Thursday, April 13, 2023

IDENTITY VERIFICATION WITHOUT COPYING

Introduction

The verification of identity seems to be a highly flawed process, which every organisation appears to believe involves copying, including the Australian Tax Office. Yet no copying is needed, nor sighting; furthermore, if the selected documents are used for identification purposes it hinders their proper use. The processes are also contradictory, as they require the same data to be both public and private at the same time. Everyone needs to stop building repositories of identity data, which are ripe for harvesting by thieves. The need is to verify identity, not to acquire a copy of identity data. Not least, copying of such documents was traditionally considered illegal.

Security Key

To me the Australian Tax Office MyGovID application is fundamentally flawed. I don't have an issue with its use as a security key, other than that a mobile phone, whose purpose is spoken communication, is an overly expensive security key. Which item is treated with more care, house keys or a mobile phone? A low-priced USB security key on a keyring with the house keys is likely more secure than a phone. The phone is only more secure if its security features are used to prevent anyone else accessing it. These features tend to interfere with use as a phone, the primary purpose of the device. A smart phone's security features may make it good in theory, but not in practice; it is not a quality robust design solution. Given this, other options may as well be made available: it is poor design if there is no alternative or backup technology.

Verification of Identity

However, the major flaw with MyGovID is the process of verifying identity to use with the security key. The process involves copying, creating pristine digital images of identity documents. Pointing a camera on a phone at an identity document may be convenient, but it is also foolish and irresponsible. Around two or more years before MyGovID was introduced, I refused to give PayPal such a copy of my identity documents, and I am surprised that the government is following such a path of collecting copies. I am especially surprised as I'm reasonably certain it was corrupt government employees during the 1980s and 1990s who first exploited colour photocopiers to forge identity documents. To now give them pristine digital copies is insane.

Token Evidence of Identity Check

Maybe in the first instance as a consequence of World War 2, the Cold War and the Iron Curtain, it was apparent that employees could be corrupted and false identity documents created. So taking black and white photocopies of documents was introduced, along with stamping these as copies, with the date and the signature of the agent taking the copy. Such a copy provided token evidence of having viewed something resembling an identity document. If originals need sighting then these copies are clearly not suitable substitutes. But as copying technology has improved, such copying is no longer acceptable and should have been abandoned during the 1990s. For such copying to be continued using digital technologies is unacceptable.

The Optus breach would be less significant if identity data had not been collected. It seems that "as a tax office requirement", businesses are building repositories of identity data littered all over the place. One would expect the government to take the lead and demonstrate that it is not necessary to copy identity documents, or sight them, to verify identity.

Privacy Policies

Such copying is unacceptable and unnecessary. Whilst it is nice that the tax office and other businesses have privacy policies, such policies are unfortunately no consolation to people who have their identity stolen. Most especially when the verification system is poorly designed and contributes to the theft of identity, due to predictable design flaws.

Identity Tasks

I'm aware of at least two different identity tasks. The first is verifying that one is dealing with a real person at a real address, opening an account and issuing an ongoing unique customer number (ID1) for the name and address, and attempting to connect an actual person (ID0) to that identity. The second is ensuring all future transactions (ID*) are with this same person (ID0). Most organisations issue plastic membership cards, with the unique membership number on them. These membership cards are not proof of identity; they simply allow transactions against the membership number: that is, transaction ID* is connected to ID1, not to ID0. One problem is that ID1 can be stolen, but everything still points to ID0, as they are the one at the address, or at a previous address if the thief (IDx) has changed the address. If a problem occurs, one then seeks to find an actual person at an address. Not checking the validity of addresses, and not checking occupation of the address, in the first place is a major defect.

Public Facing and Private Data

We can consider that there is public facing data and non-public facing (private) data. By public facing I mean the information is shared with a multitude of people: friends, relatives, businesses and government departments. Information on membership and identity cards has to be public facing to operate: the data cannot be private. Name and address are public facing, but their association with other things is private.

Government Registers

All special documents/cards issued by the government are associated with a register and for a specific purpose. Use for any other purpose has the potential to hinder the proper use of the document. Presence on the register is based on a name, which may not be unique, but is made unique by an assigned number and other data placed in the register. For ongoing transactions a physical address is typically required, where, if we chose to look, we would expect to find the person inside the house at the address.

Interrogating Legitimacy of Documents

The government typically chooses to keep other information collected by each department private and confidential to that department, unless there is good reason to share. Therefore all interrogation of the legitimacy of a document should only occur between the department which issued it and the person claiming the benefit conferred by the document. Exchange of data with any other party puts information where it does not belong. Collecting the data simply because one does not have the imagination to consider how verification can be done otherwise is not acceptable.

If a person does not have an original document, then they need to apply to the keeper of the register for a transcript. This transcript and copies should never be passed on to anyone else. It is clear that the keepers of the registers have to be able to interrogate an individual to the extent necessary to be convinced the person can uniquely identify themselves on the register: that is, connect ID1 to ID0. However, possession of an original or transcript provides little evidence of anything useful: it is not proof of ID1 being connected to ID0.

Therefore the registers and the keepers of the registers are important to defining identity (ID1), but have a problem connecting to the person (ID0). Keeping ID1 connected to ID0 is thus part of the problem to be dealt with.

Associating ID0 Activity with ID1

Our primary concern is that ID1 is unique within the community and that all transactions by that identity are those desired by ID0. Therefore an important task is to get ID0 to associate all their activity with ID1, which will typically involve reference to transactions ID*.

Presence of Name on Available Registers

Since a name is on all the registers, it is clear that all the registers can be checked for presence and uniqueness of a name, without disclosing any other information. If an address is available then it can be checked, if and only if the name is not unique. As knowledge of presence on some registers may be a matter of privacy in itself, an individual needs to grant permission to check all the registers. When granting permission to check the registers the person can also identify whether they expect to be on a register or not. For example, not on the Australian registers of births or deaths, because they are alive and were born overseas.

Having checked multiple registers we know the name is in common use, but not that all uses are by the same person, or by the person (ID0) currently being checked. We therefore need the person (ID0) to get confirmation from the keeper of each register that they are able to defend their unique presence on the register. Also, if necessary, to demonstrate they are not the person on a register.

For any organisation to get more information from the person to check against the registers would be unacceptable. The keeper of the register has to exchange the information. The keeper of the register has access to the information; the information is private to that register and should be kept private to that register. There is no value to the data for identity and security purposes if it is littered all over the place.

Identity Confirmation Tokens

The individual therefore needs to apply to the keeper of each register and get a confirmation token of some description that they are able to defend their unique presence on the register. The collection of tokens is then linked to a single identity token. This token ultimately becomes a public facing identity card, potentially eliminating the need for a 100 point identity check, as the identity represented by the card is routinely updated by an increasing number of checks against the use of the identity.

An identity card is created because the activity is time consuming and inconvenient for all parties involved, so they only want to pursue it once.

Identity Check

So we have notionally defined an identity and assigned it to a single identity card, and whilst it is built on checks against multiple registers, the card can be stolen or faked. It can contain a photo and a data strip, and a personal identification number (PIN) can also be associated with the card. The data strip contains information about all the checks made; the more checks made, the more robust the identity. For person to person transactions, a 100 point ID card is likely good enough. Multiple organisations can be involved in issuing ID cards complying with common standards, on condition that no organisation ever takes a copy of identity documents. The only general purpose public facing identity data is that made available on the 100 point ID card. All other data is kept private, only shared with those organisations which issue the documents.

No Computers

A system could be designed which does not require computers or smart phones. The system needs either paper confirmation certificates or could use plastic/metal confirmation tokens/coins. However, the registers can be searched faster by computer, and restricted access to the data better enforced. Digital tokens also have potential to be more secure.

Remote Transactions

Remote transactions pose a problem as one cannot see a plastic ID card, though it could have a built-in USB key, or employ NFC technology as in smart cards, stickers and tags. However, unlike face to face transactions, one cannot check a face against the ID card: not that this is helpful if the card is fake. So the problem is that ID1 is not permanently attached to ID0, and no one really wants the world of Cyborg 2087 and implanted trackers.

It seems driver's licences and other identity documents are being used for over the phone verification. This is not sensible; it is a contradiction. Either the information is private or it is public; it cannot be both at the same time. If every business is making copies, then it is public. The original purpose of most of the documents also makes them public facing.

For traffic control purposes, it is likely that people will carry out the required exchange of information by way of their driver's licences. Therefore one way to get information is through a minor car accident, the thief already using a fake identity. Such information is therefore not suitable for remote identification purposes.

Biometrics

Biometrics, instead of implanting a tracker, make use of data already naturally embodied in a person. However, in the world of 3D printers it is questionable how robust these systems are. Furthermore there is still the issue of the data being collected and littered all over the place. So copying a person's features is no more acceptable than copying their personal identity documents. There is a difference between fallible human memory connected to multiple sensors, and a permanent machine record based on a myopic perception from limited sensors.

Using biometrics stored on a single device belonging to the owner, and used as a key for multiple devices and systems, is more acceptable. In this manner identity/biometric data is not scattered amongst multiple organisations nor across multiple devices. The one device is unlocked and activates a key to unlock other systems.

Transaction History

As indicated above, if an organisation has a history with a client, there are multiple ID* transactions which can be used to verify a person remotely. The most recent transactions are not necessarily the best to use, as their use may be the cause of a recent identity theft. Unfortunately historical transactions may not be readily available to individuals, so it may take a few days to dig out old information and verify it. The purpose is to determine a history of interaction between ID1 and an organisation, as recognised by both ID0 and the organisation.

Computer and Smart Phone Technology

Increasingly smart phones and computers are acquiring security features which restrict access to the device or to an account on the device. The tax office assumes one phone, one user, which is somewhat unreasonable and doesn't reflect the real world. Many families just have one mobile phone and a landline; there is no need for everyone in the household to have their own mobile phone. Businesses have landlines, most businesses are small businesses, and they do not have one phone per person. If anyone in the business has a mobile, it is most likely their own, and not supplied by the business. So there are two issues: individuals not wanting their phone contaminated with business software, and business owners not having control over individuals' personal devices.

Tax Office Problem

The tax office's problem appears to be that any individual can log onto a computer and onto tax office systems. This is because in many businesses, employees likely do not have their own computers, nor do they have their own computer accounts/profiles on a computer. So once a person had access to a computer, they had access to the Auskey granting access to the tax office's data. Unless the Auskey was on a USB stick, in which case only the person with the USB stick should have been able to access it. Of course anyone could be granted access to use the key. But it had the advantage that the USB stick could be taken back and the Auskey cancelled. Thus USB sticks were a visual reminder of how many Auskeys a business was using. Though I'd hazard a guess the contents of the USB stick could easily be copied, as long as the Auskey was cancelled once an employee changed roles, this should not have been a problem.

However, the expectation with MyGovID is that only one person using the security features of a smart phone is able to unlock the phone and gain access to the security key provided by MyGovID. Yet it does seem that the security features of a computer, laptops especially, and system accounts could equally well be used to limit access to the tax office systems. One computer could have multiple users, each account having its own digital key. In large organisations people are not always using the same computer: they can log onto any computer and their profile follows them, therefore the digital key would have to follow too; it cannot be machine dependent.

Irritating 2 Factor Authentication Using a Smart Phone

So enter the irritating 2 factor authentication, either using a mobile phone and codes sent by SMS, or other methods such as using Symantec VIP on a desktop or Google's backup codes. At least Google recognises that you may not have your phone with you or switched on, and provides an alternative. The tax office suggests that SMS messages are not secure, and that new smart phones have improved security for the communications.

So once MyGovID is set up we supposedly have a secure digital key for remote transactions. Using a smart phone we don't need a special reader for a keycard, and unlike a simple USB key supposedly only one person can use the key. All seems reasonable for ongoing transactions and especially remote transactions.

MyGovID Primary Defect

The big problem however is that to set up MyGovID everyone foolish enough to do so, or otherwise coerced by the tax office, has given their identity away, and the tax office servers are now ripe for harvesting. There was no point harvesting them when little data was there.

Copying and collecting identity data is not verifying identity; it is not making transactions more secure. It is creating more sources of identity data and making people's identity data easier to find and steal. So MyGovID would be good if it didn't place our futures at risk.

MyGov Primary Defect

On the other hand MyGov connects multiple government accounts to a single account, but otherwise fails to confirm and create a single secure identity. Furthermore various government departments may still ask for copies of documents to conduct a 100 point identity check. Thus creating even more repositories of identity data.

Use of MyGov to Interrogate Government Registers

Yet MyGov should be carrying out adequate interrogation to connect a government account to a single user account, and as it does so generating a firm identity for a given user. In other words, MyGov needs more government accounts available for connection so that it can generate a firm identity. That is, so that a user of MyGov can check themselves against the various government registers, be appropriately interrogated by the keepers of the registers and receive an appropriate confirmation token against each register. The more government accounts a person can link or otherwise confirm against, the stronger their identity.

So in the first instance, simply create an account; such an account is not associated with anyone: just a user name and/or email address and a password. Once the user provides their full name, approval can be granted to search all registers for their full name. At which point they can be notified as to their presence on each register and as to whether they are unique or not. If not unique then they can do further checks against those registers to uniquely identify themselves. Once uniquely identified on 3 or more registers the user can proceed to the process of unlocking access to the various accounts and linking them to their one MyGov account. {3 or more := birth/migration + electoral roll + medicare + taxfile} Those registering for services for the first time may have problems, but they likely have an education, and the education department should know they have attended school. So it may be necessary to connect both federal and state government departments to the one account, and possibly certain private enterprises. Thus MyGov creates a confirmed identity without ever copying or sighting issued documents. This identity then needs to be secured and usable: that is, making the identity usable as a security key the way MyGovID is meant to be.
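The register check described in this section and under "Presence of Name on Available Registers" and "Identity Confirmation Tokens", modelled as an added illustration (not the post's proposal in code, and nothing to do with any real MyGov system): each keeper answers only "present?" and "unique?" for a name, falls back to the address only when the name is not unique, discloses no other record data, and signs a confirmation token with a secret only that keeper holds; the identity is treated as confirmed once tokens from 3 or more registers are held. The `Register` class, `build_identity` function, `REQUIRED_REGISTERS` constant and the sample register contents are all constructed for this example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# The post's threshold: unique on 3 or more registers (birth/migration, electoral, medicare, taxfile)
REQUIRED_REGISTERS = 3


@dataclass
class Register:
    """Hypothetical model of a register: records (full name, address) stay private to
    the keeper, who answers only presence/uniqueness and signs tokens with its own secret."""
    name: str
    secret: bytes
    records: list

    def presence(self, full_name, address=None):
        """Return (present, unique). The address is consulted only when the name
        alone is not unique, as the post prescribes; nothing else is disclosed."""
        hits = [r for r in self.records if r[0].casefold() == full_name.casefold()]
        if not hits:
            return (False, False)
        if len(hits) == 1 or address is None:
            return (True, len(hits) == 1)
        at_address = [r for r in hits if r[1].casefold() == address.casefold()]
        return (True, len(at_address) == 1)

    def _msg(self, full_name):
        return f"{self.name}|{full_name.casefold()}".encode()

    def confirm(self, full_name, address=None):
        """Issue a confirmation token only if the person is uniquely placed here.
        The token binds register and name; it carries none of the register's data."""
        present, unique = self.presence(full_name, address)
        if not (present and unique):
            return None
        return hmac.new(self.secret, self._msg(full_name), hashlib.sha256).hexdigest()

    def verify(self, full_name, token):
        """Keeper-side check when a card is later questioned (ID1 to ID0 re-confirmation)."""
        expected = hmac.new(self.secret, self._msg(full_name), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, token)


def build_identity(full_name, registers, address=None, expected_on=None):
    """First-instance procedure: search each permitted register for the name, record only
    presence/uniqueness, fall back to the address where the name is not unique, and confirm
    once REQUIRED_REGISTERS tokens are held. `expected_on` lets the person declare registers
    they do not expect to be on (e.g. births, if born overseas)."""
    report, tokens = {}, {}
    for reg in registers:
        if expected_on is not None and not expected_on.get(reg.name, True):
            report[reg.name] = "not expected"
            continue
        present, unique = reg.presence(full_name)
        if present and not unique and address is not None:
            present, unique = reg.presence(full_name, address)
        report[reg.name] = (present, unique)
        if present and unique:
            tokens[reg.name] = reg.confirm(full_name, address)
    return {"report": report, "tokens": tokens,
            "confirmed": len(tokens) >= REQUIRED_REGISTERS}


# Constructed sample registers (not real data); each keeper holds its own secret.
REGISTERS = [
    Register("births", b"k-births", [("Alex Sample", "1 First St")]),
    Register("electoral", b"k-elect", [("Alex Sample", "1 First St"), ("Alex Sample", "9 Other Rd")]),
    Register("medicare", b"k-medic", [("Alex Sample", "1 First St"), ("Alex Sample", "9 Other Rd")]),
    Register("taxfile", b"k-tax", [("Alex Sample", "1 First St"), ("Jordan Sample", "4 Lane")]),
]
```

With the sample data, `build_identity("Alex Sample", REGISTERS)` yields only two tokens (the name is duplicated on the electoral and medicare registers) and is not confirmed; supplying the address resolves both duplicates and yields four tokens, while the report never contains an address or any other register field.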

Flawed Verification Process

The tax office approach requires that they, banks and various other organisations acquire copies of identity documents such as birth certificates, driver's licences, passports, citizenship certificates and Medicare cards. If they acquire copies, the document is no longer unique and the data is no longer private. And as they are now largely acquiring and checking digital copies, it is possible that no original is ever required. So the process is flawed. It may be believed that it is not possible to inject fake data into the communication stream, but it does seem feasible to bypass a phone's camera and inject into the camera's memory. I believe a criminal organisation would only need to modify one phone, and swap SIM cards, to create multiple identities. If they cannot get digital images then they cannot do that. If digital images of identity documents are not used then they cannot do that. If the documents selected as identity documents are not used then they cannot do that.

The system described above does not use identity documents; it interrogates the individual once to create a multi-use identity card/token. That identity card can be questioned, requiring further confirmation of the connection of ID1 to ID0. But under no circumstances does the party requiring the confirmation get to see the other identity documents.

General Use Identity Card (100ID)

To clarify further, the 100 point ID card (100ID) can be checked by anyone for any purpose. The police can check the driver's licence and 100ID card if they wish, or just the driver's licence. Customs can check the passport and 100ID, or just the passport. But no one else can check a driver's licence or a passport, as these are not general use identity documents; they are created and issued for specific control purposes, and such purpose should not be hindered by alternative uses.

So confirm identity, but do not contribute to theft of identity by building repositories of identity data and passing such off as verification.

Arresting People

Who is the tax office going to arrest for failing to confirm identity or acquire an identity token? Either a person is identified or they are not. If they are not identified then they cannot be arrested, as it is not known who the person to be arrested is. If they can be arrested then their identity has been identified and confirmed, and if the person's identity is confirmed then there is no just cause to arrest. Whilst one can arrest someone, take a photo, assign a reference number and leave all other details blank, it is not acceptable to arrest someone simply because they do not have any form of identification. Nor is it acceptable to arrest someone because one happens to be an arrogant, all-powerful organisation which is only capable of confirming identity by creating a copy of identity.


Revisions:
[(13/04/2023)] : Original