Principal, Xamax Consultancy Pty Ltd, Canberra
Visiting Professor, Baker & McKenzie Cyberspace Law & Policy Centre, University of N.S.W.
Visiting Professor, E-Commerce Programme, University of Hong Kong
Visiting Fellow, Department of Computer Science, Australian National University
Submission of 20 November 2003
© Xamax Consultancy Pty Ltd, 2003
This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/QTDL0311.html
Mr G. Mahon
Director (Strategic Policy)
Queensland Transport
Dear Gary
Thank you for taking the trouble to seek my comments on the Department's proposal for a smartcard-based driver's licence. I make this brief submission on the matter, confirming some of the points that I made during our meeting on 14 November.
As I mentioned, I've performed consultancies in this topic-area for over a decade, and am not prepared to provide my expertise gratis. On the other hand, as a privacy advocate for over 30 years, I'm also not prepared to say nothing.
In my roles as a Board-member of both Electronic Frontiers Australia (EFA) and the Australian Privacy Foundation (APF), I'm aware of the arguments and submissions made by members of those organisations, and by the Australian Consumers Association (ACA). The privacy aspects have been well-addressed in the arguments presented by them, which I support. In the circumstances, it seems appropriate that I address some of the design issues.
Since 1988, I've conducted in-depth studies of half-a-dozen multi-purpose smartcard pilots, and followed from a distance the short lives of many more. Like so many before it, this proposal has a number of flaws that are so serious that the project as currently conceived is doomed to failure.
It's challenging enough to get a single-organisation/single-purpose scheme to work. Every extra player and every extra purpose adds more requirements which inevitably conflict with one another, and the necessarily multilateral negotiations soon bog down. The number of roles increases rapidly, and the number of data-clusters that need to be accessed by the various roles does too, leading to the need for a complete access control system on a chip. In short, a multi-function scheme quickly becomes overloaded, and collapses.
Successful schemes restrict their scope, have tightly defined goals, and involve a small set of closely-related participants, all of whom have strong incentives to ensure the scheme's success. In the case of tokens that carry driver's licences, I have serious doubts about the practicability of any extension of scope beyond the driver licensing authority and the police.
The specifics of the scheme as presented in the published documents are also seriously problematical. Firstly, as drawn to your attention by many people you've consulted with, the security design is very badly flawed. It is critical that the Department acquire the services of one of the several specialist security consultants capable of re-working that design.
One example of this is the mistaken assumption that comparisons between a person's appearance and a photograph are an effective security measure. In fact it is an extremely low-grade technique, whether carried out by humans or by so-called 'facial recognition' technologies. Another serious concern is the vagueness about what the PIN protects, and whether there is one PIN protecting one set of stored data, or multiple PINs protecting multiple data-sets.
The information presented on digital signature applications suggests serious problems in this area as well. The explanations suffer from lack of clarity about key-pair generation, about the contents of the digital certificate, about where the private key is stored, and about how the private key is to be protected. There continues to be considerable uncertainty about warranties and indemnities offered by QT to relying parties (or, indeed, imposed by the law).
The business process design and business case are also seriously inadequate at this stage, with many aspects documented insufficiently clearly to establish the necessary foundation for a reliable design. This is a further area in which specialist assistance is vital.
It doesn't seem to be clear what other uses QT might make of the card, nor what other agencies might use the card. There appears to be no analysis available of the use of driver's licence cards as generic 'evidence of identity', despite the interest in this topic shown by Commonwealth-State working groups. The suggested 'emergency information' use appears to be embryonic, despite the fact that it has been widely discussed since the late 1970s. It is very difficult to perform a privacy impact assessment of a proposal whose scope is as yet undefined.
The notion that a private-sector partner might fund a considerable portion of the costs involved is very dangerous indeed. The benefits that a corporation would seek from participation would inevitably involve use of the identifier for additional purposes, of the card for additional purposes, and of the personal data for additional purposes. It is critical to the privacy interest that independence among organisations, identifiers, tokens and data be sustained. It would seriously compromise the credibility of government systems if the Department's powers to demand information from and impose requirements on individuals were seen to benefit a corporation.
A further concern is the provisional nature of so much of the information provided. The functional requirements of the various kinds of card-readers remains unclear, as does the means whereby card-chips and devices would authenticate one another. Personal, hand-held card-readers seemed to be being added to the mix when needed.
In addition, practicalities that are very important to licence-holders appear not to have been addressed. For example, interstate policemen were assumed to able to quickly understand that addresses and licence-classes on the face of the new-style Queensland licences aren't up-to-date. Drivers will feel very uncomfortable if forced to answer 'no, that's not my current address'.
Because of the many problems that are apparent, it would be highly unwise for the Department to proceed with the project as currently framed.
I would appreciate it if you would keep me informed of developments in relation to the matter.
Once again, thank you for inviting me to participate in this consultation.
Yours sincerely
Roger Clarke
My papers on relevant topics are indexed in the following locations:
The papers of most direct relevance include:
Go to Roger's Home Page.
Go to the contents-page for this segment.
Created: 20 November 2003
Last Amended: 20 November 2003
These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content). |
The Australian National University Visiting Fellow, Faculty of Engineering and Information Technology, Information Sciences Building Room 211 | Xamax Consultancy
Pty Ltd, ACN: 002 360 456 78 Sidaway St Chapman ACT 2611 AUSTRALIA Tel: +61 2 6288 1472, 6288 6916 |