Submission
31 July 2006
Health and Social Services "Access Card"
Below is EFA's submission to the DHS Access Card Consumer and Privacy Taskforce in response to their Discussion Paper No. 1 on the Australian Government Health and Social Services "Access Card".
Contents:
- Executive Summary
- Introduction
- A National Identity Card
- Centralised Database and Single Identity Document
- Function Creep
- Establishing Benefits to Consumers
- The Question of Balance
- Establishing Prevention of Fraud
- Alternative Means of Improving DHS Systems and Service Delivery
- Responses to Discussion Paper Questions
- Recommendations
- References
- About EFA
1. Executive Summary
- EFA is deeply concerned by the planned rollout of a so-called Access Card smart card linked to a centralised database containing identification, and other, information about almost every adult Australian and Australian residents.
- EFA is highly concerned by the government's failure to provide adequate and clear information about the card and associated systems to enable informed public consideration and debate.
- Although the KPMG 'business case' document was eventually made publicly available, it is of great concern that it has been heavily censored by the government, resulting in a document that asserts, but does not demonstrate, that a business case exists. It is of further concern that information concerning the technological architecture of the planned system has also been deleted.
- The government's refusal to make available the Privacy Impact Assessment, that was based on the same model as the KPMG document, suggests that it would have revealed that the proposed system entails a high level of risk to individuals' security and privacy.
- On the basis of information made available to date, EFA recommends that Australians reject the so-called Access Card and related centralised database for substantially the same reasons as the Australia Card was rejected.
- EFA is not opposed, in principle, to the issue of smartcards by government agencies. Our position on use of smartcards depends on the particular model, after taking into consideration a range of matters including whether or not the model is appropriately adapted to serve a legitimate and justified purpose. The currently planned Access Card system does not pass this test.
- EFA rejects the notion that the planned card is not an ID Card. On the basis of information made available to date, it is clear that the primary purpose of the card is to prove one's identity. All indications are that the card will also be, or be extremely likely to become, a "national identity card".
- The Access Card system poses the same risk of increased identity fraud as a national identity card because it involves centralising all personal information on one database and issuing a single form of identification.
- The proposal is flawed because it produces a "honeypot effect" - a highly attractive and richly rewarding single target for criminals engaged in identity theft.
- EFA believes that, consistent with fundamental privacy principles, personal information should only be accessed and used for purposes directly related to the purpose for which the subject individual provided the information. Accordingly, law enforcement agencies should have no access except for the purpose of investigation of offences directly related to use of a card, that is, fraudulent use of a card and fraudulently obtaining benefits.
- EFA is adamantly opposed to the introduction of an effectively compulsory government issued card with inbuilt capacity for function creep.
- EFA considers that benefits of the Access Card to consumers have not been identified, particularly the 5.5 million consumers who are Medicare-only clients.
- EFA submits that the Government has not discharged the onus of proving that there will be an overwhelming public benefit in the form of a substantial reduction in fraud to justify private rights being eroded.
- EFA is concerned that the use of a photograph on the proposed card will facilitate its use as proof of identity in situations where there is no means of electronically ensuring that that card is not a fake.
- The government has failed to prove its case that substantial welfare fraud will be defeated by the introduction of the card, and some of the claimed benefits in this area cannot be sustained.
- The KPMG report failed to consider the option of separate cards for health services and welfare services, which in EFA's view poses far less risk to privacy and security.
- EFA does not support mandatory cards. People should still have the right to choose to provide other methods of identification.
- EFA opposes the plan to collect and store biometric information, on the grounds that the technology is not accurate and the need to store facial templates and photographs in a government database unjustifiably increases security and privacy risks.
- The existing Privacy Act is totally inadequate for dealing with the privacy risks and issues raised by the planned Access Card system.
- EFA is of the view that members of the public should have a choice about whether or not they wish to have a photograph on the card, and a digitized copy of that photograph stored centrally.
- The government needs to provide detailed technical information about the operation of the chip, and PIN access capabilities available to various officials and government agencies, before any judgement can be made about likely risks to security and privacy arising from the use of a chip.
- EFA considers that the the public has cause for concern about the number of public officials who would have access to the information on centralised databases.
2. Introduction
01. EFA is deeply concerned by the planned rollout of a so-called Access Card smart card linked to a centralised database containing identification, and other, information about almost every adult Australian and Australian residents.
02. While Government representatives have been at pains to argue that the so-called Access Card is not an ID card, our analysis of the Department of Human Services ("DHS") 2006 Budget documents[1] and the (censored) KPMG Access Card Business Case document[2] reveals that the planned card/system is almost identical to the Australia Card rejected by the Australian public. Further, the so-called Access Card/system is even more dangerous to individuals' security and privacy than was the Australia Card due, in part, to the planned use of a multi-purpose smart card electronically linked to a centralised database.
03. Government claims that the Access Card is not an ID Card are in our view an implementation of "the Goebbels technique" referred to by Prime Minister John Howard during the Australia Card debate:
"...the Goebbels technique - that is, if one says something that is untrue frequently enough, sooner or later the public will start to believe it. That is what the Government has been doing on every single public issue of any controversy. The ID card issue has been no exception."
(The Hon John Howard MP, Australia Card Bill 1986: Second Reading, House of Representatives Hansard, 16 September 1987[3])
04. EFA is highly concerned by the government's failure to provide adequate, and clear, information about the card and associated system to enable informed public consideration and debate. Information made available to date has in many instances been contradictory, and/or has indicated components that are likely to be impractical and/or unworkable in the overall context. Although the KPMG 'business case' document was eventually made publicly available, it is of high concern that it has been heavily censored by the government, resulting in a document that asserts, but does not demonstrate, that a business case exists. Moreover, sections that would be of particular interest to EFA, concerning the technological architecture of the planned system, have also been deleted. Such information is critical to the question of whether the public will be able to trust the system to secure and protect their personal information. The deletion of those sections suggests they contained information that would increase public concern about the risks posed by planned system. Similarly, the government's refusal to make available the Privacy Impact Assessment that was based on the same model as the KPMG document, indicates that it would have revealed that the proposed system entails a high level of risk to individuals' security and privacy.
05. EFA shares the following view expressed by John Howard during the Australia Card debate:
"...On each and every occasion it is a question of balancing the public interest against the private right. ...I start from the assumption that the private right is superior to the right of the state. That must always be the starting assumption. Anybody who seeks to erode the private right must carry the onus of proving that there is an overwhelming public benefit in that private right being eroded. It is just not good enough, as this proposal assumes, to say to a government, 'We have a problem. We cannot collect enough tax', or 'We cannot stop enough welfare cheating'. In other words, to use what will become a memorable phrase of the Minister for Transport and Communications (Senator Gareth Evans), we have a systems failure under the present system so we have to turn everybody into a card subject to deal with that systems failure."
(The Hon John Howard MP, Australia Card Bill 1986: Second Reading, House of Representatives Hansard, 16 September 1987[4])
06. In the case of the Access Card-ID Card, publicly issued documents make clear that the Department of Human Services has (more than one) systems failure and so the Government intends to turn everybody into a card subject. However, government issued documents do not show, let alone prove, that there is an overwhelming public benefit in the private right being eroded, nor that the system failures can or will be solved by the planned system without resulting in more problems requiring further unjustifiable erosion of individuals' security and privacy rights. Indeed, any information that might have been in the KPMG document concerning how turning everyone into an identity card subject would reduce welfare fraud has been deleted. EFA believes this is because the vast majority of welfare fraud is of a type that will not be impacted by turning people into card subjects connected to a back-end centralised identity database.
07. On the basis of information made available to date, EFA recommends that Australians reject the so-called Access Card and related centralised database for substantially the same reasons as the Australia Card was rejected. The Access Card-ID Card system poses greater risks to security and privacy than did the Australia Card proposal and will not prevent welfare fraud any more than the Australia Card might have done.
08. EFA is not opposed, in principle, to the issue of smartcards by government agencies. Our position on use of smartcards depends on the particular model, after taking into consideration a range of matters including whether or not the model is appropriately adapted to serve a legitimate and justified purpose. The currently planned Access Card system does not pass this test.
3. A National Identity Card
09. According to the Taskforce Discussion Paper[5]:
"A national identity card system would include the aspects of its being compulsory, producible on demand by certain authorities, a requirement for people to carry it at all times, its linkage with a unique identifying number and the fact that it is the sole form of identification recognised by Government authorities."
10. The above definition of a "national identity card" shows that the so-called Access Card has almost all the hallmarks of a national identity card. The card will be "producible on demand by certain authorities" (at the least, DHS personnel); it will be linked "with a unique identifying number"; and it will be the "sole form of identification recognised by Government authorities" (e.g. at the least DHS, and possibly some State/Territory Government agencies).
11. The so-called Access Card will in effect be compulsory because without that card the Government will refuse to pay Medicare refunds and welfare benefits to persons who would otherwise be (and are currently) entitled to receive such payments. Hence it is ingenuous to claim that the card is "voluntary", or that people have a voluntary choice about whether or not to claim such payments, especially in the case of taxpayers who do not have a choice about paying tax to fund Medicare refunds and welfare benefits, nor about whether they pay the additional special Medicare levy/tax when their annual income is above a specified amount.
12. Insofar as the criteria of "a requirement for people to carry it at all times" is concerned, no such requirement was planned to apply to the Australia Card but Australians plainly considered that card to be a national identity card.
13. EFA rejects the notion that the planned card is not an ID Card. On the basis of information made available to date, it is clear that the primary purpose of the card is to prove one's identity. All indications are that the card will also be, or be extremely likely to become, a "national identity card".
... It becomes important to ensure that the health and social services access card does not become, now, or in the future, a national identity card by any other name. ...What are the best administrative, legislative or technological guarantees which can be put in place to prevent this from happening?
14. There are no administrative, legislative or technological means of ensuring the currently planned card will not be, or become, a national identity card by any other name. The only means of ensuring that the planned card does not become a national identity card is to abolish the current plan. The government should go back to the drawing board and design system/s to resolve the system failures within DHS instead of introducing a card with all the components of an identity card linked to a centralised national identity database.
4. Centralised Database and Single Identity Document
4.1 Increasing the Risk of Identity Theft and Fraud
15. Whether or not one considers the so-called Access Card system to be a national identity card system, the Access Card system poses the same risk of increased fraud, including identity fraud, and identity theft because it involves centralising all personal information on one database and issuing a single form of identification to replace the existing health services card (Medicare) and the existing welfare and social service cards (Centrelink and Department of Veterans' Affairs). An unprecedented amount of personal information about some 18 million Australians will be placed in one centralised database and people will be issued with a single form of identification required to be used to prove identity in order to obtain Federal and State/Territory Government benefits and services and that may also be voluntarily used to prove identity to businesses.
16. Such a plan is fundamentally flawed because it produces a "honeypot effect" - a highly attractive and richly rewarding target for criminals[6]. Instead of needing to gain entry to a number of databases containing identity information and produce fake copies of a number of identity documents, there is a single target. That such centralisation is likely to increase identity theft and fraud has previously been pointed out by the Federal Attorney General:
"There have been recent suggestions in the media that the Government is going to introduce a national identity card.
I can assure you that this is not the case.
We do not support the approach where all personal information is centralised on one database, and a single form of identification is issued.
This could increase the risk of fraud because only one document would need to be counterfeited to establish identity.
Instead, we support the use of a range of acceptable documents, with the ability to verify those documents quickly and simply.
This approach strengthens our proof of identity process and mitigates the risk of identity fraud."
(Philip Ruddock, Attorney-General, Opening Keynote Address to Australian Smart Cards Summit 2005, 29 June 2005[7])
17. The Age reported similar warnings by Justice Minister Chris Ellison:
"Private ministerial correspondence obtained by The Age reveals that a week after the bombings, when Mr Howard called for ID cards to be considered as a possible way to improve Australia's security, Justice Minister Chris Ellison wrote that they would 'pose a number of security and privacy problems'.'The Government does not believe a national identity card is the best way to increase the security of all Australians,' Senator Ellison wrote in two letters to members of the public.
'A national identity card could also increase the risk of identity theft, as only one document would have to be counterfeited. A single database containing everyone's personal details would also be at risk from hackers, no matter how well it was secured.' "
(Cabinet split over ID security[8], Richard Baker, The Age, 22 April 2006)
18. In addition, the Minister for Human Services, Joe Hockey, admitted on PM, ABC Radio, 27 April 2006[9], that the government cannot guarantee security of personal information:
"MARK COLVIN: We live in an era of hacking. How are you going to be sure that people's data can't be hacked into?
JOE HOCKEY: Oh, look, Mark, I mean, there is no guarantee against any hacking, and I'd be foolish to suggest there is."
19. Obviously the risk of hacking applies to both the centralised database and the chip on the card.
20. Furthermore, in relation to the security of information on the chip in card, it is of concern that this will be expected to have a life of seven years before card replacement. As the the SmartCard Alliance, an industry group, points out:
"Smart cards are tamper resistant and NOT tamper proof. When implementing any system that uses smart cards, the designer must ensure that every link in the security chain is 'secure enough' when comparing the risks of compromise versus the costs to secure. It is a balancing act that every designer faces.
...
An important benefit of smart card technology is that it includes a renewable security element. If appropriately used, smart cards can change their cryptographic keys and/or algorithms as required. For instance, if a particular cryptographic algorithm is compromised one day, then a back up algorithm in the card could be activated. Another point to remember is that smart cards typically carry some company logo or brand and, for marketing reasons, they are replaced every 2 to 3 years. During this renewal process, new countermeasures can be designed in."
http://www.smartcardalliance.org/industry_info/security.cfm[10]
21. Obviously in the case of smart card that is not to be replaced for seven years, there will be less opportunity for new countermeasures to be designed in.
22. We are aware that some proponents of the Access Card contend that there is no security or privacy problem in relation to the chip because it is claimed the mandatory information on the chip will be the same as information on some other cards people have. However, the fact that some other cards, such as Drivers Licences, have address and date of birth on them without security protection, does not justify the introduction of yet another card with such information included in a way that cannot be guaranteed to be secure and private. One would hope that such existing cards will be replaced with appropriately designed and fit for purpose cards that disclose less personal information. EFA sees no justification whatsoever for address, date of birth, signature, photo, etc, to be mandatorily included on the face of, or in the chip on, a so-called Access Card.
4.2 Access to the Centralised Database
23. According to the Discussion Paper:
"It would be unrealistic not to recognise that law enforcement and national security services may have cause to seek authorised access to the SCRS including its biometric components. However, if there is to be public support for and trust in the new access card system, then those rights of access must be clearly stated pursuant to statute and subject to independent oversight. This is clearly already the case as far as federal law enforcement and national security services are concerned-they operate under their respective statutes and they are subject to independent monitoring. The Taskforce understands that there are no proposals being considered by the Government to vary any of the procedures which are now in place to deal with any such requests that may be made."
24. EFA does not accept that it is unrealistic to expect that access to data provided compulsorily to a centralised government database be restricted to authorised DHS agency personnel. Consistent with fundamental privacy principles, personal information should only be accessed and used for purposes directly related to the purpose for which the subject individual provided the information. Accordingly, law enforcement agencies should have no access except for the purpose of investigation of offences directly related to use of a card, that is, fraudulent use of a card and fraudulently obtaining benefits.
25. If the Government wishes to have a national identity database accessible by law enforcement authorities, it should rename the Access Card to "Australia Card Mark II" and facilitate a properly informed parliamentary and public debate about such a proposal.
5. Function Creep
26. The Taskforce Discussion Paper strongly indicates that the card/system will be designed to facilitate function creep, that is, so that it can evolve or morph over time to serve quite different purposes and usages from the originally stated purpose. Further, according to the Discussion Paper:
"The issue is not whether additional functions could develop for the access card, but the means by which any such additional functions should be considered and decided: by stealth, by incremental function creep or by a process of open and public debate."
27. EFA does not agree with the above. We are adamantly opposed to the introduction of an, in effect, compulsory government issued Access Card-ID Card with inbuilt capacity for function creep. The issue is not the means by which function creep should be allowed, but whether there is any means by which function creep could be prevented.
28. Additional purposes and uses for a government issued smart card have already been proposed, including but not limited to:
- 26 May 2004: Advance Australia card[11], The Bulletin.
- "Peter Solomon, the head of a company pioneering smart-chip technology in passports and a former senior Liberal who helped preselect John Howard for the seat of Bennelong 30 years ago, has told The Bulletin ...
...
According to Solomon, an Australian ID card will also be implemented in stages over the next few years, beginning with the introduction of a new health card capitalising on the revolution in smart card technology. ...
Solomon...adds: 'Once we have the health card in place, we can add Medicare details, tax file number, driver's licence and police data, superannuation details, all aspects of social security - the basis of a truly multifunction card.' ..."- 11 Nov 2004: Smart card push to ensure welfare's not wasted, Belinda Hickman, The Australian.
- "Smart cards that link welfare payments to the purchase of clothing, electricity or food are being considered by Aboriginal leaders, and could be available within 12 months with sufficient government support."
- 12 Nov 2004: Welfare plan reeks of 'apartheid'[12], Mark Metherell, Sydney Morning Herald.
- "Among proposals put forward in a confidential cabinet paper were that parenting payments be conditional on children attending school and receiving health checks, and the introduction of smart cards that prevent the use of government benefit payments to buy alcohol."
- 24 Jan 2005: Tackling tax and welfare, The Gold Coast Bulletin.
- "Yesterday the Federal Member for Moncrieff, Steve Ciobo, outlined his bold and controversial blueprint for redrawing Australia's welfare system including 'smart cards' in lieu of payments. Here is an edited version of his speech to the Federal Young Liberal Convention in Tasmania
...
Today I, and others in the Coalition, are steeled in our resolve to have wide ranging tax and welfare reform introduced in this new Parliament so future generations of Australians can better enjoy the spoils of their enterprise and recognise their responsibility for self sufficiency.
...payments would be via a rechargeable smart card, less a small proportion which would continue to be credited to the recipient's bank account. This smart card would then permit the recipient to still continue to have purchasing choices, constrained however, by not having access to cash withdrawals or to certain facilities and stores, for example casinos, electronic gaming machines in pubs and clubs etc. Additionally, there could be provision for apportioned credit on the smart card if appropriate - for example, amounts reserved for utilities and groceries and the like.
...
Over time, if successful, this model may also have application to recipients of single parent payments once the recipient's youngest child attains school age. ..."- 12 May 2006: Commercial access on the cards[13], James Riley, The Australian.
- "Minister Joe Hockey's Human Services department also said the smart card could be used in future to allow welfare payments to carry restrictions, such as allowing the purchase of groceries, but not cigarettes or alcohol."
- 2 June 2006: Child ID cards in swipe at fraud[14], Stephanie Peatling, Sydney Morning Herald.
- "Every child will be tracked through the child-care system, allowing the Federal Government to simultaneously map places and shortages and crack down on fraud.
Within two years parents will be issued either swipe cards or PINs. These will allow their children to clock in and out of child-care centres in a policy given '100 per cent cabinet support', government sources said. ...
It has not yet been decided if this will be done through the welfare smart card formally announced this month, which the Government eventually wants to use to administer all its payments."
29. EFA believes the above are highly publicly controversial. However, once the infrastructure of the planned Access Card-ID Card is in place, it would be even easier for the Government, and/or government agencies, to introduce additional uses and purposes notwithstanding widespread public opposition. Additional applications and data could simply be automatically loaded onto a person's smart card by the back-end system when it is placed in a card reader connected to the back-end system, e.g. at a pharmacy, doctor's surgery, DHS agency office, etc.
30. Hence, EFA is of the view that any compulsory government-issued smart card must be designed with prevention of function creep built in, in order to minimise the potential for function creep without the opportunity for prior parliamentary and public consideration and debate.
6. Establishing Benefits to Consumers
31. The Discussion Paper states:
"The Government states that its access card places the highest priority on providing benefits to consumers by upgrading the level of services which they receive as a result of introducing improvements in technology.
...
However where the Government claims that the access card will benefit consumers, then this is a matter to be tested. The question of exactly how consumers will benefit needs to be addressed, and in this respect the Taskforce expects its views to be largely shaped by the submissions which it receives from consumer and advocacy groups and from individuals."
32. A card that would genuinely benefit "consumers" would not need to be made compulsory. Obviously if it provided benefits that individuals wished to receive, they would apply for a card without compulsion.
33. EFA has yet to hear of any benefits to "consumers" that justify the introduction of a compulsory Access Card-ID card and related national identity database. The so-called benefits mentioned in government issued documents generally refer to matters that require enhancements to government agencies back-end systems or that could be, or already are being, made available with existing technological infrastructure.
34. With regard, for example, to enabling people to view and update their own information, as the Minister stated in a speech to the National Press Club in April last year:
"Already over 500,000 Australians have registered to use Centrelink services online. They can check the timeliness of their payments, note when the next payment is due and customers can update some of their personal information. The Centrelink site is now receiving 3.3 million page hits per month but given that they deal with 1.3 million customers a week it remains a very small part of their business and it still has a long way to go.
This is simple customer communication through direction interaction. Based on projections, there will be growth over the next twelve months in the use of online services. This will result in a reduction of nearly 5 million letters over the next financial year."
(Joe Hockey, Minister for Human Services, Speech to the National Press Club, 20 April 2005[15])
35.
A long list of what people can already do/update online themselves is available on Centrelink's web site at:
http://www.centrelink.gov.au/internet/internet.nsf/online_services/index.htm[16]
36. Furthermore, as at 25 July 2006, the above page states:
"New Service: Centrelink has added a new online service which will allow you to change your address and contact details. Look for Update Your Address, Contact or Accommodation Details in the Personal Details option on this page."
37. The above new service has apparently been added since 18 May 2006, that is, after the government's budget announcement that "When the [access card] system is established people will be able to change their address online from their home computer" (DHS Access Card - Fact Sheet Technology, 9 May 2006[17]).
38. In addition, while it has been claimed that the centralised database/registration system is necessary to "ensure this basic [registration] information is kept up to date across Medicare, Centrelink and the Department of Veterans' Affairs (DVA)" (DHS Access Card - Fact Sheet Technology[18]), information subsequently revealed shows it is not necessary for that purpose:
"Geoff Leeper, deputy secretary of the Department of Human Services, said...his team had developed a website that was a single point of access for Centrelink, Medicare and child support services. It will be launched in September with features such as a single sign-on, the ability to send a change of address and circumstances notification to all three agencies at once, and a link to the tax office."
(Smartcard not so clever: fraudster[19], Nick Miller, Sydney Morning Herald, 16/5/2006)
39. While the web site facility to made available in September this year will only be useful to clients with Internet access, the ability to notify several agencies of changes depends on agencies' back-end systems and procedures. There is no obvious reason why DHS staff, e.g. telephone call centre staff, would not be able to use the same system to notify changes to several agencies on behalf of clients who telephone to advise of change, or send information by mail.
40. In short, anything that can not already be done online, or easily, is only because Centrelink and/or Medicare do not want to provide the facility, or have not yet set up their back-end systems to facilitate it. A new Access Card-ID Card is not necessary.
41. That there are few, if any, benefits to a large proportion of the population is apparent from the KPMG "business case" document. It puts forward only a very weak case (p.61) regarding alleged benefits to 8 million people (over the age of 15) who receive Centrelink payments, none of which justify a compulsory card.
42. Furthermore, the KPMG document makes abundantly clear that there is no benefit whatsoever to at least 5.5 million adults who receive no form of social security payment, that is, they are Medicare only clients (p.62). It recognises that such people "may see less value in registering, and claim that the card has little appeal for them". It also makes clear that there is no benefit to the 3.5 million people who, according to KPMG, are "highly likely" to have a current Medicare card but did not access any Medicare services in the past twelve months. The KPMG document claims that the benefit to Medicare only clients is that when they retire, or if they have a child, and then wish to access Centrelink payments, they will not be required to prove their identity to Centrelink because they will "already be in the system" (because they would have been forced to register with "the system" in order to continue to be entitled to receive Medicare payments). That a person's circumstances may change in the future does not justify compelling them to provide identity documents and other personal information to become registered in a new system, just in case they might need to access a service in the future.
43. We note that the KPMG document proposes that people "may elect not to get a smart card until such time as they want to start accessing health and social service benefits. There will be no penalty if people take this option" (end of p.62). However, the page immediately following the foregoing statement has been deleted for "cabinet in confidence reasons" (p.63). This gives rise to questions including whether there will be a penalty if people who do not need to access benefits decline to register for a smart card.
44. In addition, the KPMG case appears to have been based on insufficient facts. As one example, the KPMG document states:
"KPMG is conscious that if electronic patient claiming from medical practices is introduced, mail claiming is likely to be largely redundant." (p.44)
45. Electronic patient claiming from medical practices has been available for at least several years. The patient's Medicare card is swiped through a terminal (that appears to be an EFTPOS terminal) in the doctor's office and the patient only pays the doctor the difference between the doctor's fee and the Medicare rebate that the doctor will receive direct from Medicare. While this service is apparently not available in all medical practices, EFA considers it highly unlikely that doctors who to date have chosen not to purchase and install the existing technology/system will purchase and install the new technology/system that would be necessary if a smart card Medicare card is introduced. In any case, the introduction of a smart card may increase, rather than reduce, the amount of mail claims due to concerns about what information the chip may disclose, without the patient's knowledge and consent, when it is swiped.
7. The Question of Balance
46. The Discussion Paper states:
"Any new system such as the health and social services access card changes existing ways of doing things and alters established balances between customers and service providers.In all these circumstances there remains a clear need for competing interests such as those which may exist between privacy protection and Government efficiency, or between consumer autonomy and Government accountability to be recognised, debated and resolved.
On several occasions the Taskforce has mentioned that the Attorney General's Department is working on the development of a new document verification system. The document verification system and the access card are being developed for different purposes. However, there is great benefit to the Australian community in being able to establish questions of personal identity with the highest degree of certainty.
It must be recognised that any high level document verification system may make it particularly difficult for the most disadvantaged in our community (e.g. indigenous people, immigrants from certain countries, the homeless etc) to have their documents (if indeed they hold any) meet the tests for verification being established. Very often the provenance or physical condition of the documentation which they have in their possession will be less than optimal. Since the purpose of the access card is to improve people's ability to obtain the benefits to which they are entitled, care must be taken to balance the need for identity verification at the highest level with the possibility that this could exclude access by those most in need. This again is a matter which the Taskforce will take care to examine."
47. EFA does not agree with the Taskforce's statement that "the purpose of the access card is to improve people's ability to obtain the benefits to which they are entitled". As discussed in the previous section, to date the government has not provided any evidence that a new card/system will benefit card subjects nor improve people's ability to obtain health or social service payments to which they are already entitled. In our view, all indications are that the planned system will disadvantage the people most in need (some, perhaps many, of whom would also be issued a card containing a "low confidence POI flag" according to KPMG (p.52)) and will result in increased security and privacy risks for everyone.
48. In our view the KPMG document makes clear that the purpose of the card is to attempt to reduce fraud. This is the only reason put forward for the introduction of what is, in effect, a compulsory ID card. According to KPMG, "a sound value proposition" exists only "if it is not an option for people wishing to claim Medicare rebates, concessions and Centrelink entitlements" (p.10) because "KPMG believes any assumption about fraud savings (short or medium term) would be negated if the system were voluntary" (p.15).
49. Although KPMG contends that "fraud savings could range from at least $1.6 billion to $3 billion over a ten year period" (p.12), no information has been made publicly available to support KPMG's contention and the government has deleted relevant sections from the KPMG document.
50. In the absence of evidence that a substantial, if any, proportion of the assumed fraud savings pertain to identity fraud, EFA is not persuaded that a compulsory identity card is necessary.
8. Establishing Prevention of Fraud
51. To date, the Government has not discharged the onus of proving that there will be an overwhelming public benefit in the form of a substantial reduction in fraud to justify private rights being eroded. In fact, as detailed earlier herein, senior government ministers have acknowledged that centralisation of personal information in one database, and a single form of identification, is likely to result in increased fraud.
8.1 Identity Fraud
52. According to the government:
"The inclusion of a digital photograph on the access card will significantly enhance the identity security elements of the card, protecting the cardholder's identity and reducing opportunities for fraud. So if your card is lost or stolen it can't be used by anyone else." (Media Release, Minister for Human Services, 9 May 2006[20])
53. The above is apparently intended to prevent a person from presenting another person's e.g. Medicare card as an evidence of identity document when applying for other government services, bank accounts, credit cards, etc. EFA believes that persons who do not feel they can keep their own card secure should be entitled to voluntarily choose to have their photo on their card. A photo should not be mandatory. Further, people should have the option of having a PIN, without use of which the chip would not be able to be accessed. A PIN would serve the purpose, not only of preventing access to the information on the chip without the consent of the card subject, but would also prevent lost or stolen cards from being used by another person. Hence, there would be no need for a mandatory photo to be on the card for that purpose.
54. Furthermore, whether the use of a photograph may be effective would depend on the security elements of the card, details of which have not been made public. For example, whether the photo can be fraudulently replaced, and whether other government agencies and businesses who may accept the card as proof of identity will be able to verify that a card that looks like a so-called Access Card is not fake. Such verification would require access to the centralised government database, or would require government agencies and businesses to have card readers with government provided software installed capable of verifying that a card chip had, in fact, been issued by the government and had not been tampered with. However, there is no mention in government issued documents of the latter.
55. However, at the same time the establishment of a centralised government database containing all identity information about individuals will increase the risk of identity fraud because it produces the "honeypot effect". It will only require breach of one database to obtain all information about a person necessary to produce forged identity documents of other types.
56. The security risks inherent in a centralised government identity database are exacerbated by the government's plans to store scanned copies of key identity documents such as birth certificates which contain information often used by banks etc as a 'secret' answer. That such scanning and storage is deemed necessary makes a mockery of the (considerably more security and privacy protective) Document Verification Service ("DVS")[21] developed by the Attorney-General's Department. Moreover, the risks relate not only to the potential for the database to be hacked into by identity thieves, but also the potential for misuse of the information resulting from bribery and corruption of government staff who have access to the identity information in the database.
57. Although it is claimed by the government that the card will reduce fraud, no information has been provided as to how the Access Card-ID Card would achieve this. The "case study" on fraud in the DHS 2006 budget documents[22] states:
"Fraud is a multi-billion dollar problem in Australia and is on the increase. Australian Government health and social services fraud alone is some $2 billion annually. The media is full of cases of people who have been caught and prosecuted for various types of fraud related to health and social services benefits....[three examples allegedly reported in the media, one of which does not appear to involve a fake identity]...
With the access card, people would have to register for the card in order to claim any benefits. The registration process would require them to provide proof of their identity and would involve a photograph being taken which is stored on the front of their access card, in the chip on the card and within the secure customer registration system. The registration process will be based on the work the Government is doing to achieve nationally consistent approaches to validating a person's identity across Federal, State and Territory government agencies.
If the people in these cases had then tried to register for another card under a false identity, the registration system-and the requirement to be photographed-would have detected that they had already registered under a different name and this would then be flagged for follow up by fraud investigators."
58. However, it is not the compulsory smart card that will prevent people registering under a false identity, but a new registration system and process involving rigorous checking of key identity documents such as birth certificates that will be facilitated by the Attorney General's Department's Document Verification Service to prevent people registering with false documents or documents belonging to other people who are already registered. Presumably the DVS will be able to be used to check the validity of key identity document information already provided to DHS agencies, giving rise to questions about why it will be necessary for everyone to re-register and provide details of those same documents again.
8.2 Health and Welfare Fraud
59. Further, while the budget documents refer to three media articles, EFA has been unable to find any indication in media reports that "health and social services fraud alone is some $2 billion annually". Media reports during the past twelve months have attributed the following claims to unidentified Medicare and Centrelink personnel:
"A doctor who billed dead people is one of many ripping off taxpayers by millions of dollars, it was revealed yesterday. ...
Every year, Medicare delivers health benefits worth more than $21 billion.
Audits show about 1 per cent of those payments -- or more than $200 million -- are 'inappropriate' and are paid to people who are not entitled to them.
Of that $200 million, some is deliberate fraud."
(Doctor billed dead people - Medicare fraud cases revealed, Alison Rehn, The Daily Telegraph, 10/01/2006)
"Medicare card frauds included organised crime syndicates using cards to obtain free medical treatment, News Ltd newspapers said today. Medicare was quoted as saying that less than one per cent of the $9 billion worth of claims a year it paid out were fraudulent - equating to $90 million."
(Medicare card fraud costs $90 million a year, AAP Australian National News Wire, 24/02/2006)
"Centrelink's Tony Marcelline heads up a team of nearly 60 investigators across Australia, whose sole job is to track down the most likely people to commit fraud, investigate them and undertake surveillance.
Illegally claiming welfare benefits is becoming a growing industry.
Last year, there were nearly 3500 convictions for welfare fraud, involving more than $40 million in fraudulently obtained payments."
(Dole police wade through sea of personal files to nab cheats, Nicolette Burke, The Courier Mail, 30/09/2005)
"A group of Brisbane taxi drivers has been exposed as benefit fraudsters costing taxpayers almost $1 million a year. ...
Investigators say the Brisbane rort is part of a thriving nationwide cash economy, with fraudsters making hundreds of dollars a week in cash and then fronting up to Centrelink for unemployment payments.
It is estimated the cash economy costs the taxpayer more than $100 million annually, with investigations last year unearthing $70 million worth of unlawful Centrelink claims."
(Brakes put on taxi fraud - Centrelink bust exposes Brisbane drivers' $1m cash scam, Edmund Burke, The Sunday Mail, 11/06/2006)
60. Such figures provide no support for the contention that the much larger amount $3,000 million could be saved over ten years by the introduction of an Access Card-ID Card.
61. Furthermore, no details have been made publicly available concerning the claim in the Department of Human Services budget documents (quoted above) that "health and social services fraud alone is some $2 billion annually" nor what percentage of the $2 billion pertains to identity fraud. The alleged amount in relation to health and and social services alone is double the total stated in the Attorney General's Department Budget Related Statement, 9 May 2006[23]:
"Identity theft and fraud costs the community an estimated $1 billion every year"
62. The AUSTRAC commissioned Securities Industry Research Centre (SIRCA) report entitled Identity Fraud in Australia: An Evaluation of its Nature, Cost and Extent[24] issued in November 2003 found the costs of identity fraud to Australia (across both government and business sectors) to be an estimated $1.1 billion. This comprised 45% spent in anticipation of identity fraud, 12% spent in reaction to specific identity fraud attacks, 38% incurred in identity fraud losses and 5% in lost opportunity.
63. The vastly higher figure being claimed in relation to solely health and social services fraud probably arises because the vast majority of such fraud is not identity theft or identity fraud and hence will not be prevented by the new Access Card nor the new identification registration process. As the Auditor-General's Audit Report No. 54 2004-05 Administration of Health Care Cards[25] states:
"Fraud in the Australian Government context is defined as: 'dishonestly obtaining a benefit by deception or other means'. It is often difficult for agencies such as Centrelink and HIC to distinguish between fraud and instances where customers have inadvertently gained benefits."
64. Hence so-called welfare fraud includes cases where people have inadvertently or unintentionally failed to notify the government agency of relevant changes in their circumstances. This is why Centrelink television advertisements etc warn and remind people to tell Centrelink when their income increases and/or other details change. If they do not remember to do so or do not realise the change is relevant, Centrelink goes on paying identified persons money that they are no longer entitled to receive. Other types of welfare fraud involve identified persons intentionally providing false information to Centrelink concerning their employment status, their income level, their marital status, how many children they have, etc.
65. The above types of welfare fraud cannot be solved by a compulsory ID card. The government has long been well aware of this and in the 2006 budget has allocated additional funding to deal with the issue. As the Human Services - Fraud and Compliance Budget document[26] states:
"The social security system relies on people disclosing information about their circumstances, including their relationship status, earned and unearned income, assets and rental liability. Failure to report changes, unintentionally or fraudulently, leads to incorrect payment and represents a key risk to the system. This package [of $282.3 million over five years] includes a range of initiatives aimed at detecting and reducing social security fraud, minimising incorrect payments, improving compliance with the system and identifying new and emerging risks."
8.3 Fraudulent claims in times of disaster
66. Although government documents claim the access card would help prevent fraudulent claims in times of disaster, the basis of this claim does not stand up under scrutiny.
"The access card would also help prevent fraudulent claims in a time of disaster, such as were reported as a result of Cyclone Larry. The Cairns Post highlighted people making false claims using drivers' licences showing an old address to prove they resided in the area. As licences are valid for a number of years, this outdated information was used to gain access to government benefits.
With the access card, address and contact details will easily be updated over the phone, internet or the counter, once the system is established. This means that the likelihood of an address being years out of date is greatly diminished and helps reduce the incidence of this type of fraudulent claim." (DHS Access Card - Case Studies[27])
67. However, given the card holder will be able to change the address themself including "online from their home computer" (apparently without verification by a government agency), the address on the chip or in the database will not prevent fraudulent claims using a false address. People could continue to not update their address, and they could also change the address to a false address, collect the benefits, then later change the address again.
68. Also, as mentioned earlier herein, Centrelink's web site already enables people to change their address and contact details online. Therefore, one of the claimed benefits of a new card does not exist. We consider others are also likely to be available, with existing technology, before 2008.
9. Alternative Means of Improving DHS Systems and Service Delivery
69. We observe that KPMG was asked to consider whether there were any other approaches which could achieve similar outcomes and benefits. KPMG identified several alternatives:
- "Maintain the existing system and continue to implement various individual agency service improvements and reforms already underway
- Replace the Medicare card with more advanced smart card technology and leave the other agency cards and systems as they are
- Improve the POI and registration processes in DHS agencies, particularly Centrelink and Medicare but retain the existing cards" (p.23-24)
70. The discussion of the above alternatives in the KPMG document indicates that they were discarded by KPMG without adequate consideration, analysis, and comparison to KPMG's preferred Access Card system. Further, a number of assumptions appear to have been made about how such alternatives would be implemented which are not the only options.
71. Moreover, it is disturbing that KPMG apparently failed to consider one of the options presented for consideration at a July 2005 meeting convened by the DHS-chaired Smart Technologies and Services Inter-Departmental Committee. EFA's Executive Director was an invited attendee at that meeting. The options under consideration were:
"Option One: Improve current Medicare card
Description:
New, improved smart Medicare card
Access health services
Family based card
Optional photo on card or on chip
Capacity to include additional information - optional
Ability to use card as 'key' to information stored elsewhere
Ability for young people over the age of 16 to apply for their own card
...
Option Two: Improve Medicare card and introduce a new second, government services card
Description:
New smart Medicare card (as above)
Additional, new smart DHS / Government services card (optional)
Individual or family based card
Optional photo on card or on chip
People over the age of 16 able to apply for own card All other DHS related cards rationalised
Phased implementation of new approach
Immediate focus on upgrading of Medicare card
...
Option Three: No Cards
Description:
Discontinue all government service cards - Medicare, DVA etc
Proof of identity required on an interaction by interaction basis, using appropriate identity documentation, eg driver's licence
..."
72. None of the above options included establishing a new "honeypot" centralised identity database.
73. Inexplicably, KPMG's document did not consider an option anything like Option Two above.
74. EFA considers that, if there is justification for issue of new cards (and EFA believes there possibly is, although certainly not a full-blown identity card as planned), Option Two above (or a substantially similar model) would be the most fit for purpose alternative and capable of achieving similar outcomes and benefits without as many risks to security and privacy as are inherent in the so-called Access Card system. A significant advantage of Option Two is the continued availability of separate cards for health services and welfare services, which in EFA's view is essential. Amalgamation of these two separate types of services onto one identity card, together with the establishment of a centralised identity database, are the core components of the Access Card system that make it completely unacceptable.
10. Responses to Discussion Paper Questions
10.1 Issue 1 - The Right Of Choice
Noting that the Government has decided that Australian Government health and social services benefits will be paid only on production of the access card and that the consumers' right to authenticate their identity by other means may be removed, is this consistent with the required observation of the relevant Information Privacy Principles? Should people continue to be eligible to receive such benefits by establishing their identity by other means?
75. Yes. People will have to establish their identity by other means in order to obtain a so-called Access Card in the first place. Obviously the purpose of the so-called Access Card is to be an additional identity document. It should not be compulsory for people to obtain an additional identity document in order to receive Medicare refunds or other benefits to which they are entitled. DHS will have to have processes in place to deal with situations where people have lost their Access Card or it has been stolen. Such procedures will have to involve accepting the initially provided identity documents. EFA sees no justifiable reason for removing individuals' right to use those documents whenever they so choose.
Should people be able to obtain an access card for only limited periods of time and have the right to be removed from the relevant databases when they have completed a particular set of transactions with the agencies in question?
76. Yes.
Should there be any particular rules or limitations about the data which card holders may voluntary chose to have recorded in the chip?
77. It is not possible to answer the above question in the current absence of information from the government about whether, and if so how, people would be able to control and prevent access to 'voluntary' information, nor mandatory personal information. To date, government issued documents indicate people would not have adequate, if any, control over access to the various types of information that would stored.
78. Facilitating adequate control would require multiple PINs that would have to be remembered by the card holder which demonstrates the impracticality of storing sensitive and/or personal information on an, in effect, compulsory multi-purpose government card that will have to be provided to persons other than the relevant government agency (e.g. to pharmacies, doctors, State Government agencies re concessions, etc).
79. Further, we note that the KPMG document states that 'voluntary' information will also be stored in the centralised database, apparently whether or not the individual wants it to be stored in that database. That is yet another aspect of the plan that is totally unacceptable.
80. Moreover as the Discussion paper points out:
At least two issues arise here. The first is the question of how to guarantee the integrity, accuracy and currency of the data which individuals wish to have placed about themselves on the card. The second is that, in order for such data to be useful in emergency situations, especially where a person may be unconscious, the data would need to be stored in the open zone of the card. This zone is accessible by people who have approved readers-but that is not restricted to emergency or health workers, it includes various Departmental officers. They would thus theoretically be able to access or view this sensitive personal health data. There may be a technological solution to this dilemma: for example with emergency personnel having card readers capable of overriding any PIN-protected data. While the decision about whether such personal data should be in the open or closed zone of the card lies with the card holder themselves, they may not be fully appreciative of the privacy consequences of their own decisions.
81. EFA is extremely concerned about proposals to have card readers capable of 'over-riding any PIN-protected data'. Such a capability is likely to introduce a security weakness that could be exploited to gain unauthorised access without a so-called approved card reader. Furthermore, if emergency service workers are to have card readers capable of over-riding the PINs, the security risks relevant to potential theft or loss of those card readers needs to be addressed and made publicly known. For example, apart from a law, what would prevent a criminal from using a stolen card reader, or a business from using a stolen reader to secretly capture all information when the card is presented to them?
82. In addition, EFA is somewhat mystified by the Discussion Paper references to "approved card readers" given that it is also claimed that people will be able to view information on their own card. Plainly if an "approved card reader" is necessary, then everyone who wishes to view the information on their card (without going to a DHS 'kiosk') would have to purchase an "approved card reader", i.e. one with the relevant DHS access software installed in it. A similar situation exists in relation to the proposed Queensland Driver Licence. It appears to EFA that a time is approaching when individuals who wish to have access to personal information about themselves, on cards they are compelled by government to possess, will not only have to have a wallet full of cards, but a cupboard full of special "approved card readers".
83. Issues in relation to PINs, global PIN, over-riding same, approved card readers, etc, are further discussed under Issue 4 later herein.
Since some of this data may be health-sensitive or for use in emergency situations it will be important to ensure that this data is correct at the time of its listing and is kept up to date-how is this to be achieved?
84. Obviously such information cannot be kept up to date unless every card holder is also provided with electronic equipment, and in some cases training in how to use the equipment, to enable them to change the information stored on the chip, or, people take their card to somewhere that has relevant equipment (e.g. a DHS agency office) every time the information on the chip needs to be updated. As it is extremely unlikely that everyone will have the relevant equipment, and having to take the card somewhere to be updated will be highly inconvenient for many people, we believe it will always be doubtful whether the information on a particular chip is in fact accurate and up to date. EFA considers this situation could result in a legal minefield if inaccurate or out of date information is relied on by health workers.
85. EFA is also concerned about potential discrimination against, and disadvantage to, people who choose not to include 'voluntary' information due to concerns about access to it. Will they be placed at the end of the 'queue' in an emergency situation, and/or will they be told 'it's your own fault' if an emergency worker gives them a drug to which they are allergic, etc.
10.2 Issue 2 - The Right To And Protection Of Privacy
What are the fundamental privacy issues which arise in relation to the proposed access card and would the application of the Information Privacy Principles be a sufficient guarantee that they have been addressed?
86. The fundamental privacy, and security, issues which arise are that the government has decided to commence mandatorily collecting additional personal information, sharing personal information among agencies without voluntary consent of the subject individual, and electronically storing personal information and copies of key identity documents in a national identity database that will be a highly attractive "honeypot" for identity thieves and some government personnel capable of bribery and corruption, thereby increasing the risk of identity theft and other misuse of personal information. This situation, of itself, demonstrates that the Information Privacy Principles are completely inadequate in terms of protecting people's right to privacy and security.
87. Moreover, the IPPs do not apply to State Government agencies, nor businesses; the NPPs do not apply to State Government agencies nor most businesses with an annual turnover of under $3 million; and some States/Territories do not have any privacy legislation at all in place.
Are there special and additional matters to be considered given that the access card will involve the collection and storage of biometric information?
88. The plan to collect and store biometric information should be dropped. Facial biometric data matching is not an accurate technology and the plan to store facial templates and photographs in a government database unjustifiably increases security and privacy risks. While storage of only the facial template (not the photograph) would pose less risk (if the template could not be reverse engineered), such an approach would not be practical because the inaccuracy of artificial intelligence facial biometric data matching technology often produces more than one claimed match (and sometimes numerous matches). We understand that is why the government plans to store actual photographs as well, that is, photographs would also have to be stored so that a person can look at all the claimed matches and make a human eye decision about whether or not there is a match. This is an invasion of the privacy of innocent people and is very likely to bring people who have done nothing wrong under government scrutiny and investigation merely because they look like someone else in a population of 18 million.
89. EFA sees no justification whatsoever for the storage of photographs and facial templates by DHS in view of the A-G Department's Document Verification Service that will be available to DHS.
90. The DVS system will prevent people registering twice because they will not be able to use fake birth certificates, drivers licences, passports, etc. Therefore, there is no need for DHS to use inaccurate facial data matching technology for the purpose of attempting to prevent people registering twice. We are aware that some argue that the DVS system would not address the situation pertaining to people from overseas who do not have Australian identity documents. However, the Department of Immigration and Multicultural and Indigenous Affairs ("DIMIA") is responsible for checking identity of people entering Australia and issuing relevant documents such as certificates of residency, etc. A prototype DVS was activated in February 2006 with participating agencies in the trial including DIMIA and the Department of Foreign Affairs and Trade. If, and we repeat if, the documents issued by DIMIA will not able to be used by, and verified by, DHS then that is a problem that should be addressed and resolved by the DIMIA and/or the Attorney General's Department in the context of its National Identity Security Strategy (of which the DVS is part). If any such problem exists in relation to DIMIA documents, it indicates a broad problem for people from overseas in attempting to prove their identity to various Federal and State Government agencies (not only to DHS) which should be resolved. Hence, any such problem does not justify the collection and storage of facial templates and photographs by DHS.
What role should the Privacy Commissioner play in relation to the operations of the access card, and would this role be any different from the role played already in relation to the cards which the access card is proposed to replace?
Similarly, what role, or enhanced role should be played by the Commonwealth Ombudsman?
Should there be a specific body created to oversight all the operations of the access card, including privacy and should this body be sufficiently independent from Government?
91. It is not possible for EFA answer the above questions in the current absence of adequate information from the government about the intended uses of the card and database and the technological architecture. However, we are of the view that the Federal Privacy Commissioner currently does not have sufficient enforcement powers, and quite probably still does not have sufficient funding to enable regular auditing of government agencies. These matters need to be addressed whether or not an Access Card system is introduced. For further information see Section 7 of EFA's submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988[28], 24 June 2005.
Are the existing legislative provisions relating to personal privacy adequate in the light of the access card proposal (both the principles and the proposed technology) or do they require amendment?
92. Existing legislative provisions are most certainly not adequate.
93. The Privacy Act 1988 (C'th) as amended fails to adequately protect and enforce individual privacy, creates a confusing regulatory environment and needs to be replaced, whether or not an Access Card system is introduced. For detailed information, see EFA's submission to the Senate Legal and Constitutional References Committee Inquiry into the Privacy Act 1988[29], 24 June 2005.
94. Furthermore, even if the Privacy Act 1988 were substantially improved, the high level principles approach of that Act, and the fact that it does not apply to State/Territory government agencies, nor to all businesses, nor to individuals, makes it totally inadequate for dealing with the privacy risks and issues raised by the planned Access Card system. Purpose specific legislation would be necessary. This matter is further addressed under Issue 5 later herein.
How should the on-going operations of the access card be measured against best privacy protection practices and observation of the Information Privacy Principles?
95. More clarity and more detailed information about the proposed operations of the access card from the government is necessary before the above matter can be properly considered.
Are there specific classes of people (e.g. people with certain disabilities or religious beliefs) who should be allowed to have some variation in the nature of the access card which they have? If so, what variation would be appropriate?
96. The requirement for a photograph will be especially problematic for people with some types of disabilities (especially given the special strict conditions under which a photograph to be used for facial biometric data matching must be taken) and for people in Australia's multi-cultural society who object to having a photograph taken and/or displayed for religious or cultural reasons.
97. EFA is of the view that rather than making exceptions for such members of the Australian society, the plan to mandatorily collect and store photographs should be dropped. As stated earlier herein, facial data matching is an inaccurate technology and unnecessary in view of the DVS system.
How can Australians be confident that new databases are not being created or new linkages created without their knowledge and consent?
98. Insofar as the Access Card system is concerned, only by rejecting it in the same way as the Australia Card was rejected.
10.3 Issue 3 - Customer Benefit And Customer Control
Does the proposed new access card genuinely enhance service to customer?
99. No. As discussed in Section 6 above, the claimed new/improved services are already available and/or can be made available with existing technology, that is, without a so-called 'smart' card and new centralised identity database.
Does the proposed new access card genuinely enhance the right of customer choice and customer control in relation their own affairs?
100. No, it gives them less choice and control. In this regard the plan is fundamentally flawed because it reduces a person to a single card subject with a single set of personal information. It appears this will, for example, eliminate people's freedom to choose which phone number, or which email address, or which postal address, etc they provide to an agency. There are many legitimate reasons why a person may prefer to give one agency one phone number or email address and a different agency a different number or address, or indeed not grant a particular agency the right to contact the person by phone or email at all.
101. Similarly concerns arise in relation to whether people will be forced to use the name that is, for example, on their birth certificate due to the new POI requirements that will be introduced. It appears that at the least people will no longer be free to choose to use a different version of their name (e.g. nickname, middle name, etc) when dealing with different government agencies within DHS because of the centralised registration process and the automatic disclosure/forwarding of personal information and changes to contact details etc to all DHS agencies, whether or not the person wants all of those agencies to be given the same information.
If there is only one card required, and that card is lost, stolen or destroyed, how can the card holder ensure there is a rapid replacement and no denial of proper benefits and that their benefits are not accessed by some other person in the interim period?
102. The card holder cannot. That is one reason why there should not be a single identity card required for access to more than one agency's services, and why, if there is to be a multi-purpose access card, it should be truly voluntary to obtain it.
Will the arrangements for establishing proof of identity for the issue of the access card in the first instance be of sufficient integrity while at the same time not being unduly burdensome for the vast majority of Australians?
103. The above question cannot be answered until the government informs the public of what they intend to require for establishing proof of identity in the first instance.
What special measures may need to be adopted if primary documents such as birth certificates are not available? In many cases these documents may have been lost or destroyed, or primary records may be held overseas and difficult to access.
104. The above is a question for the government to answer. Presumably, much the same procedures as now would have to be used, which raises serious questions about claims that a new Access Card system could prevent welfare fraud to a greater extent than the existing system does.
10.4 Issue 4 - Making The Right Technology Choices
105. The Discussion Paper states:
All of the data which the Government is proposing will be contained on, or in the access card itself or in the SCRS, is already contained in the various files and records of the participating agencies, with two exceptions. These are the photographs and digital signatures of card-holders. To the extent that this is new and additional information being collected and stored by Government and is sensitive personal data which may represent a risk to privacy, then a robust case for its collection must be made out.
106. To date the government has made out only a very weak case for the collection of photographs, and provided no case at all for the collection and electronic storage of individuals' handwritten signatures. EFA is opposed to the collection and storage of photographs and signatures.
107. EFA is aware that some argue that Medicare and Centrelink already have multiple copies of people's signatures on claim forms, stored in many kilometres of paper filing storage systems apparently, so there should be no issue with them collecting it again. However, since they already have the data, they should not need to collect it again, especially when no reason or justification has been provided. Further there is a vast difference in terms of security risk between the storage of a signature on paper in kilometres of storage systems and placing an electronic copy of signatures in a centralised database and on a card chip from where it can be skimmed/copied very easily.
The Taskforce appreciates that the collection of photographs of what will become in time, the vast majority of the Australian population in the SCRS may be a contentious issue. Particular concerns have been raised about the match of SRCS photographs with records generated by closed circuit television systems (CCTV).
108. EFA has the above concern, and that is another reason why the plan to mandatorily collect and store photographs must be dropped.
This is an area in which certain balances must be struck. If an access card system is to be in operation then all Australians have an interest in ensuring that it is a system which has genuine integrity, is as secure as possible and which provides maximum flexibility and benefit to them as consumers. For example, it is clear that the replacement of lost, stolen or damaged access cards would be much easier were biometric identification held in the SCRS. On the other hand, consumers might have more confidence in a system which is less convenient. Such a balance will only be struck if there is genuine community consultation and input to Government, and it is one of the roles of the Taskforce to facilitate this.
109. EFA is of the view that the only appropriate balance is to enable members of the public to have a genuine choice about whether or not they wish to have a photograph on the card and, if so, whether or not they wish to have that photograph stored in a government database to facilitate easy replacement. Those individuals who do not want their photograph stored in the centralised database for easy card re-issue should be free to have another photograph taken in the event of loss or theft of their card.
At present, the regular photocopying of driver's licences (for example in stores or banks) provides a record which links the consumers name with their photograph, licence number, date of birth, imposed conditions and address, all in one operation. This opens numerous avenues for misuse and fraud.
The Government has announced one decision about the structure of the proposed card which it believes is privacy-enhancing. By having the card holders' name and photograph on the front of the card, but their access card number and digital signature on the reverse, it is much more difficult for unauthorised people to collect this data in one simple operation.
110. EFA considers the above view to be breathtakingly misinformed or misguided. It is no more difficult to photocopy both the front and back of a card than just one side of it.
Similarly, the storage of address and date of birth details only in the chip (which needs a specially designed reader to access) enhances security and privacy.
111. The above is an assertion which has yet to be proven, or even demonstrated, to be true. Since the Government has deleted all information about the proposed technical design of the chip from the KPMG document, and not provided any other information on that topic, it is not possible to know whether the security of address and DOB details will be enhanced, or put at even more risk of collection without consent, or knowledge, than is the case with non-smartcard Driver Licences.
112. The reference above to a "specially designed reader" and the reference in the KPMG document to an "open" and "closed" zone - which indicates only one PIN - strongly suggests to EFA that the technological plan is substantially the same as the Queensland Transport ("QT") Driver Licence proposal. EFA raised a number of issues and questions in relation to that proposal in a submission to QT[30] in November 2003. To date, neither QT nor the Queensland Government have answered the questions or provided any other information to suggest EFA's understanding is wrong. (This includes no information to the contrary being provided some six months later when a senior QT representative and EFA's Executive Director were both speakers at a public forum on the topic).
113. We provide an extract of that submission below, because the same situation appears to be applicable to the proposed Access Card. In the below "licence holder" is the same as an "Access Card holder" and "police officer" is the same as "emergency worker" in relation to the Access Card plan.
"According to the QT consultation package:'The information for each application [on a chip] is stored separately, allowing only authorised access to each section.
...
Security functions in the computer chip ensure that a reader can only access authorised information. Modern operating systems 'firewall' applications on the smartcard, ensuring one application cannot access another application's data.'Information provided to EFA during a teleconference with QT gives rise to a number of concerns and questions regarding the proposed methods of controlling access to information on the chip.'
We were advised that access to each application on the chip would be controlled by a challenge response mechanism between the card and a card reader. Card readers would contain a "key" and the smart chip would only allow access to an application if a card reader presented the relevant key. We were also advised that the proposed smart card would not have a PIN for each application, but would have a "global PIN" used to permit access to both driver licence information and all other applications on the chip. Hence, apparently the licence holder would have to enter their global PIN and would have no choice but to trust that the card reader only contains the key to the application to which the licence holder believes they are permitting access.
EFA considers such a system requires too much blind trust on the part of the licence holder. Furthermore, that issue aside, it is not clear how, or even if, the above system could operate securely in conjunction with other aspects of the proposed card. For example, the consultation paper states:
'Licence holders would be able to check their own licensing information stored on the smartcard using a self serve terminal or if they have a reader attached to their home computer.
If licensing information such as address and expiry date were to be stored on the chip, in the future, licence holders would be able to give permission (for example, by using their own PIN {Personal Identification Number}) for other organisations such as car hire companies to access it.'In order to read their own licensing information on the chip, the licence holder would need to use a card reader containing a key that permits access to the licensing information section of the card. Furthermore, it was stated by QT during briefing sessions that licence holders would also be able to read all information on their card, that is, including that associated with the proposed optional applications.
A licence holder would therefore need to use a card reader that contains keys for each of the applications. Will special card readers have to be purchased from QT or a QT authorised sales outlet? If not, how would relevant keys get put into the card reader? What will be the cost to the licence holder of the special card reader and/or keys?
If licence holders are able to obtain card readers containing all the keys, then so could any individual, business or government agency. What would prevent a business or agency from using such a card reader to read all information on the chip, without the licence holder's knowledge or consent, when they enter their global PIN?
It has been suggested that a licence holder's address may not be printed on the face of the card. However, if it is not and a government agency or commercial entity wished to verify a person's address they would obviously have to put the card in a card reader. What will prevent them from capturing and recording other information such as date or birth, licence number, etc. at the same time?
Presently it appears that the proposed system is incapable of providing adequate security and privacy protections due to the use of a global PIN and readily available keys in card readers.
Whether it is capable or not, the proposed system described to date will not provide sufficient transparency to licence holders to enable them to be confident that they have control over the release of personal and other information on their card.
EFA would oppose a system that does not give licence holders access to all the information on their own card and/or that does not give licence holders full control over who is able to access particular information on their card chip.
'Queensland Police Service could use readers containing special access software to access driver licensing and emergency contact information. 'We understand from QT that police and emergency service workers would be able to over-ride the global PIN in order to access emergency contact details when the licence holder is unconscious. It is of concern that enabling access to a section of the chip without use of a PIN is likely to introduce a security weakness that could be exploited to gain unauthorised access to other information on the chip. Similar technical security issues arise in relation to enabling police to access driver driver licence information without input of the PIN.
Furthermore, if police and emergency service workers are to have card readers capable of over-riding a licence holder's PIN, the security risks relevant to potential theft or loss of those card readers needs to be addressed and made publicly known. For example, apart from a law, what would prevent a business from using a stolen police reader to secretly capture driver licence information when the card is presented to them?"
114. The issues raised above need to be responded to by the Government in relation to the Access Card, with detailed technical information, before it will be possible to know whether or not it is true that storage only on chip enhances security and privacy, or whether it creates a much higher risk that such information will be able to be covertly skimmed off the chip every time it is put in a card reader to check whether the card contains a valid government-issued chip, or for any other purpose. Currently, EFA considers the latter more likely than the former. The same issue exists in relation to the privacy and security of 'voluntary' information, that is, contact details of next of kin, allergies, etc.
Given that technological progress is so rapid these days, how can we best ensure that the access card uses proven technologies-at all levels and all stages of the access card's operations-and does not become outdated quickly?
115. EFA considers the above to be unlikely to be possible.
What is the range of privacy-enhancing technologies which can be identified and incorporated into the access card?
116. EFA is of the view that on a multi-purpose smart card as planned, the only means of enabling people to protect privacy of their personal information is to have multiple PINs applicable to various portions of the chip, so that the card holder can control who is given access to, for example, their address, or particular items of 'voluntary' information, etc. However, EFA also considers this to be generally impractical (due to the need to remember multiple PINs), which is one of the principle reasons why we object to government compelled multi-purpose smart cards.
How can we best ensure that a technology which was designed to do one thing does not get diverted or perverted into doing something quite different?
117. Insofar as the smart card itself is concerned, probably the most likely to be effective method is to make all portions of the chip that do not contain information such as address that will need to be updated, locked/read only, and also to overwrite/burn out all blank space on the chip, as has been done in the case of the chip in Australian e-passports (according to advice from a senior DFAT representative to EFA and Answers to Questions on Notice in the Senate[31], 9/2/2006).
Will the technology chosen be capable of supporting other applications if these are deemed to be desirable at some stage in the future?
118. Prevention of function creep should be built in.
Will the systems supporting the access card be sufficiently robust to do their job while also being sufficiently secure to prevent unauthorised use, hacking or abuse?
119. As detailed earlier herein, the Minister has already stated there can be no guarantee against hacking. Whether the systems can and will be secure from other types of unauthorised use and abuse is a question for the government to answer. EFA considers it unlikely because the centralised database will be a honeypot attractive to criminals hence increasing the potential for bribery and corruption of some government staff.
Will the card be capable of storing additional information which the card holder may wish to place upon it?
120. The above depends on the technological design of the chip. EFA draws to attention, however, that there are security issues involved in a so-called smart chip having blank writeable space on it arising from the potential for data, or a virus, to be written into that space without the knowledge and consent of the card holder when it is placed in card reader in the control of a government agency, or business, or anyone else.
Will the technology chosen be sufficiently user-friendly, e.g. to allow people to view their own records who are not technologically minded, be able to do so?
121. The above is a question for the government to answer. It depends in part on technological design of the chip and availability of relevant, possibly special, electronic equipment necessary to read the chip or the database. Such equipment for reading chips is, at the least, unlikely to be readily available in remote areas unless people can afford to buy it for themselves.
10.5 Issue 5 - Authorisation And Accountability
122. The Discussion Paper states:
"A certain level of public trust in Government is the glue which holds free and democratic societies together. When that trust is weakened or lost, then social cohesion and harmony become impossible to maintain. The level of trust itself is dependent upon many other conditions and arrangements. It cannot be denied that people are more trusting of Government and its operations when those operations are open and transparent, result from public discussion and consensus about issues and are guaranteed and enforceable through the legal system, itself based upon a genuinely independent judiciary."
123. EFA agrees with above view and, on the basis of information that the government has deigned to make available to date, we consider it unlikely that the public will be able to trust the government, or the technological aspects of the Access Card system as currently planned, to adequately protect their privacy and security, whether or not new legislation is enacted.
Should the operation of the access card, or aspects of its operation, be placed specifically in legislation - if so, what aspects?
124. It would be essential for new legislation specific to the operation of an access card and associated systems to be enacted. Such legislation would, as the Discussion Paper tends to suggest, "need to make clear a variety of matters such as the permitted or prohibited uses of the access card (and associated penalties); the rules for who is authorised to access and how access is provided to the card and stored data; and the penalties for improper behaviour related to the access".
125. EFA considers it difficult at present to put forward specific proposals pertaining to legislative provisions, due to lack of adequate information from the government. However, we are of the view that essential legislative provisions include making it a criminal offence for any person (includes government agencies and private sector bodies corporate) to request that the card be provided, or to discriminate against anyone who chooses not to 'voluntarily' offer their card, other than persons who are authorised personnel of legislatively specified DHS agencies requesting the card for a purpose permitted by the new legislation (but not for purposes 'authorised' by all and sundry existing Commonwealth and State/Territory legislation).
126. Furthermore it would be necessary to legislatively ensure that management and staff members of government agencies and private corporations could be held personally liable. In this regard, we note a disturbing decision by the NSW Administrative Decisions Tribunal concerning a parole officer who accessed personal information in the Department of Corrective Services database and disclosed it to other people. As reported in the Editorial of the Sydney Morning Herald ('A question of privacy')[32] on 25 November 2004, the Tribunal:
"found that as a parole officer, Ms [M] was entitled to access the initial information about [the person], even though she was not [his] parole officer. However, it found that she was "acting in her private capacity" in giving that initial information to parents, and again in accessing the information about [the person's] visitors and contacting one. Strangely, it held that these "private" actions were not the responsibility of the department. The department's responsibilities were to put warnings on its computers about unauthorised access and this it had done."
127. It is completely unsatisfactory that a government employee can escape liability when acting in a 'private capacity' and that a government agency can escape responsibility for the actions of its staff by claiming the staff member was acting in their personal capacity in accessing information on the department's database.
128. Furthermore, the Tribunal's decision[33] involved consideration of the "reasonable" security safeguards required by Principle 12(c) of the NSW Privacy & Personal Information Protection Act 1998 ("PPIP Act")[34] which is effectively identical to Principle 4(a) of the Commonwealth Privacy Act 1988[35]. The Commonwealth Privacy Act needs to be amended as a matter of urgency to prevent a Federal Court from coming to the same conclusions as the NSW Tribunal.
Once uses are defined and once specific uses are prohibited, how will adherence be monitored and what sanctions and penalties will be imposed for breaches- how will they be enforced?
What are the appropriate accountability arrangements which need to be put in place to secure the transparency and integrity of the access card's operations?
How will proper records be kept about who has accessed the card so that regular audits can be undertaken to ensure that the card is accessed only for authorised purposes by people who are properly authorised to do so?
What administrative arrangements are best suited to the control and oversight of the access card system and its on-going operations and will such arrangements be sufficiently independent of the participating agencies or the Government itself?
129. To date EFA has not had sufficient time to adequately consider the above questions and we consider that most of them are questions for the government to answer, or at least provide more information about the card's operation, including technological architecture, in order to enable proper public consideration and debate about the government's plans.
130. We note that most of the above questions appear to refer to "the card". Similar questions also apply to the centralised database which poses an even greater risk to individuals' privacy and security than the card itself.
131. With regard to controlling access to, and auditing of access to, information in the database, the NSW Tribunal decision referred to above shows the complete inadequacy of the Privacy Act 1988 in that regard. The relevant clause of the NSW and Commonwealth Acts are effectively identical:
132. NSW Act:
12. Retention and security of personal information
A public sector agency that holds personal information must ensure:
...
c) that the information is protected, by taking such security safeguards as are reasonable in the circumstances, against loss, unauthorised access, use, modification or disclosure, and against all other misuse
133. Commonwealth Act:
Principle 4 - Storage and security of personal information
A record-keeper who has possession or control of a record that contains personal information shall ensure:
(a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse
134. The Tribunal found that merely the display of a "computer flag" informing public servants that information is confidential and must not be disclosed to unauthorized persons, nor accessed for personal reasons, is a sufficient security safeguard. Presumably a Federal Court would be likely to conclude the same in relation to the equivalent provision of the Commonwealth Act.
135. This situation is completely unsatisfactory in this day and age of ready availability of technological measures to prevent access. As the SMH Editorial concluded:
"... the wider issue raised by the case is why Corrective Services records are not restricted to those who need them. That would force others to make their ad hoc inquiries through proper channels. All government departments should encode data so it can be used only for its intended purpose. Anything less is an abject failure to protect privacy - and an invitation to blackmailers and vigilantes. Government departments might cast their minds back to 1995 when the Sydney detective Said Morgan retrieved from a police computer the address of a man who had molested his family, and shot him dead. A jury acquitted Mr Morgan of murder and manslaughter charges."
136. Furthermore, a relatively recent Auditor-General's report gives rise to concerns about access controls on Medicare's existing database. Medicare, formerly named the Health Insurance Commission ("HIC"), is required to establish detailed technical standards specifying access controls and limiting access to each database to those officers or contractors who have a reasonable need for access in order to ensure the effective administration of the particular program, etc. They are also required to file a copy of the Technical Standards Report with the Privacy Commissioner.
137. However, the Auditor General's Report No. 24 2004-05 Integrity of Medicare Enrolment Data[36] states that:
"5.45 ANAO requested HIC to provide a copy of the Technical Standards Report referred to in the Privacy Commissioner's Guidelines. HIC was unable to locate a copy of the Technical Standards Report.
5.46 ANAO approached the OFPC seeking information on HIC's lodgement, or otherwise, of the Technical Standards Report. The OFPC informed ANAO that it was unable to locate a copy of HIC's Technical Standards Report ..."
138. Obviously when no-one can find a copy of the technical standards, neither HIC, the public, or anyone else can know whether or not HIC is complying with same.
139. Moreover, the unknown technical standards were allegedly developed in February 1995. Government agencies should be required to review and update technological security measures far more frequently than once every 10 years.
140. The above situation does not generate confidence, or trust, in the government's ability to appropriately regulate and control access to the planned new national identity database.
11. Recommendations
141. EFA recommends that the Taskforce recommend that the Government abolish the Access Card system plan and go back to the drawing board to develop alternative means of fixing DHS system failures, that do not incorporate turning everyone into a new identity card subject linked to a national identity database.
142. If new cards are considered necessary, separate cards for Medicare and Centrelink services must remain available. Mandatory personal information on cards (whether printed or on a chip) should be no more than is on the current Medicare card, that is, name and Medicare, or Centrelink, number as applicable. Any other personal information such as address, date of birth, signature, photo, etc should be optional.
143. The content of the chip, e.g. name and number, should be signed with a DHS/Government signing/encryption key which would, provided the Government keeps its key secure, prevent the manufacture and use of fake cards (which would not have the government signature).
144. Access to the content of the chip should be able to be controlled by card holder PIN (possibly more than one PIN, depending on types of optional information that may be included). A PIN would serve the purpose, not only of preventing access to the information on the chip without the consent of the cardholder, but would also prevent lost or stolen cards from being used by another person. Hence, there would be no need for a mandatory photo to be on the card for that purpose.
145. For those who do not wish to have to remember a PIN, or in any case wish to have their photo printed on the card but not on the chip (from where it could be copied without the card holder's knowledge), the government should investigate and implement, if found suitable, the photograph technology referred to in the following article:
Identity cards can be forged, says Costello[37], Sydney Morning Herald, 20/07/2005
"... Meanwhile, an international authority on identity security said fraud could be combated and terrorism weakened without introducing a national identity card. Bob Lee, a research director at the CSIRO and developer of Australia's anti-counterfeit bank notes, said the Government need look no further than its own backyard for the necessary technology. Dr Lee has spent two years developing an ID photograph that cannot be copied because it cannot be photographed.'Most, if not all, of the benefits of a national ID card can be obtained by improving the security of existing ID cards, such as drivers' licences, Medicare cards, passports,' Dr Lee said yesterday."
146. No centralised identity database should be established. The establishment of such a database has not been sufficiently justified and would be premature without prior implementation of other means of achieving the same objectives. Such other means include addressing the inadequacy of, and system failures within, Medicare and/or Centrelink's existing registration systems and related POI requirements (which appears to be necessary whether or not new card/s are introduced) and finalising and implementing the Attorney-General's Department's Document Verification Service ("DVS"). The DVS is highly likely to have a major impact on the ease with which fake key identity documents (such as birth certificates, drivers' licences and passports) can currently be used to obtain Medicare and Centrelink cards/benefits. In addition, the DVS appears to be far more likely to be effective in preventing duplicate registration (because fake birth certificates etc would not be able to be used) than the use of highly controversial facial (photo) matching technology which, as the KPMG document acknowledges, is error prone.
147. Furthermore, as mentioned earlier herein, a centralised database is not necessary for the claimed reason of enabling update of change of address details etc to be provided to several agencies at once. That it is not necessary is made obvious by DHS's planned launch of a web site in September 2006 with features such as a single sign-on and the ability to send a change of address and circumstances notification to several agencies at once.
12. References
1. Department of Human Services, Access Card, Budget Documents, 9 May 2006
<http://www.humanservices.gov.au/publications/budget_related/2006_07_dhs_budget.htm>
2. KPMG Access Card Business Case - Public Release (PDF 3,507 Kb)
<http://www.humanservices.gov.au/modules/resources/access_card/kpmg_access_card
_business_case.pdf>
3. The Hon John Howard MP, Australia Card Bill 1986: Second Reading, House of Representatives Hansard, 16 September 1987
<http://parlinfoweb.aph.gov.au/piweb/TranslateWIPILink.aspx?Folder=
HANSARDR&Criteria=DOC_DATE:1987-09-16%3BSEQ_NUM:81%3B>
4. The Hon John Howard MP, Australia Card Bill 1986: Second Reading, House of Representatives Hansard, 16 September 1987
<http://parlinfoweb.aph.gov.au/piweb/TranslateWIPILink.aspx?Folder
=HANSARDR&Criteria=DOC_DATE:1987-09-16%3BSEQ_NUM:81%3B>
5. DHS Consumer and Privacy Taskforce Discussion Paper No. 1: The Australian Government Health and Services Access Card (PDF 178k)
<http://www.humanservices.gov.au/modules/resources/access_card/060615_taskforce_
discussion_paper.pdf>
6. ID cards will lead to 'massive fraud', Gerri Peeve, The Scotsman, 18 October 2005.
<http://news.scotsman.com/index.cfm?id=2103982005>
The UK National Identity Card, Jerry Fishenden, National Technology Officer Microsoft UK, in The Scotsman, 18 October 2005.
<http://ntouk.com/archives/2005/Oct/18.10.2005.htm>
7. Attorney-General, Opening Keynote Address to Australian Smart Cards Summit 2005, 29 June 2005
<http://www.ag.gov.au/agd/WWW/MinisterRuddockHome.nsf/Page/Speeches_2005_Speeches
_29_June_2005_-_Speech_-_Opening_Keynote_Address_to_Australian_Smart_Cards_Summit_2005>
8. Cabinet split over ID security, Richard Baker, The Age, 22 April 2006
<http://www.theage.com.au/news/national/cabinet-split-over-id-security/2006/ 04/21/1145344278219.html>
9. Govt to introduce 'smart card', PM, ABC Radio, 27 April 2006
<http://www.abc.net.au/pm/content/2006/s1625520.htm>
10. Security, SmartCard Alliance
<http://www.smartcardalliance.org/industry_info/security.cfm>
11. Advance Australia card, The Bulletin, 26 May 2004
<http://bulletin.ninemsn.com.au/bulletin/EdDesk.nsf/All/A873239CCE1C3557CA256E9D007931E6>
12. Welfare plan reeks of 'apartheid', Mark Metherell, Sydney Morning Herald, 12 November 2004
<http://www.smh.com.au/articles/2004/11/11/1100131137195.html>
13. Commercial access on the cards, James Riley, The Australian, 12 May 2006
<http://australianit.news.com.au/articles/0,7204,19110742%5E15319%5E%5Enbv%5E,00.html>
14. Child ID cards in swipe at fraud, Stephanie Peatling, Sydney Morning Herald, 2 June 2006
<http://www.smh.com.au/news/national/child-id-cards-in-swipe-at-fraud/2006/ 06/01/1148956480920.html>
15. Minister for Human Services, Speech to the National Press Club, 20 April 2005
<http://www.joehockey.com/mediahub/speechDetail.aspx?prID=44>
16. http://www.centrelink.gov.au/internet/internet.nsf/online_services/index.htm
<http://www.centrelink.gov.au/internet/internet.nsf/online_services/index.htm>
17. DHS Access Card - Fact Sheet Technology, 9 May 2006
<http://www.humanservices.gov.au/modules/resources/reports/2006-07_access_card_fact
_sheet_technology.pdf>
18. DHS Access Card - Fact Sheet Technology
<http://www.humanservices.gov.au/modules/resources/reports/2006-07_access_card_fact
_sheet_technology.pdf>
19. Smartcard not so clever: fraudster, Nick Miller, Sydney Morning Herald, 16 May 2006
<http://www.smh.com.au/news/technology/smartcard-not-so-clever-fraudster/
2006/05/15/1147545264693.html?page=fullpage>
20. Minister for Human Services, Media Release, Access Card to Cut Red Tape for Health and Social Services, 9 May 2006
<http://www.humanservices.gov.au/modules/resources/media_centre/2006/060509
_access_card_to_cut_red_tape.pdf>
21. Attorney General, Media Release, Document Verification Prototype Central to Identity Protection, 7 February 2006.
<http://www.ag.gov.au/agd/WWW/MinisterRuddockHome.nsf/Page/Media_Releases_2006
_First_Quarter_7February_2006_-_Document_Verification_prototype_central_to_identity
_protection_-_0102006>
22. DHS Access Card - Case study on fraud, 9 May 2006
<http://www.humanservices.gov.au/modules/resources/reports/2006-07_access
_card_case_studies.pdf>
23. Attorney General's Department Budget Related Statement, 9 May 2006
<http://www.ag.gov.au/agd/www/budgethome2006.nsf/Page/Media_Statements_Media
_Documents_Protecting_identity_security>
24. Identity Fraud in Australia: An Evaluation of its Nature, Cost and Extent, Securities Industry Research Centre (SIRCA), issued November 2003
<http://www.sirca.org.au/news/releases/2003/0302FraudBook.html>
25. Australian National Audit Office, Administration of Health Care Cards, Audit Report No. 54 2004-05
<http://www.anao.gov.au/WebSite.nsf/Publications/5071D1DA18973B5ACA25702700703D55>
26. Department of Human Services - Fraud and Compliance Budget document, 9 May 2006
<http://www.budget.gov.au/2006-07/bp2/html/bp2_expense-12.htm>
27. DHS Access Card - Case Studies, 9 May 2006
<http://www.humanservices.gov.au/modules/resources/reports/2006-07_access_card_case_studies.pdf>
28. EFA submission to the Inquiry into the Privacy Act 1988 conducted by the Senate Legal & Constitutional References Committee, Section 7, 24 February 2005.
<http://www.efa.org.au/Publish/efasubm-slcrc-privact2004.html#52_45>
29. EFA submission to the Inquiry into the Privacy Act 1988 conducted by the Senate Legal & Constitutional References Committee, 24 February 2005.
<http://www.efa.org.au/Publish/efasubm-slcrc-privact2004.html>
30. EFA submission in response to the Queensland Smart Card Driver Licence Proposal issued by Queensland Transport, 21 November 2003.
<http://www.efa.org.au/Publish/efasubm-qt-nqdl.html>
31. Answers to Questions on Notice: Passports, Senate Hansard, 9 February 2006
<http://parlinfoweb.aph.gov.au/piweb/TranslateWIPILink.aspx?Folder=
HANSARDS&Criteria=DOC_DATE:2006-02-09%3BSEQ_NUM:167%3B>
32. A question of privacy, Editorial, Sydney Morning Herald, 24 November 2004
<http://smh.com.au/articles/2004/11/24/1101219615198.html>
33. NS v Commissioner, Department of Corrective Services [2004] NSWADT 263 (16 November 2004)
<http://www.austlii.edu.au/cgi-bin/disp.pl/au/cases/nsw/NSWADT/2004/263.html>
34. NSW Privacy & Personal Information Protection Act 1998
<http://www.austlii.edu.au/au/legis/nsw/consol_act/papipa1998464>
35. Commonwealth Privacy Act 1988
<http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/framelodgment
attachments/7AE1755E85DBC184CA2571A00007555C>
36. Australian National Audit Office, Integrity of Medicare Enrolment Data, Audit Report No. 24 2004-05
<http://www.anao.gov.au/WebSite.nsf/0/6fba4dd883a76d69ca256f93006f6a41
?OpenDocument&Click=>
37. Identity cards can be forged, says Costello, David Humphries, Sydney Morning Herald, 20 July 2005
<http://www.smh.com.au/news/national/identity-cards-can-be-forged-says-costello/ 2005/07/19/1121538975677.html>
About EFA
Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation representing Internet users concerned with on-line rights and freedoms. EFA was established in January 1994 and incorporated under the Associations Incorporation Act (S.A.) in May 1994.
EFA is independent of government and commerce, and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting online civil liberties. EFA members and supporters come from all parts of Australia and from diverse backgrounds.
Our major objectives are to protect and promote the civil liberties of users of computer based communications systems (such as the Internet) and of those affected by their use and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems.
EFA policy formulation, decision making and oversight of organisational activities are the responsibility of the EFA Board of Management. The elected Board Members act in a voluntary capacity; they are not remunerated for time spent on EFA activities. The role of Executive Director was established in 1999 and reports to the Board.
EFA has long been an advocate for the privacy rights of users of the Internet and other telecommunications and computer based communication systems. EFA's Executive Director was an invited member of the Federal Privacy Commissioner's National Privacy Principles Guidelines Reference Group and the Research Reference Committee (2001) and the Privacy Consultative Group (2004-2005). EFA participated in NOIE's Privacy Impact Assessment Consultative Group relating to the development of a Commonwealth Government Authentication Framework (2003), Centrelink's Voice Authentication Initiative Privacy Impact Assessment Consultative Group (2004-2005), the ENUM Privacy and Security Working Group convened by the Australian Communications Authority ("ACA") (2003-2006), and the ACA's Consumer Consultative Forum meeting (April 2005). EFA has presented written and oral testimony to Federal Parliamentary Committee and government agency inquiries into privacy related matters, including amendments to the Privacy Act 1988 to cover the private sector, telecommunications interception laws, cybercrime, spam, etc.