An inexpensive, privacy friendly, robust, secure system for the production of the proposed Access Cards
Section 1.2 of the draft exposure bill states:
1.2 The objective of the access card is to cut the red tape involved in obtaining health and social service benefits, while providing a more convenient, efficient and secure system for delivering such benefits to the Australian community. The card will also be a key mechanism in preventing fraud in the social welfare system.
To achieve this objective every person in Australia who needs a card must be able to easily obtain one. A person must only be able to obtain one valid card and must not be able to obtain multiple cards with different information so that they can purport to have different identities.
The critical factor is to establish a database of identification information in such a way that a person can be represented in the database once and once only. If a database exists with this property then the production and distribution of tamper-proof cards is a relatively straightforward process.
This proposal presents a method of creating such a database in a privacy friendly, simple and inexpensive way that builds on existing associations that individuals already have in the community. These associations may be with government authorities, utilities, financial institutions, clubs and societies or any other commercial interests. An association arises anywhere an individual identifies themselves to an organisation. Typical examples are becoming a member of a club, opening a bank account and paying income tax.
The approach is not to build a single centralised database but to build a system that allows an individual to be able to link existing records in existing databases in such a way that the individual – and only the individual – controls access to his/her complete collection of associations. If the individual holds control over access and can produce this information as required there is no need to establish a new, separate database for the production of an Access Card. The Access card can be produced from these existing associations as and when required by the individual.
How the system operates
Most people already have many forms of electronic identification. At present this identification is kept with organisations – for example, the ATO. The system envisaged gives an individual a way of ensuring that only they and the authority involved can access the information.
This is done by the person registering to be given access to the information held by the organisation. They prove they have the right of access by supplying information to the ATO such as their name, address, how they can be contacted, their tax file number and a sequence number from their last tax assessment.
If this is the first time a person has registered an association with an organisation, then an “access” electronic record is established which contains the methods that the person can use to prove they have the right to access the information. Initially this might be a simple numeric PIN, or the person’s voice print, or the possession of a mobile phone, or a combination of all these items.
The person may now register additional associations with other organisations or people as required. For example, the person asserts that they have a birth certificate with certain information on it that was registered with a Births, Deaths and Marriages agency. If the birth certificate has not been registered before, it will now be marked as registered, with a notation as to where the registration is held. A person can also assert that they have an association with another person, and if the other person agrees with the assertion then it is verified.
If a person has an electronic identity with an organisation like a bank then the person identifies themselves in the normal way to the bank and can request that their association with the bank be registered. That is, they log on to the bank system, prove they have access to their other records and prove that the information held about them by other organisations matches the information held by the bank.
This same process can be carried out by the person for all organisations with whom the person has associations. Once a certain number of associations are established new associations can be automated and may be initiated by the organisations holding records on people.
Ultimately all associations that a person has with all organisations can be recorded in a private place. This “private place” holds none of the data about the person, but it becomes a central record of the right-of-access to a multitude of associations. In effect the record is an electronic access card and it is controlled by the person.
It should be noted that the system gives a practical way for the existing law on privacy to be implemented. The privacy law states that organisations must provide access to information held by them about a person to the person if requested.
Who controls the database of associations
A critical issue for public confidence in the system is the control and operation of the database of associations. If the government controlled it then it would be a de facto Australia Card and so would be unacceptable. If it were controlled by a private organisation it would suffer the same problem, and the public might see it as worse than a government controlled database.
It is suggested that at least one database of associations be run by a not for profit organisation controlled by the individuals who have their electronic identities in the database. This is achieved by the board of the organisation being elected by the verified individuals represented in the database. Electronic elections would be inexpensive because of the nature of the system.
There could be many databases run by different organisations, and an individual can opt to join whichever databases they wish. The organisations running the databases would have to cooperate, and an individual could have an identity in each provided the identities were linked. The only other rule needed to keep the system’s integrity is that an association can only be recorded once.
Participating organisations would have to agree to a set of conditions on the operation of their systems and would be subject to ongoing independent audits. Non complying organisations and individuals would be subject to criminal charges.
A system to significantly reduce fraud
As stated earlier, a critical factor in reducing fraud will be to establish a database of identification information in such a way that a person can be represented in the database once and once only.
The complexity of recording multiple associations means that it will be extremely difficult for one person to hold more than one electronic access record. For an individual to have two distinct sets of registration records would require the collaboration of many other people. It would also demand comprehensive physical disguise to ensure that any biometric details (e.g. voice recordings or photographs) on the separate registrations did not cross-match.
Births and Marriages registrations, for example, not only register an individual but also the association between parties. Thus when a person is married and the marriage is registered, both parties are registered as married and there is also an association implied between the two parties. When a birth is registered there is an implied association between all members of the family and the extended family. For example, if someone tried to register themselves as a person who had died, all the other members of the family would be sent an email advising that the registration had been made.
When a person registers with an organisation that requires photo identification, the photograph can be cross-matched against all other photos held by the organisation and an automatic alert raised if any two photos appear to be the same. Thus, if a new immigrant tried to create a new identity for study purposes with false but valid documents (for example, she uses one foreign passport to enter the country but a fake one to establish a driver’s licence), the photographs of the person could be matched. Voice prints could be used in the same way as photographs. This is likely to reveal attempts to create a new identity.
A person can register their “face” by adding a facial image to their records, which could then be verified as belonging to that individual by someone such as the person’s accountant, tax agent, lawyer, school teacher, lecturer, minister of religion etc.
If a person records their voice print for verification purposes, matches can be made against suspicious people and if any similarities are found, authorities can be alerted.
Why it is difficult to steal an electronic registration
For a person to steal an electronic registration they would have to take over every one of its associations, and any change to an association alerts all the parties to it.
For example, if a person somehow gained access to another person’s registrations, to gain control they would need to change the photo-image and all the different associations. If a photo-image is changed, each person or organisation with whom an association has been established would be asked to verify that the changed image still shows the same person. This check is necessary in any case, because people’s images change as they get older or may be altered through an accident.
When a person dies, an association is established with the Death Certificate Registry and it will be impossible to then change the various associations or act on those associations.
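The rules set out above can be made concrete as a small model. The following is an added illustration written for this page, not the proposal’s own design or code, and all class and method names and the sample reference codes (a tax file number, a bank account number, a death certificate reference) are constructed assumptions. It encodes five rules the text states: the person’s “private place” record holds only right-of-access pointers and no data about the person; an (organisation, code) association can be recorded once only; an association counts only once both parties have approved it; changing the photo-image puts the record into a pending state until every associated organisation re-verifies that it is still the same person; and an association with the death registry freezes the record against all further change.

```python
"""Toy model of the association registry described in the proposal.

Added illustration only. Names, classes and reference codes are assumptions
chosen to show the rules in the text, not the proposal's own implementation.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    ACTIVE = "active"
    PENDING_REVERIFICATION = "pending-reverification"
    FROZEN = "frozen"


class RegistryError(Exception):
    """Raised when a request violates one of the registry's rules."""


@dataclass
class Association:
    organisation: str
    code: str                 # organisation-assigned reference; never a universal id
    confirmed: bool = False   # True only after the organisation approves


@dataclass
class AccessRecord:
    """The 'private place': pointers to associations, no data about the person."""
    record_id: str
    image_hash: Optional[str] = None                    # hash of the registered photo-image
    associations: dict = field(default_factory=dict)    # (org, code) -> Association
    state: State = State.ACTIVE
    awaiting_reverification: set = field(default_factory=set)


class AssociationRegistry:
    def __init__(self) -> None:
        self.records: dict = {}
        # Global index enforcing "an association can only be recorded once".
        self.claimed: dict = {}

    def create_record(self, record_id: str, image_hash: str) -> AccessRecord:
        record = AccessRecord(record_id, image_hash)
        self.records[record_id] = record
        return record

    def _writable(self, record_id: str) -> AccessRecord:
        record = self.records[record_id]
        if record.state is State.FROZEN:
            raise RegistryError("record is frozen: a death has been registered")
        return record

    def assert_association(self, record_id: str, org: str, code: str) -> None:
        """Person asserts an association; it stays unconfirmed until the org approves."""
        record = self._writable(record_id)
        key = (org, code)
        if self.claimed.get(key, record_id) != record_id:
            raise RegistryError(f"{org} reference {code} is already recorded elsewhere")
        self.claimed[key] = record_id
        record.associations[key] = Association(org, code)

    def confirm_association(self, record_id: str, org: str, code: str) -> None:
        """The organisation approves; only now does the association count."""
        self._writable(record_id).associations[(org, code)].confirmed = True

    def confirmed_organisations(self, record_id: str) -> set:
        record = self.records[record_id]
        return {a.organisation for a in record.associations.values() if a.confirmed}

    def change_image(self, record_id: str, new_image_hash: str) -> State:
        """Replacing the photo-image asks every associated party to re-verify it."""
        record = self._writable(record_id)
        record.image_hash = new_image_hash
        record.awaiting_reverification = self.confirmed_organisations(record_id)
        if record.awaiting_reverification:
            record.state = State.PENDING_REVERIFICATION
        return record.state

    def reverify_image(self, record_id: str, org: str, same_person: bool) -> State:
        """An associated organisation answers whether the new image is still this person."""
        record = self._writable(record_id)
        if not same_person:
            # One dissenting party keeps the record pending until the dispute is resolved.
            raise RegistryError(f"{org} disputes the image change on {record_id}")
        record.awaiting_reverification.discard(org)
        if not record.awaiting_reverification:
            record.state = State.ACTIVE
        return record.state

    def register_death(self, record_id: str, certificate_ref: str) -> State:
        """Association with the death registry freezes all further changes."""
        record = self._writable(record_id)
        key = ("Death Certificate Registry", certificate_ref)
        self.claimed[key] = record_id
        record.associations[key] = Association(*key, confirmed=True)
        record.state = State.FROZEN
        return record.state


if __name__ == "__main__":
    reg = AssociationRegistry()
    reg.create_record("r1", "img-a")                  # constructed sample values
    reg.assert_association("r1", "ATO", "TFN-0001")
    reg.confirm_association("r1", "ATO", "TFN-0001")
    reg.assert_association("r1", "Bank", "ACC-42")
    reg.confirm_association("r1", "Bank", "ACC-42")
    print(reg.change_image("r1", "img-b"))            # pending until both parties re-verify
    print(reg.reverify_image("r1", "ATO", True))
    print(reg.reverify_image("r1", "Bank", True))      # active again
    print(reg.register_death("r1", "DC-9"))            # frozen
```

The once-only index is what makes a second set of registrations hard to build: a tax file number or account number already linked to one record cannot be asserted by another, so a duplicate identity would need a full second set of genuine references from cooperating organisations, exactly the collaboration the text says would be required.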
A replacement for up to 17 cards
The proposed system thus meets the primary aim of the Access Card by replacing all existing government services cards. Furthermore, it makes it a simple matter to add new associations with government departments, facilitating an individual’s access to the range of government services that will be required over his or her lifetime. It provides the Government with immense flexibility, allowing the establishment and recording of associations for new, as yet unimagined services simply and easily whenever required.
Not an identity card
As this system builds on existing associations, there is no need for the government to establish a separate database of information. Each person becomes the “owner” of his or her complete collection of access to data. Each government department has access only to the information relating to its specific interactions with the person. No other individual, organisation or authority is authorised, or has the ability, to access an individual’s complete data.
With no single database behind it, the proposed system cannot be used as an identity card, thus removing many of the privacy concerns currently surrounding the introduction of an Access Card. An additional benefit of this approach is that it removes the need for a new parliamentary bill.
Are there people who do not have electronic registrations
There are some people in society who do not have existing electronic associations or who have difficulty establishing associations. These people can be accommodated by having others maintain and create electronic associations on their behalf, in just the same way that a power of attorney or guardian currently manages the affairs of someone in their charge.
For example, a person may have Alzheimer’s and have no relatives. In this case a caregiver such as an administrator in a nursing home can take responsibility for the person and act on their behalf. Associations can be established with the nursing home, with the Department of Social Security, with other residents and with old acquaintances.
Similarly children will have associations but a parent or guardian will act on their behalf.
What happens when people act in roles?
Organisations require recognition of roles rather than individuals, such as the positions of director, secretary, bookkeeper, salesperson etc. The approach suggested enables an organisation to give responsibility to individuals to take on those roles and to act for the organisation. A person may also assign someone else to act on their behalf, such as when the person is unavailable for a period of time but wants their affairs to continue.
Why is the system privacy friendly?
The system is privacy friendly because associations are established with a person and not with a number. There is no concept of a universal identifier as suggested for a general purpose ID card.
All associations require the approval of both parties and each association will have a different code typically assigned by the organisation. Thus a person is known by their tax file number to the tax department and by their account number to a financial institution. Other people are known by their name or by their email address. In many cases in the broader market there is no need to identify people by an identifier but by their characteristics. When making a purchase, the purchaser only needs to be able to prove they have the funds. When gambling the person only needs to identify they are over 18 years of age – not who they are.
How can the system help the idea of a general purpose Access Card?
A person requiring an Access Card may simply register an association with the Access Card. Following verification of their identity, including photo ID or voice print, and verification of their right to be issued with one, the card can be printed and sent to the person through the mail. The card can then be authorised and activated by the owner the first time it is used.
What will it cost?
The recording of associations will not cost the government any funds except for associations between citizens and different departments. The cost is likely to be of the order of $1 per year per association. As this is much less than the cost of existing methods of recording associations the government will save money.
The only cost will be the cost to produce and distribute cards. The cards can be produced to be usable in ATMs and other point of sale devices, and so the cost of use could be covered by existing systems. The cost of cards will be low because distribution costs will be minimal, as will the cost of activating cards.
Is it practical and can it be done?
Currently our company is working with a large Telco to produce a demonstration to show how a large government department can get its clients to register and to record their voice prints. Once the voice print has been recorded the client can use it in future interactions with the department (and with any other department that wishes to let the client register with them). The voice print can be used over the phone to prove that a person is who they say they are. The first application is for Call Centre operations. Instead of a person having to identify themselves by providing their birth date, address, secret pin or an answer to a secret question, they simply state their name. There are many other applications of the technology including signing consent forms, signing forms submitted electronically to the department and telling the department of changes of address.
A large bank may also be involved in the demonstration and the demonstration will show how the voice print recorded for one organisation can be used with another organisation, without either organisation being aware that the other is involved – unless the client approves.
The system can operate through phone access only. That is, an individual will be able to prove their identity if they have access to a touch telephone.
The system can be implemented incrementally with government departments joining when they are ready.
The system ensures control of an individual’s information remains with the individual, no matter how many associations are registered. In addition, the use of the voice print as an identifier makes it practical for the individual to request that the department or bank supply all information currently held on the individual. This right is built into the Privacy Act yet is rarely exercised because the logistics of proving identity are too great.