e-Identity - How concerned are You really about privacy?

(Picture from PRISE showing multiple identities for 'John')

This morning the Danish Radio had a new story about the long-delayed travel card, which will provide train and bus passengers with a contact-less card instead of old tickets. The card itself is a bit of a problem as it has been delayed for several years (In spite of other countries that have implemented similar things years ago – Oyster Card in UK was launched in 1999) – but the issue was that the passengers are requested to identify themselves with the personal registration number to get a standard travel card. The card issuer – rejsekort.dk – at their websites explains that this is because it is a personal token, if you want an anonymized version, which you can use between yourself and your friends and family, you will have to pay extra. Also pensioners and students will have to have a personal photo on the card to ensure nobody is getting a discount they are not entitled to. Further the travel card requires that you link it to your bank account via the Dankort, but claims that this is only used when you are re-filling the card, that is, paying money for your upcoming trips. The identity data kept by the rejsekort-organisation is' stored safely at a central database' and access to this is only granted to 'rejsekort.dk and it's business partners'. Partners include a number of bus companies, Danish Railroads and others. And even if you cancel the card 'the data logged describing your trips will be kept for 6 months to analyze travel patterns or as a proof if disputes should arise.' And rejsekort.dk further guarantees that they will stick with the Danish legislation on privacy. (The web page is not even in English, sorry!)

I immediately came to think about this as yet another proof that the Danish population indeed are the most happy people in the World and they have a firm trust in their government as well as in semi-governmental institutions and that nobody will even consider complaining about it, while in other countries this would have aroused protests, strikes and boycotts. (UK, Germany, US ..)

After my participation in the meeting on 'the Internet of Things' it is obvious, that this kind of infrastructure and the logging of the use of it is yet another example of 'Function Creep' in the use of what seems to be an innocent way of identifying persons, the CPR-no. Yet this number and the accompanying name, address and maybe photo may be another source for new ways of identity theft and also a new way of getting money out of people's bank accounts.

In most other European countries the attitude of the citizens would have prevented a thing like this. We have even had several EU-sponsored studies that have been dealing with the concept of having multiple, secure identities, that any citizen has a need to change the e-ID over a life time and across the various sub-domains, where she/he may need an identity. In Denmark we are simply blind to the risks, because we take for granted, that we have secure banks, that our salary system with our employees are safe, that our pension funds are safe so that for instance the tax system works almost without any input from the tax payer, it is close to 'hands free' and has been for some years. Try to explain an Italian why the Government ID should be used for your employer before you can get your salary, or in UK why the insurance company should use the same identifier as you use to receive your social benefits.

This difference in attitudes is also visible in other areas: Denmark has a higher number of CCTV's pr. Capita than any other country in Europe, even including UK. Yet the general attitude is that 'It doesn't matter as long as you have nothing to hide'. But if you look at all the apps for the iPhone or Android that with or without your knowledge register your whereabouts at any given time, the growth of CRM systems capability and tools for analyzing vast amounts of data (Ref. The 'Watson machine' by IBM) then it would become clear, that you need to strengthen the control with who is actually gathering data, what data they gather, how it is protected and how this relates to your 'official e-identity' or is a sub-ID created for just the purpose, for which the data is gathered.

These concerns are getting more weight as hackers, spoofers, fishing attacks etc. are gaining momentum and as more citizens are being exposed to data thefts, not to mention identity thefts.

As I have mentioned other places, the PRISE (Privacy-Security) project funded by EU ended up by a number of recommendations as did the PRIME, later PRIMElife project, that developed prototypes and methods to demonstrate how multiple, yet consistent identities could be maintained and still remain under the user's control. As is clear from the picture above, most people have different identities, and even public ID's need to be changed as technology progresses and as decryption and new, powerful computers demand upgrades of security. But still, an individual will like to shield parts of her/his life from others: Multiple facebook identities? One entity for gmail, one for company correspondence and one for friends and family, one identity and network for people sharing your hobbies etc. If you combine this view with the 'Internet of Things', gadgets, that may or may not contain data about your behavior, whereabouts, messages, pictures etc., then it becomes obvious that whether you trust your government or not, it may not be the brightest idea to use the same, basic and omni-potent e-Identity everywhere you go.

Already in 2005, Kim Cameron developed what he called 'The Laws of Identity', which described the fundamental laws, that any identity management system would have to obey if it should work across domains and survive for a prolonged time. He suggested the following laws:

1. Technical identity systems must only reveal information identifying a user with the user's consent

2. The solution which discloses the least amount of identifying information and best limits its use is the most stable long term solution

3. Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship

4. A universal identity system must support both 'omni-directional' identifiers for use by public entities and 'unidirectional' identifiers for use by private entities

5. A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers

6. The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambigous human-machine communication mechanisms offering protection against identity attacks

7. The unifying identity metasystem must guranatee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.

These criteria were put to a test by PRIME and later by PRIMElife, that made some exceptional demonstrators to prove the feasibility of these principles.

Also ENISA focused on this topic in the report on 'Managing Multiple Identities' which contains a realm of references to other relevant EU studies on this and corresponding issues.

As EU is now moving on to look into further use of cross-border identities it becomes clear that solutions like this are needed, as countries like Denmark cannot continue to be like the sleeping beauty hiding behind a wall of roses, we need to confront the Nordic faithful citizen with the skeptics of UK and non-believers of benevolent government in other countries. We have to help the Danish citizen with a simple, yet consistent way of controlling her/his own data (law no. 7) which will help us to travel across Europe, get our Government services - like pension, social benefits, while studying abroad - or help us with our medical and health record if we by accident or deliberately turn to hospitals in other European countries to assist us. The days of a magnetic strip card are long past, and while we are waiting for a more intelligent Danish ID-card that the semi-paper based NemID, we need to think out of the box and more important, actively participate in the projects that intend to offer capabilities to use and re-use eID's acroos borders. (See for instance the STORK project based on the idea of the European Interoperability Framework)

Security& privacy in biometrics – how do we ensure proportionality ?

A basic principle in the current European Data Protection Act is to ensure proportionality between the level and amount of personal identifiable data, that you have to reveal to identify yourself has to be proportional to the risk and danger incurred if the identity is faked or stolen.

The recent years have seen a growth in tools for identification, mainly in the biometric area, that has led to the risk of 'overreacting' using easy biometrics where lesser level of authentication could have been used. One of the latest strange cases from Denmark is a night club, that has been allowed by the data protection agency to take customers fingerprints at the entrance as a means to secure against violent behavior. Horror examples of major collection of biometric data is of course U K's collection of DNA profiles for children, a practice that was started 5 or 6 years ago.

The risks involved are related to the kind of threat you are trying to prevent: Do we need the security tool to reveal the identity and all related information? This may be the case if we have a strong suspicion that a person is directly related in crime or an act of terror. Or do we only need to know if a person is 18 years old so it is legal to sell alcohol to him/her? Similarly, within the health area a nurse and a doctor do not need to have full access to a patients medical record if he has lost his consciousness and need a blood transfusion, only the key information of blood type and current medication.

So the use of biometrics in itself is one dimension of the game - and the other dimension is what the biometric identification gives access to reveal of PII – Personally Identifiable Information - at the same time or as a consequence of using the biometrics.

The first question of proportionality is then solely related to the 'strength' of the biometric method used. A weak solution is a quick, convenient solution which is non-intrusive, non-incriminating and non-discriminating in regard to civil rights and color of skin, sex, race and religion. For this purpose simple biometrics like a signature (Analog or digitized) may be better than a fingerprint ( traditional, optical electronic scanning using a template to generate a simple bit stream) - because fingerprints may be seen as incriminating, offensive, police-like. while a face recognition reveals race, color of skin and maybe sex, and thus does not meet the other criteria.

Signatures may be faked, fingerprints (simple fingerprints) can be stolen – in bizarre cases it has been seen that criminals have cut off fingers of owners of Mercedes 300S cars to break the fingerprint starting mechanism. (This risk is probably less in Northern Europe, though.) Or it may be difficult to read the results properly.

When stronger proof is needed, it is acceptable to rely on methods with higher reliability – like the thermal scanning of fingerprints, that measures the distance from the underlying blood, revealing riffs and valleys, again to be transformed by fast fourier transformation to a template consisting of 0's and 1's. This prevents the use of faked fingerprints copied on a strip of tape – and even the rough case of cutting off Mercedes' owner's finger –( presumably the blood has stopped circulating – so no heat difference). Also Iris recognition has been suggested, whereas 3D face recognition at this point still has a higher rate of errors. It has been suggested to use at least 2 types of biometry, like the US border control where you combine fingerprints with face recognition.
In any case the reliability of the identification methodology applied in every case has to discussed and explained before any solution is deployed. (See article about reliability)

It may be OK under well-defined circumstances to use higher level of trusted biometrics, even if they are not 100% proof. The second dimension of the question than is what other PII is stored with the template or the face geometry is stored and how these data are protected. This is a question of data stewardship and again should be in proportion to the use of the data. Taking the example from the Danish night club that has been granted permission to store peoples' fingerprints, these should definitely not be store with any other information than the purpose: Is this guy know to have a tendency to quarrel – NOT his name, address etc. Even if this is kept using cryptography, it is not in proportion to the use of the biometric data.

Other types of biometrics are recognition of moving patterns, voice recognition, pattern of the veins, retina scan – and of course DNA. Whereas the failure rate (both positive and negative) of the first 2 of these types are still relatively high, the 3 other may reveal unwarranted additional details of the health situation of the individual, hence these items should only be used for forensic purposes and not just collected arbitrarily or even – as in the UK DNA case – systematically.

An important aspect of using Biometrics is also how it will be possible to revoke or change the biometrics as the person changes. Whereas fingerprints remain stable for a longer period in life, face geometry changes a lot from childhood to old age, so does walking patterns, voice. And people do have cosmetic operations in their faces, accidents may change the looks and behavior so any system based on biometrics should have a way to allow for changes of this kind and it should be possible to revoke biometrics.

But as the technology improves and computing power is increasing, one solution which could use biometrics and at the same time prevent the data from occurring in the open space or being communicated could be to have an ID card with a number of different domains, each holding the relevant information linked to the person: one domain simply stating the age, another for the bank including bank account numbers, one for driving license use, one for medical/health care use, one for insurance use, one for credit cards, one for public identification purposes.
If this identity card can be activated by a fingerprint reader plus a pin code, the citizen could then select exactly how much PII he wants to reveal in the situation. This is in line with the PrimeLife recommendations from IBM Zürich Lab, that has just got the German award for forward think identity management solution. This type of solution has the advantage that the user is in full control and that no central database is required for the biometric data.

In a few days I will discuss the use of video surveillance, what we know about it as a crime prevention tool and what may be a more intelligent way of using it.