Newton

Isn’t it fundamentally impossible to steal a biometric?

[?]

Generally, No.

Brian Newton

You might steal a token, but that’s not stealing your retina or your fingerprint.

Roger Clarke

Steal’s an awkward word because of IP here, it is possible to come up with an artefact which will enable a successful masquerade.

Graham Greenleaf

This is sounding more like the discussion that will happen after. What we’ll do is take half an hour for dinner, and after we come back, I think at least the first parts of the agenda where it’s compulsory to have a glass of wine in front of you, where we’ll start is by looking particularly at biometrics again for a minute, and the existing regulatory structure, particularly privacy laws and the extent to which they do or do not deal with biometrics, and then move back to the topic that we started on, Tom, which is sort of our principal focus, that out of all of this, from everything we’ve heard, what future regulatory structures, for biometrics, PKI and the whole e-authentication package, both in terms of legislation and co-regulation, sounds like might be the sorts of things that might be needed after all of this discussion.

So that’s where we’ll go after everyone’s had some dinner.

Thanks very much for everyone for the contribution so far, because I know some of you will have to go without coming back to the table afterwards.

General discussion after the break

Graham Greenleaf 

There is a special after dinner rule in relation to the transcript, that is, you have absolute discretion to edit anything you say after dinner out of the transcript provided that at the time you say it, you have a glass of wine in your hand. If you’re sober, Than’s taking notes, and there’ll be no let-out. That’s right, if you make a mistake, you quickly drink something.

Now where we got to was at the point where we want to have a look at to what extent existing privacy laws in particular can deal with any of the biometrics issues, and also on our agenda there’s a question of how well PKI privacy issues are addressed in the current guidelines by the federal commissioner and the current legislation. So the general question of authentication and current privacy legislation, and then after we’ve had a look at that, I think it’s back to the original question of what sort of regulatory and co-regulatory structures may be sensible to be looked at from this point onward.

So on the privacy, I think Nigel was going to have something to say, and Chris, I think, is coming in. Now do I have anyone else who would like to come in at the moment? Julie’s going to. Well, we’ll take Chris first, then Nigel, then Julie, then we’ll take some more participants.

Chris Cowper

From the privacy commissioner’s office. I suppose I’m responding to a few things that have been said around the table tonight and one of the questions that was raised I think by Patrick was the question of whether a biometric is of itself personal information in terms of the Privacy Act or is it just a record about the biometric that’s personal information? I think that’s still an open question, we think about the issue in the office and some of us are inclined to think that it is, but it’s not tested so there’s no definite answer there.

And something I was saying to a couple of people, I think in this whole debate, there’s an issue about current privacy regulation that we need to think about, which is in a sense, it’s passive, it doesn’t actually help with the decisions about whether you actually introduce a biometric or not, it does provide a framework for protection and accountability and so on once you’ve made the decision to proceed with a biometric, but it isn’t a decision-making framework as such. So it can give you a bit of false comfort to say it’s ok, we’ve got privacy regulation, we’ve got a privacy framework around this. If you haven’t actually done a proper risk analysis and you haven’t thought about whether a biometric on balance is an ok thing to do, privacy legislation does something but it doesn’t do the whole job.

The next thing I’ve got to mention is that the national privacy principles are minimum standards, so they don’t necessarily do the whole job for every particular possible intrusion into privacy, and possibly biometrics is an area where some more specific rules are needed, and I think that some of the discussion around identity theft in the context of biometrics probably are actually worthy of quite a lot of detailed study and discussion. I mean, it’s a real issue and it’s probably not one that should just be glossed over as part of the risk analysis, it feels like there might be some real threshold issues that we have to think about in that regard, and the privacy commissioner did a presentation to the biometrics institute, I’ll refer you to our website to have a look at that paper, it wasn’t a definitive statement, it was basically an examination of risks, benefits, issues and so on, but it did point to the fact that you need to think about choice, accountability and openness when you’re setting up the biometric systems.

Probably something that the paper doesn’t talk about but that I’ve been reflecting on in the discussion here is that if you’re making important decisions about a person on the basis of a biometric, you probably need to make sure that you have some sort of review mechanism built in, you don’t want to make a decision without having human intervention, and challenging the false positives or false negatives. That was probably all that I was going to say except in relation to the PKI guidelines, I think it’s important to know there that they had a particular driver which was the possibility that PKI might in some way become a de facto identifier for government use.

So the development process around those guidelines was about PKI in a government context; they were never meant to cover the whole field. So I think that that’s something we have to think about in those guidelines.

Roger Clarke

Could I ask for a clarification please? In the NPPs or whoever they’re called these days, there’s some kind of obligation that the system developers consider the possibility of anonymity. Is that relevant or actionable in the context of biometrics system design? Because I can’t think what force that particular principle has.

Christine Cowper 

Well, it probably gives support to your concepts, Roger. I mean, what it says is organisations must provide an opportunity for people to interact anonymously if it’s legal and practical. I mean, you’ve got to pass those hurdles first, then you have to consider anonymity.

Roger Clarke

But that creates the obligation to check whether it’s legal and practical, by implication.

Graham Greenleaf 

No, it’s a law. Where it is practicable to provide anonymity, there is a requirement to do so. And some, a bridge toll operator, is eventually come to grief, I hope, and have their whole billion dollar investment undone, by a privacy commissioner ruling, that they did not provide anonymity when it was perfectly feasible for them to do so.

But it brings up something to follow on that I wanted to say to Chris, the problem which I thought you would have picked up on is that principle’s completely defective in that it has no requirement in it for pseudonymity to be considered and provided where reasonable and practicable. And the reason for that is, when Moira was having her hot house series of negotiations about drafting the NPPs, she just picked up the anonymity principle out of the Australian Privacy Charter and dropped it into the NPPs, and at the time, I raised the question, ‘Moira, wouldn’t it be sensible if it said anonymity or pseudonymity where reasonable and practicable?’ And the answer was, I’m afraid, ‘Graham, most of the businesses that are going to try and cope with these principles have enough trouble spelling anonymity, let alone pseudonymity.’ And I’m not joking, but the way in which the privacy principles were settled, that eventually ended up in the legislation, was intended as a set of voluntary guidelines and there was nothing that passed for reasonable policy analysis before they went in.

Christine Cowper 

I suppose I can say that there is going to be a review of the principles of the Act at the end of next year.

Graham Greenleaf

Just before I let Roger come in, can I just add there that let’s hope it’s a rather better review of the principles than Kathy-Lee presided over, some years ago, which was a complete and utter farce where no dissenting views were even considered or put in the minutes. And when we talk about lack of public interest participation, that round of consultations that led to the private sector amendments were perhaps the greatest farce of all time, and certainly left a bad taste in everyone’s mouth.

Catherine Higgins  

But can the private sector even cope with the Privacy Act as it is now? And I was just talking to Chris before about the compliance levels, and you’ve had so many complaints and so on, but when you think about business generally in Australia, they’re more American in their concepts than they are European, so as you were saying, pseudonymity was a challenge to them, so how’s it going generally with compliance and so on? Do you want to make a general comment on that?

Christine Cowper

It’s a light touch project.

Graham Greenleaf

Now Roger what was guaranteed to be a 2 second comment then it’s Nigel.

Roger Clarke

I distinguished earlier on anonymity from pseudonymity, I do that in all of my papers, there are people in the world, lots more than there are of me, who don’t distinguish them, and who use the term anonymity in a quite vague sense to cover the whole area. And if we were to leverage off that, if the privacy commissioner were to determine that’s what that principle means, we’d be covered, but it would be really nice if we could all get the word pseudonymity built in.

Nigel Waters

I just want to follow on from that, it is my view that we should argue, until somebody tells us otherwise, that anonymity is not an absolute concept, that it’s as anonymous as possible. The only thing I wanted to say is on the ethics issue, because I think all of the other points I was going to then raise is that there’s a nice interesting little issue is whether biometrics is an identifier, in terms of NPP7, because if it is, if it is a number that the commonwealth government assigns to individuals, then that has implications for what other private sector organisations can do with that biometric information.

Keith Besgrove

Two things.

On the last one first, the biometrics. I’ve never taken very much interest in biometrics, but listening to what’s being said tonight, it seems clear to me that the value of biometrics, if there is any value in biometrics, is in authenticating a card. So as in the case of going through the Hong Kong airport admissions, you have a card, and you have something which is inherent which no-one can steal, which can be matched against something in the card, to prove that it’s your card, then you’re half-way. Then the card has to be authenticated or authorised to do whatever comes after that. Now it seems to me whether it’s a voice print or a thumb print or a retina scan or something even more sophisticated, that is very secure.

If your card will only work for you, nobody can steal the card, nobody can use the card, then the card is then what you’d use to get through the gate, or start your car or work telephone or whatever it may be. That seems to be the first thing, but in a 2 step process, a biometric might be very effective. Because it would mean something again that you never let go of. Sure, you would have your own inherent characteristic, and you would have a stored matching characteristic on the card, and nobody else would have it.

Coming back to anonymity, and this is a concept that fascinates me because I started out thinking that what we’re talking about here is certified identity of one client or another, authenticity, authentication, and to certify that I am somebody that is nobody is semantically odd, as far as I’m concerned. Do you need to be certified as nobody?

Roger Clarke

It’s the same nobody as yesterday. If I’m a nobody with a particular attribute, not on a blacklist is actually a very important attribute I’d like to keep having. And how can you have that anonymously? The border guard doesn’t need to know.

Keith Besgrove

The border guard doesn’t need to know, the system does.

Roger Clarke

Actually, when I cross a border, the system at the border does not need to record, any more than the fact that a person who is not on a blacklist can pass through. That’s all they need to do.

Keith Besgrove

But it doesn’t need to know that you’re nobody. I agree with you in that particular instance. All you are checking is that you’re not on that blacklist, the holder of this card is not on the blacklist, it doesn’t matter who the holder is, this card, if you like, is not on the blacklist.

You’ve surrendered your identity to this card, and if that makes you feel more a person, fine, now this card is the one that is being admitted, not you.

But in general, certified anonymity is a concept that I find hard to deal with.

Patrick Fair

I think the point of it is the privacy regime or legal regime that deals with identities puts people on the back foot because they have to enforce the policies or principles that were the basis on which they disclose their identity. And the point of being able to transact anonymously –

[someone]

What did that mean?

Patrick Fair 

Well, if I respond to an email from amazon.com, and decide to buy a CD, then I’ve trusted amazon.com to observe its terms.

[tape change]

To try to do it, but I’d be in a much better position if I just bought anonymously. I wouldn’t have that risk. All Amazon…

Keith Besgrove

But then you wouldn’t use PKI would you? You would use web dollars or something.

Patrick Fair

That’s right. That’s the point of transacting anonymously.

All they need to know is that I have the money or I happen to be at this IP address or that I’m the person that they’ve dealt with five other times before because that’s how they’ve profiled my taste of music and I like them to guess what I want to listen to because that makes it easier for me to not have to be up to date.

They send me stuff and say “that’s what you might like to buy”. They don’t actually need to know who I am and because I can transact pseudo-anonymously or anonymously, I’m in control.

Alistair Teggart

It’s exactly like going to the corner shop and the woman knows your face.

Keith Besgrove

Yes, but you can be anonymous without being certified without having any PKI identity or any other identity. All you need is some web dollars.

Graham Greenleaf

You can, but you need, I mean those dollars use public key technology anyway to provide e-cash so it’s another way of doing the same thing.

Catherine Higgins

But how can it be anonymous if they have to know where you live?

Graham Greenleaf

Oh, you could have an address….

Catherine Higgins

The broader examples have interesting timing implications. You’re not on the black-list now but tomorrow you might be. You know, do you want to destroy all that evidence trail in certain things.

[??]

Most people haven’t thought about all this. They just go on the internet and shop and e-bank.

Roger Clarke

But many of them don’t shop and don’t bank, and that’s the one from the trust viewpoint.

Catherine Higgins

Yeah, but they probably don’t know why they don’t either some of the time so it’s interesting. It’s a bit of both as you said.

Graham Greenleaf

Back to the privacy laws we were talking about. This discussion just indicates how significant that anonymity principle in the NPPs is. For the future operation of the authentication in any form in that that has to be taken seriously. It’s part of the privacy legislation. Nobody knows what it means. No-one has a clue at all.

But someone is going to get a very nasty surprise one day, probably not because the Privacy Commissioner makes some adverse ruling against them which would be hoping too much, but rather because some organisation uses Section 92, the injunction section that enables anybody to go to the Federal Court and seek an injunction against anybody who is breaching any of the privacy principles. And just shut down some identification system that has failed to properly advert that privacy principle. So…

Keith Besgrove

Can that be done anonymously? [laughter]

Graham Greenleaf

In this sense, Australia is ahead of the rest of the world. There is no national privacy legislation anywhere, that has, to the best of my knowledge, any enforceable anonymity principle in it.

Roger Clarke

Do a search on ‘Nym’ on World law privacy collection.

Graham Greenleaf

Well, the only one’s the German Telecommunication Privacy Act, the late 80s where we copied it from. But there isn’t anything else around, so we’re ahead on this.

David Vaile 

I was also going to ask whether anybody’s done what we’re still able to do anonymously - has anybody seen the film ‘Minority Report’? Please put your hands up. [About 4 hands go up]

Would anybody who’s gone to see it like to comment on its likely impact on the biometrics debate?

Stephen Wilson

I thought it was interesting to see that people just accepted that they were being scanned.

Kate Boyle

I thought that it was accepted.

Nigel Waters

A general point I wanted to make is that obviously no-one is interested in this issue because it comes out of the e-commerce arena but I think it’s important that the whole debate about identification and authentication actually takes account of a number of other initiatives that are also happening in government.

Things like a proof of identity steering committee that AUSTRAC is chairing that’s looking across the board at levels of proof of identity. There’s the border control issues that have obviously taken on a new significance. There’s issues to do with identification issues being brought up in the context of the electoral roll, e-government and e-voting.

And there’s also a lot happening in relation to driving licences and all of those really come together and if we’re not careful we’re going to miss, things are going to sneak through on one or other of those fronts which actually raise the bar or lower the bar.

It would be useful if somebody, the Privacy Commissioner is the big candidate, tries to see the big picture, which I understand they’re trying to do at this time.

Moving to the PKI issues, most of you will be aware that the way that’s being dealt with is in two ways.

Firstly, the privacy commission’s guidelines on use of PKI by government agencies and secondly, the privacy criteria in the accreditation process by CAs and RAs under the gatekeeper scheme.

Taking the latter one first, now, that obviously needs updating now because they were done at a time when they referred to the voluntary national privacy principles. Those players, the CAs and the RAs are now subject, most of them, to the National Privacy Principles in the Privacy Act which are slightly different. So there is a need for somebody, whether it’s NOIE or whoever, who takes of this process, to review and revise those privacy criteria in the accreditation process.

The other thing to be said about that set of rules is that it’s not clear to me that they’ve actually been applied in practice. Sorry if I just rake over the history again. As one of the four people that successively knocked off in an attempt to get through to the GPKI, it’s clear if those criteria have ever actually been implemented in terms of the post-certification audit that was meant to happen with the others. I don’t think it’s important that that’s taken up again.

Moving to the other set of rules that are the Privacy Commissioner’s guidelines. I think the problem is there’s actually not much wrong with them, other than the fact that there’s not much evidence that agencies are following them. They look good on paper, but I haven’t seen a privacy in practice assessment as required by Guideline Five, Guideline Three, and all of the choices required by those guidelines to be given to individuals about levels of evidence of identity, about multiple or single certificates. We’ve actually got no evidence at the moment that any of the agencies currently implementing PKI are actually following those guidelines.

The other thing is that those guidelines are obviously designed to influence the behaviour of the agencies that are implementing PKI, and most of the issues that those of us who have been involved in PKI have been raising about PKI actually reside in the area of the infrastructure as a whole and the role of CAs and RAs.

Which brings us back full circle to the need for revised guidelines for those players, and to comply with the international Privacy Principles. Also to hopefully get that privacy impact assessment process entrenched somehow, as Chris has already recommended.

The other point I wanted to make is that there is a bit of a problem at the moment - as Tom and Stephen indicated earlier, all the applications at the moment are business to business or business to government, so somehow the privacy criteria seem a bit irrelevant. They are in fact relevant in that context, but the danger is they’re being put to one side and systems and frameworks are being put in place to deal with the business to business and business to government use of PKI, which will become de facto standards that haven’t picked up on the proper privacy safeguards needed when you move to individuals having certificates.

Graham Greenleaf

Thanks Nigel. Peter van Dyke is someone who knows a bit about this area. Sorry to put you on the spot, Peter, but I wanted to ask whether you thought there were any other aspects of the PKI guidelines that are particularly important and should be observed or any additional things that, in hindsight, might be added to the PKI guidelines.

Peter Van Dyke

I suppose in context we were consultants, we worked closely with the OFPC and NOIE in drafting the guidelines, I suppose as a set of consultant’s guidelines and a set of guidelines that came out from the Commissioner. It’s difficult for us to say because we were a bit removed from the process since then, so hearing this feedback in this forum is quite interesting and relevant for us. I’d agree with what Nigel was saying, especially a lot of the PKI implementations are really just business to business, business to government, government to government. So in that whole framework maybe consumers have not necessarily been thought of. There are the same questions with what’s been happening with auditing, from a privacy perspective, of CAs and RAs. Now what’s happened to that and the gatekeeper process? I suppose we’re a bit curious as to what’s happened there.

[someone]

I should declare that I was involved with Chris’ team in reviewing privacy guidelines on PKI and I think one of the issues that we tabled but never quite got to was the separation of the information of what might be in a certificate from the information that might be gathered subsequently on a per transaction basis in real time by the application that’s using the certificate. I think this is a really rich area that I just want to table.

I don’t have an answer or even a position to take, except to go back over my view that we’re all overly obsessed with the idea of the electronic passport and I think that what I saw of the work and what I see of the deliverable now, meaning the guidelines, there is an expectation there that the only contact between the people that are transacting is the certificate. And we’ve got some tremendous privacy positive stuff and maybe even some avenues that go to pseudonymity where a relatively diluted certificate that has minimum identification information in it could be used to initiate a transaction and then privacy invasive, potentially sensitive stuff would be asked in real time.

The classic example is that people seem to have a de facto expectation, thanks to a certain CA, that your birth-date goes in your certificate. Now I can imagine plenty of government applications where the birth-date is an important thing to maybe do some statistical or sort of stochastic verification. Whereas if a retail application asked me for my birth-date then I would immediately decline.

So if we separate the legitimacy of some application from gathering personal data on top of the data that’s present in the certificate, I think that’s a really important framework to go forward with. And I’m just tabling that might be an area to progress the idea of all sorts of things, pseudonymity, less invasive information in certificates and so on. We’ve got to separate out the information that’s gathered once and once only at registration, versus the information that’s gathered transactionally.

Graham Greenleaf

Stephen, at risk of being accused of being heavily obsessed with an electronic passport

[someone]

You haven’t lost it, have you?

Graham Greenleaf

Well, I had my ID card stolen in China, that was bad enough. But one of the issues that, as Peter and Nigel are suggesting, are outside the PKI guideline framework, it’s always been a real concern to me, is the lack of any type of guarantees in government to consumer or citizen use of PKI, that guarantees that the use of certificates will not become compulsory in transactions with government, that choice of methods of authentication will survive. And it’s always struck me as really crucial to the citizen’s interest in PKI to prevent the notion of an electronic passport emerging out of what were initially disparate PKI government initiatives. There should be a guarantee from the Australian government that the use of digital signatures will not become compulsory in transactions with the Australian government.

Keith Besgrove

Sorry, are you saying that the company seal is not dead.

Graham Greenleaf

I don’t think so. No, I’m talking about individuals, not companies –

Keith Besgrove

Well, even so, what’s the corresponding authentication, whatever word you want to use–

Roger Clarke

NPC reported to be an identifier for a corporation.

Keith Besgrove

Are you saying that you have to deal with paper, or there is some alternative electronic authentication which you could choose?

Graham Greenleaf

Ideally that alternative electronic authentication methods exist as well as the choice, if you want, to stick with paper-based transactions, that the Australian government won’t go the way of the Australian banks and attempt, whether they announce it or not, to de facto stop anyone queuing up in a bank and doing a real live transaction and force everyone to go electronic. Looking at the perspective I’m coming from at the moment, I see the Hong Kong government instituting a series of very cunning ploys to force everyone to accept a mandatory Hong Kong Post e-cert and to use it in all sorts of contexts.

I’m not drawing any analogies, I’m just saying that in the Australian context, I think the future of digital signatures would be much more secure and safe in relation to government to citizen if there were real guarantees that they would not become compulsory, that they wouldn’t become the digital passport.

The NOIE paper is very good in philosophy in this respect, it seems to really recognise and encourage a multiplicity of acceptable forms of electronic authentication. Not just one flavour, but a genuine choice, and Tom if you wanted to build into principle –

Catherine Higgins

And you’ll see the piece that the minister releases next week called the “Online guide to authentication” also reinforces that agencies will choose that type of authentication … that doesn’t kind of guarantee from the consumer perspective, but it does go through the whole range of authentication technologies and their uses.

Graham Greenleaf

Well, I think the guarantees from the consumer perspective is one of the real missing elements in the Australian picture.

Tom Dale

I’d just like to deal with that issue, because I don’t think it’s a major issue for deliberations here, but if people still want to talk about it that’s fine.

As far as authentication goes, the government has never, as far as I’m aware, made specific, any mandating of particular forms of transactions for individuals, and as far as PKI goes, as a particular form of authentication goes, I am unaware of any current or planned transactions between individuals and the government encouraging, let alone mandating, the use of PKI.

As we all know, individual use of PKIs is pretty much non-existent, and if it remains so for the foreseeable future, I don’t think anyone in the industry or the government cares. That’s not an issue, it won’t happen.

As far as government guarantees on government to citizen transactions, I think it’s made clear, but maybe it could be made even more clear, the government, in its targets for online transactions, that government agencies were in no way expected to mandate particular forms of transactions, and certainly were not intended to create two classes of transactions whereby those involved in non-electronic dealings with their government were somehow at a disadvantage.

That was always a concern I think, and it’s still a concern to the government and it needs to be made more explicit, so much the better, but I suspect you’re dealing with what I hope is a non-issue for the future. I don’t think it’s going to count.

Nigel Evans

I don’t think there’s any question of government in the foreseeable future saying that the only way you can deal with the government is electronically.

Keith Besgrove

They already do.

Nigel Evans

In respect of pension payouts and things like that, you’ve got to have a bank account, it will pay into your bank account. That is not an argument, it’s very efficient, there are good reasons for it. But to say they will not force you to deal electronically, that’s not the same thing. They say, we’re not going to post out cheques, we’re not going to hand out cash. We want to put the money somewhere. How we get it there is a different issue.

My point is I don’t think there’s any question of government saying that the only way you can talk to the government, have a dialog with the government, whatever it’s about, is electronically. I really don’t think that’s on the card. I don’t think the politicians will wear that. And so that there will always be face to face transactions. However, where there are electronic transactions, we do choose to do business with government electronically, then I think governments will say we will of course require to use or include in the process, methods that enable us to be confident that we are dealing with who we think we’re dealing with. It depends on the risk.

Graham Greenleaf 

The question is whether there is only one method, or whether there is a choice of reasonable authentication.

Keith Besgrove

You might have a choice of 3 or 4 distasteful methods –

Graham Greenleaf

The very process of choice stops the effective aggregation of information. Choice in itself is valuable.

[unknown]

If the choice costs 10 times as much not having the choice, if dealing electronically is 10 or 100 times as efficient, then surely the people who want to have that choice, need to have a price differential.

Catherine Higgins

Witness the success of e-tax as well, SSL, but huge success in terms of individuals lodging their tax.

Lyal Collins

My question is in form of a clarification.

If we are in an environment that say you can only use PKI to get to government, 1. the government’s picked a winner, and the second one is, fundamentally with PKI, and we got a whole bunch around, then we’re no better off than when we started the discussion earlier this evening.

The other element of that is that businesses and citizens have no interest in PKIs at all, do they? Commercially, it’s about .0001% interest in the marketplace.

Mandating one environment for dealing with government, either with a business or a citizen, that is not used in the business to business or person to business environment is doubling the cost, including choice across the entire economy, rather than just government, has to happen to make cost effective outcome for providers.

Julie Cameron

One of the concerns I have with the whole e-authentication issue is we run the risk of creating two classes of citizen. Not everybody is going to be able to use e-authentication. And somehow we have to make sure that not only government makes it difficult for them and delays payment, tax refunds or whatever, but also that industry is already starting denial of service, if you like: if you don’t use Internet banking, you wait in a queue longer.

But worse than that, they will also use identification and e-authentication to say whether or not they want to actually let you to have the service. They may or may not allow you into the web site, or access for that particular kind of service. You may not be profitable to them. And if we push everybody down without anonymous, to do business anonymously, we run the risk that there’s an unprofitable group in the community that won’t get access to service or will be denied service.

So I really want to follow on quite a lot from about what Nigel’s been saying and what Graham’s been saying about the importance of having anonymous e-transactions; but also dealing with this issue of making it illegal to deny service, because that is an issue which is coming in at the moment.

Keith Besgrove

It should. At the moment you have to have a pensioner’s card to claim a pension basically. If that pensioner’s card works electronically, fine. Same with Medicare. You’ve got to have a Medicare card to claim Medicare.

Julie Cameron

I’m talking about business practice.

Keith Besgrove

You’re talking about private sector.

Julie Cameron

I’m talking about private sector business practice.

Keith Besgrove

Ok, well, maybe in the private sector you have a case, but from a government point of view, it probably makes sense, it’s cheaper from a customer’s point of view, and more convenient, and better from a government’s point of view to deal electronically, and there is very little additional overhead, in providing a token which works on the Internet as well as it does in one of these things.

Julie Cameron

But doesn’t it depend on whether they need to identify you prior to giving you services?

Keith Besgrove

Well, unfortunately it does, but that is there, that is a given, they’re not just going to give me anything if I’m not entitled to it, which is right. You’ve got to have entitlement to begin with.

After that, it becomes simply a question of ways and means, and if the electronic method is better for me and them, then let’s go, that’s fine.

David Heath

Two comments that grow out of this short argument here, which leads into my point that I was trying to make about 10 minutes ago.

If you had to use a bank to store your banking payment, what if no banks think you’re not profitable?

Secondly, and very similarly, just how many certs can you fit on one PC in a nursing home?

And the point I really want to make is why can’t we have zero information identities? You’re born, you start with zero, why can’t you start another one? By the chain of transactions that that identity does, you establish a level of trust, a level of proof. I’m throwing up a full discussion, but it seems to me that you don’t have to start with anything. Start with absolutely nothing.

Catherine Higgins

[someone]

It depends on what benefits flow to that identity.

[someone]

If we can take 100 identities, and pick off 100 sets of benefits… !

Nigel Evans

Can I say this is the fundamental difference between doing business with government and doing business with private sector. The private couldn’t give a rat’s hoof – governments are about rationing. Governments want to know who they’re dealing with because many of the things they deliver are rationed, in the sense that there is entitlement and so on and so forth. On the whole, governments want to know who they’re dealing with, the private sector couldn’t give a rat’s hoof. That is an important difference between the two.

Nigel Evans

Can I just go back 10 or 15 minutes and picking up on privacy and connecting it to biometrics.

Graham Greenleaf

A quick one, because I then want to hand back to Tom to show if he has any remaining questions left that he wants to ask everyone.

Nigel Evans

I’d observed that all the privacy principles they started with are the ones from the OECD, and I’m not quite sure how much scope they’ve got to tinker with those, whether the OECD agreements are under treaty –

Graham Greenleaf

No, they are not, they have no effect on anything.

Nigel Evans

One of the things we’ve done is to pick up the European practice of identifying sensitive personal information, and that’s I think been embodied in both the Commonwealth and NSW State legislation, Section 19, one of the things in there is health, and this takes us to the biometrics of DNA and so on.

The point to remember in biometrics is that it doesn’t record the raw data. It records a digest, and that I think brings us to an important principle: if that raw information is destroyed after processing at capture time, who gives a stuff, and as long as that digest, that numeric digest, which may be a fairly complicated number (I don’t use ‘complex’, the difference between is a mathematician’s problem), as long as that cannot be reverse engineered back to the raw data, and as I understand it, none of them can, and someone correct me if I’m wrong –

Roger Clarke

Proper ones can’t.

Nigel Evans

Proper ones, what you then have is a number that can’t be reverse engineered.

So there’s clearly no implications of some physical characteristic of you. It is like a representation, a short hand representation, but then you’ve got a number, and the number can be very easily stolen. You’re not stealing a picture, you’re not stealing a fingerprint, you’re stealing a number that is a digest of that characteristic.

The issue then is how easy is it to inject that number into a system to represent somebody else? And that’s really what the issue has become.

Michael Milne

Yes, it gives you a number. But when you put your finger down, or you get your face recognised, or your voice, or whatever it is, it doesn’t give you an absolutely identical […], so there is no 100% match. So what you’re saying is true is from the sheer point of view that yes, this is a proper thing, and you want to look at it and identify it, but it isn’t as easy than if I switched that number, and I can reproduce it.

David Heath

Because any reasonable system will reject exact matches, in an electronic context.


Conclusion

Graham Greenleaf

Well, we’re going to finish off by going back to Tom and Catherine. The question I want to ask Tom is: what do you want to receive submissions on? What are the questions that haven’t been answered tonight as far as you’re concerned, but you want to get those cards and letters rolling in.

Tom Dale 

Some concluding remarks. Those of you in the room who like me are past the age of 45 years and have a plane to catch in the morning will realise that we don’t want to drag out proceedings of these discussions. I wouldn’t presume to try and summarise the discussions, for some of you rather amusingly suggested before. So just some concluding remarks, Graham I do appreciate the opportunity to have the last few words.

I’m very concerned about Stephen’s very loose use of the term ‘electronic passport’ in a room reasonably replete with legal practitioners. As far as I’m aware, electronic Passport with a capital P is traded by a large software company which will remain nameless, so don’t do it again. It’s not that sort of Passport, OK?   [laughter]

One consistent message coming through from people in the group this afternoon and this evening is the need that the advice that the government receives on this matter doesn’t make too many assumptions.

It does go back to what is usually termed first principles - not first principles of how PKI works by any means, but first principles about what authentication actually means. I agree with about 60% of Roger’s views on that, but that’s a good start.

Nigel Waters

That’s the highest rating he’s ever had. [laughter]

Tom Dale

Can I say comparing the proceedings this evening with those that we’ve had in Canberra a week or so ago, clearly in terms of that discussion about first principles on authentication as opposed to particular methods of authentication, I think the discussion here has been far more open and in some ways far more useful, but to some extent that was no surprise.

People did bring a certain amount of baggage, history or whatever to the discussions in Canberra, whether they worked for the government or they were vendors of particular issues or solutions. And to some extent, on this issue we can go digging up the past a little bit too much, and I don’t know that it helps future debates on public policy to be quite honest. Some of it is almost ancient history in Internet years, and really who cares.

The discussions about first principles that we’ve taken away have been helpful, yes they will be part of our advice to the government on the way we’re going at the moment, and no we’re not starting out with too many preconceived views. I think there’s a clear message about settling some of those fundamentals before worrying about fine details of governance.

Governance structures for authentication only matter when you’ve got a clear understanding both commercially and in public policy terms what authentication is for, and that’s a long way, and therefore you get to technologies and technology governance structures. So we’ve got a few things to worry about before, if I recall right, Appendix C and the governance structures are worried about too much.

PKI, some useful discussions. I think, Roger, the point you’ve got to bear in mind from our point of view, there are a lot of legacy structures we’ve got to deal with there, gatekeeper or no gatekeeper. PKI exists, rightly or wrongly, and there are some digital certificates out there, and decisions by the government have to take account of what’s there as opposed to what ought to be there. I don’t know what the answer is, but I found the contributions to be helpful.

Gatekeeper: we didn’t get a lot of guidance on that one way or the other; I didn’t expect to. We had some specific questions about the follow-up order process for CAs and RAs under gatekeeper. Yes that is behind schedule, you’re right, I signed off earlier this week on an audit tendering process to take that forward, and we should see some results on that within about 3 months or so. It’s behind schedule but it’s a resources issue, not a sinister policy choice, as is the usual case in governments.

Biometrics: I believe that the most interesting and the more controversial and the more important area in the long term, not just coming out of this evening’s discussions, but things that we quite consciously put into our discussion paper relate to the biometrics issue. At the domestic issue, I think that it’s clear that the full scope and potential of the existing privacy act and the forthcoming review process need to be explored fully before people start talking about reinventing regulatory structures that may not exist at the moment. We have no particular mandate from the government to become a focal point for a domestic policy debate, on biometrics regulation, on the other hand we’re not afraid of it either. And we’ll certainly be putting some fourth-rate advice to the government and taking some further views on that issue, I hope, because as I said  there are concerns there that in my view make the PKI debate look academic, and I say that in a non pejorative sense.

Couple of quick comments. At the international level of biometrics, I think there is some scope for commissioning the OECD to do some policy work on biometrics at a comparative level between countries. We are involved with a number of OECD bodies, including the Working Party on Information Security and Privacy, I would welcome people’s views on an Australian government proposal, it has to be government proposal, to commissions and further work on that over the next 12 months. The staff at the OECD are wholly capable and professional in doing that work, but we need to into support in some other countries.

In terms of public interest involvement in those processes, it’s not quite a closed door Roger. Yes, you have to find your own way to Paris, but some recent work of that working party has involved bodies with fairly impeccable "soppy Pinko" credentials. The Electronic Privacy Information Centre has been involved in some recent discussions in security guidelines there as a full member of that working party, and we’d be happy to provide more information to that to anybody, it’s not a secret.

We talked about the geographics of these seminars, we’ve got a number to go, and if anybody has any unfinished business, we’ll see you in Melbourne on the 6th. I guess I didn’t get my wish to hold one of the seminars in my own home town which is Newcastle.

Thank you for your contributions, we found it a useful exercise. I’ll ask Kate and Catherine to conclude in a moment, because they have put a lot of work into not just the paper itself but in the follow up work on the list server and in working with the Cyberspace Law and Policy Centre in what I hope has been a successful joint function tonight. No, but if I had too many unanswered questions Graham, there is still a period for further formal submissions, we still have the proverbial open mind on the issue. And I thank you again for your time and efforts.

Kate Boyle

With regard to follow up and what we’re doing next, I’ll give you the web address, it’s www.noie.gov.au/authentication_policy/index . We’ve got a list that you can sign up to and it’s low volume, we’re just sending out information on an event or a paper that’s being put out for discussion or comment, and we’ll be sending out the follow-up to these workshops so you might be interested in signing up to that.

Graham Greenleaf

As a final comment, I’d just like to particularly thank Baker & McKenzie for providing once again a very nice venue, all sorts of assistance and providing a really good location for these events. I’d like to thank David and Than for organising it so well once again, and I’d like to thank all of you for being good long stayers, five and a half hours worth of symposium, and I’d particularly like to thank NOIE for once again collaborating with us on putting on one of these symposia.

Over the first year of the Centre’s operation, I think perhaps the single most successful thing that we’ve managed to do is establish such a good working relationship that’s provided a lot of really helpful discussion and information to a lot of people and involved a very considerable number of people with high levels of expertise such as everyone around these tables in some high level discussions.

Before we started the Centre, this was one of our sort of two or three benchmark things that we wanted to do and we didn’t know if it’d work. It has probably turned out to be, I think, the single most successful thing that we’ve been involved in, these symposia. A lot of the credit for that goes to NOIE for their willing participation. It’s a very nice example of a very open and participatory consultative process.

So thanks Tom, thanks Kate and Catherine. And thanks everyone here tonight for making this a successful event.

 

­­­
