WS>>(1)Chip-Based ID: Promise and Peril

carl william spitzer iv cwsiv_2nd at JUNO.COM
Fri Feb 1 10:59:15 MST 2002


                             by Roger Clarke

            Principal, Xamax Consultancy Pty Ltd, Canberra

          Visiting  Fellow, Department of Computer Science,  Aus-
     tralian National University

          Version  of 27 September 1997 (improvements  made  from
     the  version of 10 September primarily in the final,  Design
     Features section)

          ) Xamax Consultancy Pty Ltd, 1997


          Invited Address to a Workshop on 'Identity cards,  with
     or without microprocessors: Efficiency versus confidentiali-
     ty', at the International  Conference on Privacy,  Montreal,
     23-26 September 1997

          This paper is at
          http://www.anu.edu.au/people/Roger.Clarke/DV/IDCards97.html

          Abstract

          Multi-purpose  identification schemes in  general,  and
     national identification schemes in particular, represent the
     most  substantial  of information technologies'  threats  to
     individual liberties.

          This is because they concentrate information, and hence
     power;  and  because it is simply inevitable that,  at  some
     stage, even in the most apparently stable and free  nations,
     power  will be exercised against the interests of  individu-
     als, and of the public generally.

          Miniaturised  computer processors (chips),  mounted  in
     such  carriers as 'credit-cards', coins, rings and  watches,
     are an important tool. They are now entering widespread  use
     as a means for identifying inert objects such as goods on  a
     production-line and in a logistics-chain, and living  things
     such as valuable animals.

          Chips  are  being proposed as a  means  of  identifying
     people  as well. They present an opportunity to  devise  and
     implement highly repressive identification schemes; and many
     corporations and countries are in the process of  harnessing
     those potentials.

          Chips also offer great scope for designing schemes that
     are  privacy-sensitive, and that balance  privacy  interests
     against  other  social and economic interests  and  law  and
     order  concerns. Unfortunately, that scope has to date  been
     almost  entirely  overlooked or ignored. This  paper  argues
     that the simplistic approaches being adopted by the  propon-
     ents  of  identification schemes are in the process  of  de-
     stroying  public  confidence, and hence of  undermining  the
     intended return on investment.

          This  paper  builds on the author's  substantial  prior
     research and publications in the area. It reviews the social
     and  political risks involved in identification schemes.  It
     then  identifies ways in which chip-cards may be applied  to
     address those risks, and achieve balance between the  inter-
     ests of individuals, on the one hand, and of the society and
     State, on the other.

          Privacy-sensitive design options include:

          'electronic  signature  cards'  rather  than   'id
          cards';

          no central storage of biometrics;

          two-way device authentication;

          less identity authentication, and more eligibility
          authentication;

          fewer  identified  transaction  trails,  and  more
          anonymity and pseudonymity;

          multiple  single-purpose ids, rather  than  multi-
          purpose ids;

          separation  between  zones  within  multi-function
          chips;

          androle-ids as well as person-ids.

          Public  concerns about privacy-invasive and  repressive
     applications of information technology must be reflected not
     only  in  the designs implemented by scheme  operators,  but
     also  in policies implemented by governments. It  is  argued
     that  the focus on 'data protection' that has  been  adopted
     during the period 1970-1995 needs to be rapidly matured into
     a  new  orientation towards protection of the  interests  of
     people.

          Insensitive application of intrusive information  tech-
     nologies (including consumer and citizen profiling, matching
     and  linkage among personal  databases,  video-surveillance,
     intelligent highways, as well as chip-based  identification)
     is resulting in heightened public concern about the exercise
     of control over individuals by governments and corporations.

          Failure to appreciate the intensity of public concerns,
     to  adapt to it, and to apply chip technologies in  privacy-
     enhancing  ways,  will result in  further  cleavage  between
     people and their institutions. This will result in decreased
     compliance  by  people  with schemes about  which  they  are
     justifiably suspicious, and failure of chip-based and relat-
     ed technologies to deliver on their potential.

                               Contents

     Introduction
     Human Identification
     Identification, Anonymity and Pseudonymity
     The Assault on Anonymity
     Dataveillance Risks
     Threats in Chip-Based Schemes
     Threats in Multi-Purpose Identification Schemes
     Threats in Chip-Based Multi-Purpose Identification Schemes
     Public Policy Options for Chip-Based ID Schemes
     Design Features for Chip-Based ID Schemes
     Conclusions
     References to Other People's Works
     References to the Author's Own Works
     Introduction
     This paper is concerned with:

          the technology of miniaturised integrated circuits
          (chips);

          the  identification of humans in information  sys-
          tems;

          andthe  use of chips to support human  identifica-
          tion.

          Chip  technology has been improving for a  quarter-cen-
     tury,  and  can now support  moderate  storage-capacity  and
     processing  power. Chips are now capable of being hosted  in
     plastic cards, coin-sized tokens and watches, and in  goods,
     and  the  cartons and pallets whereby goods  are  delivered.
     Chip-cards  are  now being issued in  considerable  numbers,
     particularly  in public transport and stored-value  applica-
     tions.  For  a  positive perspective on  such  schemes,  see
     Clarke (1997c).

          In  many circumstances, it is useful, and  even  neces-
     sary,  to  identify people.  Many  different  identification
     techniques are used, including appearance, social behaviour,
     names,  codes,  knowledge,  tokens,  bio-dynamics,   natural
     physiography and imposed physical characteristics.

          Chips  are capable of being used as a form of  enhanced
     token.  They may be embedded in a carrier such as a  plastic
     card,  a watch, a ring, a bracelet, or an anklet.  ID  chips
     are already being directly implanted in animals, commonly in
     the ear or the neck of valuable ones like pets and  breeding
     stock.  It is unlikely to be long before embedded chips  are
     seriously proposed as a means of identifying humans.

          This  section  firstly provides some  examples  of  the
     application  of chip-based ID to humans, and  then  explains
     the purpose and structure of the paper.

          * South Korea

          Building  on  the present national photo-id  card,  the
     Korean  ID  Card Project involves a chip-based ID  card  for
     every  adult  member  of the population. It  is  to  include
     scanned  fingerprints, and is intended to support the  func-
     tions  of a multi-purpose identifier, proof of residence,  a
     driver's licence, and the national pension card. Its  impact
     is reviewed in Kim (1997).

          * Malaysia

          Malaysia's  Multimedia Super Corridor (MSC)  initiative
     features  a number of 'flagship' applications. One of  these
     is  a 'National MultiPurpose Card' (MPC), which is to  be  a
     chip-based multi-purpose identification card, with  specific
     support for driving licence, immigration status, and  health
     data. It is expected that its uses will be extended to other
     electronic government projects.

          Of  particular significance for other countries is  the
     voluntary and gratis participation in the initial phases  of
     the  MPC  project of most of the world's  major  smart  card
     technology  developers. They would appear to perceive  great
     advantages  to themselves in being involved in the first  of
     what  they  hope  will be a wave  of  such  implementations,
     throughout at least Asia.

          * Thailand

          Chip-based  technology  is bound to  be  attractive  to
     government agencies that already have substantial databases,
     in  countries  whose  population is already  subject  to  id
     schemes.  Thailand  is an example of a market ripe  for  the
     plucking.

          "The  Thai Ministry of Interior maintains  the  second-
     largest relational database in the world ... In  conjunction
     with  the Central Population Database project, the  Ministry
     of  Interior introduced a new identity card issuing  project
     in early 1994 ... An image of the person's right  thumbprint
     is  scanned and stored in the national database at the  time
     of  card  creation. The card contains  printed  biographical
     information  and an identification photograph on  the  front
     side, and a magnetic strip containing biographical  informa-
     tion and a reference to the person's thumbprint on the  back
     side" (technology-provider LSC Inc.'s promotional material).

          * Warm Water and the Frog

          It is conventional for intrusive, dehumanising technol-
     ogies  (such  as genetic testing, genetic  manipulation  and
     eugenics) to be first harnessed in contexts that are econom-
     ically  beneficial,  and difficult to  resist.  The  popular
     metaphors for this process are 'the thin end of the  wedge',
     and  the frog placed in warm water that is gradually  heated
     to boiling point.

          The  initial  applications of chip-based ID  in  Anglo-
     American  and  European  countries appear likely  to  be  to
     institutionalised  people, who are expensive to  administer,
     and  whose human rights are in any case subject  to  greater
     than usual qualifications. The most obvious examples are:

          prisoners, particularly those who are being grant-
          ed  a degree of freedom, such as  relatively  open
          'prison  farms',  andday-release  schemes.  In   a
          timely  statement on 10 September 1997, the  newly
          re-elected Northern Territory Government announced
          that  'selected'  children (not  necessarily  just
          those  with  prior convictions)  would  be  banned
          fromroaming  the streets at night,  and  monitored

          via  a computer-linked electronic device  strapped
          to their wrists or ankles;

          andsenile   dementia  patients,  whose   movements
          within a retirement home can be tracked, and whose
          non-movement in anunusual location can be reported
          to carers.

          People afflicted by the slow processes of other  insti-
     tutions may be readily attracted to voluntarily  participate
     in such schemes. Since 1995, the Immigration and Naturalisa-
     tion Service Passenger Accelerated Service System (INSPASS),
     based  on  a card bearing a measure of  the  holder's  hand-
     geometry,  has been in use at New York's International  Air-
     ports  as  a means of expediting the clearance  of  frequent
     travellers.

          The official information available on INSPASS does  not
     appear  to even mention privacy matters. Indeed,  the  chal-
     lenge is seen as merely "How then do we balance the needs of
     enforcement;  the prompt identification and denial of  entry
     to  persons we, as a nation, do not want to allow  into  our
     country,  with the needs of facilitation; the prompt  admis-
     sion of those we want to welcome?". The scheme is  justified
     with the hilariously incorrect statement that "In the  past,
     the right of travel was only paid lip service in most  coun-
     tries.  Only  recently, with the convergence  of  democratic
     trends  around the world and the advent of relatively  cheap
     international air travel, have people been able to  exercise
     the right to travel" ( Ronald J. Hays, 4 January 1996).

          Immigration officials in other countries, many of  them
     with  the same cavalier, even imperious, attitude  of  their
     U.S.  equivalents,  are understood to be  trialling  similar
     technologies.

          * The (Suspended?) British Project

          Comprehensive chip-based ID schemes are not  restricted
     to Asian countries. The United Kingdom differs significantly
     from  its Continental European partners in that it does  not
     have a general-purpose ID card. The Conservative  Government
     spent  some  years developing a proposal  for  a  chip-based
     scheme,  but  this  was abandoned  by  the  recently-elected
     Labour  Government. The primary impulse for the scheme  came
     from  within  the  ranks of the civil service;  so  it  will
     doubtless  re-appear  as a Labour initiative, once  the  new
     Government  becomes  tired  and begins to  depend  on  civil
     servants for ideas.

          * The (Emergent?) U.S. Project

          Driver  licensing authorities can generally see  little
     benefit  in  upgrading their existing  cards  to  chip-based
     technology.  On  the other hand, such a development  can  be
     readily  harnessed  to multiple purposes. According  to  The
     Winds (1997), the U.S. Illegal Immigration Reform and  Immi-
     gration  Responsibility  Act of 1996  contained  an  obscure
     passage  amending Title IV, section 656(b) in order to  con-
     vert  state drivers' licences into a national ID card.  Com-
     prehensive information on this matter is to be found in  the
     National  ID Archives of the Electronic Privacy  Information
     Centre.

          * Emergent Canadian Projects

          Attempts  have been made to generate  momentum  towards
     general-purpose  inhabitant  identification  schemes  in  at
     least Canada as a whole, Ontario and Quebec. Several of  the
     initiatives have centred around health insurance and  health
     applications. A trial of a chip-based ID card has been  held
     in Quebec.

          * The Plan of This Paper

          To  what extent does a chip-based ID  scheme  represent
     merely  a confirmatory identification method,  with  limited
     privacy-invasiveness,  and to what extent is it a basis  for
     comprehensive  surveillance,  and for  authoritarian  rather
     than democratic society?

          This paper first reviews the notions of identification,
     anonymity and pseudonymity, and the threats that  identified
     data and transactions represent to individuals and to socie-
     ties. This leads into an assessment of multi-purpose identi-
     fication and inhabitant registration schemes.

          Chips are shown to create opportunities for  designers,
     such  that chip-based ID schemes can deny privacy  outright,
     or can be implemented in a privacy-sensitive and even priva-
     cy-protective  manner.  An assessment is undertaken  of  the
     likelihood of public concern forcing governments and design-
     ers  to be extremely careful with  this  society-threatening
     technology. Specific proposals are provided, in relation  to
     both public policy and technical design.

          Human Identification

          Human identification is the association of data with  a
     particular human being ( Clarke 1994c). It is used in  rela-
     tion  to historical data held on files, and to new  transac-
     tion data that captures aspects of real-world events.

          A  number  of bases are available to assist  in  formal
     identification. None of them satisfies all of the  desirable
     characteristics. Organisations therefore combine identifica-
     tion  techniques in order to achieve an appropriate  balance
     between  the harm arising from false-inclusions (i.e.  asso-
     ciating  data with the wrong person), and from  false-exclu-
     sions  (i.e.  failing  to  associate  data  with  the  right
     person).

          An approach that is commonly adopted when an  organisa-
     tion  first establishes a relationship with a person, is  to
     seek a variety of information about them, from a variety  of
     sources.  In the absence of inconsistencies or 'bad'  refer-
     ences,  the person is accepted as being identified  by  that
     loose set of data.

          To facilitate identification during subsequent interac-
     tions  between the organisation and the individual, a  token
     (typically a card) is issued to the individual. To  engender
     sufficient confidence in the person's identity, an organisa-
     tion may seek not only production of the token, but also  of
     knowledge  that  only the individual would  be  expected  to
     have, such as a password or 'personal identification number'
     (PIN).

          Dependence on documents, tokens and knowledge produce a
     system of at best moderate reliability. With developments in
     technology, some organisations are increasingly attracted to
     biometrics.  This  is the identification  of  an  individual
     through  a  measure  of some part of  their  person,  or  of
     something that the person does.

          Identification, Anonymity and Pseudonymity

          There  are some kinds of transactions that cannot  rea-
     sonably  be performed without the  disclosure,  verification
     and  recording of the parties' identities. This is  usefully
     referred to as 'identity authentication'. An important class
     of circumstances in which identity authentication is  needed
     is where an undertaking is given by a person to perform some
     action in the future, e.g. repaying a loan; or appearing  in
     court, in return for the granting of bail.

          There  are further kinds of transactions in  which  one
     party wishes to satisfy themselves as to the appropriateness
     of the other party participating in that particular class of
     interaction  (e.g.  by  virtue of  their  age,  affiliation,
     authority  to represent a particular organisation, or  qual-
     ification  for a concession). One convenient way to  perform
     such  'eligibility authentication' is for one party to  pro-
     vide  evidence of identity, but for the other to  record  no
     more  than  that satisfactory evidence  was  provided  (e.g.
     recording  'driver's  licence  sighted',  rather  than   the
     licence-number).  A special case of this is where  a  person
     collects  a  privacy-sensitive  document  (such  as  medical
     information),  or a token intended to serve as  evidence  of
     identity (such as a passport).

          Anonymous data is data that cannot be associated with a
     particular person. There is a vast range of transactions for
     which  identification is not a logical  prerequisite.  These
     include  cash  payments of all kinds,  barter  transactions,
     telephone and counter enquiries, and inspection of  publica-
     tions on library premises.

          Depending on the context, identification may assist  in
     protecting  the interests of one or both of the parties,  or
     of  third parties, or of society as a whole. It also  threa-
     tens  the  identified party, for reasons summarised  in  the
     following  section.  Anonymity satisfies  the  interests  of
     individuals in avoiding the accumulation of data-holdings by
     others  about  them; but may compromise interests  of  other
     parties.

          An  alternative  exists, that represents  a  compromise
     between  the  extremes of identification  and  anonymity.  A
     pseudonym  is  an identifier for a party to  a  transaction,
     which is not, in the normal course of events, sufficient  to
     associate the transaction with a particular human being. The
     data may, however, be indirectly associated with the person,
     if particular procedures are followed.

          The  simplest  (although by no means the only)  way  to
     implement a pseudonymous scheme is to maintain an index that
     correlates  the pseudo-identifier with a reliable  identifer
     for  the person, and to subject it to  technical,  organisa-
     tional  and legal protections. Hence individuals may be,  in
     practical  terms,  anonymous,  except  where   circumstances
     justify access to the index, e.g. where a search warrant  is
     issued to a law enforcement agency.

          The  principles  of pseudonymity are  reasonably  well-
     known,  yet they have been remarkably under-applied.  Clarke
     1995c  examines the technique and its importance as a  means
     of achieving balance between conflicting interests.

          The Assault on Anonymity

          There  already exist large numbers of data trails  that
     individuals  leave  behind them; and  new  technologies  are
     resulting in new trails being created ( Clarke 1995d).

          During much of the current century, organisations  have
     been seeking to reduce the costs involved in the administra-
     tion  of their relationships with individuals, by  replacing
     the  human  touch with automation. This has resulted  in  an
     incentive  for greater 'data intensity' in  those  relation-
     ships (Rule 1974).

          Organisations are seeking to exploit the ongoing  tech-
     nological  revolutions, and are trying to  convert  hitherto
     anonymous  transactions into identified ones.  Examples  in-
     clude:

             the  conversion of anonymous cash into  identi-
          fied credit-card, debit-card and stored-value-card
          transactions;

          the application of Calling Number Display (CND)  /
          Calling-Line Identification (CLI) in telephony, in
          order  to  identify(initially) the area  and  even
          location from which a call is made, and  (progres-
          sively) the identity of the individual making  the
          call;

          loyalty schemes to identify all transactions  each
          individual has with a particular organisation;

          and  extended 'loyalty' schemes, to  identify  the
          intensive  stream of transactions each  individual
          has with a range oforganisations.

          Government  agencies  are frequently in a  position  to
     legally impose on individuals the condition that they  iden-
     tify themselves when performing particular kinds of transac-
     tions. Corporations may use a combination of inducements and
     market power to achieve the same end.

________________________________________________________________
GET INTERNET ACCESS FROM JUNO!
Juno offers FREE or PREMIUM Internet access for less!
Join Juno today!  For your FREE software, visit:
http://dl.www.juno.com/get/web/.



More information about the Rushtalk mailing list