A cost effective approach to improve identity security

The Federal Government has numerous programs to improve the handling of citizen’s identities. Major initiatives include the Access Card and the new AML/CTF anti-money laundering legislation. The majority of these programs are based around organisational control and allowing organisations to better know their clients. Such approaches are necessary, but could be enhanced through the introduction of a complementary strategy that increase the identity security of individuals at the same time as reducing opportunities for criminals to perpetrate identity crime.

The proposal is:

If a physical document is used for identification then other approved organisations can confirm with the originating organisation that the record actually exists.

Most identity fraud is perpetrated by criminals forging paper or plastic documents, or by stealing legitimate documents and changing them in some way. This proposal would reduce this method of identity fraud as criminals would have to change both the physical documents and the database records of the issuing organisations. This would be extremely difficult to achieve, virtually eliminating a major method of identity fraud – that created by changing or forging physical documents.

Privacy implications

Australian organisations are subject to the Privacy Act 1988 which, according to Commonwealth Government guidelines, requires that:

Under IPP 5.1, an Agency must take reasonable steps to allow any person to find out whether it has any records that contain personal information, and if so, the nature of that information; the main purposes for which it is used; and the steps that a person should take if they want to obtain access to it.

A person requesting an organisation to respond yes or no to the question of whether certain personal information is held about them would appear to be a minimum requirement for any organisation to meet this guideline. For example it appears that the Passport Office should be required tell a citizen if it holds a passport in that person’s name with a particular passport number, a given birth date and place of birth. This information is printed on the passport and if the holder of the passport gives permission for an organisation to check with the Passport Office, then the request should be honoured. This will enable the passport holder to prove that the passport is genuine.

The organisation requested can allow registration of the request so that if any change is made to the document the requestor is notified. This simple measure will enable an individual to detect whenever someone attempts to take over their identity through changing existing information. It can also strengthen the electronic identity of an individual through the electronic confirmation of relationships a person has with organisations and with other people.

It is not an invasion of privacy as the person holding the passport (or any other document that can help confirm their identity) is the person requesting the information. That is, it is the person themselves requesting that the originating organisation confirm the validity of an identifying document to a third party.

It would appear that if an organisation was not prepared to offer this facility – which is simple, cheap and easily implemented – it would be unreasonable violation of the privacy principles which state that a person has the right to find out if information is held about them.

How this could be implemented cheaply and simply

There is an industry standard SAML protocol that allows assertions to be made and answered between computer systems. To verify information on a physical document the originating organisation simply implements one or more requests for Yes or No answers.

To ensure the right to privacy is maintained, only organisations that can prove that the request was made with the permission of the individual would be allowed to register with the providing organisation.

Standard templates to implement such a scheme are not difficult and can be made available. If necessary the requests could be processed through registered Identity Providers. The cost of such a service is very low and even for the most secure and private of organizations, would involve minimal cost.

Implications of this facility being available

As well as reducing the incidence of identity fraud based on false documents this approach will enable the rapid creation of verified electronic identities. This is achieved by an individual establishing that confirmed records exist about them in a variety of organizations (for example, a student may have verified records at the Passport Office, a bank and educational institution).

Extending the concept, the individual could then choose to have other people with whom they are acquainted verify that a photograph of them is a true representation. Reliable and proven technology also exists to enable the individual to record their voice and have this verified in the same way.

As an individual establishes verified organisational relationships based on documents and also establishes verified personal relationships, so the strength of the individual’s electronic identity becomes more reliable.

Organisations using the facility would be required to offer the same access to any physical documents that they produce relating to the person’s identification. This will encourage rapid deployment of the system, continually making the process stronger and further removing any opportunity for fraud. For example if the Passport Office provided the facility, every organisation using passports for identification would become part of the system.

Recommendation

It is recommended that

  1. All organisations which produce physical documents for identification purposes should provide an electronic facility for the yes/no verification of the information appearing on the physical document.

  2. All organisations wishing to use the facility for identification must provide the same facility for documents they produce.

These two steps will help reduce identity fraud at the same time as establishing a framework that protects the individual’s right to privacy, particularly in the growing area of electronic identify verification.

Leave a comment