Smartcards, digital identity and black holes
A presentation to the 5th Annual Smartcard Summit, Canberra, October 2009.
Abstract
Recent history shows it is difficult to discuss digital identity, authentication and smartcards without being drawn into the black hole of an identity card. This presentation is chiefly concerned with breaking the nexus between smartcards and ID cards. Plenty of other commentators have questioned the fundamental needs for identity cards. Here we’ll come at the issue from the other side: what good is smartcard technology in online security and privacy? And how do we design smartcard systems to avoid creating a new ID card by default?
We do a good job today of identifying people. In a few cases like banking, identification is regulated. But for the most part, identification is a local issue. Most business transactions are based on specific qualifications and credentials. The rules are not worked out centrally, but vary from one sector to another. Different identities apply in different contexts, such as when a lawyer signs off on a piece of conveyancing, or when a doctor signs a prescription, or when a customer signs a credit card purchase. A small business owner might have her personal and business bank accounts with the same institution, but she exercises different identities (that is, distinct cards and accounts) when she does business banking and personal banking. In the real world, all these different identities are well managed.
The pressing problem in cyber security is to be able to use real-world identities online, without fear of theft, cloning, replay attack and impersonation.