Calling for verifiable credentials

The best time to introduce verifiable credentials to make people safe against data breaches would have been 2004 when Microsoft introduced smartcard authentication to all its office and internet products.

The second best time is now.

Cybercrime Inquiry 2009

In 2009, Lockstep made a detailed submission (PDF) to the House of Representatives Standing Committee on Communications launched its Inquiry into Cyber Crime, concentrating on the need for better protection of digital identities. I argued that smartcards and the like [that is, smart phones] have unique potential and yet attract undue anxiety, and I canvassed ways to reduce the political risks.

The techniques I referred to then are now known as verifiable credentials.

Committee Hearing appearance

On 9 Oct 2009, I testified at the Inquiry hearings in Sydney. The Hansard transcript of the hearing is available here.

I testified that ‘We take a lot more care with car keys than digital identity. Electronic services are still very timid about authentication. Convenience trumps all else. [So now] cost of ID fraud every year far exceeds the cost of car theft.’

Other topics covered during my appearance included the limitations of biometrics in the cybercrime context, overseas learnings from programs such as Estonia’s multi-function smartcard, the risks of not using intelligence authentication to safeguard health identifiers, and the parallels between smartcards and SIM cards which make very few people anxious.

Highlights from Lockstep’s written submission

“It is no exaggeration to characterise the theft of personal information as epidemic. Personal information in digital form is the lifeblood of banking and payments, government services, healthcare, a great deal of retail commerce, and entertainment. But personal records―especially digital identities―are stolen in the millions by organised criminals, to appropriate enormous financial assets, as well as the fast growing intangible assets of ‘digital natives’.

“Credit card fraud over the Internet is the model cyber crime. Childs play to perpetrate, and fuelled by a thriving black market in stolen details, online card fraud represents 50% of all card fraud, is growing at 50% p.a., and cost A$71 million in 2008. The importance of this crime goes beyond the gross losses, for some of the proceeds are going to fund terrorism, as recently
acknowledged by the US Homeland Security Committee.”

“[the] most recent cyber criminal attacks show that even if consumers do their best online, their personal details can still be taken over in massive raids on merchant databases.”

“Stolen identity data is traded on a thriving black market, and used in a range of criminal enterprises including terrorism. The most overt
identity crime is Card Not Present (CNP) payment fraud, where stolen account details are replayed against unsuspecting e-merchants.”

“We submit that the most important new technology for preventing digital identity theft and therefore cyber crime in general is to be found in smartcards and related intelligent personal authentication devices such as smart phones …”

“Smartcards [or smart phones] can be used by individuals as secure “containers” to hold one or more personal identifiers, pseudonyms, log-on credentials and so on. When accessing a particular service, the card can work out precisely which identifying information is relevant in that context; the card will then release just the right amount of information to authenticate the user, and no more. Controlling the release of identity information is an important key to privacy, and limits exposure of personal data to identity thieves.”

“Please note carefully that what we propose is that Australia can implement digital identity security measures nationally without any semblance of a national identity system. To avoid a national identity, intelligent technologies should be deployed according to principles such as:

  • existing purpose-specific identifiers and relationships with service providers should be preserved
  • different digital identities should be dedicated to banking, commerce, healthcare, government …
  • no new multi-purpose identifiers need be created
  • businesses and agencies should remain autonomous in how they transact with users
  • no new central registries are necessary to improve the pedigree of digital identities”