Counter Terrorism Summit
Panel Discussion: Examining the proposals for identity security
A question of ownership:
Putting the individual in control of the identification process.
By Dr Kevin Cox
Most people agree that there are benefits to having an ID card to establish their identity when the need arises. For example, when boarding an aircraft the majority are only too happy to give out everything they have on themselves as long as everyone else boarding the plane is subjected to the same scrutiny. Similarly, if I have an accident that lands me in hospital, I want the doctors to have a complete history of my medical records.
The privacy problems relating to ID cards do not come from the card itself, but from data collected about an individual by different organisations and then collated using the ID card number as the link between different sets of data.
The concern comes when data about ourselves is collected without our knowledge and is used for purposes of which we are unaware.
In the instance of catching the aeroplane, I want to know that the information I provide is used only for the screening purpose and that it is not stored elsewhere. After my stay in hospital, I do not want my medical records to be available to personnel in Social Security because the fact that I had any kind of ailment is none of their business.
The problem in fact, is in the way in which we view control of identification.
Turning ownership around
Instead of thinking of identification as a process where “authorities” give you ways of identifying people (such as an ID card linked to a central database), what if we turn the ownership around? What if the individual was equipped with the means to control their own identification?
In other words, what if you had the tools to identify yourself whenever you needed to and you were in charge of making the association between your “biometrics” or “secrets” so that others could know who you are with confidence.
Such a process could be set-up in a way that excluded anyone from creating a central file on you and all your activities.
In counter terrorism terms, it means giving people a way of proving they are unlikely to be a terrorist in a privacy-friendly way. This is because the individual keeps all their own data and only hands it out for assessment when about to indulge in some activity where it is important that they be checked.
Designing the system
The key to good information is to build systems where people are confident that the information about themselves is controlled, is “true” and cannot be used by others or other purposes. A solution is to keep information about an individual in separate silos that cannot be used or collated without the individual’s knowledge and approval. A system where the individual has full access to information about him or herself, and can check and challenge that information.
Such a system would achieve the need for a nationally agreed identification process without provoking the privacy concerns felt by many Australians. It would remove the possibility of random data trawling by organisations or agencies, and puts the individual back in control of their own data.
Counter terrorism authorities would still be able to use the normal processes of the law to access information with court orders and after due process, if they have a reasonable suspicion that an individual is a “person of interest”.
1. People want to retain control of the information about themselves;
2. People want to know who has information on them, what information
they have and whether it is correct;
3. People are happy to give out as much information as is needed to do a
particular activity, as long as it is only used for that activity.
We can do all these things if we turn the question of ownership around and think of the individual having control over data, as opposed to allowing public or private organisations to control and build dossiers that may be used against an individual’s interests.
We can build systems with these characteristics if we simply invert the data collection and storage paradigm from organisations holding data to the individual holding data then releasing it.
Dr Kevin Cox is an entrepreneur. Previously he has taught Information Systems in Canberra and Hong Kong, and worked with computers for various multinationals in Australia, the USA and Indonesia. Dr Cox can be contacted at firstname.lastname@example.org
For more information relating to Dr Cox’s view on a privacy-friendly national ID card, see his article at On Line Opinion http://www.onlineopinion.com.au/view.asp?article=3726