Submission

21 November 2003

Queensland Smart Card Driver Licence Proposal

This submission is in response to the Queensland Smart Card Driver Licence proposal issued by Queensland Transport for public comment in October 2003.

"Involvement in any smartcard scheme should be non-compulsory. This is often a significant test of the scheme's intent; compulsory schemes are most commonly found in totalitarian societies."

Graeme Freedman, The Open Society and its Enemies, 1999


About EFA

Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation representing Internet users concerned with on-line rights and freedoms. EFA was established in 1994, is independent of government and commerce, and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting online civil liberties.

Our major objectives are to protect and promote the civil liberties of users of computer based communications systems (such as the Internet) and of those affected by their use and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems.

EFA has long been an advocate for the privacy rights of users of the Internet and other computer based communication systems. EFA's Executive Director was an invited member of the Federal Privacy Commissioner's National Privacy Principles Guidelines Reference Group and Research Reference Committee during 2001. EFA participated in NOIE's privacy impact assessment consultative group relating to the development of a Commonwealth Government Authentication Framework in 2003 and is currently participating in the ENUM Privacy and Security Working Group convened by the Australian Communications Authority. EFA has presented oral testimony to Federal Parliamentary Committee inquiries into privacy related matters, including amendments to the Privacy Act 1988 to cover the private sector, telecommunications interception laws, cybercrime, etc.



Introduction

EFA thanks Queensland Transport ("QT") for directly drawing the smart card driver licence proposal to our attention and inviting EFA to lodge a submission. We take this opportunity to commend QT's willingness to commence public consultation at a relatively early stage of the project, and the work QT has already undertaken towards identifying and addressing the privacy and security issues and risks inherent in the proposal.

In the process of considering the new driver licence proposal, EFA has reviewed the consultation paper, attended a briefing at QT's office, reviewed the privacy information papers provided at that briefing and subsequently participated in a teleconference with QT's senior policy advisor on the project and QT's smartcard consultant with the aim of obtaining technical details.

Nevertheless, it is not apparent from the information provided to date how the use of smartcard technology as proposed could solve or significantly reduce the problem of use of fraudulent driver licences. Moreover, the proposed system would introduce a range of new security and privacy risks, most of which have not been addressed.

EFA strongly doubts the proposed system can work as described. We believe it is essential that the proposal be subjected to a complete technical re-evaluation by independent and expert IT security consultants who are not involved in promotion and/or marketing of smart card technology. In this regard, we consider QUT's Information Security Research Centre is an example of an appropriate organisation that has the necessary level of expertise. We also consider that, after a re-evaluation has been undertaken, it is essential that a full technical proposal for any then proposed implementation be made available for public comment to maximise the chances of exposing design flaws. The success or failure of the scheme may depend on the technical details.

We are particularly disturbed by statements in the consultation package, and made verbally, that indicate inadequate knowledge about the security risks of using smart card technology and about the operation of digital signature certificates and related keys.

In our view the proposal has the hallmarks of a solution that has found a problem. Although smart cards have been around for some twenty years, smart card marketers have been unable to develop a large demand for their products. It would seem that the identified solution is for Queensland Transport to drive development of the market by mandating purchase of smart cards in the form of a driver licence.

In the remainder of this submission, we provide comments on some aspects of the proposal. However, we wish to stress that there are very many more issues and actual and potential problems than those addressed herein. We have not had sufficient time during the consultation period to prepare a comprehensive written analysis dealing with all of the issues and matters of concern that came to light during the course of our review of the proposal. In addition, it is not possible to provide useful comments on some aspects of the proposal until more detailed, clearer and technically accurate information is made available.



Smartcard Security

1. Security features
What do you think about:
a) the proposed privacy protections for storing digital photographs?
b) the requirements for accessing stored photographs and signatures?
(Please indicate whether you prefer Option A or Option B for photograph access.)

EFA is concerned that the consultation package implies that the only security issue is related to storing photographs and that there are no security issues associated with the proposed use of smart card technology.

Tamper Resistant not Tamper Proof

According to documents in the consultation package:

Smartcard technology allows information to be stored on the computer chip or "smartchip". The technology is well tested, reliable, and meets rigorous security and integrity standards. (QT Project Snapshot leaflet)
Any attempt to crack the 'keys' of this type of smart card technology would be extremely expensive. A would-be hacker would need to invest several million dollars in technology just to crack one card... The layers of security available with smart card technology will ensure licence holders can be confident that their information is extremely secure. (Attachment to Minister's media release dated 29 Sep 2003)

EFA draws to QT's attention that the above statements misrepresent the facts concerning security of smart cards. While smart cards may be tamper-resistant, they are not tamper-proof.

Methods by which the claimed security of smartchips can be breached without investing in expensive technology have been publicised, including methods discovered as recently as last year. Given the cost of redesigning chips to overcome such known flaws, it is very likely those flaws remain in some, perhaps all, chips currently being sold.

Furthermore, we note that the June 2002 report "Introducing New Driver Licence Technologies - A Smarter Licence for Victorians", issued by VicRoads, includes a list of potential risks of a multi-application smart card driver licence, one of which is "a potential major security breach, e.g. hacking, emulation, differential power analysis" (page 57). Indeed, a differential power analysis attack was successfully undertaken by a Sydney university student last year (see later herein).

We also draw to QT's attention that a high cost of cracking a security device does not, by itself, establish that information on a smartcard driver licence is adequately protected. The expenditure an attacker needs depends on how quickly the protected data must be recovered to remain useful. For example, although it might take several million dollars' worth of equipment to crack a security device in less than one day, it may take only a few thousand dollars to crack it in six months. If the data is still valuable in six months' time (as individuals' identity information is), then it does not matter that the attack takes six months.

Information on known security flaws is freely available, for example, see:

  • Smart cards also open to attack, Australian IT, 19 November 2002
    "Sydney University engineering student Ryan Junee has demonstrated a smart card attack for his final year thesis, using a method called 'differential power analysis'. Using software he developed and a cathode ray oscilloscope (CRO), Mr Junee showed that cards using Data Encryption Standard (DES), or even triple-DES, could be interrogated to reveal secret information such as keys and PINs."
    (http://www.ee.usyd.edu.au/~rjunee/site.cgi?page=ausitarticle)
  • On a New Way to Read Data from Memory, David Samyde, Sergei Skorobogatov, Ross Anderson and Jean-Jacques Quisquater, First International IEEE Security in Storage Workshop, USA, 11 December 2002
    "This paper explains a new family of techniques to extract data from semiconductor memory, without using the read-out circuitry provided for the purpose. ... The goal of this work was to explore new ways of recovering data directly from the memory of smartcards and other security processors without using the read operations provided by their vendors for that purpose, thereby circumventing any access controls and reading out secret data directly."
    (http://www.cl.cam.ac.uk/ftp/users/rja14/SISW02.pdf)
  • Camera flash opens up smart cards, New Scientist, 13 May 2002
    "Sensitive information stored on a smart card microprocessor can be revealed with a flash of light, say UK researchers.
    Sergei Skorobogatov and Ross Anderson of Cambridge University have discovered that firing light from an ordinary camera flash at parts of a smart card microchip can assist an attacker in determining the sensitive information stored on the card. This might include, for example, the cryptographic key used to gain access to a building or to secure internet transactions."
    (http://www.newscientist.com/news/news.jsp?id=ns99992273)
  • Lasers crack the key to smartcard chip secrets, EE Times, 20 May 2002
    "Dr Anderson said: 'Sergei's work will trigger a generation change in smartcard technology. The immediate effect of his work is that many attacks on computer systems that were developed as theoretical possibilities by the research communities in the 1990s have suddenly become practical.'"
    (http://www.eetimes.com/sys/news/OEG20020517S0016)
  • Smart Card Security - Defining 'tamperproof' for portable smart media, Stefano Zanero, Dipartimento di Elettronica e Informazione, Politecnico di Milano, 2001
    (http://securenetwork.it/szanero/scsecurity.pdf)
  • Tamper Resistance - a Cautionary Note, Ross Anderson & Markus Kuhn, Cambridge University Computer Laboratory
    (http://www.cl.cam.ac.uk/users/rja14/tamper.html)

Firewalling

According to the consultation package:
The information for each application [on a chip] is stored separately, allowing only authorised access to each section.
...
Security functions in the computer chip ensure that a reader can only access authorised information. Modern operating systems 'firewall' applications on the smartcard, ensuring one application cannot access another application's data.

Information provided to EFA during a teleconference with QT gives rise to a number of concerns and questions regarding the proposed methods of controlling access to information on the chip.

We were advised that access to each application on the chip would be controlled by a challenge-response mechanism between the card and a card reader. Card readers would contain a "key" and the smart chip would only allow access to an application if a card reader presented the relevant key. We were also advised that the proposed smart card would not have a PIN for each application, but would have a "global PIN" used to permit access to both driver licence information and all other applications on the chip. Hence the licence holder would apparently have to enter their global PIN and would have no choice but to trust that the card reader contains only the key to the application to which the licence holder believes they are permitting access.

EFA considers such a system requires too much blind trust on the part of the licence holder. Furthermore, that issue aside, it is not clear how, or even if, the above system could operate securely in conjunction with other aspects of the proposed card. For example, the consultation paper states:

Licence holders would be able to check their own licensing information stored on the smartcard using a self serve terminal or if they have a reader attached to their home computer.

If licensing information such as address and expiry date were to be stored on the chip, in the future, licence holders would be able to give permission (for example, by using their own PIN {Personal Identification Number}) for other organisations such as car hire companies to access it.

In order to read their own licensing information on the chip, the licence holder would need to use a card reader containing a key that permits access to the licensing information section of the card. Furthermore, it was stated by QT during briefing sessions that licence holders would also be able to read all information on their card, that is, including that associated with the proposed optional applications.

A licence holder would therefore need to use a card reader that contains keys for each of the applications. Will special card readers have to be purchased from QT or a QT authorised sales outlet? If not, how would relevant keys get put into the card reader? What will be the cost to the licence holder of the special card reader and/or keys?

If licence holders are able to obtain card readers containing all the keys, then so could any individual, business or government agency. What would prevent a business or agency from using such a card reader to read all information on the chip, without the licence holder's knowledge or consent, when they enter their global PIN?

It has been suggested that a licence holder's address may not be printed on the face of the card. However, if it is not, and a government agency or commercial entity wished to verify a person's address, they would obviously have to put the card in a card reader. What will prevent them from capturing and recording other information such as date of birth, licence number, etc. at the same time?

Presently it appears that the proposed system is incapable of providing adequate security and privacy protections due to the use of a global PIN and readily available keys in card readers.

Whether it is capable or not, the proposed system described to date will not provide sufficient transparency to licence holders to enable them to be confident that they have control over the release of personal and other information on their card.

EFA would oppose a system that does not give licence holders access to all the information on their own card and/or that does not give licence holders full control over who is able to access particular information on their card chip.

Queensland Police Service could use readers containing special access software to access driver licensing and emergency contact information.

We understand from QT that police and emergency service workers would be able to over-ride the global PIN in order to access emergency contact details when the licence holder is unconscious. It is of concern that enabling access to a section of the chip without use of a PIN is likely to introduce a security weakness that could be exploited to gain unauthorised access to other information on the chip. Similar technical security issues arise in relation to enabling police to access driver licence information without input of the PIN.

Furthermore, if police and emergency service workers are to have card readers capable of over-riding a licence holder's PIN, the security risks arising from potential theft or loss of those card readers need to be addressed and made publicly known. For example, apart from a law, what would prevent a business from using a stolen police reader to secretly capture driver licence information when the card is presented to them?
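The access-control arrangement described above (per-application reader keys, a challenge-response between reader and card, a single global PIN, and a PIN override for police and emergency readers) can be modelled in a short program. The Go program below is an added worked example prepared for this copy of the submission, not code from QT or its consultant, and every name in it is an assumption made for illustration: the application labels, the "override" key, the PIN format on the per-application variant, the choice of HMAC-SHA256 for the challenge-response, and the assumption that the licence and emergency-contact applications are the ones readable without a PIN. It shows the two points made above: with a global PIN, a terminal loaded with every application key reads every application once the holder enters the PIN, whereas per-application PINs confine it to what the entered PIN covers; and an override terminal reads the PIN-exempt applications from a card whose PIN was never entered.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Hypothetical application names (not QT's identifiers); the last names the police/emergency override key.
const AppLicence, AppEmergency, AppTransit, overrideKey = "licence", "emergency", "transit", "override"

// Applications an override terminal may read with no PIN entered (assumed from the access described to EFA).
var pinExempt = map[string]bool{AppLicence: true, AppEmergency: true}

// Card models a chip with one record per application. A record is released to a terminal
// that answers a random challenge with HMAC-SHA256 under the application's key once a PIN
// covering that application has been entered, or under the override key if the application is PIN-exempt.
type Card struct {
	master   []byte            // per-card secret; application keys are derived from it
	pins     map[string]string // PIN per application; a global-PIN card uses one value for all
	data     map[string]string
	unlocked map[string]bool // applications whose PIN has been entered this session
}

func mac(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func (c *Card) key(app string) []byte { return mac(c.master, []byte(app)) }

// NewCard personalises a card. With globalPIN every application shares pin, as
// described to EFA; otherwise each application gets its own PIN (pin+"-"+app).
func NewCard(pin string, globalPIN bool, data map[string]string) *Card {
	c := &Card{master: randomBytes(32), pins: map[string]string{}, data: data, unlocked: map[string]bool{}}
	for app := range data {
		c.pins[app] = pin
		if !globalPIN {
			c.pins[app] = pin + "-" + app
		}
	}
	return c
}

// EnterPIN unlocks every application whose PIN matches: all of them on a
// global-PIN card, one of them on a per-application card.
func (c *Card) EnterPIN(pin string) {
	for app, p := range c.pins {
		if hmac.Equal([]byte(p), []byte(pin)) {
			c.unlocked[app] = true
		}
	}
}

// Read releases app's record if the response proves possession of a key entitled to it.
func (c *Card) Read(app string, nonce, response []byte) (string, bool) {
	_, known := c.data[app]
	byPIN := c.unlocked[app] && hmac.Equal(response, mac(c.key(app), nonce))
	byOverride := pinExempt[app] && hmac.Equal(response, mac(c.key(overrideKey), nonce))
	if known && (byPIN || byOverride) {
		return c.data[app], true
	}
	return "", false
}

// Session simulates a terminal loaded with the keys of the named applications (or with
// the override key, when override is set) running one challenge-response per application.
// It returns everything it could read; the card gives the holder no indication of which applications were opened.
func (c *Card) Session(override bool, apps ...string) map[string]string {
	out := map[string]string{}
	for _, app := range apps {
		key := c.key(app)
		if override {
			key = c.key(overrideKey)
		}
		nonce := randomBytes(16) // challenge issued by the card
		if v, ok := c.Read(app, nonce, mac(key, nonce)); ok {
			out[app] = v
		}
	}
	return out
}

func main() {
	data := map[string]string{AppLicence: "name, DOB, licence no.", AppEmergency: "next of kin", AppTransit: "fare balance"}
	card := NewCard("1234", true, data)
	card.EnterPIN("1234") // the holder believes they are only paying a fare
	fmt.Println("terminal holding every key:", card.Session(false, AppLicence, AppEmergency, AppTransit))
	lost := NewCard("1234", true, data) // a lost card; no PIN is ever entered
	fmt.Println("override terminal, no PIN:", lost.Session(true, AppLicence, AppEmergency, AppTransit))
}
```

The value returned by Session is what a terminal actually collected in one presentation of the card, which is the quantity a privacy review of the proposal would need to reason about; the card itself cannot tell the holder whether the terminal held one key or all of them.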

Fact Sheet Three states:

Smartcards can be either contact or contactless cards. ... No decision has been made in regard to the type of card to be used for the proposed driver licence project.

We cannot see how a contactless card could be used to implement the proposal because, for example, a contactless card can be read without the holder entering a PIN or even deliberately presenting the card. If QT is considering the use of the more expensive combi cards, detailed information needs to be made available concerning which applications would be contactless, so that the privacy and security issues can be considered along with the merits, if any, of the increased cost. Unless they are entirely anonymous, contactless cards involve even more privacy and security issues than contact cards, since they can be read at a short distance without the holder's knowledge.

Hardware / Software Malfunction

The use of a smartchip raises the potential for a chip to malfunction, the chip to become infected by a virus, etc. What will be the situation if the smart chip is malfunctioning and the person does not realise that prior to presenting the licence to, for example, a police officer? Will the licence be regarded as valid or not? What level of inconvenience (and potential trauma or harassment) would a licence holder be subjected to if they handed over a faulty licence? It is of serious concern that many people, including some law enforcement officers, assume that technology always works correctly and so if it is not working it must be the user's (e.g. licence holder's) fault.



Preventing Fraud

The Consultation Paper states on page 4:

The most frequently presented document for establishing fraudulent identities are driver licences, with identity fraud costing Australians approximately $2.4 billion* every year. (*Australian Crime Commission 2002)

We note that the citation above must be incorrect as the Australian Crime Commission did not exist in 2002. It also appears that the $2.4 billion figure may be an error, given the QT Fact Sheet Two states:

The most frequently presented document for establishing fraudulent identities are driver licences, with identity fraud costing Australians an estimated $1 billion every year.

We expect the estimated figure of $1 billion is reasonably accurate as it is supported by the AUSTRAC commissioned Securities Industry Research Centre (SIRCA) report entitled Identity Fraud in Australia: An Evaluation of its Nature, Cost and Extent (dated September 2003, released November 2003). The SIRCA study found the costs of identity fraud to Australia in 2001-02 to be an estimated $1.1 billion. This comprises 45% spent in anticipation of identity fraud, 12% spent in reaction to specific identity fraud attacks, 38% incurred in identity fraud losses and 5% in lost opportunity.

It is interesting to note that 45% ($494.1m) of the estimated costs of identity fraud are comprised of the costs of attempting to prevent, deter and detect fraud. Hence, the more money that is expended on technology and systems intended to prevent fraud, the higher the costs of identity fraud become. The increased figure then fuels claims that yet more money and more privacy invasive measures are necessary to prevent identity fraud.

Given the $60 million estimated cost of the proposed new Queensland driver licence scheme, EFA considers information should be made publicly available concerning the percentage of the nation-wide $612.4 million (incurred in reaction to specific identity fraud attacks and in actual losses) that is attributable to forged Queensland driver's licences, together with details of the type of fraud and how the use of smart cards would prevent those instances. In this regard, we note that the VicRoads report referred to earlier herein states "The incidence of fake licences and fake identity is at a relatively low level (VicRoads discovers about 200 cases a year)" but does not provide any indication of resultant costs.

The findings of the SIRCA study, as its authors state, challenge existing views about the cost and extent of identity fraud in Australia, suggesting it is markedly less than has previously been claimed. It also points out that the interdependencies of proof-of-identity issuers and users need to be considered if levels of identity fraud are to be reduced and not displaced to different and new parts of the Australian identification system. In view of the study's findings, it seems it would be appropriate for QT to conduct, or review any previously conducted, cost/benefit analysis of the proposed new driver licence scheme.

ID verification

According to the consultation paper:

Smartcards are more difficult to forge or alter than a plastic card. They also allow verification of the information on the face of the licence with the information on the chip, making it difficult for anyone to assume another person's identity.

Whether or not the above is true depends on the way in which the capabilities of a smart card are used. According to information provided by QT to date, the use of a smart card as proposed seems unlikely to make it any more difficult to use another person's identity than would the use of other plastic cards.

According to information provided, when a person presents their licence as proof of identity:

  • the other party would view the photo printed on the card, the same as with the existing licence;
  • if the other party has a card reader, they could use the card reader to check the validity of the card, that is, ascertain whether the chip contains the proposed "public information" digitally signed by QT. However, this does not verify the identity of the person using the card.

Hence, unless licence holders are required to enter a PIN for the purpose of checking that the card was issued by QT, the only identity verification method is the printed photo, the same as with the existing licence.

It is unclear from the consultation package whether a PIN will be required to simply check validity of the card. We hope not because it would be impractical and undesirable to require entry of a PIN for such a purpose. People who are not frequently asked to show ID are very likely to forget the PIN. Forgetting a PIN should not place an individual under suspicion of using a fake licence.
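The validity check described in the second dot point above, confirming that the chip carries "public information" digitally signed by QT, needs neither a PIN nor any secret in the reader: only the issuer's public key. The Go program below is an added worked example, not QT's design or code. The record fields, the Ed25519 signature scheme and the inclusion of a hash of the stored photograph in the signed record are assumptions made here to illustrate what such a check can and cannot establish; the licence number, name and photograph bytes are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Record is the "public information" the chip would carry, signed by the issuer.
// Field names are assumptions for this example, not QT's data model. PhotoHash
// ties the photograph stored on the chip to the signed record.
type Record struct {
	Licence   string `json:"licence"`
	Name      string `json:"name"`
	Expiry    string `json:"expiry"`
	PhotoHash string `json:"photo_hash"`
}

// Issuer holds the signing key; only the public half is distributed to readers.
type Issuer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIssuer() Issuer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Issuer{Pub: pub, priv: priv}
}

// encode gives the record a stable byte form for signing: json.Marshal emits
// struct fields in declaration order, so the same record always encodes the same way.
func encode(r Record) []byte {
	b, err := json.Marshal(r)
	if err != nil {
		panic(err)
	}
	return b
}

func hashPhoto(photo []byte) string {
	sum := sha256.Sum256(photo)
	return hex.EncodeToString(sum[:])
}

// Personalise builds the signed record for a holder and returns record and
// signature, which is what the issuer would write to the chip.
func (i Issuer) Personalise(licence, name, expiry string, photo []byte) (Record, []byte) {
	r := Record{Licence: licence, Name: name, Expiry: expiry, PhotoHash: hashPhoto(photo)}
	return r, ed25519.Sign(i.priv, encode(r))
}

// CheckCard is the reader-side validity check. It needs only the issuer's public key
// (no PIN, no secret in the reader) and establishes two things: the record was signed
// by the issuer and has not been altered, and the photograph stored on the chip is the
// one the issuer signed. It establishes nothing about who is holding the card.
func CheckCard(pub ed25519.PublicKey, r Record, sig, storedPhoto []byte) (genuine, photoIntact bool) {
	genuine = ed25519.Verify(pub, encode(r), sig)
	photoIntact = genuine && hashPhoto(storedPhoto) == r.PhotoHash
	return
}

func main() {
	iss := NewIssuer()
	photo := []byte("constructed stand-in for the JPEG of the licence holder")
	rec, sig := iss.Personalise("CONSTRUCTED-000", "Example Holder", "2008-11", photo)
	fmt.Println(CheckCard(iss.Pub, rec, sig, photo)) // true true

	forged := rec
	forged.Name = "Someone Else"
	fmt.Println(CheckCard(iss.Pub, forged, sig, photo)) // false false: altered record

	fmt.Println(CheckCard(iss.Pub, rec, sig, []byte("a different image"))) // true false: swapped photo
}
```

What the check shows is that the record was signed with the issuer's private key and has not been altered since, and (if a photo hash is included) that the stored photograph is the signed one. It involves nothing about the person presenting the card, so comparing the face to the photograph remains a human judgement, as noted above. Nor does it tie the record to a particular chip: record and signature are ordinary bytes that verify equally when copied to another chip, so binding to the physical card would need a secret held by the chip and a challenge-response exchange, which is a different mechanism from this signature check.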

Digital photograph

The consultation paper asserts that "a driver licence with a digital photograph is more difficult to fraudulently copy". However, no information has been provided to support that assertion. The 'digital' photo printed on the sample proposed card does not appear to make any difference to the ease with which a licence could be fraudulently copied. In any case, a more important aspect is whether or not the photograph could be replaced.

It appears the photograph printed on the sample proposed card would be able to be over-printed using readily available and inexpensive smart card printers. Further, a photo on very thin material pasted under the overlay may pass muster in, for example, dim lighting such as on the road at night, in bars and nightclubs, etc. We note advice from QT during a teleconference that police on the roads at night currently have difficulty ascertaining whether the photo matches the driver and the smart chip would enable the police to check the validity of the card using a card reader. However, that will be of no assistance in ascertaining whether the photo on the card matches the driver.

If the photo and other information printed on the card could not be over-printed, then what is the reason for also using a transparent overlay containing holograms?

While replacing the photograph would require removal of the proposed transparent overlay, this could be replaced with a forged copy. We understand from advice from QT during a teleconference that one of the reasons for the proposed use of a card containing a chip, as well as a transparent overlay, is that overlays containing holograms as proposed can be forged using readily available and not particularly expensive equipment. We understood from advice during that teleconference that QT is aware of at least one instance of the NSW licence containing a hologram having been forged.

In summary, it is not clear how, if at all, the inclusion of a chip on the licence would prevent the use of a driver licence containing someone else's name, any more than would the use of other plastic cards with photos printed on them.

Electronic Photograph Storage System

According to the consultation paper:

[S]ecurely storing a copy of the photograph [in a centralised database] would allow Queensland Transport to visually confirm a licence holder's identity if necessary, when renewing their licence at a service outlet. This would minimise the use of fraudulent documents to obtain a driver licence in another person's name.

EFA questions the above justification for storing photographs. Currently a licence holder is required to present their existing licence when renewing it and QT is able to check the licence number and name in its database and view the photo printed on the licence.

It therefore seems that the only possible means of renewing a fraudulent licence would be to present a forged licence containing the licence number and name of the real licence holder but someone else's photo. Presumably the real licence holder would also apply to renew their licence and so two renewal applications would draw the problem to QT's attention. If there have been instances where QT staff have renewed forged licences because they have not been able to see that the licence is fake, and the licence has not already been renewed by the real licence holder, the number of such instances should be made publicly available in support of the claim that electronic storage of photographs is necessary. EFA seriously doubts that a person capable of producing or obtaining such a forged licence in the first place would risk attempting to renew it rather than just producing/obtaining another forged licence with a new expiry date.

With regard to stolen or lost licences that have been altered to show someone else's photo, it seems most unlikely such a licence would be presented for renewal because, by the time of the expiry date, the licence would most probably have been reported stolen or lost. We note that photograph storage would be of no assistance in relation to replacement (as distinct from renewal) of stolen or lost licences because the QT proposal is to allow replacement of such licences without requiring a visit to a service centre.

Furthermore, a database of licence holder photographs would make no difference to the ease with which fake primary documents (e.g. birth certificates etc which are easier to forge than the existing and proposed licence) could be used to obtain a new licence (as distinct from renewing an existing licence). It is probable that criminals would apply for a new licence rather than applying to renew a forged licence. EFA notes the many ways in which criminals obtain fraudulent identification documents, including driver licences, as reported in the article Passport to fraud by Gary Hughes, The Age, 6 July 2003.

As an added protection against fraud, an audit system would cross check photographs at least once a year to ensure the same person is not holding a licence in more than one name. Any match identified would then be further investigated.

EFA would be interested to know what remarkable technology QT believes to be capable of operating effectively on a database of 2.5 million images.

The results of the Face Recognition Vendor Test 2002, issued in March 2003, indicate that the probable error rates would be so high as to make the audit system in effect useless, unless a vast amount of human resources are to be expended in manually examining the results.

The FRVT report states:

"In the identification task, an image of an unknown person is provided to a system. (In the identification task, we assume that through some other method we know the person is in the database.) The system then compares the unknown image to the database of known people.
...
Our analysis has also shown that a system's identification performance capability is dependent [among other things] upon the size of the database. For the best system, the top-rank identification rate was 85% on a database of 800 people, 83% on a database of 1,600, and 73% on a database of 37,437. For every doubling of database size, performance decreases by 2% to 3% points."

The report also states:

As the elapsed time between the database and new images increases, performance decreases. For the better systems, identification performance decreases at 5% points per year. This makes sense intuitively, since we expect that as the face changes over time, face recognition algorithms cannot as easily model these facial variations.

According to the report, various other factors also affect the accuracy rates of face recognition technologies, including illumination, camera angle, gender, age, etc.

EFA considers QT should not expend public funds on face recognition technology while tests by independent analysts demonstrate that the technology is not as far advanced, and may never be, as marketers would have governments believe.

The consultation package indicates that one of the reasons for the proposed centralised database of electronic photos is to enable licence holders to apply to renew their licence (if it is less than 5 years old) or replace their licence (if it has been lost, stolen, damaged or re-classified) "using self serve automated systems, such as the internet or applying over the phone, rather than visiting an outlet in person" because QT "would be able to use the stored photograph and signature to produce a replacement licence".

EFA questions how such a system could operate without introducing security risks associated with attempting to verify the identity of the applicant and subsequent mail out of the licence.

The "Privacy Information Paper" (page 8) states that the centralised storage of photos "opens up possibilities for [licence] renewal or replacement [if lost, stolen, damaged] over the telephone or online, subject to strong authentication processes".

EFA initially assumed that "strong authentication" meant use of a digital signature certificate. However, obviously if a licence was stolen or lost, one would not be able to use the certificate on it when applying for a replacement licence. On querying this aspect, we were advised by QT that "strong authentication" did not mean use of a certificate. A replacement licence would probably be able to be ordered if the applicant knew a PIN or answered some questions about themselves based on info in QT's database, for example, about demerit points, road rule infringements, etc.

With regard to a PIN, EFA points out that each of the 2.5 million licence holders would need to be provided with a PIN that is not the same as the PIN applicable to the smart card. It is essential to the security of the smartcard that no-one other than the licence holder know the PIN. EFA is doubtful as to the general usefulness of asking drivers questions about their demerit points and road rule infringements. This would certainly not be of any use to law-abiding drivers.

EFA also has concerns about the proposed issue of licences by mail, especially if they include a digital signature certificate. This matter is discussed later herein.

The consultation package states:

Electronic storage of licence photographs is in place in most other Australian states. Information from these states has shown that photograph storage is an effective tool in deterring and detecting fraudulent driver licences.

Information substantiating the above claim should be made available for public scrutiny.

In summary, EFA considers the justification for storing photographs would need to be stronger than the reasons advanced to date. EFA opposes the proposed centralised photograph database. It is an invitation to function creep given the increasing prevalence of mass surveillance by way of cameras on the roads and in other public spaces.

Law Enforcement Access

A fundamental privacy principle recognised in Australian and international law is that personal information should only be used for the purpose for which it was collected. EFA does not support either Option A or Option B as set out in the consultation paper because both options permit the use of photographs for purposes that have nothing to do with a licence to drive a motor vehicle.

At most, permitted use of photographs should be limited to dot points 1 and 2 of Option B on page 9 of the consultation paper. Dot point 3 concerning court orders and warrants should be discarded because it permits the release of photographs to a vast range of government agencies, businesses and individuals for purposes unrelated to a licence to drive.

We observe that the consultation paper fails to inform the public that driver licensing information is currently disclosed by QT to AustRoads' national NEVDIS database, and whether or not photographs would be made available to AustRoads either initially or at a later date. This matter is discussed in the section Function Creep later herein.



Obtaining, Producing and Delivering Driver Licences

What do you think about:
a) producing driver licences in a central location?
b) mailing a driver licence to you instead of collecting it from a service outlet?
(Please indicate whether you think these processes are appropriate.)

The consultation package states:

One of the enhanced security features being considered is the manufacture of driver licences in a central location and mailing them directly to the licence holder, similar to the process currently followed for credit cards. Using this scheme, centralised production would replace the current system of licences being produced at each service outlet.

EFA considers that central production and mail out would be a backward step in that it would decrease security.

We cannot see how QT could avoid the same problems as those experienced by the Australian Passport Office. As reported in Passport to fraud, by Gary Hughes, The Age, 6 July 2003:

"The Sunday Age last week reported continuing concern about dozens of new Australian passports that were continuing to be lost or stolen in the mail, despite attempts to tighten procedures after more than 2000 were lost in the mail in 12 months. More than 14,000 Australian passports - a prime identity document under Australia's 100 points Proof of Identity system used by government departments, agencies and financial institutions - were reported lost or stolen in the five months to May this year."

Furthermore, we consider the proposed issue of paper receipts to licence applicants, for use while their licence is produced and sent by mail, to lack credibility. What will prevent the use of fraudulent paper receipts? Further, if a piece of paper is sufficient to permit a person to drive a vehicle on Queensland roads, why is it necessary to have any type of card at all?

In addition, some organisations require individuals to hand over their licences, for example, as security for provision of a visitor pass to a secure building. It is most unlikely such organisations will accept a paper receipt. While it is acknowledged QT proposes to allow renewal in advance of the expiry date, this will be of no use to an individual whose licence is unexpectedly lost or stolen, and whose daily work involves visiting secure buildings, e.g. contractors and consultants. While EFA considers driver licences should not be used for purposes unrelated to driving, individuals are in effect forced to allow their licence and associated personal information to be used for numerous other purposes. Existing uses therefore need to be borne in mind in relation to any new licence proposal.

"Licence materials and equipment could be housed in one location, rather than in many locations throughout Queensland. This would limit the potential for the theft of licence materials and equipment."

We observe that there is no indication in the consultation package to suggest that licence materials and equipment have been stolen from QT's existing licence issuing premises. However, we also note that since the consultation paper was issued for public comment, it was reported in the Courier Mail on 14 November 2003 that "Queensland Transport has been forced to suspend one of its officers suspected of being the key insider of a safety certificate scam" and that Transport Minister Steve Bredhauer "said the scam had been orchestrated by a highly informed group with the help of insiders". Similarly, misuse of licensing materials may occur as a result of the activities of staff of QT and/or of the proposed outsourced commercial manufacturer of licences. EFA considers it doubtful that an outsourced central production facility would be more secure than QT's existing licence issuing premises.

"Responsibility for managing driver licensing information would remain with Queensland Transport. This includes ensuring strict access controls are employed in the printing facility and that no data files are retained by facility operators."

It is difficult to see how QT could in fact ensure strict access controls. This would obviously be a contractual matter, and in the event of any security breach QT would in effect be able to absolve itself of responsibility because QT would not have had managerial or physical control of the production facility.

The proposed outsourcing of licence production to a commercial entity carries significant risks to privacy and security. There will be tension between adequate security and profit making. It is unclear what sanctions and penalties would apply to a commercial entity in the case of security or privacy breaches and whether any such sanctions would be adequate. There is severe risk that QT would in effect become hostage to a monopoly supplier with inadequate security. It is a matter for speculation as to how long it would take QT to find an alternative supplier and for that supplier to establish adequate systems and production facilities.

EFA cannot see any benefit to centralised production that is not outweighed by the security and privacy risks. It appears to us that the principal reason for proposed centralised production is that it is the only practical way that proposed outsourced provision of commercial applications could be implemented.



Optional Facilities

Emergency contact information

What do you think about:
a) storing emergency contact information on the licence smartchip?
b) the proposed privacy protection mechanisms to support this possible new service?

EFA has no objection in principle to the storage of emergency contact information provided that is a voluntary choice of the licence holder.

However, we would oppose the inclusion of this facility if it would weaken the security of information on the chip. We understand that police and emergency service workers would be able to over-ride the licence holder's global PIN in order to access emergency contact details when the licence holder is unconscious. Enabling access to a section of the chip without use of the global PIN seems likely to introduce a security weakness that could be exploited to gain unauthorised access to other information on the chip. In addition, the risk of loss or theft of police and emergency services card readers needs to be addressed.

Digital Signature Certificate - Secure on line transactions

What do you think about introducing:
a) a digital certificate to enable secure online transactions with Queensland Transport?
b) a digital certificate to enable secure online transactions with other Queensland Government agencies?

"The Queensland Government is committed to improving customer convenience. New driver licence technologies offer high levels of security for online transactions. These new technologies could enable some transactions that previously required face-to-face interaction to be undertaken online using the licence as a secure authentication of the licence holder."

EFA advises that the relevant technologies are not "new driver licence technologies" nor are the technologies new. The technologies could be used for online transactions without their incorporation into a driver licence card.

"Digital certificates may be added to the licence's computer chip to provide verification and security mechanisms for secure online transactions."

EFA considers the proposed inclusion of digital certificates on drivers licences should be subjected to a comprehensive technical re-evaluation. Information in the consultation package and stated verbally to EFA suggests there is considerable misunderstanding about the operation and use of digital certificates and the related security and privacy issues.

In addition, there are a number of important aspects that have not been addressed in the consultation package. For example, how would a lost or stolen private key be able to be revoked? Who would be responsible for managing the relevant system and ensuring that revoked keys would not be relied upon?

In EFA's view, the inclusion of digital certificates on drivers licences will introduce an unnecessary level of complexity, security and privacy risks and cost to licence holders. We understand that the type of smart chip necessary to support digital signing is significantly more expensive than a chip that does not. Licence holders should not have to pay, via mandatory payment of a driver licence fee, for technology that they do not wish to use.

We believe that many people who understand the security issues associated with public key encryption would not want a digital certificate on their driver's licence. As the licence holder's private (signing) key would/should be on their drivers licence card, it would be a security risk to leave the licence in another person's possession. However, licences are not considered to be particularly important/sensitive items to many people. For example, some secure buildings require visitors to leave their drivers licence in the possession of another person while they are in the building, as a means of ensuring the visitor returns their visitor pass. Similarly, people are asked to hand over their licence when they rent golf clubs for a day, or a baseball bat at a batting cage, etc.

It is of even greater concern that many members of the general public have no understanding of the digital signature technology and therefore will not be adequately aware of the security and privacy issues and risks. It is doubtful whether even a comprehensive and widespread public education campaign would be successful given many members of the public still do not even use hard to guess passwords. Further, inclusion of such a capability on a licence is likely to ultimately result in discrimination against and disadvantage to persons who do not wish to identify themselves when engaging in transactions online where there is no legitimate need for provision of identification.

"For added security, licences containing digital certificates will be sent to the customer via registered post."

If digital certificates are sent by post, registered or not, they will not be able to be used to verify the identity of the licence holder with certainty because someone else (whoever produced the certificate and placed it on the chip) will have had, and may still have, a copy of the licence holder's private key and associated password.
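Two of the points above can be made concrete with a small model: that whoever produced the certificate and loaded it onto the chip has held the holder's private key, and that the package does not say how a lost or stolen key would be revoked. The following Go program is an added example, not the proposal's design or any code of QT's. It assumes the key pair is generated on the chip itself, so the issuing authority only ever certifies the public key and never holds the private one, and it has the relying party check the issuer's signature and a revocation list before accepting a holder's signature. The serial number, holder name and transaction text are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// mustKey generates a P-256 key; crypto/rand generation does not fail in practice, so failure is fatal.
func mustKey() *ecdsa.PrivateKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// Token models the licence chip: the key pair is generated on the token and the private
// key never leaves it (an assumed design for this example, not the proposal's).
type Token struct{ priv *ecdsa.PrivateKey }

// NewToken generates the key pair inside the token.
func NewToken() *Token { return &Token{priv: mustKey()} }
// PublicKey is the only key material the token hands over for certification.
func (t *Token) PublicKey() *ecdsa.PublicKey { return &t.priv.PublicKey }

// Sign signs msg with the on-card key (on a real chip this step would be PIN-guarded).
func (t *Token) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, t.priv, h[:])
}

// Cert is a minimal certificate: the issuer vouches that Pub belongs to Holder.
type Cert struct {
	Serial    uint64
	Holder    string
	Pub       *ecdsa.PublicKey
	IssuerSig []byte
}

// digest hashes the to-be-signed fields; fixed-width key coordinates keep the encoding unambiguous.
func (c Cert) digest() []byte {
	h := sha256.New() // writes to a hash.Hash never fail, so their errors are not checked
	binary.Write(h, binary.BigEndian, c.Serial)
	h.Write([]byte(c.Holder))
	h.Write(c.Pub.X.FillBytes(make([]byte, 32)))
	h.Write(c.Pub.Y.FillBytes(make([]byte, 32)))
	return h.Sum(nil)
}

// Issuer models the licensing authority's certification function and its revocation list.
type Issuer struct {
	priv    *ecdsa.PrivateKey
	revoked map[uint64]bool
}

// NewIssuer generates the authority's own signing key.
func NewIssuer() *Issuer { return &Issuer{priv: mustKey(), revoked: map[uint64]bool{}} }

// Issue certifies a public key exported by a token; the issuer never sees the private key.
func (i *Issuer) Issue(serial uint64, holder string, pub *ecdsa.PublicKey) (Cert, error) {
	c := Cert{Serial: serial, Holder: holder, Pub: pub}
	sig, err := ecdsa.SignASN1(rand.Reader, i.priv, c.digest())
	c.IssuerSig = sig
	return c, err
}

// Revoke marks a certificate untrusted once the holder reports the card lost or stolen.
func (i *Issuer) Revoke(serial uint64) { i.revoked[serial] = true }

// Verify is the relying party's check: issuer signature, then revocation, then holder signature.
func (i *Issuer) Verify(c Cert, msg, sig []byte) error {
	if !ecdsa.VerifyASN1(&i.priv.PublicKey, c.digest(), c.IssuerSig) {
		return errors.New("certificate was not issued by this authority")
	}
	if i.revoked[c.Serial] {
		return fmt.Errorf("certificate %d has been revoked", c.Serial)
	}
	h := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(c.Pub, h[:], sig) {
		return errors.New("holder signature does not verify")
	}
	return nil
}

func main() {
	issuer, tok := NewIssuer(), NewToken()
	cert, _ := issuer.Issue(1001, "EXAMPLE HOLDER", tok.PublicKey()) // constructed serial and holder
	msg := []byte("renew licence 1001")                              // constructed transaction text
	sig, _ := tok.Sign(msg)
	fmt.Println("fresh signature verifies:", issuer.Verify(cert, msg, sig) == nil)
	issuer.Revoke(cert.Serial) // holder reports the card stolen
	fmt.Println("rejected after revocation:", issuer.Verify(cert, msg, sig) != nil)
}
```

Run as written, the fresh signature verifies and the same signature is refused once the serial has been revoked; the check also fails if any certified field is altered, because the issuer signed a digest of all of them. Whether the real chips would generate keys on-card, and who would operate the revocation list, are the questions the consultation package leaves open.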

EFA also notes that Australia Post normally asks for a driver licence to be presented in order to collect a registered post item. Therefore, during the first 5 years of a smart card licence roll out, if one can forge the current licence, one could collect someone else's licence containing their digital certificate (e.g. if the registered post collection notice was stolen from a letter box). Further, a telephone call to Australia Post during preparation of this submission resulted in the advice that if a person does not have a driver licence or any other photo ID, then Australia Post would "have to" accept a document such as a rates notice as evidence of identity. This indicates a person could simply claim not to have photo ID and use a more easily forged document.

"To make use of a digital certificate, the licence holder would need to have access to a personal computer with an internet connection and a smartcard reader/writer. ... Another benefit of using a digital certificate is that there would be no difference to the level of security when conducting transactions using a computer at home, an internet cafe or at a service outlet."

EFA recommends QT seek expert technical advice concerning the difference in level of security risk when using a smartcard containing a digital certificate in an internet cafe or at a service outlet, as compared with using their own computer hardware and software at home.

In summary, EFA is opposed to the incorporation of digital certificates on driver licence cards. If Queensland Transport wishes to provide services online that require strong verification of identity, digital certificate technologies can be used without incorporating them into driver licence cards.

Commercial services

What do you think about:
a) the option of accessing commercial services using the driver licence (including involving possible private sector partners)?
b) the proposed privacy and security protective mechanisms to guide the implementation of a possible partnership with the private sector?

EFA considers the incorporation of optional applications will distract QT from its core objectives, and result in use of public funds and resources for, at least, managerial and administrative purposes unrelated to transport and road safety.

We are very doubtful that there is a business case for the inclusion of applications such as an e-purse on a smartcard driver licence. Public concern regarding privacy may limit the uptake of such applications because businesses would be able to record every transaction along with identity information. In our view, an e-purse smartcard is unlikely to be popular unless the card itself is anonymous so that it can be used in the same way as cash. The prevalence of EFTPOS and credit card facilities in Australia suggests there would be minimal demand for another card that could be used to track consumers' purchasing habits and whereabouts. It will not be possible to use the driver licence card in an anonymous manner because, we understand from QT, the proposed method of checking the validity of the smart card itself (using a card reader) involves disclosure of personal/identifying information about the licence holder.

There is also a range of issues that would need to be addressed in relation to who would be responsible and liable, in law, for what (QT, outsourced provider, application owners, etc) as well as general consumer rights and protection issues. More detailed information on those aspects of the proposal needs to be made publicly available if a multi-application smartcard licence is to be introduced.

"The use of smartcard technology could also enable licence holders to have ongoing access to optional features even where they may be suspended from driving."

What would prevent a driver from using a suspended licence to hire and drive a motor vehicle? When placed in a car hire company's card reader, the smart chip on the suspended licence card would show the licence to be current.



Privacy Protections and Legislation

EFA is not able to provide detailed comments on the proposed contractual and legislative privacy protection mechanisms until detailed information is provided in relation to the technical operation of the proposed system (as discussed earlier herein) and the relationships between the parties that would be involved.

However, we are of the view that it would be essential for the Queensland Parliament to enact comprehensive privacy protection laws covering both the public and private sectors and the government to commit to adequately funding a Queensland privacy commissioner's office.

Furthermore, we believe that statements in the consultation package concerning existing privacy laws are incorrect. In this regard, for example, the privacy management strategy paper states (page 13):

The Commonwealth Privacy Act 1988 (Cth). The Act covers commercial partner's activities in respect of personal information held by the commercial partner in any records (including databases).

As the commercial partner would be providing services under contract to QT, the commercial partner would have no legislated obligation to comply with the National Privacy Principles ("NPPs"). The Commonwealth Privacy Act 1988 (section 7B(5)) exempts the acts and practices of contracted service providers for a State or Territory government contract (whether or not the organisation is a party to the contract) when those acts or practices are directly or indirectly related to meeting obligations under the contract (OFPC Information Sheet 12). Therefore, a person who believes their privacy has been breached would not be able to complain to the Federal Privacy Commissioner.

"Queensland Transport will make appropriate referrals where complaints are received by Queensland Transport staff that would be more appropriately handled by commercial partners or external agencies such as the Office of the Federal Privacy Commissioner."

We draw to QT's attention that, even if the Federal Privacy Commissioner would have jurisdiction (which we do not believe to be the case), the Commissioner's office is already receiving so many complaints that they are unable to deal with complaints on a timely basis due to funding constraints. There is no prospect in the foreseeable future that the Commonwealth Government will change its stance on this matter and decide to provide adequate funding to the Commissioner's office.

Irrespective of the type of privacy protection legislation that would be in place, it is also of paramount importance that strong security and privacy protection mechanisms are built into the technical design of the systems. Legislation serves to deter privacy infringement but it cannot take back an individual's personal information from someone who has obtained it, nor restore a person's privacy situation to the state it was in before a breach.



Function Creep - The Road to an Australia Card

EFA has major concerns about the very high probability of function creep that will be facilitated by the proposed new driver licence scheme.

While QT has acknowledged the "importance of preventing future expansion of the purposes for which driver licensing information is collected and accessed" (QT Privacy Information Paper, page 9), the proposed means of doing so are inadequate.

Moreover, the QT discussion under the heading "Function Creep" deals principally with the matter of disclosure and use of driver licence information. It fails to address function creep in the form of:

  • additional government mandated uses of the smart card;
  • additional mandatory personal information and applications being loaded onto the chip;
  • card reader linkage to one or more centralised databases;
  • increased business insistence on presentation of a driver licence ID as a condition of provision of goods and services, in part, because the card is computer readable and so enables automated capture of data;
  • disclosure of digital photographs to NEVDIS.

With regard to driver licence information, we consider amendments to the Transport Operations (Road Use Management) Act 1995 ("TO(RUM) Act") would need to be more extensive than proposed by QT. For example, strict limitations should be placed on the purposes for which government agencies and businesses would be allowed to require presentation of a licence. These should comprise a narrow range of circumstances where there is significant risk of major loss or damage in the absence of verification of identity (e.g. application for other ID documents, application for a credit card).

However, regardless of changes that may be made to the TO(RUM) Act prior to smart card roll out, it remains of concern that legislation can readily be changed and/or new over-riding laws enacted by either the current or a future Queensland Government/Parliament. QT's assurance that in the case of proposals to amend legislation, it would "argue that access should be restricted to the purposes identified under the TO(RUM) Act or to circumstances where consent or an appropriate court order has been obtained" is not comforting given changes to the TO(RUM) Act in 1999.

The QT 'Privacy Information Paper' (page 9) states:

At present, Queensland Transport controls and manages the collection, storage and release of driver licensing information. This information is stored in a driver licence database (i.e. TRAILS). Access to this database is protected by strict security measures and information contained in the database is only released in accordance with the provisions set out in the Transport Operations (Road Use Management) Act 1995. Queensland Transport has a strong track record in controlling access to the database.

We understand that as a result of amendments to the TO(RUM) Act in 1999, driver licensing information contained in TRAILS is disclosed by QT to AustRoads' national NEVDIS database. EFA notes that Queensland drivers were not asked whether or not they consented to that expanded disclosure and use of their personal information, nor to EFA's knowledge was there any public consultation on the matter.

It was reported last year that AustRoads was intending to provide Baycorp with access to NEVDIS for commercial datamatching and disclosure purposes. (It is not known to EFA whether Baycorp was given access.) A Communique issued by AustRoads Registration & Licensing Reference Group, 16 May 2003, states:

The data and information generated by NEVDIS provides significant potential for commercial use. The R&L Reference Group is currently managing a project to evaluate the benefits and risks associated with the commercialisation of registration and licensing data.

EFA questions whether QT is involved in the above; whether QT is currently arguing against commercialisation of registration and licensing data and what, if any, means QT has of preventing Queensland driver licence information being sold or otherwise disclosed to businesses and government agencies by AustRoads.

We observe that the consultation package fails to mention NEVDIS and whether or not QT intends that electronic photographs would be provided to AustRoads' NEVDIS database. We understand NEVDIS does not contain photographs at present but it has been proposed in some quarters that photographs be added. We are of the view that the TO(RUM) Act would need to be amended to prohibit the disclosure of photographs to AustRoads/NEVDIS.

The QT 'Privacy Information Paper' (page 10) states:

There are perception risks about chip technology such as remote and secret reading or scanning of information. Demonstrations of the new licence and its operations, public education campaigns, security features and legislative and contractual protections will be used to address these issues.

We draw to QT's attention that they are not "perception risks" they are actual risks. Moreover, it is largely irrelevant whether or not information is read secretly. The issue is whether the licence holder voluntarily consents to use and disclosure of their personal information. We do not doubt that QT has good intentions in relation to an initial roll out of a smart card driver licence, but we are concerned that QT may not have adequately considered the potential for unintended consequences.

EFA considers a smart card driver licence, especially a multi-application card with digital certificate capability, has an extremely high potential to become an 'Australia Card'.

The smart card industry makes no secret of the fact that smart card technology itself facilitates function creep and some, perhaps all, suppliers are readily able to explain to governments how they could roll out an Australia Card equivalent to a largely unsuspecting public by stealth. SchlumbergerSema, for example, said in their January 2003 submission to the UK Home Office:

"Getting there - An iterative process

The well understood sensitivity of the [ID card] issue indicates the need to progress gradually rather than by 'big bang'. Because of the history and tradition of the British people, we believe that arriving at a universal entitlement [ID] multi-application smart card may be an iterative process stretching over a number of years.
...
We believe that trying to move from where we are now to a sophisticated smart card solution without one of these interim steps would underestimate the business process and social attitude changes that would need to take place".

SchlumbergerSema therefore suggested either of two paths, comprising a smart card containing minimal information, from which it would be possible to migrate "to the sophisticated smart card at a later date, once the concerns over entitlement [ID] cards have been addressed".

An iterative process was also recommended in the June 2002 report prepared for VicRoads which, in effect, sets out a blue print for an Australia Card equivalent. The authors state:

"Since the proposed Australia Card in 1986/87 [sic] the development of smartcard technology in Australia has lagged behind many other countries, including much of Asia.
It is now recognised that the Australia Card experience delayed the introduction of smartcards by some ten years."

The report notes that a multiple application smartcard driver licence "may be perceived by some as a latter day 'Australia Card'" and "has technology, project and privacy risks, but these can be addressed by: ... phased introduction, i.e. start with the basic driver licence and gradually expand as customers become ready". Among other things, a key aim of the study was to "adopt a simple solution initially but build in capacity to expand to multiple applications as users become ready to accept new applications" (emphasis in original).

EFA considers it is extremely unlikely that the many Australians who opposed the Australia Card and those holding similar views about their privacy now would ever "be ready" to accept the future "new applications" proposed in the VicRoads report. For example, health/medical data, other licences (business, marine, fishing, wildlife and game, firearms), whole of life events, electronic voting, public transport ticketing, road tolling, parking, bank credit card (co-branded with driver licence), etc.

However, as SchlumbergerSema pointed out in the submission previously mentioned "once people have smart cards in their hands, those cards and the chips on the cards are easy to upgrade...".

It is also pertinent to note that once smart cards and card readers are in wide use, there is no technical impediment to linking card readers to centralised databases run by either government or business which record all interactions with government agencies and/or businesses together with identity and location information. For example, as the VicRoads report points out, "Smart card interoperability can incorporate ... driver licence card utilizing the EFTPOS network and a government concession network".

In our view, there is a significant prospect of the QT driver licence smart card travelling along the road to an Australia Card.

In that regard, for example, we note that QT plans that the smart card driver licence and associated digital signature certificate be used for identification purposes in dealings with other government agencies (and perhaps businesses). QT plans to only "prohibit the commercial partner from using the driver licence number as the key reference number to identify licence holders" (Privacy Management Strategy, page 6). Evidently government agencies and businesses would be permitted to use the licence number as a key identifier.

Furthermore, it is important to note that expanding the purpose of a driver licence to a general purpose ID document for dealings with other government agencies would discriminate against people who are unable to drive due to a disability, or who choose to use public transport, etc. To avoid discrimination, it seems inevitable that QT would need to issue ID smart cards, substantially similar to the driver licence, to non-drivers. In effect, QT would become the ID registration authority for Queensland.

Moreover, we understand that QT intends that the smart card/chip will be interoperable with other government (Commonwealth/State/Territory) systems.

For the above and other reasons, the proposal has the hallmarks of the first stage of a new road to an Australia Card.


Conclusion

6. Are you generally in favour of the new Queensland driver licence proposal?

No. As discussed earlier herein, the consultation package and related information fail to make a persuasive or convincing case for the proposition that use of a smartcard as proposed would be effective in improving road safety or significantly, if at all, reducing use of forged licences.

In the foregoing regard, we also note that the June 2002 VicRoads report states:

"Most States have conducted feasibility studies on smartcard based driver licences and have generally concluded that as a single application the business case is probably not justified.
Several State and the ACT Governments have recognized that a smartcard driver licence could be justified if the card is used for other government and non-government applications.
The Queensland Government is expected to release a tender shortly for a multi-application smartcard driver licence." (emphasis in original)

The proposed centralised production and mail out of licences would be a backward step; it would introduce many new security and privacy risks. The principal reason for proposed centralised production is apparently to enable outsourcing of the provision and administration of proposed commercial applications.

The sole reason for the proposed inclusion of commercial applications is apparently so that QT can seek to share the cost of smart card roll out with commercial enterprises because the potential benefit, if any, of using a smart card solely for a driver licence does not justify the costs.

In summary, it appears that many of the privacy and security risks inherent in the proposal arise because there is insufficient benefit in using a smart card for the purpose of a licence to drive to justify the use of smart cards for that purpose.

In EFA's view, unless QT is able to provide a convincing business case to justify the use of a single application smartcard for a driver licence, then smartcard technology should not be used. The privacy and security risks inherent in the roll out of a smartcard as proposed outweigh any potential benefit put forward by QT to date. The vast majority of the possible benefits put forward are unrelated to a licence to drive and, in any case, do not in fact require use of a smart card. They could be provided by other means.

We reiterate our appreciation for QT's interest in addressing privacy issues to date and related willingness to consult with privacy and consumer advocates. We urge QT to undertake a complete technical re-evaluation of the current proposal and develop a different proposal that contains an appropriate balance between the dual needs to ensure that privacy is protected and that the opportunity for identity fraud is minimised.

We would appreciate QT keeping EFA informed of developments in relation to the new driver licence project and would be pleased to provide further comments on request.



References

Queensland Transport New Driver Licence Proposal Consultation Package, October 2003
(http://www.transport.qld.gov.au/new_driver_licence)

The Open Society and its Enemies - Sociopolitical Issues and Smart Card Market Development, Graeme Freedman, 1999
(http://www.dotindot.com/Download/ScrdTechInt99b.PDF)

VicRoads: Introducing New Driver Licence Technologies - A Smarter Licence for Victorians, March Consulting Pty Ltd, June 2002
(http://www.egov.vic.gov.au/pdfs/final200102%20report.pdf)

Smart cards also open to attack, Kate Mackenzie, Australian IT, 19 November 2002
(http://www.ee.usyd.edu.au/~rjunee/site.cgi?page=ausitarticle)

Power Analysis Attacks :: A Weakness in Cryptographic Smart Cards and Microprocessors, Ryan Junee, Thesis, November 2002
(http://www.cs.usyd.edu.au/~ryan/thesis/ryan_dpa.pdf)

Smart Cards and Side-Channel Cryptanalysis, Ryan Junee, Ruxcon Security Conference, Sydney, April 2003
(http://www.ee.usyd.edu.au/~rjunee/sc_side_channel.pdf)

On a New Way to Read Data from Memory, David Samyde, Sergei Skorobogatov, Ross Anderson and Jean-Jacques Quisquater, First International IEEE Security in Storage Workshop, USA, 11 December 2002
(http://www.cl.cam.ac.uk/ftp/users/rja14/SISW02.pdf)

Camera flash opens up smart cards, New Scientist, 13 May 2002
(http://www.newscientist.com/news/news.jsp?id=ns99992273)

Lasers crack the key to smartcard chip secrets, EE Times, 20 May 2002
(http://www.eetimes.com/sys/news/OEG20020517S0016)

Smart Card Security - Defining 'tamperproof' for portable smart media, Stefano Zanero, Dipartimento di Elettronica e Informazione, Politecnico di Milano, 2001
(http://securenetwork.it/szanero/scsecurity.pdf)

Tamper Resistance - a Cautionary Note, Ross Anderson & Markus Kuhn, Cambridge University Computer Laboratory
(http://www.cl.cam.ac.uk/users/rja14/tamper.html)

Identity Fraud in Australia: An Evaluation of its Nature, Cost and Extent, Securities Industry Research Centre (SIRCA), September 2003
(http://www.sirca.org.au/news/releases/2003/0302FraudBook.html)

Passport to fraud, Gary Hughes, The Age, 6 July 2003
(http://www.theage.com.au/articles/2003/07/06/1057179212905.html)

Face Recognition Vendor Test Results 2002, P.J. Phillips, P. Grother, R.J. Micheals, D.M. Blackburn, E. Tabassi and J.M. Bone, March 2003
(http://www.frvt.org/FRVT2002/documents.htm)

Move on suspect official in car scam, Steven Wardill, Courier Mail, 14 November 2003
(http://www.thecouriermail.news.com.au/common/story_page/0,5936,7859440%255E3102,00.html)

Information Sheet 12 - 2001, Coverage of and Exemptions from the Private Sector Provisions, Office of the Federal Privacy Commissioner.
(http://www.privacy.gov.au/publications/IS12_01.html)

National fraud database may be linked to RTA records, Andrew Colley, ZDNet Australia, 8 July 2002
(http://www.zdnet.com.au/newstech/enterprise/story/0,2000048640,20267383,00.htm)

Austroads database hits privacy snag, Andrew Colley, ZDNet Australia, 14 August 2002
(http://www.zdnet.com.au/newstech/enterprise/story/0,2000048640,20267383,00.htm)

Communique, Austroads Registration & Licensing Reference Group, 16 May 2003
(http://www.austroads.com.au/programs/rum/referencegrp_RUM_text.html)

Just Another Piece of Plastic for your Wallet: The 'Australia Card' Scheme, Roger Clarke, 1987
(http://www.anu.edu.au/people/Roger.Clarke/DV/OzCard.html)

SchlumbergerSema Response to the UK Government's consultation paper 'Entitlement Cards and Identity Fraud', January 2003
(http://www.schlumbergersema.com/ukn/publicsector/entitlement/response/response09.htm)
