Monday, 14 May 2007

Myth and Chips

"Super Gold Card" Issue

Privacy and security hit the broadsheets briefly as the NZ government introduced legislation including microchips in a new entitlement card. The Press reported:

Senior citizens looking forward to their Super Gold entitlement cards have been warned that microchips in the cards could expose them to identity theft and illegal monitoring.

Privacy Commissioner Marie Shroff said yesterday the possible use of the microchips had "far-reaching implications" that must be explored thoroughly before introduction. "Security is a real issue, both for the data stored on the cards and the risk of identity theft."

Under an agreement with New Zealand First leader Winston Peters, the Government plans to make the cards available from August.

They will be sent to people receiving New Zealand superannuation or a veteran's pension, and will provide what Peters calls "meaningful discounts" on a range of goods and services.

However, Shroff said a comprehensive assessment of privacy impacts should be undertaken before decisions were made on whether to introduce smart card technology as part of the scheme.

"A microchipped card may mean many things, especially if it is also used as an identity card for commercial purposes, perhaps with a unique identifying number for each person."

The actual statement of the Privacy Commissioner is more reasoned:

A possible micro chipped SuperGold card has some far-reaching implications that need to be explored thoroughly before a final decision is made. I understand the government intends to do that.

Our office has contributed to the policy discussions and our consistent position has been that a comprehensive assessment of privacy impacts should be undertaken before decisions are made on whether to introduce smart card technology as part of the SuperGold card.

Micro chipped smart cards have not been widely used by state sector agencies in their dealings with the New Zealand public. I am not opposed in principle to the use of smart card technology, but I believe introduction needs to be preceded by a proper assessment of the implications and an opportunity for public debate on the issues.

A micro chipped card may mean many things – especially if it is also used as an identity card for commercial purposes, perhaps with a unique identifying number for each person. There is the potential for ‘function creep’ - where the card ends up being used for far more than was originally intended. Security is a real issue – both for the data stored on the cards and the risk of identity theft.

Special emphasis appears to be placed on micro-chipped or smart cards. Introducing an identifying card that is to be widely used by a large proportion of the population (approximately 1 in 8) raises serious privacy issues regardless of the smarts in the card. That proportion of the population is also clearly segmented by age, making the effect of identity information more significant. Numbers like those appearing on credit cards would meet the undesirable criteria of a unique identifying number, but in a small population like that of New Zealand even the full name, combined with the narrowing of the age range implicit in a pension entitlement, provides a good opportunity for correlating usages of the card without any number at all. The widespread use of national identity cards within New Zealand does not have much support. Introducing an identity card with national coverage for a significant proportion of the population seems likely to have the same perceived downside.

Technical Issue

Technically, the micro-chip provides the means to secure the data and protect the privacy of the holder. Only with micro-chips and a selective disclosure regime will the privacy that is apparently an issue for a few politicians around here be maintained.

Selective disclosure is a cryptographic means of ensuring that the individual retains control over personal identifying data. Ben Laurie provides a useful technical overview of the subject in his recent paper [LAURIE].

If the requirement is for the card to demonstrate that an entitlement exists, a micro-chipped card can provide confirmation of the entitlement without revealing any other data that could be used for correlating the use of the card with an individual. That is, use of the card says that it represents a pensioner, not that a uniquely identified person is a pensioner, and the usage is not necessarily associated with a uniquely identified individual.
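The property described above, shown as an added example that is not from the original post, Laurie's paper or any actual SuperGold design: textbook RSA blind signatures are used here as one simple way to issue an entitlement token that carries no identifier. The key, the `entitlement:pensioner:` label and all function names are assumptions made for the illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy issuer key from two Mersenne primes: constructed for this demo and far
# too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # issuer's private exponent

def h(token: bytes) -> int:
    """Hash a token into Z_N (stand-in for a full-domain hash)."""
    digest = hashlib.sha256(b"entitlement:pensioner:" + token).digest()
    return int.from_bytes(digest, "big") % N

def card_blind(token: bytes):
    """Card: hide the token hash behind a random factor r before issuance."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(token) * pow(r, E, N)) % N, r

def issuer_sign(blinded: int) -> int:
    """Issuer: has checked the entitlement out of band; sees only `blinded`."""
    return pow(blinded, D, N)

def card_unblind(blind_sig: int, r: int) -> int:
    """Card: strip r, leaving an ordinary signature on h(token)."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(token: bytes, sig: int) -> bool:
    """Merchant: learns 'signed by the pension issuer' and nothing else."""
    return pow(sig, E, N) == h(token)

def demo(uses: int = 3):
    issuer_saw, shown = [], []
    for _ in range(uses):
        token = secrets.token_bytes(16)  # fresh random serial, no name or number
        blinded, r = card_blind(token)
        issuer_saw.append(blinded)
        shown.append((token, card_unblind(issuer_sign(blinded), r)))
    all_valid = all(verify(t, s) for t, s in shown)
    # Nothing the issuer saw at issuance reappears at the point of use.
    reappears = any(h(t) in issuer_saw or s in issuer_saw for t, s in shown)
    forged_ok = verify(b"made-up token", 12345)
    return all_valid, reappears, forged_ok

if __name__ == "__main__":
    print(demo())
```

Each token is meant to be shown once; a verifier that wants to stop copied tokens has to remember spent ones, which this example leaves out.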

Barbara Stewart, MP, introduced the subject in parliament (available in this podcast: Question Time for 10th May). The minister (Rt Hon. Winston Peters) referred to the use of micro-chips in NZ passports as protecting the individual. By inference, the usage in passports was held to justify their use elsewhere. Actually, the technology in passports only assures the integrity of the data within the passport and provides no protection for the individual or for the identifying information within the passport.

Call for Wider Debate

Listening to the issues discussed in parliament does not give me confidence that a reasoned approach will come from there. Judith Collins, MP even confused the issue of physically inserting microchips into dogs with the use of microchips in the super gold card. However, I am sure that wider discussion of both the personal privacy issues and the technological protection of personally identifying data is required before unnecessary exposure becomes routine.

  • Citizens should be opposed in principle to identity cards without smart card technology.
  • The smart card technology should be implemented to utilise selective disclosure where identity cards are implemented electronically.
  • Reference can usefully be made to Kim Cameron's Laws of Identity [CAMERON] to review the usage of identity information in the context of the super gold card.


[LAURIE] Laurie, B.; Selective Disclosure (v0.2); May 2007

[CAMERON] Cameron, K.;

Tuesday, 8 May 2007

Secure User Identification

Stefan Brands tackles the thorny problem of user identification without unnecessary privacy loss in a very readable paper (with pictures here). It seems to offer a greater level of privacy than, for example, the New Zealand Government Logon Service, which is targeted at the same risks of exposure.
Apart from Government, there are other arenas where there are compromises to user privacy. In the Health Sector, collating health records into a common picture may be seen as an administrative convenience, a medical necessity and for the 'common good'. However, labelling everyone with a common identity (in NZ the NHI) has the same potential for privacy loss, and for the consequential bad things happening, as it does within the wider government arena.
There are of course laws covering who has access to what information in the government and health sectors but that does not prevent accidental exposure or covert action.
There are legitimate reasons for the statistical correlation of data about people (especially in the health sector); allowing this without a common identifier is probably worth a bit of study. Otherwise, the potential need for statistics will be an overpowering argument for a single digital identity.