Thursday, April 13, 2023

IDENTITY VERIFICATION WITHOUT COPYING

Introduction

The verification of identity seems to be a highly flawed process, which every organisation appears to believe involves copying, including the Australian Tax Office. Yet no copying is needed, nor sighting; furthermore, if the selected documents are used for identification purposes it hinders their proper use. The processes are also contradictory, as they require the same data to be both public and private at the same time. Everyone needs to stop building repositories of identity data, which are ripe for harvesting by thieves. The need is to verify identity, not acquire a copy of identity data. Not the least of which is that, more traditionally, copying of such documents was considered illegal.

Security Key

To me the Australian Tax Office MyGovID application is fundamentally flawed. I don't have an issue with its use as a security key, other than that a mobile phone, the purpose of which is spoken communications, is an overly expensive security key. Which item is treated with more care, house keys or mobile phone? A low priced USB security key on a keyring with house keys is likely more secure than a phone. The phone is only more secure assuming its security features are used to prevent anyone else accessing it. These features have a tendency to interfere with use as a phone, the primary purpose of the device. A smart phone's security features may make it good in theory, but not in practice; it is not a quality, robust design solution. Given that, other options may as well be made available: it is poor design if there is no alternative or backup technology.

Verification of Identity

However, the major flaw with MyGovID is the process of verifying identity to use with the security key. The process involves copying, creating pristine digital images of identity documents. Pointing a camera on a phone at an identity document may be convenient, but it is also foolish and irresponsible. Around two or more years before MyGovID was introduced, I refused to give Paypal such copies of my identity documents, and I am surprised that the government is following such a path of collecting copies. Especially surprised as I'm reasonably certain it was corrupt government employees during the 80/90's who first exploited colour photocopiers to forge identity documents. To now give them pristine digital copies is insane.

Token Evidence of Identity Check

Maybe in the first instance as a consequence of World War 2, the cold war and the iron curtain, it was apparent employees could be corrupted and false identity documents created. So taking black and white photocopies of documents was introduced, along with stamping these as copies, with the date and the signature of the agent taking the copy. Such a copy provides token evidence of having viewed something resembling an identity document. If originals need sighting then these copies are clearly not suitable substitutes. But as copying technology has improved, such copying is no longer acceptable and should have been abandoned during the 1990's. For such copying to be continued using digital technologies is unacceptable.

The Optus breach would be less significant if identity data had not been collected. It seems "as a tax office requirement", businesses are building repositories of identity data littered all over the place. I would expect the government to take the lead and demonstrate that there is no need to copy identity documents, or sight them, to verify identity.

Privacy Policies

Such copying is unacceptable and unnecessary. Whilst it is nice that the tax office and other businesses have privacy policies, such policies are unfortunately no consolation to people who have their identity stolen. Most especially when the verification system is poorly designed and contributing to the theft of identity, due to predictable design flaws.

Identity Tasks

I'm aware of at least two different identity tasks. The first is verifying that one is dealing with a real person and a real address, opening an account and issuing an ongoing unique customer number (ID1) for the name and address, and attempting to connect an actual person (ID0) to that identity. The second is ensuring all future transactions (ID*) are with this same person (ID0). Most organisations issue plastic membership cards with the unique membership number on them. These membership cards are not proof of identity, they simply allow transactions against the membership number: that is, transaction ID* is connected to ID1, not to ID0. One problem is that ID1 can be stolen, but everything still points to ID0, as they are the one at the address, or a previous address if the thief (IDx) has changed the address. If a problem occurs then one seeks to find an actual person at an address. Not checking the validity of addresses, and not checking occupation of the address, in the first place is a major defect.

Public Facing and Private Data

We can consider there is public facing data and non-public facing (private) data. By public facing I mean the information is shared with a multitude of people: friends, relatives, businesses and government departments. Information on membership and identity cards has to be public facing to operate: the data cannot be private. Name and address are public facing, but their association with other things is private.

Government Registers

All special documents/cards issued by the government are associated with a register and for a specific purpose. Use for any other purpose has the potential to hinder the proper use of the document. Presence on the register is based on a name, which may not be unique, but is made unique by an assigned number, and other data placed in the register. For ongoing transactions a physical address is typically required, where, if we chose to look, we would expect to find the person inside the house at the address.

Interrogating Legitimacy of Documents

The government typically chooses to keep other information collected by each department private and confidential to that department, unless there is good reason to share. Therefore all interrogation of the legitimacy of a document should only occur between the department which issued it and the person claiming the benefit conferred by the document. Exchange of data with any other party puts information where it does not belong. Collecting the data simply because one does not have the imagination to consider how verification can be done otherwise is not acceptable.

If a person does not have an original document, then they need to apply to the keeper of the register for a transcript. This transcript and copies should never be passed onto anyone else. It is clear that the keepers of the registers have to be able to interrogate an individual to the extent necessary to be convinced the person can uniquely identify themselves on the register: that is, connect ID1 to ID0. However, possession of an original or transcript provides little evidence of anything useful: it is not proof of ID1 connected to ID0.

Therefore the registers and the keepers of the registers are important to defining identity (ID1), but have a problem connecting to the person (ID0). Keeping ID1 connected to ID0 is thus part of the problem to be dealt with.

Associating ID0 Activity with ID1

Our primary concern is that ID1 is unique within the community and all transactions by that identity are those desired by ID0. Therefore an important task is to get ID0 to associate all their activity with ID1, and will typically involve reference to transactions ID*.

Presence of Name on Available Registers

Since a name is on all the registers, it is clear that all the registers can be checked for presence and uniqueness of a name, without disclosing any other information. If an address is available then it can be checked, if and only if the name is not unique. As knowledge of presence on some registers may be a matter of privacy in itself, an individual needs to grant permission to check all the registers. When granting permission to check a register the person can also identify whether they expect to be on the register or not. For example, not on Australian registers of births or deaths, because alive and born overseas.

Having checked multiple registers we know the name is in common use, but not that all uses are by the same person, or by the person (ID0) currently being checked. We therefore need the person (ID0) to get confirmation from the keeper of each register that they are able to defend their unique presence on the register. Also, if necessary, demonstrate they are not the person on a register.

For any organisation to get more information from the person to check against the registers would be unacceptable. The keeper of the register has to exchange the information. The keeper of the register has access to the information, the information is private to that register. It should be kept private to that register. There is no value to the data for identity and security purposes if it is littered all over the place.

Identity Confirmation Tokens

The individual therefore needs to apply to the keeper of each register and get a confirmation token of some description that they are able to defend their unique presence on the register. The collection of tokens is then linked to a single identity token. This token ultimately being a public facing identity card, potentially eliminating the need for a 100 point identity check, as the identity represented by the card is routinely updated by an increasing number of checks against the use of the identity.

Creating an identity card is a time consuming and inconvenient activity for all parties involved, therefore they only want to pursue the activity once.

Identity Check

So an identity is notionally defined and assigned to a single identity card, and whilst built on checks against multiple registers, the card can be stolen or faked. It can contain a photo and a data strip, and a personal identification number (PIN) can also be associated with the card. The data strip contains information about all the checks made: the more checks made, the more robust the identity. For person to person transactions, a 100 point ID card is likely good enough. Multiple organisations can be involved issuing ID cards complying with common standards, on condition no organisation ever takes a copy of identity documents. The only general purpose public facing identity data is that made available on the 100 point ID card. All other data is kept private, only shared with those organisations which issue the documents.

No Computers

A system could be designed which does not require computers or smart phones. The system needs either paper confirmation certificates or could use plastic/metal confirmation tokens/coins. However, the registers can be searched faster by computer, and restricted access to the data better enforced. Digital tokens also have potential to be more secure.

Remote Transactions

Remote transactions pose a problem as one cannot see a plastic ID card, though it could have a built-in USB key, or employ NFC technology as in smart cards, stickers and tags. However, unlike face to face transactions, one cannot check a face against the ID card: not that this is helpful if the card is fake. So the problem is that ID1 is not permanently attached to ID0, and no one really wants the world of Cyborg 2087 and implanted trackers.

It seems drivers licences and other identity documents are being used for over the phone verification. This is not sensible; it is a contradiction. Either the information is private or it is public, it cannot be both at the same time. If every business is making copies, then it is public. The original purpose of most of the documents also makes them public facing.

For traffic control purposes, it is likely that people will communicate the required exchange of information by way of their drivers licences. Therefore one way to get information is through a minor car accident, the thief already using a fake identity. Such information is therefore not suitable for remote identification purposes.

Biometrics

Biometrics, instead of implanting a tracker, make use of data already naturally embodied in a person. However, in the world of 3D printers it is questionable how robust these systems are. Furthermore there is still the issue of the data being collected and littered all over the place. So copying a person's features is no more acceptable than copying their personal identity documents. There is a difference between fallible human memory connected to multiple sensors, and a permanent machine record based on a myopic perception from limited sensors.

Using biometrics stored on a single device belonging to the owner, and used as a key for multiple devices and systems, is more acceptable. In this manner identity/biometric data is not scattered amongst multiple organisations nor on multiple devices. The one device is unlocked and activates a key to unlock other systems.

Transaction History

As indicated above, if an organisation has a history with a client, there are multiple ID* transactions which can be used to verify a person remotely. The most recent transactions are not necessarily the best transactions to use, as the use of such may be the cause of a recent identity theft. Unfortunately historical transactions may not be readily available to individuals; consequently it may take a few days to dig old information out and verify it. The purpose being to determine a history of interaction between ID1 and an organisation, as recognised by ID0 and the organisation.

Computer and Smart Phone Technology

Increasingly smart phones and computers are acquiring security features which restrict access to the device or an account on the device. The tax office assumes one phone, one user, which is somewhat unreasonable and doesn't reflect the real world. Many families just have one mobile phone and a landline; there is no need for everyone in the household to have their own mobile phone. Businesses have landlines, most businesses are small businesses, and they don't have one phone to one person. If anyone in the business has a mobile, it is most likely their own, and not supplied by the business. So there are two issues: individuals not wanting their phone contaminated with business software, and business owners not having control over individuals' personal devices.

Tax Office Problem

The tax office's problem appears to be that any individual can log onto a computer and onto tax office systems. This is because in many businesses, employees likely do not have their own computers, nor do they have their own computer accounts/profile on a computer. So once a person had access to a computer, that person had access to the Auskey granting access to the tax office's data. Unless using an Auskey on a USB stick, in which case only the person with the USB stick should have been able to access it. Of course anyone could be granted access to use the key. But it had the advantage that the USB stick could be taken back and the Auskey cancelled. Thus USB sticks were a visual reminder of how many Auskeys a business was using. Though I'd hazard a guess the contents of the USB stick could easily be copied, but as long as the Auskey was cancelled once an employee changed roles, it should not have been a problem.

However, the expectation with MyGovID is that only one person using the security features of a smart phone is able to unlock the phone and gain access to the security key provided by MyGovID. However, it does seem like the security features of a computer, laptops especially, and system accounts could equally well be used to limit access to the tax office systems: one computer with multiple users, each account having its own digital key. In large organisations people are not always using the same computer; they can log onto any computer and their profile follows them, therefore the digital key would have to follow too, it cannot be machine dependent.

Irritating 2 Factor Authentication Using a Smart Phone

So enter the irritating 2 factor authentication, either using a mobile phone and codes sent by SMS, or other methods such as using Symantec VIP on a desktop or Google's backup codes. At least Google recognises one may not have a phone with them, or switched on, and provides an alternative. The tax office suggests that SMS messages are not secure, and that new smart phones have improved security for the communications.

So once MyGovID is set up we supposedly have a secure digital key for remote transactions. Using a smart phone we don't need a special reader for a keycard, and unlike a simple USB key supposedly only one person can use the key. All seems reasonable for ongoing transactions and especially remote transactions.

MyGovID Primary Defect

The big problem however is that to set up MyGovID everyone foolish enough to do so, or otherwise coerced by the tax office, has given their identity away, and the tax office servers are now ripe for harvesting. There was no point harvesting them when there was little data there.

Copying and collecting of identity data is not verifying identity, it is not making transactions more secure; it is creating more sources of identity data and making people's identity data easier to find and steal. So MyGovID would be good if it didn't place our futures at risk.

MyGov Primary Defect

On the other hand MyGov connects multiple government accounts to a single account, but otherwise fails to confirm and create a single secure identity. Furthermore various government departments may still ask for copies of documents to conduct a 100 point identity check. Thus creating even more repositories of identity data.

Use of MyGov to Interrogate Government Registers

Yet MyGov should be carrying out adequate interrogation to connect a government account to a single user account, and as it does so generating a firm identity for a given user. In other words MyGov needs more government accounts available for connection so that it can generate a firm identity. That is, so that a user of MyGov can check themselves against the various government registers, be appropriately interrogated by the keepers of the registers and receive an appropriate confirmation token against each such register. The more government accounts a person can link or otherwise confirm against, the stronger their identity.

So in the first instance, simply create an account; such account is not associated with anyone. Just a user name, and/or email address and a password. Once the user provides their full name, approval can be granted to search all registers for their full name. At which point they can be notified as to their presence on the register and as to whether they are unique or not. If not unique then they can do further checks against those registers to uniquely identify themselves. Once uniquely identified on 3 or more registers then the user can proceed to the process of unlocking access to the various accounts and linking them to their one MyGov account. {3 or more := birth/migration + electoral roll + medicare + taxfile } Those registering for services for the first time may have problems, but they likely have an education, and the education department should know they have attended school. So it may be necessary to connect both federal and state government departments to the one account, and possibly certain private enterprises. Thus MyGov creates a confirmed identity without ever copying or sighting issued documents. This identity then needs to be secured and usable: that is, making the identity usable as a security key the way MyGovID is meant to be.
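As an added illustration (not code from the original post, MyGov or any government system), the register-check flow from the Identity Tasks, Presence of Name, Identity Confirmation Tokens and this section modelled in Python: keepers answer only absent/unique/not unique, consult the address only when the name is not unique, interrogate the applicant themselves, and hand back keyed tokens that carry no register data; the account becomes firm at three registers. The interrogation question, the register rows and the token format are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

FIRM_THRESHOLD = 3  # page: uniquely identified on 3 or more registers


@dataclass(frozen=True)
class ConfirmationToken:
    register: str    # keeper that issued it
    account_id: str  # the account (ID1 side) it is linked to
    mac: str         # keeper-keyed MAC; carries no register data


class RegisterKeeper:
    """One register. Entries stay private to the keeper; callers only get
    presence/uniqueness answers, tokens, and yes/no token checks."""

    def __init__(self, name, entries):
        self.name = name
        self._entries = entries              # constructed sample rows, private
        self._key = secrets.token_bytes(32)  # token-signing key, never shared

    def _match(self, full_name, address=None):
        rows = [e for e in self._entries if e["name"] == full_name]
        if len(rows) > 1 and address is not None:  # address only if name not unique
            rows = [e for e in rows if e["address"] == address]
        return rows

    def presence(self, full_name, address=None):
        n = len(self._match(full_name, address))
        return "absent" if n == 0 else "unique" if n == 1 else "not unique"

    def _mac(self, account_id):
        msg = f"{self.name}|{account_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def interrogate(self, account_id, full_name, address, answer):
        """Keeper-side check that the applicant can defend a unique entry. The
        question is a constructed placeholder (quote the reference number this
        keeper assigned); the keeper returns a token or None, never entry data."""
        rows = self._match(full_name, address)
        if len(rows) != 1 or not hmac.compare_digest(
                rows[0]["reference"].encode(), answer.encode()):
            return None
        return ConfirmationToken(self.name, account_id, self._mac(account_id))

    def verify(self, token):
        """Yes/no for whoever holds a token; discloses nothing else."""
        return token.register == self.name and hmac.compare_digest(
            token.mac, self._mac(token.account_id))


class IdentityAccount:
    """MyGov-style account: nothing attached at creation, firms up as tokens accrue."""

    def __init__(self):
        self.account_id = secrets.token_hex(8)  # opaque; not a name or document number
        self.tokens = {}                        # register name -> ConfirmationToken

    def is_firm(self):
        return len(self.tokens) >= FIRM_THRESHOLD


def establish_identity(account, keepers, full_name, address, answers, expect_absent=()):
    """With the applicant's permission search every register for the name, narrow
    by address only where the name is not unique, let each keeper interrogate, and
    collect one token per register. `answers` maps register name to the applicant's
    reply to that keeper; `expect_absent` lists registers they say they are not on."""
    report = {}
    for keeper in keepers:
        status = keeper.presence(full_name)
        if status == "not unique":
            status = keeper.presence(full_name, address)
        if keeper.name in expect_absent:
            report[keeper.name] = "absent" if status == "absent" else "conflict"
            continue
        report[keeper.name] = status
        if status == "unique" and keeper.name in answers:
            token = keeper.interrogate(account.account_id, full_name, address,
                                       answers[keeper.name])
            if token is not None and keeper.verify(token):
                account.tokens[keeper.name] = token
    return report


def build_demo():
    """Constructed data: the name appears twice on the electoral roll, the applicant
    is absent from births (born overseas) and answers the taxfile keeper wrongly."""
    jane = {"name": "Jane Citizen", "address": "1 Example St"}
    other = {"name": "Jane Citizen", "address": "9 Other Rd", "reference": "E-2003"}
    keepers = [RegisterKeeper("births", []),
               RegisterKeeper("migration", [dict(jane, reference="M-1001")]),
               RegisterKeeper("electoral", [dict(jane, reference="E-2002"), other]),
               RegisterKeeper("medicare", [dict(jane, reference="H-3003")]),
               RegisterKeeper("taxfile", [dict(jane, reference="T-4004")])]
    account = IdentityAccount()
    answers = {"migration": "M-1001", "electoral": "E-2002",
               "medicare": "H-3003", "taxfile": "WRONG"}
    report = establish_identity(account, keepers, "Jane Citizen", "1 Example St",
                                answers, expect_absent=("births",))
    return keepers, account, report
```

Note that a relying party holding the account's tokens can only ask each keeper "is this token yours?"; nothing about the register entry, and no document image, ever leaves the keeper.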

Flawed Verification Process

The tax office approach requires that they, banks and various other organisations acquire copies of identity documents such as birth certificates, drivers licences, passports, citizenship certificates and Medicare cards. If they acquire copies the document is no longer unique, and the data is no longer private. And as they are now largely acquiring and checking digital copies, it is possible that no original is ever required. So the process is flawed. It may be believed that it is not possible to inject fake data into the communication stream, but it does seem feasible to bypass a phone's camera and inject into the camera's memory. I believe a criminal organisation would only need to modify one phone, and swap SIM cards to create multiple identities. If they cannot get digital images then they cannot do that. If digital images of identity documents are not used then they cannot do that. If the documents selected as identity documents are not used then they cannot do that.

The system described above does not use identity documents; it interrogates the individual once to create a multi-use identity card/token. That identity card can be questioned, requiring further confirmation of the connection of ID1 to ID0. But under no circumstances does the party requiring the confirmation get to see the other identity documents.

General Use Identity Card (100ID)

To clarify further the 100 point ID card (100ID) can be checked by anyone for any purpose. The police can check the drivers licence and 100ID card if they wish, or just the drivers licence. Customs can check passport and 100ID or just the passport. But no one else can check a drivers licence or a passport, as these are not general use identity documents, they are created and issued for specific control purposes, and such purpose should not be hindered by alternative uses.

So confirm identity but do not contribute to theft of identity by building repositories of identity data and passing such off as verification.

Arresting People

Who is the tax office going to arrest for failing to confirm identity or acquire an identity token? Either a person is identified or they are not. If they are not identified then one cannot arrest, as one does not know who the person is that is to be arrested. If one can arrest then one has identified and confirmed the person's identity, and if the person's identity is confirmed then there is no just cause to arrest. Whilst one can arrest someone, take a photo, assign a reference number and leave all other details blank, it is not acceptable to arrest someone simply because they do not have any form of identification. Nor is it acceptable to arrest someone because one happens to be an arrogant all powerful organisation which is only capable of confirmation of identity by creating a copy of identity.

Revisions:
[(13/04/2023)] : Original

COPYING IDENTITY DOCUMENTS IS NOT A VERIFICATION PROCESS

I have an issue with the general copying and collecting of identity data passed off as an identity verification process by all businesses (eg. Paypal, banks, Certsy), and especially government departments such as the Australian Tax Office (ATO) and Centrelink. The reference to "it's a tax office requirement" could also be considered coercion or abusive use of power. The ATO is potentially responsible for all data breaches such as the Optus breach.

Centrelink Identity Check

After a heart attack in 2018 I was advised to seek a health concession card; Centrelink required my identity documents be submitted, which could be done via MyGov. I reluctantly and unwillingly submitted via MyGov, I submitted "everything but the kitchen sink", and the response was not enough information. It currently indicates there is no history of my ever submitting documents. I don't trust them. As far as my memory goes, sometime back in the 1980/1990's the DSS/CES introduced A3 colour photocopiers with collation memory; that collation memory was used by corrupt employees, after hours, to produce passable replicas. This copying activity should have stopped back in the 1990's; instead it seems to have increased.

Traditional Copying

My understanding is that attempting to copy official documents issued by the government is not itself illegal, but the potential use of the documents in a fraudulent manner is illegal. The original A4 black and white (B&W) copies taken by DSS/CES, stamped in red ink with the word "COPY", dated and signed by the representative of the DSS/CES who witnessed the original, were acceptable, as originals needed to be sighted and the B&W copy was not passable as an original. The copy was basically taken because employees were not trusted, and the copy is token evidence of having seen something resembling an identity document.

Copying Technology

However, once copying technology had reached the stage of being able to produce passable replicas, the copying of identity documents should have ceased, that is some time around the 1990's. Instead today pristine digital copies, which can be used to produce passable replicas, are being littered all over the place. {AI technology detecting fakes is irrelevant}

Paypal

Around 2 years prior to the ATO introducing MyGovID, Paypal requested digital copies of my identity documents, indicating it was a tax office requirement. I refused to provide them, and provided an explanation of why, informing them about the traditional B&W copies. I also explained they had already verified my account through my linked bank account, which already required a 100 point ID check in person to get. They indicated they would verify my identity by other means. I still have two Paypal accounts, though I'm not certain the business account is fully operational, but I have little use for it, so am not overly concerned at the moment. {I did have a few dollars seemingly trapped in the account, but I have recently transferred them.}

ATO Secure Access

The ATO introduced MyGovID and discarded Auskey. As the application is not compatible with my phone, and to me a mobile phone is a useless piece of electronic junk running poorly written bloated software, its only purpose being spoken conversation, I have no intention of updating it simply to use as a security key. Consequently I lost access to the ATO business portal and processes became inefficient, as now I need to operate via an accountant. Apparently accountants, financial advisers and tax agents are not very responsible, as they appear to have mindlessly complied and verified their identities with MyGovID. Needing to use a smart phone as an overpriced security key is irritating, but something I could ignore and detour around.

Though I have lost faith in accountants' ability to act in the best interests of their clients. On an accountants' forum all the accountants seemed to be concerned about was updating the phone, the cost of the phone, and the security features of the phone, with no thought of how the phone is used. It seems anything on a mobile phone is seen as "cool!" and convenient, rather than stupid and irresponsible.

Smart Phones and Software

The need to use a mobile phone in conjunction with a computer is getting to be annoying. Quite frankly I have little use for a phone, consider it an unnecessary expense, and have little intention of replacing it when my current phone stops working. It spends the majority of the time switched off. I like computers, but I hate phones of all descriptions. When I got a smart phone, I thought it had potential as a portable computing device; it has however never demonstrated any value as a computer. Not the least of which is that there is generally only one way to get software onto the device. The constraints imposed by Google and Apple are unacceptable. A smart phone should be a personal computing device, and not require software from a public repository, nor require software be placed in such a public repository.

The constraints on the public repositories operated by Google and Apple are the one major reason why the ATO MyGovID application is not acceptable, since if it is not compatible with your phone and cannot be installed then Google Play will not permit comment. But MyGovID is a piece of software imposed by a government department, and its very concept and nature is flawed and needs to be discussed, criticised and interrogated, which has little to do with whether the software does or does not work. To a certain extent the ATO covertly introduced this infringement of rights: theft of data from other departments which they would otherwise not be granted access to. Copying documents is not verification.

There are other means of multifactor authentication without need of a smart phone: such as Google's backup code numbers, Symantec VIP Access, and USB security keys.

ATO Directors ID

Then the ATO introduced the Directors ID, which requires MyGovID to "verify" identity. Now I cannot avoid the issue. There was a voice phone option, so I was willing but reluctant to go along. I tried the phone option, and got an extension of time as phones were busy. There's a telling clue. I eventually got through, and over the phone they failed to verify my identity. But they did collect data from my citizenship certificate: suspicious. Which all seems likely a highly defective process, since it suggests they only need data from the document, which could come from anywhere. As they failed to confirm over the phone, I was sent letters requesting I send certified copies.

Copying Identity Documents & Exchange of Data

I am not placing my identity documents anywhere near a photocopier, scanner, or camera. The only scanner acceptable to me is that operated by the department which issued the documents, and only with respect to the purpose for which the document was issued. The only exchange of data acceptable to me is with the department which issued the document.

Legitimate Access to Data

The various government departments do not share data. If the ATO had a legitimate reason for such data then they would have it already. They do not have a legitimate reason for the data, and they are not getting it from me.

Verification Process

This verification of identity process is total nonsense. They are copying identities; they are not confirming or verifying anything. They are simply building repositories of identity data ripe for harvesting and thus contributing to the theft of identity. {eg. Optus breach}

The 100 point ID check does not require copying or sighting any of the specified documents. Furthermore possessing the documents is not proof of anything useful. Whilst sighting of the documents by persons not involved with the intended purpose of such documents is also not proof of anything useful.

AI Technology

Customs and immigration using AI technology to detect fake passports at border crossings is a reasonable use of AI technology. This is because fake passports, along with corrupt employees, diminish the value of the passport and interfere with its proper purpose. The department/s which issued and otherwise employ the document are doing the checks to fulfil the proper purpose of the document. Consequently their activity does not interfere with the proper use of the document.

Furthermore given the number of people processed daily, it is unlikely they would waste resources storing the scans long term, and have little need to do so, as they already hold the information which is on the passports they issued. They really only need to keep a check on arrivals and departures, in each direction, and keep for a short time afterwards, and only data about suspicious persons retained for longer periods.

Other organisations scanning the document is not acceptable. We have no control over their use of the digital image generated, and they do not otherwise hold the data on the document, and have no "right" to such data. The digital image generated has potential for use in producing fake documents and therefore interferes with, and hinders, the proper use of the document.

The proper use of a drivers licence is traffic control; the police scanning it for such purpose is acceptable, anyone else scanning it is unacceptable as it hinders the proper use of the document. It is also to be noted that data cannot be public facing and private at the same time. During an accident the required exchange of information is likely to occur via the use of a drivers licence; the information is therefore public facing. As the data on a drivers licence is public facing it is of no value for confirmation of identity over the telephone. Copying the licence with a smart phone's camera is not a transient observation and is not acceptable.

Identity Cards

If other organisations have issues with identity then they should issue their own identity cards, and security keys, to suit their purposes, not hinder the proper use of those cards issued by others.

Tax Office

If the ATO is not happy with tax file numbers (TFN) attached to just about everything, and wants a photographic identity card, then it should issue one. Or simply issue a card similar to the Medicare card, with the TFN on it, instead of a useless piece of scrap paper with the TFN on it.

Identity Checking

So the ATO is not in the business of identity checking. In which case why was it permitted to introduce MyGovID? Other businesses for which the 100 point identity check has been imposed are also not in the business of identity checking.

National Identity Cards

As I recollect, back in the 1970's the population opposed the introduction of national identity numbers and photographic identity cards. The government got around this by having the TFN associated with various customer accounts, with the coercion of increased tax if one does not do so. The state governments introduced photographic drivers licences, with an explicit disclaimer on them that they are for traffic control purposes.

Smart Phones

It was clearly apparent with the introduction of mobile phones that an alternative national and international ID number had been introduced (the phone's number), followed by GPS tracking and audio/video surveillance of a person becoming possible. But this is not simply an invasion of privacy; it places the security and uniqueness of a person's identity at risk. All this abstraction of identity is not the person. {Biometrics is just another abstraction, and 3D printers are liable to make that unreliable.}

Secure Identity

So we need secure identity and we need an organisation to trust to create and secure such identity. But at the same time we do not want national identity cards. The issue is that certain information should be private and confidential to certain organisations and should not be shared by anyone. Only name and address are public facing, with a hopeful expectation that we can find a person with the given name at the associated address inside the main dwelling.

So the 100 point ID check and MyGovID are both hazards to the security of individuals' unique identity rather than safeguarding identity; the processes currently employed are defective and contributing to the theft of identity, and these defective processes need to be stopped. That includes terminating the use of MyGovID for identity checking; its use as a security key is another matter. Similarly it is unacceptable for justices of the peace to provide certified copies. Copying is not acceptable.

Revisions:
[(13/04/2023)] : Original