INCA Blog
Sunday, 08 September 2019 23:01
Australia is finally putting some ‘runs on the board’ in the area of identity information. This is good news because collecting, storing and using identity information is becoming more important for a variety of reasonsAustralia is finally putting some ‘runs on the board’ in the area of identity information. This is good news because collecting, storing and using identity information is becoming more important for a variety of reasons:
  • There is a heightened concern about the privacy of personal information as we rad about another breach or unsolicited sale of identity information.
  • We are becoming increasingly uncomfortable with what’s been called ‘object based media’ which tailors our on-line experience and modifies what we read depending on our interests, gleaned from our searches and ‘likes.
  • Organisation providing consumer or citizen services seek to improve the user experience by eliminating username and password logins but at the same time gather as much information as possible about their clients.
So how has our government stepped up to the task of acquiring, managing and protecting our identity? The federal government’s approach is built around the MyGov initiative. It’s taken many years to get to this point.

The two main agencies working in this space are the Department of Human Service (DHS) and the Australian Tax Office (ATO), each following their own paths for their own purposes. The Digital Transformation Office, expanded and renamed The Digital Transformation Agency (DTA) was charged with managing the differences between these two and setting policy as to how a common identity management environment was to be deployed. They started out following the UK Verify model but that was eventually dropped. Political pressure made it impossible for an independently developed identity management solution to be deployed. Common wisdom and multiple consultant’s recommendations suggested a federated environment that would incorporate state-based identity providers such as Queensland’s CIDM service and Service NSW so that citizens with a registered identity with their state government would be able to use that identity to log onto federal systems.

But DHS won. The MyGov system is a closed authentication environment that requires service providers to register their system on the MyGov platform. While the platform has been opened-up to support other identity provider services, AustPost being the first, there is little incentive to sign up to any other service if you already have a MyGov account. Queensland is already decommitting from CIDM and focussing on the driver licence and 18+ card registrations that will be incorporate into an identity broker framework.

What’s more, the DTA is now working with the National Exchange of Vehicle and Driver Information (NEVDIS), originally established to facilitate cross-state sharing of driver licence and vehicle registration information with law enforcement officials, to allow them to get access to driver licence information. They particularly want access to the photo so that they can reach a level 3 assurance level; something the ATO wants for citizen access to more sensitive services. Driver licence photos are getting better, in Queensland they meet ICAO standards, which facilitates three factor smartphone authentication as smartphone manufactures open up their facial recognition technology.

But sharing or photos should be a concern for all Australians. State government are being required to contribute photos, provided for the purpose of getting a driver licence. to a central databased for another purpose to which we have not consented, This contravenes Australian privacy legislation.

The irony is: this is not required, we can avoid breaking the law.


Facial recognition simply needs a facial (visage) template that measures information such as the distance between the eyes, width and length of the nose, the mouth position and chin shape. This enables facial recognition but not image reconstruction. It’s also a lot less data to transmit and store.

So – it’s good that the federal government is finally moving ahead with an on-line authentication service, it’s just too bad it’s not a truly federated system, it requires service providers to be exposed via the MyGov environment and it’s breaking privacy legislation.

Oh – on the topic of privacy, Australia has some of the best privacy legislation. It’s a shame the Australian Office of the Information Commissioner (AOIC) has not been funded to investigate and charge the many organisations flagrantly abusing consumer privacy every day. We are continually asked for more information than is necessary for the services we’re requesting, and they’re not deleting information when they can’t be bothered to update it, they are not capable of responding to a person’s request for access to data and correct errors.

Many company privacy policy statements, a requirement under the legislation, are very poor and the number of breaches, with notification finally a legislated requirement, indicates that  companies are not safeguarding the data they keep on us.

It’s also a shame that the Attorney Generals Department has not moved ahead with the Cross-Border Privacy Rules (CBPR). We need to plug and play in Asia yet we spend more time on Europe’s General Data Privacy Regulation (GDPR). Don’t get me wrong GDPR is the gold-standard when it comes to privacy practices, but Asia consists of sovereign states that each set their own privacy regulation, nothing like Europe’s nation states that adhere to a common regulation. Again, AOIC’s role in CBPR needs funding.

So it’s a mixed report card for Australia; we’ve done some things right, we’re finally going to have an authentication system to access federal government services. It’s too bad that I must setup a MyGov account to do so, I can’t use my QGov account.

But that’s the reality we live with - political factions seem to trump logical decisions. 

 

Tuesday, 22 January 2019 00:00

One of the latest topics to be selected for media-mania is facial recognition. Can we of sound mind and technical education please provide a balance to the self-serving journalists who seek to promote their names through social media hype?

There are three areas of confusion that have surfaced over the past six months:

  • Privacy issues surrounding facial images

There are no privacy issues surrounding facial recognition. There are, of course, concerns regarding the storage and sharing of facial images that persons allowing themselves to be photographed as part of a registration process should question. But facial recognition uses facial templates (sometimes called facial signatures) and does not require transmission or storage of facial images.

  • Concerns regarding CCTV cameras

This item supposes that local councils are mapping our movements when we are caught on cameras in public spaces. The technology is not currently available to do this. It requires one-to-many matching and requires ICAO-grade images.

  •  Comparisons with the Chinese social credit program

Whatever you think of Beijing’s initiative to promote social harmony it has nothing to do with facial recognition – that just happens to be one of the technologies they purport to use. The only issue is whether or not democratic countries want to go down that route.

It’s important that technically competent people help to quell fear-mongering and ensure a level-headed approach as new technology becomes mainstream.

In helping people understand the technology it is important to differentiate between the two main types of facial-recognition, they are vastly different:

1. One-to-one

This is the area in which most change is occurring and where we are benefitting the most from a better user-experience. There are multiple use-cases, for instance:

-  SmartGate immigration stations. These are the automated devices used at border crossings that allow you, if you’re lucky, to enter a country without talking to a border-control officer. They work best in Europe where passports from a wide number of countries are accommodated. There are two steps to the process: you present your passport allowing the system to retrieve your facial template, and then a camera verifies that it is actually you travelling.

-  Windows Hello. After registering your face with your PC, and creating your facial template, subsequent logins will turn on the infra-red camera to verify your facial image even in low light.

This type of facial recognition is the future of authentication. Most new smartphones have strong graphic-processing capabilities and are able to positively identify you to a high assurance level. Many governments and commercial organisations want a higher level of assurance than most PIN-based or push-authentication systems can provide so this type of facial recognition has a bright future.

2. One-to-many

This is usually the type of facial recognition that garners the most interest and criticism from members of the public. It is widely used in criminal investigations where a visual image of an alleged perpetrator can be compared with police files of stored facial templates in order to identify a suspected criminal.

This type of facial recognition takes time and processing power; it is not suitable for authentication purposes. It has been trialled in multiple airports, to attempt to identify people on watch lists or individuals with red flag indicators from leaving or entering into a country. These trials have had very limited success because of high false negative rates.

So what should the technical professionals be recommending to our clients?

  1. When we allow ourselves to be photographed as part of a registration process i.e. obtaining a driver license, we should ensure we are satisfied with the privacy statement of the organisation involved. In most western countries privacy legislation allows companies and government to only collect the information they need for the transaction that a user is undertaking. They can’t collect information that just might be needed in the future or would be useful for their demographic analysis program. An organisation cannot collect a facial template if they don’t need it for authentication; and they can’t ask for a photograph unless it’s needed for the requested business process e.g. application of a driver license. If a facial template or a facial image is collected it can only be used for the purpose for which it was collected. Government cannot use driver license photos to authenticate citizens to government services, unless explicit consent is collected.
  2. We need to identify the current limitations of the technology. Much has been written about the ability to “fool” facial recognition systems with a modified photograph. It seems that a suitably “doctored” image can be used to cause a false positive. We would be remis, as with any authentication mechanism, if we did not assist our clients in identifying situations in which a technology does not provide the required level of security.
  3. Perhaps the most important advice we can give, however, is the potential for facial recognition to radically change user experience in the future. Users of Windows Hello won’t go back to passwords, PINS or fingerprints. Facial recognition is so simple and exceeds most security requirements that it is the future for authentication on PCs and laptops, and it will be the authentication tool of choice on smartphones too, with the FIDO Alliance supporting a facial recognition certification program.

No – passwords aren’t dead, but facial recognition is one more nail in the coffin.


Thx.
Graham

Monday, 24 July 2017 14:11
Most developed countries have enacted privacy legislation with the intent to protect their citizens from bad corporate practices that may either deliberately or inadvertently release their personally identifiably information (PII) to unauthorised persons. While this is obviously a well-intentioned activity it does have a commercial impact. Companies wanting to transact across sovereign borders must ensure they adhere to privacy legislation in the countries in which they do business and individuals providing their PII to foreign companies need to be confident that their private data is being adequately protected in the foreign jurisdiction.

Europe has addressed these issues via the General Data Protection Regulation (GDPR) initiative which harmonises privacy legislation across European Union countries. The main driver for the GDPR is protection of individuals’ privacy. The legislation requires organisations to establish data controllers for repositories of PII and to seek consent for the use of PII within their business processes. GDPR also provides for recourse in the event of contravention of the regulation. Indeed the penalties can be quite severe with enforcement agencies in each country ready to investigate, and if necessary prosecute, those that violate the legislation.

In the Asia Pacific Region the approach has been quite different. It is unrealistic to expect a harmonisation of privacy regulation across countries in the region so the Asia-Pacific Economic Cooperation (APEC) established the Cross-border Privacy Rules (CBPR) system. Countries joining the CBPR must evaluate their privacy legislation against the 9 principles of the APEC Privacy Framework and then provide a mechanism for companies to be ‘certified’ by an Accountability Agent as being compliant with the CBPR.

While both initiatives seek to protect private data they are very different in their approach. GDPR relies on a legislative mandate that enjoins member countries in a prescriptive solution. It is based on homogenised legislation that ensures similar treatment of infractions regardless of where they occur in the European Common Market. By contrast participation in the CBPR system is entirely voluntary, it is based on self-assessment with 3rd party verification. It relies on negotiated settlement of alleged contravention and imposes no restriction on member countries regarding their local privacy laws. In order to participate a country must have enacted privacy legislation; it is a pre-requisite because member countries must map their local law to the CBRP Privacy Framework as a step in their application to join the initiative. Some Asian countries are not in a position to consider CBPR because they lack the legislative framework to participate.

So – GDPR is predicated on tight coupling between member states that enables a strong legislative response to the task of data protection. CBPR accommodates a loose coupling of member countries imposing a framework that enhances cross-border trade and provides some recourse for individuals in the case of privacy regulation contravention by a foreign participant.

 

GDPR

CBPR

Program Characteristics

Tight-coupling of European member states

Loose-coupling of APEC member countries

Legislative Framework

Prescriptive, based on a single privacy legislation

Guidance, accommodating multiple privacy laws

Recourse for contravention

Punitive, with significant penalties

Negotiated, with local agreements for redress

Table 1 - Comparison GDPR & CBPR

While GDPR and CBPR, by necessity take different approaches, both serve to raise awareness of privacy issues and raise trust in the Internet as a vehicle for digital commerce.
Wednesday, 26 April 2017 07:18
Most governments are rushing to deploy on-line services. The have no choice: it’s too expensive to maintain other channels, and millennials would have it no other way.

This means that there is a need for an authentication service that will provide access to government services and most governments are addressing the issue by developing a central facility that becomes a ‘one-stop-shop’ providing access to services across multiple departments or ministries.

There are basically two frameworks being adopted: a persistent ID system that establishes an identity store and a transitory ID approach in which no government ID store is required. A summary of the benefits of each approach are:

Persistent ID

This approach is by far the most widely deployed. In this instance a government agency establishes a central identity provider service to authenticate all users access government on-line services. Governments have a large amount of information that they necessarily store on their citizens. They issue driver licences so they know where we live, our age, what we look like and our driving history. They track medical expenses so they know how healthy we are and if we have any chronic illness. Tax returns advise on how much we earn and details such as our investments. But while government hold a wealth of information on citizens it’s quite fractured with each department or ministry maintaining their own records. There is typically little ‘sharing’ of information which means that identity data cannot be leveraged to the degree it could be. One issue is privacy legislation which restricts data-sharing without consent.

That means that, to develop an authentication mechanism for citizen access across multiple departments, government typically establishes a purpose-specific repository, to authenticate users before redirecting them to the requested service. The issue then is to associate an authenticated user to their record(s) within the department or ministry they are accessing. If a citizen is renewing their driver licence, either the authentication facility needs to pass through the driver licence number, if it’s available, or the target department will need to employ other attributes to establish the relationship. Another issue is harmonisation of common data. For instance, when a citizen moves house there is a need for a ‘change it once’ approach whereby an address change is propagated to the departments that maintain address detail. Another approach is to federate the identity data across departments, and levels of government, but this requires a level of co-operation within government that typically does not exist.

Transitory ID

The alternative to a persistent ID system is what we call a transitory ID framework in which the government does not create a data store of citizen identity information on their citizens, they rely on third parties who specialise in providing such services. The major benefit of a transitory ID facility is the elimination of the liability associated with maintaining a data repository of PII. In most jurisdictions there are severe penalties for unauthorised release of identity information and this represents a significant risk that is avoided if government relies on third-parties. It also allows citizens to select the service provider of choice for the storage and maintenance of their identity data.

But there are some drawbacks:
  • Since there is a reliance on third parties there is a need to establish rules; and a need for some form of conformance testing to ensure adherence to the rules.
  • There’s a cost component in that third-party identity providers typically want to be compensated, so some form of payment system is required and some subsidisation in the commencement phase is required, until a sustainable level of transactions has been reached,.
  • Since the third party will typically not have identity attributes to allow departments or ministries to establish relationships i.e. vehicle registration numbers, the target agencies need to match a user to their record(s) within the department so that the required service can be provided.
The most successful deployment of a transitory identity provider system is in the UK. There are several reasons for this:
  • They have a large enough population to support multiple third-party suppliers.
  • British citizens are fiercely protective of identity information and don’t want government to have any more of their identity data than they have to.
  •  The UK has a centralised form of government that makes it easier to enforce across government (there’s already been a large ministry that tried to establish their own authentication mechanism but they were encouraged not to).
Citizen identity management is an interesting area to watch. It will only grow in importance because on-line services continue to grow in importance and some innovative use of AI is expected that will make our experience with government more pleasurable. Won’t that be refreshing?
Saturday, 01 April 2017 21:45

For the past 5 years cloud services have grown to be ubiquitous, secure and high-performance. Yet just yesterday I was talking to a friend who was lamenting the decision he had to make at work regarding deploying a Microsoft Project server on AWS or Azure. He needed to provide access to team members from two organisations and his company would not allow external people to access their on-premise project server. The cloud is the only way to go for such an application. But while that's so obvious there are some caveats that need to be observed. 

It's important that my friend select a cloud service provider (CSP) appropriately. He needs to evaluate prospective suppliers from a operational risk viewpoint - can you get your files back when you part ways with the CSP, technical viewpoint - does the CSP provide adequate security and a legal point of view - are the licence terms suitable? 

Then a decision needs to be made on the identity service to authenticate users to the site. Is an access control list going to be maintained on the CSP's site (bad), will there be a synchonisation to AD (not much better) or will the company establish an identity provider service in the Cloud? In this instance a cloud-based federation service to which the other company can interface would be a good idea.

The technolgy is here folks - let's just use it.

Thx.

Graham