Slashdot Mirror
Australia Scraps National ID Plan
IPU = Imaginary Property Unicorn writes "The proposed Australian 'Access Card', a universal ID that would be required for any Australian wishing to use Medicare, Centrelink, the Child Support Agency, or Veterans' Affairs, has been scrapped by the incoming Rudd Labor Government. The card would have contained an RFID tag with the person's name, date of birth, gender, address, signature, card number, card expiration date, and Medicare number, but there were also provisions to add more personal data later on. It seems that Rudd Labor is not eager to copy the American REAL ID Act."
As costs rise (the UK ID card scheme is now expected to cost between 10 and 20 BILLION pounds over 10 years) the government arguments become more and more vague and frantic rather than more solid and sensible.
ID cards seem to be more about giving huge IT contracts to the usual suspect systems companies than actually solving real-world problems.
So, how much Mega-$$$ were spent, eg, on feasibility studies...
...despite that University of South Australia and SA's
that might have been spent on improving Australia's
Internet access.
Even costly residential developments (eg, Mawson Lakes, SA)
include many houses, that cannot get ADSL, let alone ADSL2+
"Technology Park" are located immediately adjacent to it.
An RFID card that can be read can fill in all that data for you, but is also intrusive. Can't have the best of both worlds.
I prefer the manual filling in of forms. Makes sure I get it right. Can you see the unwashed hippy behind the counter saying that the CARD says I'm a female lion trainer because some tit miscaptured the data? And refusing to change it because "the computer can't be wrong"
Given the magnitude of errors South Africa already comes up with, changing gender, ethnic group, wrong photo to wrong ID number, wrong details etc, can you imagine the crap when they try to do more? I doubt this country is that unique either.
Trying to become famous by taking photos. Visit my homepage please.
The reason behind this? - Yes, if you are trying to do something on an international basis some kind of nationally recognized ID is required for some transactions - and if you have an ID card for one country it won't work in another. It's a business issue more than a privacy issue.
The ID is also to prove that you actually are the person you claim that you are. If you want real privacy you can always hire someone else to do the job of registration or perform transactions in cash.
Some may say that passports are internationally recognized as ID:s but that's not really good for two reasons: 1. They are in a very inconvenient physical format. 2. They are easily forged.
As for identity theft - it's already a fact and no matter on which scale you do the identity data it is always a risk. It is even worse if it is on a state level than on a national or international level since the variations in the ID papers and registration data makes it harder to validate.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Actually not quite so.
There are plenty of ways to provide identity that do not require online access to a database. X509 at your service. Tried, tested, works, scales to the size of a population (most continental EU ID cards are actually smartcards wich hold an x509 cert). The only thing the ID reader needs to do is verify that the cert on the card is correct and show the information. This can be done by a sub-10$ mass produced device nowdays. It can also be completely standalone for less important apps and for the more important it needs to check for revoked certs via OCSP. It does not really need access to a centralised database. In fact it is better for an ID like this to hold your photo and your biometric because the verification is done through cryptographic integrity. If it holds them it does not need central database access in 99.99% of the cases.
Issuing the ID is a completely different ball game. There you need a database if you want to avoid identity fraud. The bigger, the nastier, the more comprehensive - the better. As a matter of fact such the databases already exist in most countries, they are reasonably well maintained and they work. These are the taxation system databases and all countries with successful ID systems use these as a primary source of information. A good example of database nations like this is any Scandinavian country and Bulgaria out of the ex-Soviet block.
There is a crucial difference here - the database is accessed only on issuing IDs and on updating/checking tax records. It is not accessed by every wannabie wanker in a small quango office who has declared himself the supreme owner of your identity. This is also the crucial difference between RealID, The UK ID, the Australian ID and working ID projects. These all aim to sneak a provision for tens of thousands of wankers to access your data and they do not try to build on the tax system data (which the tax system office rightfully denies them access to). This is also doomed to be abject failures long before they have even been started because they have to build a database for the whole country from scratch.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
I'm not really surprised that Labor has pulled back from this. It's not exactly a popular move. And they did just get in thanks to a massive working-class movement that rose to overthrow their 'workchoices' industrial relations bullshit, so they know they can't smack people with this kind of thing at the moment.
But only a couple of minutes ago, I watched an ABC ( the public broadcaster in Australia ) news report on the push for widespread use of tasers in policing. It will be interesting to see if they cave into the pressure from the police and conservatives ( as the report hinted ). For me personally, it's difficult to say which is worse out of the RFID devices from Satan, and tasers. As an activist, I'm a little worried about being shot ( and killed, as has happened to 297 others already ). I've already witnessed some absolute atrocities committed against peaceful activists around me.
but PLEASE learn from our mistakes.
The thing with the US is no matter how bad it gets, your culture has within it a tendancy to say 'screw you' to anyone that's in power, and throw them out. Either that or make things so tough that people quit.
I've been surprised at the no-cons apparent ability to just take over and start the conversion to a police state (facism?) though. Why there hasn't been soime sort of mass revolt is beyond me. You're apparently just sitting back and letting them re-institute a pro rich/powerful people nation.
I have a lot of respect for Americans, but as a country your starting to look a bit, well, stupid. Quite aside from the political situation, its what, 80% of your population beleive the earth is less than 10,000 years old? This does not fill me with confidence. I was considering paying for my son to spend his univeristy years in the state, now I have a doubt.
How long is this going to go on do you think?
In WWII the Germans introduced the mandatory ID card here in Belgium and in several other countries too. With the liberation of Belgium our government decided to keep the ID card as they thought is was a good idea.
A few years ago the "Eid" was introduced, which is an ID card with limited personal information (name, address & picture) digitally stored onto the chip. Till this day I am not aware of any mayor privacy rights being broken, or identities being stolen or whatnot. Mind you I am the typical paranoia person when it comes to privacy and anonymity.
You can check the official website here: http://eid.belgium.be/en/navigation/12000/index.html
Actually the software to read the cards is open-source and you can make a cheap entry check system with only a card-reader, an embedded system and a database server.
Za Rodinu
Maybe it'a a matter of country size, but here in Chile we implemented a national ID number decades ago, ONE number and one ID card for almost everything, my ID number is the same as my passport, same as my driver's licence, same as my Medicare, same as my social security, etc. Even private companies, like banks, insurance, telephone, cable, etc. identify you with this number. Easy! and very convenient. The number is given to the new born when registred. Our IRS (SII) tracks your taxes with this number. Companies are assigned with an ID also (much higher number than individuals). Even foreigners can ask for an ID number. (needed if you want to work in here) Again, it's a very convenient system! I don't know how you guys can keep a whole big country running without this. Just my two cents.
Most of Europe has ID cards, and nobody ever heard it's police states.
...), where you don't need an ID card, there aren't ID cards. ...) and it is disallowed by the law (for anyone, including the state), to make a database that references all those id numbers.
The thing is to emit cards, you need a database. So the card becomes a key to your entry in the ID database. So far, so good.
Now, if you use it also to pay your taxes, the same card has become a key to your tax records and earnings. The same if you use it for your medical insurance, and so on.
Here's the privacy breach: the "one card does all" scheme is really very bad, because it allows easily to retrieve personal data from different databases.
Take France. There is one of the most advanced computer-related privacy law (IT and Freedom Act):
- there is a "national" ID card, that is connected to nothing, except maybe the passports database
- there is a medical state insurance ID card (Vitale card), that is connected to nothing, except other medical insurances, and your record at your doctor's
- for the rest (taxes,
All the systems have different unique identification numbers ("national" ID card number, medical state insurance number, tax payer number,
So where's the problem there ? (except that it's for sure more expensive that having a "one card does all", but privacy has its price).
DISCLAIMER: I am an Access Card Taskforce member
It's been an interesting ride.
To begin with we had the standard 'moving target with secret agenda'.
Then we had a whole bunch of clueless vendors who were each trying to tie the country up into their own foreign-controlled solution ('the mechanism and algorithms for encryption are not detailed here for obvious reasons' Yeah right - like your particular crypto card ain't worth shit and you don't want anyone to know about the technical details of your patent-applied-for 31tor system. I kid you not gentle readers.)
Then we had all the 'Smart Card Smart Card Yeah Yeah Yeah!!' people who didn't understand that you still have to implement solutions, having a CPU card doesn't automagically make things happen just because you want them to be so.
The original concept for the card was a pretty good idea - replace 26 other cards with a single card to simplify the access to Government services. As planned it would not work as an ID card as there was to be no information printed on the card to identify you other than your name. This also made the card completely impractical. For example, tho card was going to simplify concession access to public transport. The catch was that the driver had no way of telling from the face of the card whether tho]e cardholder was eligible for concession fares. This meant that every bus, taxi, tram and ferry in Oz needed a WiFi enabled reader, and that every passenger using their card enter their PIN into a reader as they entered the bus (etc). This was clearly not going to save time, as most of the elderly that would use buses would do that slowly.
The finals hurdle we had was the previous Government trying to sneak RealID type facilities into the card. Fortunately several members crossed the floor, and those amendments never got up.
I got the impression that Prof Fels was not going to let the card get through unless he was happy with our work, and he very early in the process seemed to realise that we could easily come up with something very bad for Oz. I have the utmost respect for the man now that I've worked with him.
This is true. I actually spent a couple weeks working on IBM's bid, mostly reviewing the security and privacy aspects of the design, so I got to understand the focus pretty well. The primary purposes of the card were to replace some 17 different government-issued ID cards with a single card, and to reduce benefit fraud. It was really about efficiency, not increasing government control. Not only that, the Howard government's RFP did take the privacy aspects pretty seriously -- they wanted strong guarantees that sensitive information on the card could only be read by authorized government personnel, that those personnel would only have access to the portions that they were suppose to read, and that the back-end databases had fine-grained access control and detailed and indestructible audit trails. One option that I recommended be added to IBM's proposal was to avoid, wherever possible, retaining any data in the back-end database. One of the ways a smart card can enhance privacy is by allowing the database to be effectively dispersed into millions of tiny, un-cross-referenceable pieces.
Arguably, it would have been *better* for privacy to put a comprehensive, well-designed system in place rather than letting government departments integrate their data in an ad hoc, uncontrolled way.
That said, I'm not particularly unhappy to see this die. Even supposing Australia did an excellent job of implementing this system, so that it improved privacy rather than harmed it, that's not to say that all of those back-end controls wouldn't be quietly removed through a series of "upgrades" (and the option to avoid storing the data in the back end was just that, an option, and it would have increased costs and created some inconvenience).
Most of all, I'd rather not have US politicians able to point to a well-implemented Australian system and say "see, we can do it too!". I have no confidence that a US system would be as well-implemented as what we proposed to Australia.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.