Discussing the Changes and Advancements in EIV Over the Last Year (Ben McQuillan, National Coordinator, ISST Crime Operations, Australian Federal Police)
- Documents today contain many advanced security features, such as secure paper. People on the front line of identity verification are often not adequately trained to validate using those features, especially for overseas documents. To some extent, this reduces the value of those advanced security features.
- The speaker expressed an opinion with respect to biometrics that a facial biometric has a lot of merit because of its applicability to both electronic and human verification. Also, on documents that contain a facial image, it is most likely to represent the person presenting the document, whereas other information is more likely to be false in the case of a fraudulent document.
- Emerging threats identified by the speaker based on his work include malicious activity by insiders, exploitation of public data on social networking sites and more cases of bulk identity fraud or stealing of identity information. These all seem quite clear and plausible, consistent with other views I see (and spout).
- One interesting other threat that was raised was with the increase in collecting identity information in industries that are largely unregulated in terms of how they treat identity information. As an example, there is an increase in Australia in scanning drivers licenses at the entry points to pubs/clubs.
Examining How Identity Protection is Enhancing National Security for all Australian Citizens (Wayne Colless, Advisor, Identity Security Branch, Attorney General Department)
- Wayne spoke about Australia's National Identity Security Strategy and the Document Verification Service (DVS).
- The DVS is a broker of identity verification requests to government documents issued by Commonwealth and State governments. At this stage, use of this service is limited to the public sector but the demand and interest from the private sector is well recognised.
- It is hoped that access to this service will be extended to the private sector in the future.
- Medicare and Centrelink documents are not currently available via DVS. This would seem to be a large category of documents that would often get presented by somebody in helping to prove their identity, though not as important as passports, birth certificates and drivers' licences.
- Use of DVS is managed by a steering committee, made up of the issuing agencies. At this stage, the governance and policies for use of DVS do not seem to be enforced in the system itself. This is perhaps a point to consider as the set of consumers is extended to the private sector.
Using EV as a Means of Proving Entitlement (Philip Joe-Low, AML/CTF Program Manager, Green ID/Deloitte)
- greenID is a service that allows a user to prove their identity online by providing information that can be validated by other sites. (Another vendor, Veda, was also present at the conference.)
- greenID takes a user centric approach, where the identity verification is chained off what a user knows that they know about themselves.
- There are potential concerns around how frequently/accurately the certifiers (e.g. a JP) of certified copies of documents are checked.
- Philip also spoke about a New Zealand government initiative named igovt. It seems that this has been stalled and the enabling legislation is not all through parliament. New Zealand parliament clearly has some higher priorities with the tragic earthquake in Christchurch.
Privacy with Multiple Identities (Dr Kevin Cox, Founder and CTO, Edentity Identification Services)
- edentity's electronic personae technology is part of the greenID offering also described in the previous presentation.
- From Edentity's own study: 20% of addresses on Australian electoral roll are incorrect
- A system along user-centric identity lines was described. This was proposed as an alternate approach to one that requires data aggregation either in authoritative data sources themselves or by the identity verification broker.
- The proposed system did not appear to be based on any particular standards, though some OpenID integration is provided for run-time authentication (not for identity verification).
- Some of the questions from the audience suggested that a clearer distinction between the identity verification, registration/issuance of credentials and run-time authentication stages would have made the presentation even better.
Using OpenID to make Electronic Identity Verification More Convenient (Dr Kevin Cox, Founder and CTO, Edentity Identification Services)
- Overview of OpenID, OAuth and UMA standards.
- Was not presented due to earlier presentations running over time.
Panel Session: How long should an electronic verification be valid? (Moderator: Philip Joe-Low; Panel: Dr Kevin Cox, Tom O'Callaghan, Aub Chapman)
- This session was held in Sydney only
- An Australian passport can be used as a means of identity verification up to 2 yrs after it has expired
- Telephone number is becoming less appropriate for EV as mobile phone numbers are not necessarily listed in online or printed directories. The increasing mobility of the population is also a factor.
- Similar comments were made around the continued relevance of street address, as more correspondence is online.
- Small data sources for EV are not necessarily bad. Successful validation can be a strong statement as there is greater likelihood that there is a strong relationship with the organization.
- Historical data sources, such as history of an individual's residential addresses can be good too. A counter example of a long running identity fraud was offered based on experience within one of Australia's welfare agencies.
- The sections of the Anti-Money Laundering and Counter-Terrorism Financing Act (2006) that deal with electronic verification were written before EV was commonplace. That section of the act was written to be deliberately technology neutral, but as a consequence it perhaps needs rework given the advances in the use of EV.
Reviewing the National Certificate Validation Service "CertValid" (Anne Wooding Giles, Acting Registrar Identity Security, NSW Registry of Births, Deaths and Marriages)
- This session was held in Sydney only
- NSW Registry hosts this service on behalf of equivalent agencies from other states
- Birth certificates in NSW now contain a unique identifier on the certificate paper itself, as well as the birth certificate identifier itself. So if a particular birth certificate is lost/stolen and re-issued, the original certificate, if presented later, can be recognised as no longer current
Managing Identity in the Cloud (Me)
One interesting question from the audience was around the relationship between Cloud Computing and the design pattern of Primary / Disaster Recovery sites in on-premise hosting. Redundancy and failover remain important of course. DR and multi-site capabilities should definitely be considered when evaluating Cloud providers. I was also asked who coined the term 'cloud computing'. This was something I did not know, but Wikipedia's article suggests:
The actual term "cloud" borrows from telephony in that telecommunications companies, who until the 1990s primarily offered dedicated point-to-point data circuits, began offering Virtual Private Network (VPN) services with comparable quality of service but at a much lower cost. By switching traffic to balance utilization as they saw fit, they were able to utilize their overall network bandwidth more effectively. The cloud symbol was used to denote the demarcation point between that which was the responsibility of the provider from that of the user. Cloud computing extends this boundary to cover servers as well as the network infrastructure. The first scholarly use of the term “cloud computing” was in a 1997 lecture by Ramnath Chellappa.
One of the EV vendors in the room also mentioned that they host in a public cloud now. It's worth noting that the EV vendor is an information broker, and the identity data stores remain with the government and other agencies that are the authoritative sources of that information. Some of the benefits of hosting in a cloud that I spoke of during my session were evident to this particular EV vendor. It's always nice to receive evidence based feedback like this, whether it completely agrees with my assertions or not.