Title: Smart Cards - Threat or Panacea?


1
Smart Cards - Threat or Panacea?
Round-Table Seminar: Smart Cards Society
Chulalongkorn University - Bangkok, 11th November 2004
Prof. Jim Norton
Senior Policy Adviser, UK Institute of Directors
Former Director, UK Cabinet Office PIU e-Commerce team
www.profjimnorton.com
2
Issues to be covered
  • Setting the scene - technological growth
    outstripping social absorption?
  • Why might we be interested in ID and data
    sharing?
  • What do we mean by Identity and Smartcards
  • A look at the challenges in more detail.
  • A risk analysis.
  • The weak link - binding identities to
    individuals?
  • Biometrics - reliable for which purposes?
  • Some final thoughts.



3
The second half of the chessboard
Original idea George Gilder at the
Cato-Brookings Institution conference "Regulation
in the Digital Age," held in Washington D.C. on
April 17-18, 1997.
4
The cost-performance of electronics doubles every
18-24 months (Moore's Law)
33 Doublings
Source Analysys
5
Moore's Law in Action: Intel Microprocessors
2T/18
Source Intel Silicon Image
6
Opto-electronics follow the same path (Moore's
Law operates in telecoms, too)
31 Doublings
Source Analysys
7
Gigabit Ethernet installed base growth
Millions
Source IDC Silicon Image
8
The cost-performance of magnetic storage doubles
roughly every 18 months
26 Doublings
Source Silicon Image
9
Disk storage density is growing exponentially too
Source IDC Silicon Image
10
Cooper's Law for wireless
42 Doublings
Cooper's Law (after ArrayComm Chairman Martin
Cooper) states that the number of conversations
(voice and data) conducted over a given area, in
all of the useful radio spectrum, has doubled
every two and a half years for the last 105
years, ever since Marconi discovered radio in 1895.
Source ArrayComm
11
But we have seen this before in the context of
the telegraph
Source Tom Standage, The Economist, The
Victorian Internet
12
The first half of the chessboard has already
delivered some surprises
13
We are drowning in data.
"Where is the life we have lost in living? Where
is the wisdom we have lost in knowledge? Where is
the knowledge we have lost in information?" - T S
Eliot, Choruses from The Rock, 1934
And a codicil for the 21st century: Where is the
information we have lost in data?
The World produces more than 2 Exabytes (2
Billion Gigabytes) of unique information per
year, more than 250 Megabytes for every man,
woman and child on earth
14
Technology of course makes an excellent servant
but a poor master
As an engineer and director my strong concern is
with the process by which increasingly rapid
change in technological capability diffuses out
into society and the economy
Source Jim Norton, COGS Network Meeting,
University of Sheffield, 20/01/03
15
Riding the information tiger
Networked information systems can be either (or
both!) a benefit or a curse
  • Major scope to improve quality and lower cost in
    both public and private sectors
  • Potential to greatly simplify citizen - state
    interactions
  • Potential to tailor private and public sector
    services to individual consumers
  • But poor track record in building systems which
    align people, systems and processes.
  • But to whose benefit and under what agreed
    privacy constraints?
  • But major absence of the trust required to
    permit the holding and use of personal data.

Source Jim Norton, COGS Network Meeting,
University of Sheffield, 20/01/03
16
A framework for analysis..
The UK is the leading centre for e-commerce
activity within a strong Single European Market,
based on openness and innovation by suppliers and
customers, light touch regulation, and
Government-Industry partnership
Access
Trust
Understanding
Source UK Cabinet Office PIU Report
e-commerce_at_its.best.uk Sept 1999
17
Issues to be covered
  • Setting the scene - technological growth
    outstripping social absorption?
  • Why might we be interested in ID and data
    sharing?
  • What do we mean by Identity and Smartcards
  • A look at the challenges in more detail.
  • A risk analysis.
  • The weak link - binding identities to
    individuals?
  • Biometrics - reliable for which purposes?
  • Some final thoughts.



18
Why might the information sharing agenda be
important?
The e-business scope compass
  • The private sector has demonstrated very real
    improvements in service quality (and reductions
    in cost) based upon information sharing and
    e-business tools

"When I took a look at Boeing's interaction costs
and discovered that e-enabling the business could
save as much as 50, I became an instant
believer" - Phil Condit, Chairman & CEO, The Boeing
Company - 2001
The e-business scope compass source Mohanbir
Sawhney - Kellogg Management School Northwestern
University Chicago
19
Developing enterprise integration is a long climb
  • In many ways local government has demonstrated
    more rapid adoption than central government.
  • For example, much UK central government work is
    stuck on the bottom two rungs of this ladder.
    The upper rungs need strong identity
    authentication

The ladder of e-business initiatives, source
Mohanbir Sawhney - Kellogg Management School
Northwestern University Chicago
20
Govt. information sharing: a SWOT analysis
Strengths
  • Avoid multiple data entry
  • Some clear personal benefits - e.g. in health
    care
  • Simplified, personalised interaction.
  • Major service improvements (e.g. Electronic
    conveyancing)

Weaknesses
  • Over centralisation
  • Sharing creep, e.g. through poorly anonymised
    research.
  • Poor understanding of how to maintain overall
    integrity
  • Potential for access demands from law enforcement.

21
The need for informed open debate
  • Political leadership is required, coming out of
    the bunker and promoting broad debate on areas
    such as:
  • What Vision and Values underpin the
    Government's Mission in data sharing?
  • What are the tangible benefits to citizens from
    Government information sharing?
  • What are the risks inherent in such sharing and
    what processes will be put in place to manage
    these?
  • How will information sharing be regulated? What
    forms of redress will there be against
    inappropriate sharing?

22
UK Government ID card objectives
The UK Government's stated aims are to
  • tackle illegal working and immigration abuse
  • disrupt the use of false and multiple identities
    by organised criminals and those involved in
    terrorist activity
  • help protect people from identity fraud and
    theft
  • ensure free public services are only used by
    those entitled to them and
  • enable easier and more convenient access to
    public services

Source UK Home Office Command Paper 6359 - Oct
2004
23
Issues to be covered
  • Setting the scene - technological growth
    outstripping social absorption?
  • Why might we be interested in ID and data
    sharing?
  • What do we mean by Identity and Smartcards
  • A look at the challenges in more detail.
  • A risk analysis.
  • The weak link - binding identities to
    individuals?
  • Biometrics - reliable for which purposes?
  • Some final thoughts.



24
Attributes of Personal Identity (PI)
Elements required to prove identity or
eligibility
  • Data contributing towards the validation of
    identity, e.g. does John Smith exist?
  • Data contributing towards the verification of
    identity, e.g. is this John Smith?
  • Data contributing towards the assessment of
    eligibility to attain the product or service.

Three dimensions of identity evidence
  • Breadth - the number of evidences?
  • Depth - how far back in time does evidence reach?
  • Quality
  • were robust measures of identity authentication
    enforced when the evidence was established?
  • does the evidence emanate from a reliable source?
  • are the personal identity attributes maintained
    e.g. address changes?

Source UK/EURIM Personal Identity Management
Group Strawman March 04
25
How do individuals identify themselves to service
providers?
This is achieved (with varying degrees of
confidence) by
  • physical possession of the evidence e.g.
    presenting a utility bill
  • visual attributes within the evidence that can be
    connected to the person e.g. a photograph or
  • corroboration of attributes associated with the
    individual's personal identity obtained from
    independent sources against those supplied by the
    person on this occasion.

Such corroboration can be
  • given verbally
  • presented through electronic data capture.
  • associated with an identity token
  • physically presented
  • electronically read
  • locally authorised
  • PIN
  • Biometric
  • centrally authorised
  • PIN
  • Biometric
  • visually read
  • electronically transferred
  • centrally authorised

Source UK/EURIM Personal Identity Management
Group Strawman March 04
26
Multiple levels of authentication are required
[Table: Method of attachment (KeyW, BioM, Possess, Photo, PIN, PassW)
against Authentication Level (1, 2, 3), cells marked Y: six Y marks
listed with level 1, four with level 2, one with level 3.]
Source UK/EURIM Personal Identity Management
Group Strawman March 04
27
Tokens can take many forms
Source UK/EURIM Personal Identity Management
Group Strawman March 04
28
Issues to be covered
  • Setting the scene - technological growth
    outstripping social absorption?
  • Why might we be interested in ID and data
    sharing?
  • What do we mean by Identity and Smartcards
  • A look at the challenges in more detail.
  • A risk analysis
  • The weak link - binding identities to
    individuals?
  • Biometrics - reliable for which purposes?
  • Some final thoughts.



29
What challenges are we seeking to address?
From the citizen's perspective
  • For the citizen to be able to protect their own
    identity from hijacking and abuse.
  • For the citizen to be able to protect the
    identity of deceased or vulnerable relatives.
  • To reduce the impact of identity fraud on
    society.
  • For the citizen to have more than one identity
    e.g. married and maiden names.
  • For the citizen to have confidence in whom they
    are dealing with.
  • For the citizen to have control over their
    personal data.
  • For the citizen to have control over who has
    access to their data.
  • For the citizen to have choice regarding the
    methods and channels they select to obtain
    products and services.

Source UK/EURIM Personal Identity Management
Group March 2004
30
What challenges are we seeking to address?
From the service provider's perspective
  • To be able to employ trusted, secure, cost
    effective methods of providing products and
    services to their customers.
  • To attain the highest degree of confidence re
    who they are dealing with in relation to the risk
    of the service or product offered to their
    customers.
  • To allow the citizen to be able to obtain a copy
    of their personal data used in a specific
    transaction via the Data Custodian where the data
    has been procured from source and then assembled
    and passed to the service provider by the Data
    Custodian.
  • To enable the citizen to report identity fraud
    against themselves via a single point.
  • The service provider has a responsibility and
    vested interest in ensuring that to carry an
    identity token provides the citizen with
    worthwhile benefits in terms of the services made
    available, the speed and effectiveness of the
    service, the reduction in personal data requested
    and the associated general convenience.
  • To recognise that the citizen has the right to
    utilise a number of identities associated with
    themselves.

Source UK/EURIM Personal Identity Management
Group March 04
31
Consent - Circle of Trust
Source UK/EURIM Personal Identity Management
Group Strawman March 04
32
Issues to be covered
  • Setting the scene - technological growth
    outstripping social absorption?
  • Why might we be interested in ID and data
    sharing?
  • What do we mean by Identity and Smartcards
  • A look at the challenges in more detail.
  • A risk analysis.
  • The weak link - binding identities to
    individuals?
  • Biometrics - reliable for which purposes?
  • Some final thoughts.



33
Identifying the risks in Smartcard ID systems
  • Risk is an essential element of any innovation.
    The key to success is how those risks are
    identified, managed and controlled

34
Segmenting smartcard risk - PEST
Economic
Political
  • Seeking instant "at a stroke" solutions to
    intractable problems?
  • Lack of willingness to explain and debate genuine
    benefits versus liabilities?
  • Inappropriate applications (e.g. counter
    terrorism)?
  • Function creep?
  • Creating new single points of vulnerability in
    National Critical Infrastructure?
  • Placing excessive trust in a single mechanism?
  • Costs of ensuring high integrity in unambiguously
    identifying individuals prior to issuing card?
  • Deployment risks/costs?
  • Costs of false positives and negatives?

Technological
  • Developing, and maintaining the integrity of,
    very large databases?
  • Quality of existing data?
  • Confusion between absolute identification
    and confirmatory authentication?
  • Widespread use of biometrics under real world
    conditions?

Social
  • Lack of trust of Government motives and plans?
  • Poor visibility of potential benefits
    compared to clear civil rights and privacy
    concerns?
  • Unconstrained data sharing?
  • Concern over cost/benefit balance?
35
Still more risk segments
Operational
  • Potential for subversion of junior staff in the
    card issuing process?
  • Need for exceptionally high overall system
    availability 24x7?
  • Vulnerability to Distributed Denial of Service
    (DDoS) attack?
  • Fallback plans in the event of major failure?

Legal
  • In Europe - relationship to human rights
    legislation?
  • Admissibility of evidence based solely on
    computer data.
  • Ensuring forensic integrity of identity data in
    the legal process.
  • Potential for false positives, poor general
    understanding of statistics?
  • Data protection legislation?

Sometimes it takes a while to work out just how
deep in the mire we are
36
Issues to be covered
  • Setting the scene - technological growth
    outstripping social absorption?
  • Why might we be interested in ID and data
    sharing?
  • What do we mean by Identity and Smartcards
  • A look at the challenges in more detail.
  • A risk analysis.
  • The weak link - binding identities to
    individuals?
  • Biometrics - reliable for which purposes?
  • Some final thoughts.



37
The weak link - binding identities to individuals?
I'm convinced that the technology for a smartcard
based ID system can be made to work; however, I
have real concerns about the people and
process aspects. In particular:
  • What documentary proofs will be required to
    establish an individual's identity before it is
    bound to a card?
  • How thoroughly will these proofs be checked?
  • How vulnerable will the system be to subversion
    of junior staff?
  • How secure will the process be for maintaining
    the link between the individual and the ID card
    on, say, name change at marriage, or in giving a
    Power of Attorney during incapacity?

38
Issues to be covered
  • Setting the scene - technological growth
    outstripping social absorption?
  • Why might we be interested in ID and data
    sharing?
  • What do we mean by Identity and Smartcards
  • A look at the challenges in more detail.
  • A risk analysis.
  • The weak link - binding identities to
    individuals?
  • Biometrics - reliable for which purposes?
  • Some final thoughts.



39
Biometrics - reliable for which purposes?
Striking a balance between false positives and
false negatives?
  • It is unsafe to use, for example, DNA
    fingerprinting simply to trawl a national
    database for matches without any other linkage of
    an individual to, say, a crime scene. It is,
    however, safe to use DNA fingerprinting to
    corroborate an existing link.
  • Retina scanning offers a high probability of
    successful identification in a population of
    millions with minuscule probability of false
    positives.
  • Facial recognition is an immature technology with
    a false negative rate under real world conditions
    of 20

"History will show that certain assumptions
involving biometrics will prove to be ill founded"
- "If biometric-related initiatives were poorly
conceived, States risked the alienation of
responsible citizens" - Dr Julian Ashbourn giving
evidence to the European Parliament Committee on
Civil Liberties, Justice and Home Affairs, 6th
October 2004. More on http://www.avanti.1to1.org/
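Added example (not part of the original slides): the base-rate arithmetic behind the "trawl versus corroborate" point above and the "absolute identification versus confirmatory authentication" risk on slide 34. The false match rate, false non-match rate, database sizes and priors are constructed assumptions, not figures from the presentation.

```python
# Added example: every rate, size and prior here is a constructed assumption,
# not a figure from the presentation.

def posterior_match(prior: float, fmr: float, fnmr: float) -> float:
    """Bayes: P(person is the true source | the biometric reports a match).

    prior - probability, before the comparison, that this person is the source
    fmr   - false match rate (false positive) of a single comparison
    fnmr  - false non-match rate (false negative) of a single comparison
    """
    true_hit = prior * (1.0 - fnmr)
    false_hit = (1.0 - prior) * fmr
    return true_hit / (true_hit + false_hit)


def trawl(db_size: int, fmr: float, fnmr: float) -> dict:
    """1:N search of a whole database with no other linkage to any record.

    Assumes the true source is enrolled exactly once; if it is not enrolled,
    every hit is false and the picture is worse.
    """
    others = db_size - 1
    return {
        "expected_false_hits": others * fmr,
        "p_at_least_one_false_hit": 1.0 - (1.0 - fmr) ** others,
        # With no other evidence each record is equally likely a priori.
        "p_hit_is_true_source": posterior_match(1.0 / db_size, fmr, fnmr),
    }


def corroborate(prior_from_other_evidence: float, fmr: float, fnmr: float) -> float:
    """1:1 check of one person already linked to the event by other evidence."""
    return posterior_match(prior_from_other_evidence, fmr, fnmr)


if __name__ == "__main__":
    FMR, FNMR = 1e-6, 0.01  # constructed: one-in-a-million false match rate
    for n in (1_000, 1_000_000, 60_000_000):
        r = trawl(n, FMR, FNMR)
        print(f"trawl N={n:>10,}: expected false hits={r['expected_false_hits']:8.3f}  "
              f"P(hit is true source)={r['p_hit_is_true_source']:.4f}")
    for prior in (0.01, 0.5):
        print(f"corroborate prior={prior:4}: P(true source)={corroborate(prior, FMR, FNMR):.6f}")
```

The same comparison accuracy gives opposite answers because a trawl starts from a prior of one in the database size, while corroboration starts from whatever the independent linkage supports.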
40
Issues to be covered
  • Setting the scene - technological growth
    outstripping social absorption?
  • Why might we be interested in ID and data
    sharing?
  • What do we mean by Identity and Smartcards
  • A look at the challenges in more detail.
  • A risk analysis.
  • The weak link - binding identities to
    individuals?
  • Biometrics - reliable for which purposes?
  • Some final thoughts.



41
Some final thoughts
  • A broad, informed, debate on ID cards and
    Government data sharing - shaping its overall
    Vision, Mission and Values - is necessary.
  • Such data sharing represents a very complex
    process involving both people and technology plus
    regulation and legal controls at national and
    international level.
  • The past track record generally of Governments
    with such technology mediated business change
    projects gives cause for concern
  • Blind faith in technological solutions is
    unlikely to lead to successful outcomes.
  • Authentication of eligibility rather than full
    personal identification may often be more
    appropriate.
  • Biometrics are an important, evolving, technology
    but must be used appropriately.
  • An incremental approach and peer to peer linkage
    might offer a more predictable environment than
    hierarchical mega-systems.

42
But always remember that major change can
sometimes have unexpected impacts.
Oh dear!
43
Questions & Answers
Slides can be downloaded from www.profjimnorton.com/jnthaiv3.ppt