235 - Rs 1cr fine for UID data theft ?

Rs 1cr fine for UID data theft ?
Mahendra Kumar Singh, TNN, Jun 30, 2010, 02.31am IST




NEW DELHI: With the UPA government keen to roll out its ambitious plan of giving unique identity numbers to nearly a billion people, the Unique Identification Authority of India (UIDAI) is ready with a draft legislation to ensure data security and confidentiality of information. It has also proposed strict punishment for impersonation and breach of privacy, with fines ranging upto Rs 1 crore.
The draft bill proposes to make UIDAI a statutory body and provides for strict penalty for offences like disclosing identity information, impersonation, giving wrong biometrics and unauthorised access to data.
The draft law says that if any person "intentionally discloses, transmits, copies or otherwise disseminates any identity information collected in the course of enrolment or authentication to any person not authorised", he will be punished by imprisonment for a term which may extend to three years or with a fine which may extend to Rs 10,000.
In the case of a company, the fine may extend to Rs 1 lakh. Any person not authorised by UIDAI caught accessing Central Identities Data Repository (central databank) will be punished with imprisonment for a term which may extend to three years and will be liable to a fine which shall not be less than Rs 1 crore.

234 - Secretary DOPT to head group of Officers to Develop framework on data Protection and Concerns on Privacy

Secretary DOPT to head group of Officers to Develop framework on data Protection and Concerns on Privacy
Friday, June 25, 2010 

The Government has constituted a Group of Officers under the Chairmanship of Secretary, Department of Personnel and Training to develop a framework that could balance the country’s interests and concerns on privacy, data protection and security and which could respect the domain legislations on the subject. The framework developed by the Group would include legal provisions, principles and elements of data protection, security and privacy. While developing the framework, the Group will keep in view the existing provisions of various laws regarding protection of data and privacy of individuals.

The Group is supposed to submit its report within three months. The Group would welcome the suggestions from all interested / knowledgeable persons / observers in this regard.

Suggestions, if any, may be sent to Shri K.G. Verma, Director, Department of Personnel & Training, North Block, New Delhi – 110001 [ kgverma52@yahoo.co.in ], within 10 days of publication of this press release.
 

233 - Bourgeois Inspirations- UID Resources - Ruchi Gupta

Bourgeois Inspirations UID Resources - Ruchi Gupta

There is little discussion or clarity about the UID project in mainstream media. Most newspaper reports are essentially excerpts from the draft approach document with little critical analysis. However, many people in the civil society are raising important questions about the project. These concerns are around two main themes: the potential use of the database by the State for repressive and undemocratic ends; and the monetization of the database for private profit. There are multiple issues under each that should have been debated in the public domain before going full steam on the project. Following are some critiques that discuss some less publicized aspects of the UID project. If you have any other resources, please email me or add in the comments section.

Reimagining Citizenship, Ravi Shukla (EPW)
The Personal is Personal, Usha Ramanathan (Indian Express)
High cost; high risk, R. Ramakumar (Frontline)
The Politics of Identity, Ruchi Gupta (Indian Express)
The Tips of Your Fingers, Jay Griffiths (Orion)
UID Critique
A Gathering Storm – How UID Will Transform India Into A Police State
Implications of Registering, Tracking and Profiling, Usha Ramanathan (Hindu)
An evaluation of biometrical fingerprint systems, Ton van der Putte and Jeroen Keuning
UID Numbers – A Discussion
Eyeing IDs, Usha Ramanathan (Indian Express)
Prof. Kundu on the exclusionary use of the UID project
A National ID Card Won’t Make Us Safer (Bruce Schneier via Nikhil Tripathi) (Talks about ID cards but most logic holds)
UID Debate in Bangalore – Agenda, Panelists and Videos
UIDAI Documents here

An archive of all news reports, blog posts on UID here

UID related tweets here

While the very concept of the UID project should have been discussed and debated in the civil society, given the advanced stage of the project (first #s expected between August 2010 – February 2011), complete transparency around the following questions is essential to ensure democratic end-use and rationalize costs.

Update (March 6, 2010): Response from Deepika Mogilishetty (Legal Advisor, UIDAI) in italics below

What is the primary purpose of the UID number – to improve delivery of government services or improve security (which could help identify illegal immigrants, purported naxals etc)? If the purpose depends on the organization, are there any in-built constraints to limit end use?

The primary purpose of the UID is to provide the infrastructure that will enable better delivery of services and benefits. The UID System is envisioned as a means for residents to easily establish their identity, anywhere in the country. The UID can have a significant impact on service delivery. In the UID system , each new entry is de-duplicated consequently, residents can only have one UID number, which is mobile and can be used anywhere in the country. The lack of duplicates, and accuracy and mobility in identity verification, would reduce opportunities for fraud and enable agencies across the country to provide residents with targeted, effective services and benefits.

Over the last week, there have been several policy statements such as the Economic Survey, Finance Commission Report and the Budget Speech of the Finance Minister, all of which clearly reflect the intent of improving services and the vision for the UID as an enabling infrastructure for targeted delivery of services.

Further, the information collected by the UIDAI is limited and does not throw light on where a person has come from and what they do.

What are the terms of the Mou’s signed with the different states so far?
The MOU’s are being discussed with State Governments once finalised will be made available as public documents.

What are the legislative and design safeguards to ensure that state and central governments do not use UID numbers to selectively track individuals/communities, and/or withhold/withdraw essential services?

The UID system has some basic features that will safeguard individuals and will be reflected in the legislative and regulatory framework:

information on the UID database about the individual is limited and the sole purpose is to establish identity of the UID holder,
authentication services of the UIDAI will respond with a yes or no in relation to queries about a UID holder,
UID database will not hold information on religion, caste, community, etc.
UID database will not be able to confirm anything else about the person other than their identity in relation to their UID number.
there will be no data flow out of the UID database, except under due process of law (e.g. court order).
UID database will not contain any transaction data.
As regards delivery of services, this is the responsibility of the service provider, if there is unjust denial or withdrawal of service that is a matter to be resolved with the service provider.

If there is a denial of service due to authentication problems, UIDAI will have sufficient support systems in place to resolve the matter in a quick and effective manner so as to avoid any inconvenience to the individual.

The legislative and regulatory framework for the UIDAI is being developed and will be put up for discussion, comments and input from the public.

What are the incentives (in addition to the ~100 as registration fee) provided to private operators (insurance, telecom and banks) to share their customer database with UIDAI? Additionally how will the Authority prevent data convergence by these registrars and other private organizations?

Anyone who wishes to have a UID number can approach a Registrar and enrol as per the procedure prescribed. People who choose to enrol give their information with the full knowledge that it is for the UID number. The UIDAI is not paying Registrar’s to share their customer databases. Registrar’s who partner with the UIDAI are doing so with the intent of providing enrolling services to people.

The mechanisms to compensate Registrars are being examined and will be made available once a final decision is taken.

The data collected by the UIDAI is for establishment of identity and authentication, the UID database will be secure and there will be strict protocols in place to protect against unauthorised access and use. Convergence of existing databases will need to be addressed and governed under a larger data protection regime applicable to the whole country and therefore this is a matter beyond the mandate of the UIDAI.

The approach document estimates annual savings of Rs. 20K crore by eliminating duplicates in state welfare schemes. What are the underlying assumptions and calculations for this number?

The sum of Rs 20,000 crores is an assumption which has been arrived at based on reports of the Planning Commission and Comptroller and Auditor General which have quantified leakages in the PDS system (food and fuel subsidies), NREGS.

Various reports peg UIDAI cost at Rs. 15K-30K crore. What are the Authority’s internal calculations and what are the measures/processes in place to ensure rationalization of expenditure incurred? Where has the money allocated last year been spent, and what is the targeted expenditure for the Rs. 1900 crore allocated in this year’s budget?

The accounts for last year will be finalised by the end of March and will be published as soon as it is available. We propose to put into the public domain a detailed plan for spending RS 1900 crores allocated in this year’s budget.

The complete budget of the UID project is in the process of being formulated and will be made public when the exercise has been completed.

Update (March 3):Ravi Shukla argues that the UID will be be used “as a node point bearing citizen data and therefore capable of operating  as a  facilitator and mediator of  market  information [...] [to move the definition of a citizen] to debt legible consumer citizen as opposed to the relatively more inclusive idea of the political citizen.” (Reimagining Citizenship, EPW). The following news report in Economic Times supports his contention. UID #s will form the basis of collecting resident/citizen credit history to “score” their credit worthiness. This history is developed by information sharing by banks, telecoms, insurance etc companies thus essentially killing the individual’s right to privacy. Relevant excerpts below.A host of new credit information companies (CICs) are coming up to provide banks with a comprehensive database of borrowers’ track record. [...] Helping link the borrowers to their credit histories will be the Unique Identification Authority of India (UIDAI) with its social security-like number, which has received a government support of Rs 1,900 crore in the recent Budget. [...] Last week, the Reserve Bank of India (RBI) gave operating licence to Experian Credit Information Company [...] Experian is the first credit information company to receive operating licence after the Credit Information Companies (Regulation) Act was passed in May 2005. [...] Earlier in 2009 the central bank had given in-principle approvals to two companies — Equifax Credit Information Services and High Mark Credit Information Services. Both are expected to get full-fledged operational licences before the end of FY10. [...] CICs maintain a centralised database on borrowers and rate their creditworthiness based on the information on their existing liabilities and past repayment record. The scoring is based on the analysis of the information provided by banks, which have already extended credit facilities to the borrowers. If a borrower goes to multiple lenders, then new lenders will benefit from these scores while making a lending decision and pricing the loan appropriately. The success of the model is based on information sharing between members [emphasis added] — NBFCs and banks. While Cibil enjoys a patronage of 200 credit grantors as members and has a database of about 1.5 million credit accounts, Experian has already obtained commitments from 39 lenders, even before starting full operations. Though the CIC Act has similar provisions for telecom and insurance companies, these are yet to take off commercially.
Update (March 19)

UIDAI MoUs with MP and AP read section 9 (i), (j) and 10.

9 (i) states that the registrars can collect any additional information they may require in order to provide services. This renders the UIDAI assurance that only basic identity information will be collected (to prevent discriminatory profiling) useless.

9 (j) states that the registrar can charge the user a fee for UID enrollment. This is wrong because the beneficiary is essentially coerced into sharing the colossal costs of the UID project since service delivery will likely be made contingent on enrollment.

10 states that if UID is unhappy with the registrars (if processes and standards for enrollment are violated), then the Authority will make some attempt to work things out, failing which UIDAI “will have the option”  de-register registrar or demand replacement. What will happen to the users who are enrolled through this “de-registered” registrar? Will they need to be enrolled again? What about the services they are using in the meanwhile? Also, registrars will likely get some financial benefit for providing enrollment services – if a registrar is de-registered, what about the penalties?

Update (March 14)

Get fingerprinted or pay Rs. 1000 fine

Census, NPR and UID Related queestion: UIDAI is using the Census as a registrar. However, information in the Census will be recorded as given, without documentary proof or other verification checks. On the basis of this information, the UIDAI will de-duplicate the NPR and issue UID numbers. How will the verification and enrollment standards of UIDAI be met?

Update (March 15)

This surprised even me – apparently biometric readers accept even photocopied fingerprints.



Update (March 18)

Census to skip Naxal controlled villages This news is significant because the Census will feed into the NPR, which will then be used to issue ID cards and also a UID #. In fact Nilekani calls the Census an “important registrar“. Another news report above talks about a Rs. 1000 fine for refusing to participate in the Census. The two combined together will essentially criminalize those individuals who are left out of the Census/NPR exercise as evidenced by the ID card/UID #. In Chhattisgarh especially, a villager without n ID card can easily be labeled by the police as a Maoist.

Update (May 4)

Significant differences between UIDAI’s PR speak and their actions. Some examples below.
Stated Position  ->       Actual

1. Constitution by Parliament Act -> Plan Comm Notification
2. UID # will be voluntary -> Conflated with mandatory Census and NPR; registrars may mandate enrollment before providing service
3. UID # to improve delivery of welfare services -> UIDAI not responsible for any improvements/leakages. Home Ministry launching a fingerprint database for criminals (Rs. 15K fingerprint reader in each police station of 22 states)

4. Data collection restricted to basic identity info -> MoU with AP/MP states that registrars can collect additional info required by them
5. Individual privacy will be protected -> We have no privileged information since the data already exists in many public databases
6. UID # will be random with no intelligence in # itself -> 12 digit number with 4 hidden digits (for pin/residence)
7. UIDAI will ensure data quality -> Registrar responsible for data quality; UIDAI and registrar not liable in case of intentional fraud by user

Update (May 5)

“The UIDAI would be proposing a UIDAI Act to provide for statutory powers and responsibilities to the authority. This Act would address the issues of privacy and data security of the UIDAI database,” Mr Nilekani said. This Act if it is to be meaningful and truly intended for regulation and not just parliamentary sanction for UIDAI must include certain safeguards to preemptively block certain types of usage, and protect the public in case of misuse or implementation glitches. Some draft UID-LegislativeSafeguards

Update (May 11)

UIDAI CSO meeting in Delhi on May 6h. Discussion was around three main areas: potential misuse (privacy, security etc); implementation ((in)efficiency of registrars; exclusion of marginalized groups like homeless, remote rural etc); and technological (feasibility; open-source software etc). Since there were around 35 people with diverse interests, the discussion wasn’t focused; however the following was agreed upon:

- UIDAI will share draft of UIDAI Act before submitting to govt (news report here)

- UIDAI will redesign website for RTI Section 4 compliance

- Future CSO meetings will be organized around specific interests – technology, economics, security concerns etc

- UIDAI will list concerns raised in previous CSO meetings and actions/decisions taken for each on their website

Update (May 12)
PM okays NATGRID despite opposition by Pranab (violation of privacy) and Antony (existing Joint Intelligence Committee satisfactory). Chidambaram, our resident human rights advocate says  “The NatGrid will provide a system of information to all the agencies about any person the moment a button is pressed,” and “country can’t pay price in name of privacy”

UK moves to cancel National Identity Cards and National Identity Register: Both Parties that now form the new Government stated in their manifestos that they will cancel Identity Cards and the National Identity Register. We will announce in due course how this will be achieved.

Update (June 02)

Committee comprising officials from the Prime Minister’s office (PMO), home ministry, planning commission and the UIDAI to review UID.
“Even if iris leads to de-duplication with 99 per cent accuracy, given the fact that close to 60 crore people to be given the UID number, will this level of accuracy be acceptable especially in matters related to security?” said the source.
“Therefore, the planning commission has to keep in mind that over the next five years, the cost of the UIDAI to be borne by the public exchequer would be in the range of Rs 35,000-40,000 crore (this cost is estimated for enrollment of 60 crore people -> total cost of project at least Rs. 70-80K crores). Before deciding on enhancing the scope of the UIDAI and prescribing the most stringent standards, the government’s ability to finance such an exercise also needs to be considered,” an official in the planning commission said.
Update (June 02)

UIDAI CSO Meeting on May 6th – Minutes
Update (June 21)
Responses received from Raju Rajagopal and Srikanth Nadamuni
Raja Rajagopal
1. All the CSO meeting notes are now up on the UIDAI website. As for action taken, I am not sure that the earlier meeting action items were specific enough to track point by point, but I do plan to write a consolidated action taken report soon. We will, however, start with the May 6th meeting notes for a point by point update as action is taken.
2. We have been striving to get the UID draft law into shape for public comment and expect it to be available very soon. FAQs will be updated once the UID Law is out for comments.
3. Srikanth Nadhamuni heads up the technology group (he was at the May 6th meeting, as you may recall). You may reach him at srikanth@egovernments.org. By copy of this e-mail, I am forwarding to him the technology/biometrics related questions you have asked.
4. Re:NPR and UIDAI, as our DG mentioned on May 6th, there is a joint institutional mechanism set up to go into the details and we will update our FAQs as we get better clarity on the interfaces.
5. I understand that a third party vendor is about to commence work on redesigning the UIDAI website soon. If you have a specific list of criteria to make the website RTI compliant, please do share them with us so we can discuss them with the vendor. At some point in the next few weeks, I do plan to come and meet Nikhil, Shekar and other MKSS folks for a follow up discussion of the May 6th dialogue.
6. As for your questions related to budgets and other matters, responses to which will involve several disciplines with UIDAI, I plan to internally discuss practical mechanisms to respond to questions from CSOs and citizens, and I will get back to you. That aside, UIDAI has not been routinely responding to news reports such as the one you have referred to.
Srikanth Nadamuni
UIDAI is using the Census as a registrar. However, information in the Census will be recorded as given, without documentary proof or other verification checks. On the basis of this information, the UIDAI will de-duplicate the NPR and issue UID numbers. How will this verification and enrollment standards of the UIDAI be met?
The FARs and FRRs have to be tuned as the system is operationalized for best results.
A very good question, The NPR exercise does incorporate a verification check, although it is not based on documentary proof. The process of verifying enrolments in the NPR is based on public display of the name and other fields with photograph at the village, any corrections that gets reported will get incorporated and only the verified list is sent to UID for enrolment.
As per the Iris Paper, 10 fingerprints would yield de-duplication accuracy of 95%; the addition of iris scan will improve accuracy up to 99% (though the committee declines to make an accuracy prediction). Even assuming a 1% error rate, on a population size of 1.2B, this is still 12M errors (the incidence of error will be likely highest in poor rural areas given the quality of data collection and bad fingerprints). The UIDAI position seems to be that corrections/updation will be initiated by the user – are there any supplementary mechanisms?
There are 2 kinds of errors that can exist in such a biometric system:
1) FAR – False Acceptance Rate – The system falsely accepting person A for person B since their biometrics are very similar.

2) FRR – False Reject Rate – The system falsely rejects the biometrics from the same person as not matching.

The FAR and FRR of a biometric system are inversely proportional to each other (if you try to get better FAR, the FRR increases and the vice versa). In order to maintain a high level of accuracy as well as to reduce vendor lock-in we are designing 2 different sub-systems for ‘enrolment’(needs better FRR) and ‘authentication’(needs better FAR).
As you will see from the “UID Biometric Design Standards” report page 44( biometric accuracy) that with 10 fingerprints the FAR error is close to zero, this is relevant during ‘authentication’ another important consideration is UID authentication takes the UID number and the biometrics, which means we pull up the resident’s record and simply match the captured fingerprint against the 10 for that person only – a lot simpler problem, WE ARE NOT COMPARING THE FINGERPRINTS AGAINST 1.2BILLION PEOPLE during authentication.
During enrolment when we de-duplicate the enrolment records to maintain uniqueness, here the FRR become more important(don’t want to accept 2 duplicate biometric records as different and hence not catch a duplicate enrolment), but since the enrolment sub-system is quite separate from authentication we can try and improve FRR without any need to keep FAR low.
 

232 - How to make Fake Finger Prints

How to Make Fake Finger Prints

231 - Lone UIDAI representative vanishes from the UID meet

Lone UIDAI representative vanishes from the UID meet

June 25, 2010 07:46 PM


With concerns related to privacy and security, attendee of a recent seminar thought, they would get to hear from a lone representative of UIDAI. But, in the middle of the seminar, the UIDAI representative just vanished from the seminar, leaving behind unanswered questions.
Following the concerns raised by experts, Bengaluru-based Ecumenical Christian Center (ECC) organised a seminar on the unique identification (UID) programme of the union government. However, to the surprise of everyone, including the organizers, a lone representative of the Unique Identification Authority of India (UIDAI) vanished in the middle of the seminar. This has raised questions about the seriousness on part of the UIDAI to discuss issues related with the ambitious UID project.
There were about 75-80 experts including some from IT companies like Wipro and Infosys present for the seminar. Sunil Abraham, executive director, Centre for Internet and Society and Mathew Thomas of Citizens Action Forum, addressed it.
According to Dr M Mani Chacko, director, ECC, the Center organised the seminar in a hope to create more awareness about the UID project. "We need more information related with the project which involves privacy and security concerns. We wanted either Mr (Nandan) Nilekani or someone from his core team to address us in the seminar. But they sent an intern, who did not speak a single word and was rather observing the proceedings, Dr Mani Chacko said.
The audience was apprehensive about the UID project, especially in light of cancellation or rejection of similar projects across the world. The UIDAI should come forward and should provide all information, answer all concerns of people, the audience felt. However, by sending an intern, who was nowhere to be seen after a sometime, the authority is not presenting an impressive picture, some of the attendees said.
"I also wanted to ask some question to the UIDAI representative, but when I turned back, I could not find him there in the audience," said Dr Mani Chacko.

230 - Malaysian ID Card by Roger Clark

Malaysian IDCard by Roger Clark


1. Introduction

The Malaysian Government Multipurpose Card (GMPC) or MyKad is a standard credit-card-sized plastic token with an embedded microchip. It has been issued progressively since 2001, with the intention of being obligatorily used by the entire population of 18 years and over by the end of 2005 (or perhaps 2007).

The card displays several items of data, carries several categories of data in the chip, including a biometric, is used by multiple government agencies, and has been designed for extensibility and 'function creep'. It is subject to highly inadequate protections.

Various reports state that versions of the card have been issued bearing respectively a 32Kb and a 64Kb EEPROM (Electrically Erasable Programmable Read-Only Memory) chip, using the M-COS operating system. The larger version supports a digital signature key and digital signing (often mistakenly referred to as PKI). It is unclear to what extent each of the various applications is used.

This document provides some background resources related to MyKad.

2. The 'New Scientist' Report on the Launch of MyKad
'Malaysia pioneers smart cards with fingerprint data' New Scientist, 21 September 2001


The world's first national smart card scheme to store biometric data on an in-built computer chip has been introduced in Malaysia. The cards are compulsory for Malaysia's citizens and are encoded with a copy of the owner's fingerprints.


Pressure is growing in other countries for improved identification schemes, especially since the recent terrorist atrocities in the US.


"A lot of governments including the US will be looking at better identification systems to monitor the movement of people within their countries after the terror attacks," said Wan Mohamad Ariffin, smart card project director at Malaysia's National Registration Department. "We are willing to share our technology. It could be part of the solution to the security issue."


Although the strongest opposition to such schemes will probably come from civil liberties groups, technical experts also say that such measures will not thwart criminals or determined terror groups.


Identity theft


Ross Anderson, an expert in computer security at Cambridge University, says that smart cards may make forging ID cards harder but they are unlikely to provide a complete solution.


"You can maybe exert some downward pressure on identity theft by incorporating machine readable fingerprints of some kind or another," Anderson told New Scientist. "But, in this situation, making identity cards harder to forge is solving the wrong problem."


Anderson says that terrorist groups will simply subvert the system another way, by using a stolen birth certificate, for example. He also points out that, unless an individual has been identified by the authorities as a threat, smart cards will not help.


Nevertheless, smart cards should make fraud more difficult. Although most cards will give up their digital secrets to a determined expert, combined with digital signatures they make forgery more complicated.


This is important because the Malaysian government has said that the new cards are likely to be used to authorise financial payments and withdraw cash, as well as identify individuals to the authorities.
Digital signature


Markus Kuhn, also at Cambridge University's computer science department, says that the biometrics stored on a modern smart card will be authenticated by a central authority when the card is created, in the form of a digital signature.


This means that even if a card is stolen and a new fingerprint data inserted, anyone with a government scanner could recognise it as fake. "You can put a new fingerprint on the card but not forge its overall signature," Kuhn says.
But opposition to this type of smart-card system remains from civil libertarians. "I don't think that these will stop terrorist acts," says Yaman Akdeniz, director of Cyber-Rights & Cyber-Liberties. "They are more controlling measures. They let a government track you and know more about you."


The US government is currently increasing its capacity to track citizens. The Combating Terrorism Act of 2001, proposed shortly after the devastation of New York and Washington DC, would increase the powers of federal agents to wiretap individuals.


3. The Privacy International Report
Extract from Privacy International's Country Report for Malaysia (November 2004)


Since 1999, the Malaysian government has begun gradually phasing in a multi-purpose national ID smart card, that it intends all Malaysians to adopt by 2005.[31] The card, known as "MyKad," incorporates both photo identification and fingerprint biometric technology and is designed with six main functions: identification, driver's license, passport information (although a passport is still required for travel overseas), health information (blood type, allergies, chronic diseases, etc.), and an e-cash function.[32] The card can also function as an ATM card, although it is MyKad's least attractive feature and banks have discouraged customers from using the card for such purpose.[33] There are plans for adding additional applications for digital signatures for e-commerce transactions.[34]


The Malaysian government originally proposed placing the religious affiliation of all citizens on the cards, but complaints from the country's non-Muslim ethnic groups prompted the government to limit identification to Muslims only. In January 1999, it was announced that Islamic religious authorities in the capital, Kuala Lumpur, would be equipped with portable card readers in order to instantly verify the vows of Muslim couples found in "close proximity." In his 2002 budget speech, the Prime Minister proposed adding marital status and voting constituency information to the cards for the benefit of religious authorities and to minimize electoral fraud, respectively. Both proposals were sharply criticized by opposition Member of Parliament Teresa Kok as being an unnecessary invasion of privacy.[35] The anonymity of balloting is already a matter of concern for privacy advocates, even without MyKad. Traditional ballots are marked with a serial number that can be matched against a voter's name. While there is no evidence that the government has ever tracked individual votes, some opposition leaders allege that the potential to do so has had a chilling effect on some voters, particularly civil servants.
With so much personal information stored on the MyKad, even proponents of the card have acknowledged inherent privacy risks: "[h]aving the smart card will probably increase theft . . . because the attraction is there. There is a lot of personal information stored [on the card], including buying patterns which would attract (card cloning) syndicates," according to industry analyst Jafizwaty Ishahak. Recently, the National Registration Department (NRD) admitted that the practice of surrendering identity cards to security guards before entering certain premises may need to be changed because of privacy concerns.[36] The Consumers Association of Penang has argued that the cards make individuals' personal and confidential information too vulnerable and has recommended that the proposed Personal Data Protection Act address these risks specifically.[37]


The Federation of Malaysian Consumers Associations criticized the government for not implementing clear guidelines or consulting with the public on how MyKad is to be used, by whom and for what purpose. The Federation also challenged the security of the system, contending that the storage of personal information in a centralized database makes it vulnerable to tampering and sabotage. Later, in 2004, the Bar Council chief severely criticized the security and privacy risks related to the use of MyKad, and sought strong privacy laws to protect card holders against potential misuse, pointing out that personal data contained on the card could easily be accessed.[38] It is widely known that anyone with a card reader can access all information contained in the card.[39] In response to such critiques, the government is now reportedly drafting a bill to ensure the privacy of MyKad users and protect the information stored against unauthorized use.[40]


Users can access personal information on their cards at government kiosks and offices, after biometric authentication of their fingerprint. Access to personal information by others is hierarchical or compartmentalized. For example, only certain medical officers have access to sensitive health information. However, access to some personal information held in the MyKad system seems to be available, remotely via a network, to a wide range of third parties, including hotels, restaurants and ticket agents. Determining who has access to what information and for what purpose remains opaque for Malaysians.


MyKad is currently optional, but it automatically replaces other forms of expired identification and is quickly becoming a de facto requirement to access certain government and private-sector services. In December 1998, the government began requiring cyber cafés to obtain name, address, and identity card information from patrons. However it lifted this requirement in March 1999.[41] In some cases there may be penalties for not carrying the card. In 1998, the government announced that persons not carrying identification cards risk being detained by immigration authorities.[42] It is the government's intention that all of Malaysia's population over the age of 12 will be registered in the MyKad system by 2005. Those under the age of 12 are encouraged to apply for a junior version of the MyKad, which differs only in its lack of a photograph and thumbprint biometric.


[31] "Privacy of MyKad Holders to Be Protected by Law," New Straits Times, May 19, 2004, at 6.
[32] "Wise Up to Role of Smart Card," The Star, December 15, 2002.
[33] "Privacy of MyKad Holders to Be Protected by Law," supra. See also "Free Upgrade of MyKad to 64K," New Straits Times, June 16, 2004, at 5.
[34] "Card Sharps," The Bulletin (Australia), May 14, 2003; Joe Celko, "The Road to Dystopia: How much Information Can the Government Control?" Intelligent Enterprise, May 9, 2002. See also Rozana Sani, "Utilising PKI Applications in MyKad," New Straits Times, December 18, 2003, at 4.
[35] News Release, "Government Proposal to Add Marital, Constituency Information to MyKad Should Be Debated," MP for Seputeh Teresa Kok, September 27, 2002.
[36] Rosnazura Idrus, "Leaving MyKad at Guardhouse under Review," New Straits Times, July 9, 2003.
[37] "Smart IC Open to Abuse," The Star, April 18, 2001.
[38] "Bar Council Chief Seeks Laws to Protect MyKad Data," New Straits Times, April 3, 2004, at 8.
[39] "Privacy of MyKad Holders to Be Protected by Law," supra.
[40] Id. See also A. Shukor Rahman, "Evaluating Risks in MyKad," New Straits Times, October 20, 2003, at 21.
[41] "Cabinet: Cybercafes not Subjected to Restrictions," New Straits Times, March 18, 1999.
[42] Annie Freeda Cruez, "Malaysians Told: Carry ICs or Risk Detention," New Straits Times (Malaysia), May 14, 1998.
4. A Report from Justice, UK
Extract from 'Information Resource on Identity Cards' Justice, London (November 2004). Warning: The document was prepared by interns and some caution is needed.


49. Malaysian Identity Cards, known to its citizens as ICs and to the Government as the `MyKad', were first introduced by the British in pre-independent Malaya to help control the communist insurgency. Today, the card has a multi-purpose smart chip and looks very much like an ordinary credit card, incorporating a host of technological features. Malaysia's technological development has far out-paced the development of the legal system, and identity cards provide such an example. The advances in data storage technology have not been matched with adequate legal protection and safeguards.


50. The Malaysian Constitution does not provide for the issuance of ID cards. The National Registration Act 1959 (the 1959 Act) provides for the establishment and maintenance of a registry of all persons in Malaysia (Section 4 of the 1959 Act) and that every person in Malaysia be registered under the Act (Section 5 of the 1959 Act). The Register extends to all residents of Malaysia, and includes noncitizens who work or reside there. More importantly, the 1959 Act gives the Minister in charge of the National Registration Department, historically the Home Affairs Minister (the equivalent of the British Home Secretary), extremely wide and discretionary powers in respect of virtually every aspect of the national identity system under Section 6.


51. Under the 1959 Act, Malaysians citizens and permanent residents above the age of 12 years are eligible to apply for and ID card. Because an ID card is required for many legal activities, including opening bank accounts or dealing with the state, most Malaysian apply for an ID card when the reach the age of 12. Under the National Registration Rules 1990, every citizen or permanent resident over the age of 18 is required to apply for an ID card, and late applicants are fined a nominal sum.


52. The new ID cards are `smart cards' with an embedded 64K chip in each card that carries the personal information of the holder. The face of the card no longer has the holder's thumbprints, but has his or her ID number, full name, address, nationality, sex, and photograph. These cards are called the Government Multipurpose Card (GMPC) and were introduced as part of the Government's IT initiative, the Multimedia Super Corridor. The GMPC was marketed to the public as `MyKad'. Significantly, the Government sees the card as an interface device with not only government agencies, but also the private sector. The MyKad project is run by five different agencies, all of which have access to the data on the card - the National Registration Department (NRD) as the lead agency; the Road Transport Department (RTD); Royal Malaysian Police (RMP); Ministry of Health (MOH); and the Immigration Department (IMM).


53. The new ID cards replace the old identification cards and, if individuals choose, the driving license. In addition, it uses chip and biometrics identificationtechnology to identify individuals, can allow the Police and the Road Traffic Agency to access its information (driving license version only), and supplements the Malaysians International passport to facilitate efficient exit and re-entry from Malaysian Immigration checkpoints. Currently, even Malaysian passports are chip based. The new cards will be used for intra-Malaysia travel and by Malaysians when leaving or re-entering the country. Basic and critical medical information, such as allergies and blood type, are also stored in the chip. The new card, once registered with a local bank, can be used as an ATM or debit card [not recommended by banks], and once registered with the national transportation payment system, Touch n' Go, can be used to pay for things like bus tickets or road toll fares. The card can be used in lieu of three different bankcards.


54. The Public Key Infrastructure (PKI) in every MyKad [sic - the 'infrastructure' is external to the card] enables users to conduct secured e-commerce and transactions using a digital certificate over networks such as the Internet. Authenticity and integrity of the data is protected and inaccessible to anyone, apart from the relevant government agencies and the owner of the MyKad. Information contained in the chip can be accessed using three different devices, all of which are largely inaccessible to the public, but will soon be carried by the police.


55. Issues relating to the cards can be divided into legal and technological categories.


56. The Personal Data Protection Act was passed in 2002 and provides similar safeguards as the UK's Data Protection Act 1998, including the appointment of a Data Protection Commissioner. However, the Act has yet to come into full effect, on the grounds that it will be a burden to businesses. There are no other safeguards against the abuse and privacy of data in the new ID cards. Even the Malaysian Constitution does not provide for the protection of privacy.


57. The Malaysian Government asserts that the new ID cards employ state-of-the-art technology that incorporates multiple layers of security features: `these features include the card authentication using symmetric key cryptography, a multi applications Operating Systems with firewalls and a secure chip platform.' However there is real concern that there are no adequate protections for personal data. The smart card readers can be used by virtually any government agency. Further, the willingness to share data with the private sector without the prior consent of the citizen concerned is worrying.


58. A joint survey by the Electronic Privacy Information Centre in Washington and Privacy International in the UK summed up the risks: Users can access personal information on their cards at government kiosks and offices, after biometric authentication of their fingerprint. Access to personal information by others is hierarchical or compartmentalized. For example, only certain medical officers have access to sensitive health information. However, access to some personal information held in the MyKad system seems to be available, remotely via a network, to a wide range of third parties, including hotels, restaurants and ticket agents. Determining who has access to what information and for what purpose remains opaque for individual Malaysians. 40


59. Malaysia leads the world in the frequency and scope of everyday use of ID cards. However, the system employed is not without problems. Although the issuing and scanning procedures appear to be sound, there are significant concerns over the lack of legal and technological provisions to ensure data protection; a fact which is particularly worrying considering the wide range of personal information stored. Concerns have been voiced about both function creep and access to information with regard to the draft Bill in the UK, and the Malaysian experience highlights the fact that any legislation needs to incorporate strict controls on access to, and subsequent use of, personal information.

229 - Caslon Analytics on Australia Card

Caslon Analytics on Australia Card


One narrative has featured the emergence of an unprecedented peril, with a small band of prescient activists valiantly gaining the attention of the media and a sleepy community in what becomes a successful crusade to defeat opportunistic politicians, ambitious bureaucrats and greedy technology vendors who treat privacy as a low-value commodity. 


( This is worth reading . Please go to the web  site by cicking on the link)

228 - Australia Card by Roger Clark

Australia Card by Roger Clark


Abstract
During 1985-86 the Federal Government developed a proposal for a national identification scheme. Following increasing public concern about the scheme's implications, the Australia Card Bill was defeated in the Senate in November 1986. This paper outlines the proposal, and comments on its technical features, its economics, and its implications.


Background
During early 1985 the Federal Government embarked upon a campaign to address the problems of widespread tax evasion and tax avoidance. The Draft White Paper on Tax Reform which was released in the lead-up to the ill-fated Tax Summit in July 1985 mentioned, in a few words, the possibility of a 'national identification system'.
It appears that a tax lobbyist, Eric Risstrom, President of the Tax Payers' Association, had suggested the idea directly to the Prime Minister, Bob Hawke, in March. The idea struck a chord in the upper echelons of a public service beset with the problems of administering large-scale welfare, tax and social control programmes in a country whose law and customs traditionally provide considerable scope to the individual. It was publicly floated by a senior tax official shortly afterwards, and discussed by Caucus in April-May.
The proposal was passed from the Treasurer to the Minister for Health for further development, presumably because of the success with which the Health Insurance Commission (HIC) had introduced the Medicare scheme in 1983-4. Neal Blewett, in the Ministry but not yet in Cabinet, grasped the opportunity with vigour. With the aid of an advertising agency he dubbed it the 'Australia Card' scheme, decked it out in patriotic green and gold, and promoted it with a glossy brochure and mocked-up Cards for the press gallery.
At the Tax Summit, the invitees were concerned with economic rather than social issues, and reasonably enough regarded the ID scheme as peripheral to the main agenda. Since it was not subjected to any critical consideration, the Prime Minister was able to claim 'consensus' support for it.
The scheme was developed during the period May 1985 to October 1986. The Senate forced the matter to be referred to a Joint Select Committee of Federal Parliament which considered it in the period December 1985 to March 1986. Public comment to that Committee was severely constrained by the failure of the Government to publish its significantly changed and further developed proposals until after the closing data for public submissions. Despite this, a majority of the Committee, comprising members from all parties, concluded that the scheme should not be proceeded with. The Government ignored that conclusion.
During the early months of the campaign, public opinion polls showed significant support for the scheme. The questions were of the form 'The Government proposes to introduce an Australia Card to address the problems of tax evasion, welfare fraud and immigration. Are you in favour of such a card?' The fact that some 25-30% of the samples said no to this heavily biassed question may reflect considerable cynicism in the community about government power.
By the beginning of 1986 the Australian Democrats, through their incoming leader Janine Haines, were committed to oppose the scheme. By late 1986 there was greater awareness in the community concerning the scheme, and a moderate level of concern. This made it possible for the Shadow Health Minister, James Porter, to convince the Liberal and National Parties (some of whose members had originally been attracted by the scheme) to oppose it. This they did, in the Senate in November-December 1986, with great vigour. The combined strength of the Democrats, Liberals and Nationals defeated the Bill.
This paper reports on the scheme as it was understood at the end of 1986. The major official documents are listed in the Bibliography. Those which are currently authoritative are the Bill itself; and the Health Department's 'Toward Fairness and Equity' and the Health Insurance Commission's Planning Report, both of February 1986.
The scheme comprises a number of inter-dependent elements which are identified in Exhibit 1. The Government has been careful to project the proposal as the 'Australia Card' scheme, and has, largely successfully, played down the 'databanks and dossiers' aspects. It has even claimed that the register, the hub of the network, is not a centralised database.
Exhibit 1: Elements of the 'Australia Card' Scheme
a central register containing data about each member of the entire population. This would be maintained by the Health Insurance Commission (HIC), which hitherto has been responsible for the Medicare and Medibank Private health insurance schemes;
a unique identifying code for each member of the population, which would be assigned by the HIC;
an obligatory, multi-purpose identification card for each member of the population, which would be issued by the HIC;
obligations on individuals to produce the card when undertaking a wide variety of dealings with a wide variety of both government agencies and private sector organisations, including all employers and financial institutions, but also hospitals, real estate agents, produce agents, etc;
obligations on organisations to demand the card, record the code, apply sanctions to people who fail to produce it, and report information using the code;
use of the code by a wide variety of organisations. Despite promises to the contrary, it does not appear that private sector record-keepers are precluded from using the code as an internal identifier;
use of the register or information from the register by:
the participating agencies:
the Tax Office;
the Department of Social Security; and
the HIC in respect of both Medicare and the national identification scheme;
other agencies:
the Immigration Department in specific circumstances; and
the Federal Police in specific circumstances.
use of reports containing the code by the Tax Office;
cross-notification of changes to identifying data, particularly address, between the HIC and the participating agencies.
The Objectives
Despite explicitly referring to the matter in May (HIC1, p.3, 2.2), the planning authority was in August 1985 still "not aware of any formal statement of objectives" (HIC2, p.57, D1.2). Even in its February 1986 submission to the Joint Select Committee the Government failed to make its objectives explicit.
The July 1985 advertising brochure included the objective of rationalising all record-keeping about individuals by government agencies. Both the Treasurer's Statement (September 1985) and the HIC's final planning report (HIC3, p.17) assumed that the scheme was general-purpose in nature.
In promoting the scheme, the Government has focussed on tax evasion, welfare fraud and illegal immigration. It claimed large savings from taxation and immigration, but reluctantly accepted a conservative estimate of zero savings from welfare fraud. It also accepted (if somewhat equivocally) that the scheme would have no impact on either organised crime or the 'black economy' of cash and barter.
However, there are good reasons for assuming that the concentration on these 'ideas in good standing' is merely tact or tactics. The Health Insurance Commission was refreshingly frank in its advice to the Government: "It will be important to minimise any adverse public reaction to implementation of the system. One possibility would be to use a staged approach for implementation, whereby only less sensitive data are held in the system initially, with the facility to input additional data at a later stage when public acceptance may be forthcoming more readily" (HIC1, p.4, 2.7. See also IDC2, pp.12-13, 314). The existence of further such quotations is one plausible explanation for the Government's refusal to release the report of the first IDC - the danger that publication of such subversive material poses to the public service's credibility and power is a major reason for its violent reaction against access under Freedom of Information legislation to working documents of all kinds.
During the development of the project, many representations were made for additional uses (in one day, Cabinet considered 37 of them). The proposal at one stage included 13 agencies before being contracted back to three major and two secondary participants.
The Basis of Identification
The HIC proposes a two-step process to recognise identities, and to assign them to individuals. It would first merge or compare data from over two dozen databases from nine government agencies against the Medicare register. Candidate identities which appear on particular combinations of databases would have to be judged to be more or less likely to be valid.
In the second step, individuals would be required to submit an application form. They would then be 'invited' to attend an interview. They may be associated with one (or more?) candidate identities on the basis of information they have supplied on their application form. They may also be required to present such documents as they can find, to demonstrate that they have used a particular identity consistently in at least recent years. They would then supply a sample signature and have a photograph taken for inclusion in digitised form on both the card and the register. They would be required to return at a later date to collect their nominally forge-proof card, which is to be prepared at a secure site in Canberra.
This procedure is to apply to everyone including bishops, swagmen and vagrants, captains of industry, itinerant workers, senior public servants, children, politicians and babies. There are to be special arrangements for the bed-ridden, the institutionalised and those in remote areas (presumably including aboriginals living traditional lifestyles).
Deficiencies in the Identification Mechanism
A secure and reliable identification scheme would have to be based on some physiological characteristic which the individual could not alienate, and which was held on record by the organisation.
At present the only technically effective basis is fingerprints. Fingerprint identification techniques were developed for the express purpose of assisting in criminal investigation, and some qualms would be felt by most people at applying such a technology to the entire population. This approach would also be very expensive. The HIC decided against fingerprints for the time being, but proposes to equip itself with image-capture, -storage and -display capabilities for photographs and signatures. It would therefore be well-prepared to move in the direction of fingerprints when the opportunity presented itself.
The scheme does not incorporate any such 'positive' or physiological identification, although the card and register would contain a small, grainy, black-and-white photograph. Since a person's appearance is variable, depending on the length, style and colour of facial hair, adornments particularly glasses, angle of view, lighting conditions, mood, et cetera, a photograph is an entirely inadequate basis. It would provide a low-integrity check, and might help prevent, or at least detect, a proportion of the more gross errors and frauds.
The merger of over twenty databases promises to be a technically challenging and exciting project. But because of such inaccuracies as out-of-date addresses, and variants and mis-spellings of the prime matching data (address, name and date of birth), millions more candidate identities would be generated than there are people in Australia. It is common knowledge that Medicare cards were issued in respect of 15.8 million at a time when the ABS-estimated population of Australia was15.2 million. In that case, of course, the integrity shortfall was of no consequence: the political objective was to ensure the credibility of the 'bulk-billing' alternative, and the control mechanism was neither the card nor the register, but the doctor's invoice. However in only three years this once low-integrity database has been elevated (at least in the perception of its administrators) to a high-integrity register to be used as the hub of a nationwide identity verification scheme.
Judging whether candidate identities will be deemed valid or not will be a further challenge. The complexity of our society is far too great to permit the specification of a reliable set of a priori rules. The identity validity criteria will be at first arbitrary, later perhaps empirical.
However there are many people in Australia who have not developed a bureaucratically acceptable trail, who would be in limbo until officially recognised, and who would occupy valuable time both at HIC front-counters, and in the regional offices and central office where the difficult decisions would be made. There are many people who lack skills with the English language (no provision appears to have been made for interpreters), and in dealings with counter-clerks.
There are also criminal aliases with impeccable credentials. At the very least there are numbers of drug-runners who have had passports issued to them in multiple names. In order to achieve the critical target of a one-to-one relationship between cards and individuals were to be achieved, the criteria used would clearly have to be even narrower than the recently tightened rules of the Passports Office.
There is also the problem that no reliable documentary evidence of identity exists. Birth Certificates are issued to anyone who has a seemingly good reason - their purpose is to evidence the recorded details relating to the birth of some person, and certainly not to prove that a person is who he claims to be. All documents are derivative from seed documents such as this.
Of the present Australian population, 21% was born outside the country. For them the HIC may accept their Immigration records and/or foreign passports, in which case they will and must issue as many cards to any one individual as he can produce matching entries on the register. Until the last 'flag-of-convenience' in the world closes its doors, or a single world-wide identification scheme is operational, imported false identities will continue to be used.
The Bill also opens up another means of abuse, by allowing 'prescribed persons' (presumably much the same very long list as is applicable to passports) to issue 'certificates of identity' for transmission through the mail. Presumably some additional exceptions will need to be administratively allowed, to cater for relevant financial transactions undertaken using telecommunications.
The concept of 'one-person-one-identity' which underlies the scheme is in any case dubious. It is a concept foreign to British and Australian law, because the use of an alias has never been in itself a crime. Many people 'hide behind' more than one name, variously for psychological, security and sometimes criminal reasons. Users of aliases include creative people like artists, authors and actors, and professional people, particularly females, but also staff at psychiatric and prison institutions, private detectives and intelligence operatives.
The designers of the scheme seem not to have appreciated the need to fit it into its cultural context. Judging by the following exchange between the Joint Select Committee and the HIC's Assistant General Manager for the Australia Card, it is possible that some of them do not even understand what 'cultural context' means:
Senator Puplick:     ... Which countries did you visit which have legal systems based on common law principles? Mr Hazell:    Could you explain what you mean by that? Senator Puplick:    Which common law countries did you visit as distinct from civil law countries? Mr Hazell:    I am afraid I do not understand what you mean.
The Mechanism and the Gains
Everyone would be required to present the card when seeking employment or government benefits, when opening new accounts with financial institutions, and in a variety of other circumstances associated with the receipt of income and transfer of funds.
Each organisation would report to central authorities (at this stage only the Tax Office) using the number. The Government has asserted that gains would arise in a variety of ways from this arrangement, but have offered little explanation of the mechanisms. When challenged by the Joint Select Committee, the Tax Office claimed that their estimates of gains were based on 'qualitative assessment'.
It is clear that interest income to individuals is currently well under-stated in tax returns, and that more tax should be collected. Of course, this could be achieved in large measure by far less extreme means than this scheme. Indeed, if the Tax Office had exercised the power and responsibility given to it in 1932, the high incidence of casual evasion would never have arisen.
The means whereby most of the other gains would arise are unclear, illusory or at worst just plain fraudulent. The Department of Social Security testified that most social welfare over-payment and fraud arises not from mis-identification but from misunderstanding and mis-statement of circumstances. The vast gains from illegal immigration ($1.3bn over 10 years) are based on the implicit and hilariously naive assumptions that all 60,000 illegal immigrants would be promptly and costlessly found and despatched (somewhere - anywhere), and that no more would arrive.
It was also pointed out by John Logan of the Centre for Independent Studies that such benefits as do actually result from the scheme would not be gains. They represent an opportunity either to reduce the government deficit, or to redistribute the taxation load from less honest taxpayers and social security recipients to more honest people. The maximum possible re-distribution (based on the Government's own, very optimistic estimates) is $40 per person per year.
There would be a clear incentive for many more activities to move into the 'black economy' of cash and barter, further enlarging the gap between the official, documentary level of society and reality. There are also arguable cases that some marginal activities would cease altogether and some would migrate offshore. The Government has not addressed these fundamental questions.
The Financial Costs
The official estimates of government costs have varied widely during the course of the campaign. A variety of omissions and under-estimates remain, including the compliance costs of government agencies themselves. There are significant errors in calculating personnel requirements (the overheads of supervision, staff turnover and leave were omitted).
The cost and inconvenience to individuals in complying with requirements are totally ignored. Recent ABS statistics show that at the end of each year 15% of the population are at a different address within the same State, and a further 1.7% are at a new address interstate. After allowing for international movements, and multiple moves by the same family, the volatility of the 16 million addresses on the Register would appear to be above 20% per annum.
Costs to the private sector would be vast, since every company in the country would need to change complex and, in many cases, ancient payroll and creditors systems, and every investment system in the country's banks, building societies, credit unions, trusts, insurance companies, solicitors' offices and even real estate agents would have to be modified. Both during the issue phase and subsequently, many employees would need time off from work to attend interviews, collect cards, advise change of address and lost cards, and collect original and replacement cards. These costs were entirely omitted from the Government's considerations. Remarkably, there was an attempt by an academic economist to justify the exclusion of all non-government costs from the cost/benefit analysis.
Information Privacy Protections
In Australia there has been a history of neglect of privacy matters. Over ten years have elapsed since the Whitlam Government instigated a study, and, in keeping with its tradition of undertaking the minimum possible law reform at the latest possible time, Australia still lacks data protection laws, and lags behind the rest of the advanced Western world.
In tandem with the national identification scheme, the Government finally introduced its long-delayed data protection regime. It comprises a new agency, and a privacy law, heavily worked over by the Federal bureaucracy, embodying 'principles' of data protection which are qualified almost out of existence.
The Government's degree of interest in the Privacy Bill was made abundantly clear firstly when it was introduced a day later than the Australia Card Bill, and secondly when debate in the House of Representatives was gagged after a mere 70 minutes. Its attitude might be summed up by a statement by Health Minister Neal Blewett which was much used in the parliamentary debates. During a party conference in 1986, this ex-President of the South Australian Council for Civil Liberties said that:
" ... we shouldn't get too hung up as socialists on privacy because privacy, in many ways, is a bourgeois right that is very much associated with the right to private property."
A variety of individuals and organisations, including the peak legal professional body, the Law Council, and the Australian Computer Society, have submitted to the Government that the sequence in which it is proceeding is inappropriate. They argue that consideration should not be given to a national identification scheme until after a data protection regime has been both enacted and established.
The specific controls proposed for the 'Australia Card' scheme are very weak. The Data Protection Agency created by the legislation would come into existence over two years after planning of the scheme commenced, and could only influence activities within the predetermined framework. It could give directions to the HIC, but not to the participating agencies, other government departments and instrumentalities, or the private sector. It would be bound by a great deal of 'red tape', and its energy would be sapped by an entirely unnecessary responsibility to maintain a register of databases.
It would be very easy for the Government to strangle the Data Protection Agency. For example it could choose a President prepared to use his wide prerogatives in a conservative manner, or it could starve it of funds. The Data Protection Advisory Committee has no power whatsoever, and there is no broad community representation despite the Minister's repeated promises.
Broader Social Implications
The scheme is based on large-scale computer matching, and is designed to facilitate, indeed automate, such activities in the future. Matching schemes bring together vast amounts of data about each individual, which was collected by different organisations for quite different purposes and with attention to data quality appropriate to those particular circumstances. The scope for misinterpretation of merged data is enormous.
Ensuring security for the register would be impossibly difficult. As in other, similar countries, there is at present no single, reliable source of names and addresses in Australia. 6% of telephone subscribers pay to keep their addresses and telephone numbers out of the telephone directory. The register would therefore be of interest to many people, variously for good reasons (such as debt collectors are presumed to have), for ambiguous ones (estranged spouses, jilted ex-boyfriends and over-protective fathers and brothers), and for downright sinister reasons (criminals pursuing ex-associates). Every record would be accessible on over two thousand terminals operated by thousands of clerks in the offices of at least three different government agencies, at over four hundred locations throughout the country.
The HIC would be permitted to collect data from a wide variety of sources, including the individual and at least ten government agencies. The Bill would override all existing privacy protection clauses in a dozen Acts of Parliament.
There appears to be no limitation on how long data would be retained by the HIC. Since the Register would contain information on family linkages, it would have potential use well beyond a person's lifetime. The Register is also deemed for such purposes to contain all of the information gathered by the HIC during its establishment phase, from the over twenty databases from nine government agencies. There are no limitations on the retention of this information either.
The Government withdrew from its early positions of 'voluntary' and then 'pseudo-voluntary' use of the card. It would be obligatory for everyone to acquire, to retain and to use a card, and there would be very significant sanctions against a person who failed to do so. Because of the wide variety of circumstances in which the card would be required, and because of the unpredictability of some of them, it would be advisable to carry the card at all times. For most people, it would be difficult to discriminate between organisations authorised to demand the card and those precluded from demanding it. It would also be difficult to resist 'requests' from persons in authority (like policemen) or in a strong bargaining position (like financiers).
There are only loose controls over the acquisition of cards by third parties on behalf of the aged, infirm, bedridden, physically and mentally handicapped and those in institutions. Individuals would have limited rights under the scheme.
Although the matter is beyond the scope of this paper, it is the author's contention that the proposal quite expressly establishes the basis for widespread data surveillance in Australia.
A World First
The Government's claims that similar schemes operate overseas are based on ignorance. Only the Swedish and Danish schemes come remotely close, and the new West German scheme (developed in a context of real and continuing external threat, and occasional extremist terrorism) is far less pervasive. The French, Italian and even the Swiss schemes are far less centralised, and are restricted to fewer uses. The Communist bloc has largely manual systems.
Neither the United Kingdom and New Zealand has or has contemplated such a system, and, at least in respect of its white population, neither has South Africa. The U.S. and Canadian Social Security numbering schemes are low-integrity systems designed for a single purpose, but now used with largely spurious success for a variety of additional public and private sector purposes. Successive Committees established to consider whether the U.S. Social Security Number and Card scheme should be improved or replaced have recommended against such a project on the grounds of impracticality and excessive infringement of human rights.
Conclusions
My conclusions about the Government's proposal are straightforward:
it would not work, because it relies on an inadequate basis for identification;
partly as a result of that deficiency, it would not result in particularly high levels of savings;
it would cost a huge amount more than the Government estimates, in additional bureaucracy, and in private sector compliance costs;
it would be highly inconvenient to the public, because of the new obligations it would create, and the errors, misunderstandings and unjustified suspicions which would result;
it would dramatically change the relationship between individuals and the State, and provide the basis for mass surveillance.
The rejection of the scheme does not deny the Government the ability to address tax evasion, welfare fraud and illegal immigration. Tax administration is in a poor state due to years of neglect of hardware and applications software, and years of increased legislative complication without rationalisation. Welfare fraud is currently being addressed by a major project within the Department of Social Security. Illegal immigration requires other approaches such as accelerated appeals, changes to the laws of evidence, and more enforcement and prosecution staff.
Prospects
Many elements of the scheme can be implemented without legislative approval, and several agencies are proceeding apace, particularly the Health Insurance Commission. In addition, it is common for the Federal Government to proceed with arrangements in advance of the approval of Parliament, and unusual for the Opposition or anyone else to prosecute for such unauthorised activities. The scheme may therefore be presented shortly as something approaching a fait accompli which would be nearly as expensive to cancel as to continue with.
At the end of 1986, the Government was committed to re-introduce the Australia Card Bill. The three opposition parties have expressly decided to oppose it, and they control the Senate. Government Ministers threatened in late 1986 that a second rejection would provide the grounds for a double-dissolution. Within days this was contradicted by the Prime Minister, who confirmed that the Government would see out its full term through until early 1988.
Interpretation
The public service has the responsibility of implementing ever more government programmes which offer ever more opportunity for fraud. These programmes demand ever more funding, increasing the rates of taxation, and making tax evasion ever more prevalent.
If agencies were merely to tighten their existing identification procedures, continuing problems would highlight the many other (in some cases unavoidable) deficiencies in their systems. An entirely new identification scheme run by an independent agency would enable existing agencies to ease themselves out of the firing line, by deflecting the inevitable future criticisms toward the agency administering the scheme. The service therefore has a clear self-interest in promoting the proposal.
The Government, for its part, is attracted by a bold project which it believes will cut through some of the difficulties surrounding it. Its refusal to recognise the scheme's technical inadequacies, and the naively and in part fraudulently optimistic economics are, regrettably but realistically, the normal behaviour of a Government and its agencies after it has committed itself to a course of action.
Rather than assessing the idea on its merits, the scheme's proponents have presumed that information technology is capable of delivering a 'knock-out punch' against the nominated evils. The Government is 'throwing technology' at complex social problems, whose solutions demand a more painstaking approach.
Caveat
This article presents a very brief overview of the scheme and its consequences. It is not possible in such limited space to accurately document the current proposal, its origins and motivations, the many changes which it has undergone, the investigations on which the author's views are based, or the argument supporting the contentions.
Just Another Piece of Plastic for your Wallet:
The 'Australia Card' Scheme
ADDENDUM
Roger Clarke
published in Computers & Society 18,3 (July 1988)
On 2 April 1987, the Australia Card Bill was rejected by the Senate for the second time. The history of the proposal to that point is documented in Clarke (1987, pp.29-31). The Prime Minister had given an undertaking on the morning of April 1 not to exercise the option of a double-dissolution.
As speculated on pp.42-43 of the earlier paper, the Prime Minister withdrew that undertaking in late May, in order to call an election for all seats in both Houses in July 1987, rather than the election of the House of Representatives and half of the Senate which would have been due in any case during the period September 1987 to March 1988. The Labor Government's motivation was that both the conservative opposition parties were facing leadership crises. The uncertainty within the Opposition was deemed by the Government to be a threat to good government and to therefore now justify the exercising of the option.
Although it was the ostensible reason for the election, the Prime Minister's policy speech devoted less than two lines to the Australia Card, and during the entire campaign the major parties barely mentioned it. The campaign was fought largely on the issue of the alternative Governments' records in economic management, and on 11 July 1987 the Labor Government was returned with little change to the majorities in either House.
The Constitution provides that, following such a double-dissolution, if the unchanged Bill were rejected a third time by the Senate, then a joint sitting of the two Houses could be called. The net majority which the Government enjoyed in the two Houses, together with Labor's very tight rules on block-voting (which prescribe expulsion from the Party in the event of a breach, and are very rarely ignored), made it very likely that, in such a joint sitting, the Bill would be passed.
On 27 July 1987, the Government announced that the Bill would be one of the Government's first priorities, and would be reintroduced in September, when Parliament resumed. On 29 July, responsibility for the scheme was passed from Health Minister Neal Blewett to Senator Susan Ryan, who had not been assigned a portfolio in the new Government, but had been retained in the Ministry.
By mid-August, the Government had undertaken a substantial administrative reorganisation to accompany the new Cabinet structure. A Departmental Head displaced during that reorganisation was nominated as the future President of the proposed watchdog body, the Data Protection Agency, apparently for no better reason than that there was no other position available for him. Meanwhile the Minister for Veterans' Affairs announced that he would seek extension of the scheme beyond the original three (or four) purposes of tax, social security and health insurance (and, with qualifications, immigration), to include the administration of repatriation benefits.
A variety of organisations had been established to protest against the Australia Card proposal, but to this point few had had significant impact. The various State Councils for Civil Liberties, particularly in the two major States, had lobbied with considerable energy and some effect, but during the election campaign they had been somewhat hamstrung, because of the declared interest of a significant proportion of their membership in assisting in the Labor Party's re-election.
During the weeks following the election, a lobby organisation of a different kind was formed. The membership of the Australian Privacy Foundation was broad, in terms of occupations, social attitudes and party affiliations. It contained a large proportion of people who had public relations and media experience, it included people with high community standing including judges, Royal Commissioners and retired sportsmen, and it included not a few people who were household names in individual capital cities, throughout States, and in several cases throughout the country.
On 31 August, following fund-raising and lead-up publicity, the Foundation launched its anti-Card campaign in the ballroom of a major international hotel in inner Sydney. The professionalism of the launch, together with its high-profile membership, succeeded in establishing the movement's credibility. With the responsible Minister losing the media battle, the Prime Minister became personally closely associated with the scheme. However his attempts to brand the Foundation as "a funny collection of people" were treated by most media commentators as being as equally unconvincing as his oft-repeated claims to have an election mandate to proceed with the scheme.
Following the wide coverage for the launch, the many members of the media who had long been concerned about the scheme provided sufficient ongoing exposure to 'keep the ball rolling'. By mid-September, the Letters to the Editor columns were overflowing. The Sydney Morning Herald published the ratio as being 9-1 against the scheme. The Australian stated that it received 526 letters between 3 and 15 September, 475 against, 25 for and 26 unspecified - "There has never been a debate like it on the letters page; there has never been such a cry of opposition from the nation over one topic". The Parliament House Bills and Papers Office was unable to keep up with demand for copies of the 130-page Bill.
The opinion polls recorded a turnaround from about 60-30 in favour of the Card in late 1986 to about the same proportion against. There were large meetings, particularly in provincial and country centres. On 23 September, 20-30,000 people marched in Perth. The issue gave every impression of developing into the most divisive social issue at least since the Vietnam War and possibly since the Second World War, but with the additional aspect that demonstrations were not confined to the capital cities.
In late August, the A.L.P. State Conference called on the Victorian Labor Government to boycott the scheme. In early September, the N.S.W. Labor Cabinet, facing an election within six months, expressed overwhelming disapproval of the scheme. Also in early September, rank and file representatives at the trade union congress blocked the intentions of the A.C.T.U. executive to announce support for the scheme, and called for a comprehensive review. The three non-Labor State Governments announced that they would not provide births, deaths and marriages registry data to support the scheme. There was increasing discomfort within the Federal Parliamentary Labor caucus, with many members in marginal seats fearing that their prospects at the next election would be slim, particularly since at that time the issue of Cards would be likely to be in full swing.
With the Prime Minister continuing to take a high profile on the issue, the Bill was reintroduced in mid-September, with 7 October 1987 publicised as the target for the Senate vote. At this stage the Government felt forced to promise a subsequent Bill containing amendments. It did not provide any detail as to what was intended, but likely contenders were matters relating to data security, and the practicability of compliance by financial institutions. The Government could not incorporate such amendments in the original Bill without foregoing the right to a joint sitting. In the press on the morning of 23 September, it was reported that the Bill was likely to be passed in early 1988, after a short Senate enquiry, rejection in the Senate, and a joint sitting.
During Question Time on 23 September, the Opposition dropped a bombshell on the Government by identifying a tactical flaw in the Bill: the date for implementation of the Act was not part of the legislation, but would have to be subsequently passed by Regulation. It was therefore possible for the Government to have the Bill passed in a joint sitting, but for the opposition parties in the Senate to combine to prevent its implementation, by disallowing the Regulation. The Government announced a few days later that it was withdrawing the Bill.
Such a feature, whereby implementation details are deferred to a later time, is standard practice. However its potential to undermine the Government's intentions came to light in a curious way. A previous Deputy Secretary of the Commonwealth Attorney-General's Department, Ewart Smith, who had recently retired from the Administrative Appeals Tribunal (and had thirty years earlier been a cricket team-mate of the Prime Minister's), had written letters to two newspapers opposing the Card. As a result, a retired Secretary of the Treasury, John Stone, who had become a National Party front-bench Senator in the July 1987 election, contacted him to discuss the possibilities for defeating the Bill. Smith communicated to Stone his discovery of the need to set the implementation date by Regulation (Smith, 1988). In effect, then, a proposal devised by and mainly to serve the interests of, senior public servants was scuttled by two ex-senior public servants.
When it announced its withdrawal of the Australia Card Bill, the Government did not even mention that it was also withdrawing the Privacy Bill, and gave no indication of any intention to re-draft that component of the package. It did, however, announce that it would now draft enhancements to the Tax File Number (TFN) scheme administered by the Australian Taxation Office. This was consistent with the recommendations of the Joint Select Committee on an Australia Card, which had recommended strongly against the multi-purpose register, number and card, but had supported the taxation-specific alternative of increasing the reliability with which taxable income could be associated with a specific taxpayer.
Bibliography
Official Material (in chronological order)

Treasury 'Draft White Paper: Reform of the Australian Tax System' A.G.P.S., June 1985, pp. 39-40
HIC1 'An Outline Plan Prepared for the [First] Inter-Departmental Committee on National Identification' Health Insurance Commission, May 1985
IDC1 'Report of the [First] Inter-Departmental Committee on the National Identity System' (or similar) Dept. of Health, June 1985 (unpublished)
Minister for Health 'Australia Card', Advertising Brochure, July 1985
HIC2 'Establishment and Administration of a National Identification System: The Australia Card Program: Interim Planning Report', August 1985
IDC2 'The National Identity System: Report of the Inter-Departmental Committee established to develop legislative requirements and other aspects necessary to complete the detailed implementation of the National Identity System (NIS)' Dept. of Health, August 1985 (published December 1985)
Treasury 'Reform of the Australian Taxation System: Statement by the Treasurer' A.G.P.S., September 1985
Dept. of Health 'Towards Fairness and Equity: the Australia Card Program' 6 February 1986 (305 pp.)
HIC3 Planning Report of the Health Insurance Commission February 26 1986 (221 pp.)
Official Hansard Report of the Joint Select Committee on an Australia Card, 17 December 1985 to 1 April 1986 (21 vols. of Proceedings, Submissions and Incorporated Documents, 5637 pp.). See in particular:
A.C.S., W.A. S.I.G. on Social Implications, pp.3084-3138
A.C.S., Governor, Community Affairs Board, pp.2912; S729-35
A.C.S., President, pp.2913-47, S1064-67
Australians for Social Responsibility in Computing, pp.S1123-28
Barter C.J. (Professor of Computer Science), pp.2948-72
Clarke R.A. (Reader in Information Systems), pp.312-434, S146-344
Confederation of Australian Industry, pp.3994-4024
Costigan F.X. (Q.C. and former Royal Commissioner), pp.1200-1232
Greenleaf G.W. (Lecturer in Law), pp.S879-99,1454-36
Law Council of Australia, pp.3882-930
Lawrence L.G. (Dr., computer security consultant), pp.515-21
N.S.W. Privacy Committee, pp.536-594,S368-525
See also: Groenewegen P.D. (Professor of Economics), pp.3483-543
Report of the Joint Select Committee on an Australia Card, May 1986 (2 vols., 324 pp.). See in particular:
Addendum by Senator Puplick, pp.155-211
Australia Card Bill, 1986 (130 pp.)
Privacy Bill 1986 (27 pp.)
Official Hansard Debates on the Australia Card Bill:
Second Reading Debate, House of Representatives:
22 October 1986
13 November 1986, pp.2996-3019, 3069-3121
14 November 1986, pp.3123-3147
Discussion of a Matter of Public Importance, House of Representatives, 17 November, pp.3207-3217
Second Reading Debate, Senate:
17 November 1986, pp.2305-2311
9 December 1986, pp.3590-3622, 3628-3646
10 December 1986, pp.3659-3691, 3703-3762
Other Publications

Clarke R.A. 'A National Identification Scheme for Australia?' Xamax Consultancy Pty Ltd, July 1985
Clarke R.A. 'The National Identification Scheme: Costs and Benefits' CIS Policy Report 2,1 February 1986
Clarke R.A. 'Information Technology and 'Dataveillance' Proc. Symp. on Comp. & Social Responsibility, Macquarie Uni. Dept of Comp. Sci., September 1986
Clarke R.A. 'The Proposed Australian Implementation of the OECD Privacy Guidelines' Working Paper, January 1987. Available from the author
FACFI 'The Criminal Use of False Identification' U.S. Federal Advisory Committee on False Identification, 1976
Graham P. 'The Australia Card: a burden rather than a relief?' Aust. Qtly 58,1 (Autumn 1986) 4-14
Greenleaf G.W. & Nolan J. 'The deceptive history of the Australia Card' Aust. Qtly 58,4 (Summer 1986) 407-425
N.S.W. Privacy Committee Privacy Bulletin 1,2 (July 1985) and 2,1 (July 1986)
N.S.W. Privacy Committee 'Privacy Issues and the Proposed National Identification Scheme - a Special Report' March 1986
Walker G. de Q. 'Information as Power: Constitutional Implications of the Identity Numbering and ID Card Proposal' CIS Policy Report 2,1 February 1986