Global Mosaic Portal Network
Declaration: Kevin Beck works with Professional Managers and Associates (PMA), Australia.
PMA, an Australian (Melbourne) based company, has commercial relationships with numerous companies and interests engaged in technology, computing, software development, identity and biometrics, as well as consulting, banking and finance, national security, transport, health and medical sectors, mining and resources in Australia and internationally.
Individuals and business have to assist
Australia's agency AUSTRAC is responsible for tracking the movement of financial transactions with a value of $A10,000 or more. Banks are required to report the movement of large amounts of funds. In 2013-2014 some $A35 Billion of unreported financial transactions were uncovered. A small business sent $A21M overseas to undisclosed recipients. Large sums of funds are broken down into smaller packages to avoid detection. Some transactions are being undertaken in community centres and other non-profit entities.
Money laundering has been around for years but is blossoming as technology develops to facilitate it.
Money laundering in Australia 2011
Money laundering global high risk
"Money laundering is a critical risk to Australia. It is the common denominator of almost all serious and organised criminal activity. Criminals generate profits from illegal activities such as fraud, drug trafficking, tax evasion, people smuggling, theft, arms trafficking and corrupt practices. They rely on laundering or cleaning this ‘dirty’ money to legitimise or hide its illegal origins.
Money laundering involves processing illicit profits in ways which mask ownership and make the funds appear to have come from legitimate sources. This enables criminals to hide and accumulate wealth, avoid prosecution, evade taxes, increase profits through reinvestment, and fund further criminal activity, including terrorism.
Money laundering is also intrinsic to serious tax fraud/tax evasion and a threat to revenue. Often, money laundering is a transnational crime. Funds are laundered to pay for imported illicit goods and services, distance criminal income from the underlying crime and ‘park’ it offshore, buy property or high-value moveable goods for investment or later return to Australia, and move illicit funds to transnational syndicates’ home-bases.
This international dimension creates opportunities for criminal networks and presents complex challenges for Australian law enforcement and regulatory agencies. Some countries and regions are considered significant money laundering threats because they are source or transit points for illicit commodities and services while others are attractive for money laundering due to preferential tax regimes. Source or transit countries for illicit commodities or services, and places of residence for members of criminal networks, are likely to remain high-risk destinations for money laundering." (Source: Money laundering in Australia 2011, AUSTRAC)
"Ross and Hannan (2007) identified three risk elements, each of which needs to be considered in effective money laundering risk assessments—probabilistic, consequence and vulnerability risks. Probabilistic risk assessment involves the establishment of an association between an observable action and an activity the observer would like to detect. If money laundering and identity fraud have a strong association, to use Ross and Hannan’s (2007) example, then the presence of identity fraud would suggest a high risk of money laundering. The assessment of consequence risk is tied to the potential impact of an activity. A small cash transaction may be illicit but its potential impact may be far smaller than a large illicit transaction. Monitoring large transactions in this example would be a better risk mitigation practice.
Vulnerability risks are those that impede effective monitoring or detection, such as regulatory deficiencies or the presence of opaque transactions. Kini (2006) argues that the high-profile AML/CTF regulatory enforcement activity in the United States around 2006 illustrates the significance of a considered risk assessment program. ABN AMRO's correspondent banking business with Russian banks constituted a high-risk activity in a high-risk location; Bank Atlantic’s high net-worth business in Florida also entailed a high-risk business in high-risk locations.
The banks, in both cases, failed to employ adequate AML/CTF controls and FinCEN, the AML/CTF regulator in the United States, imposed large penalties on both banks (Kini 2006). These cases illustrate the need for regulated businesses of all sizes to have an effective AML/CTF plan in place to assess the level of ML/TF risks that face their operations and to respond to such risks appropriately." (Source: Perceptions of money laundering and terrorism financing risks. Australian Institute of Criminology)
The site also contains statistics and views of small, medium and large enterprises and their perceptions of the likely occurrence of money laundering and terror funding within their business and the sector at large.
The bulk of enforcement cost is borne by the taxpayer. Investigators are hampered by closed door business attitudes, secrecy and unethical business executives, including criminals operating anonymously within big companies and banks.
Meanwhile retailers are selling prepaid debit and gift cards across the counter, in multiples of values up to $A4,000 each, without requiring the identity of the purchaser or the identity of the recipient. Bogus names could be presented if no check of an instrument is required. These transactions appear nowhere after the sale and the card is used. The cards can be used anywhere in the world.
The attitude of the business owners is that to require identity or to report suspicious behaviour, and transactions, is an impost business should not be required to bear. They do not want to intrude into customers' privacy or have their business product sales, revenue and profits, in any way impacted or curtailed.
Big companies, and their distributors and resellers, are selling the technologies, systems and products that facilitate this activity. They are the providers to criminals who are engaging in money laundering, identity theft, fraud, tax avoidance, multiple identities hidden from authorities and regulators and tax offices, and others engaged in terror funding.
These sellers do not want to question why someone is buying a machine capable of producing driver licences, passports, credit cards and debit cards, and smart cards, when they are not a government entity and are not a bank or corporation that utilises the technologies for valid business. The manufacturers have little idea who the distributors, and resellers, are selling to. Business does not want accountability, responsibility or to curb their innovation in the public interest. More and more technology is being released that is supporting "dark web" and "circumventing regulators". The national security of nation states is threatened.
Amendments to Australian AML/CTF laws, now out for consultation, would require compliance officers to be appointed (as they are in banks and financial enterprises now) in every major enterprise that is engaged in payments and systems as described above. Company Boards, Executives, and Employees, would be required to monitor their clients' activities, ask questions and report their suspicions to AUSTRAC within a matter of days. Failure to do so incurs penalties. The aim is to engage business in assisting with law enforcement and national security. They are resisting.
But no big corporation wants to be identified as being "anti-social or engaged in assisting criminals knowingly or not", so they resort to back-room lobbying through associations or spend money to defeat the legislators' and regulators' intent. They argue legal barriers and privacy, and that such imposts are restraining open competition, innovation and development. All things in their favour, nothing in the favour of the public interest other than veiled consumer interests.
Large corporations like utilities, telecommunications, water, energy, transport, banking and finance, and other critical enterprises, do not spend on physical security beyond the bare minimum. They want the state and law enforcement to protect them for the paltry taxes they may pay or not pay at all.
Below I outline their resistance and the techniques used to influence and thwart legislators and public servants from implementing protection across Australia and internationally.
"Amendments to Chapter 4 (customer identification) of the (Australian) AML/CTF (Anti-Money Laundering and Counter Terrorism Funding) Rules, 10 June 2015
These amendments to Chapter 4 of the AML/CTF Rules provide a further version of the electronic safe harbour procedure for customers, broaden the collection of identification information from sources other than the customer, and extend current customer identification exemptions to include beneficial owners and politically exposed persons. A public consultation period is open from 10 June 2015 to 8 July 2015." (Source: Australian Government Transaction Reports and Analysis Centre, Austrac.gov.au)
AUSTRAC's 2014 typologies report is the eighth in the report series.
The 2014 report includes 20 real-life case studies showing how legitimate services offered by Australian businesses have been exploited for criminal purposes, including international drug smuggling operations, people smuggling and human trafficking syndicates and sophisticated overseas tax evasion schemes. By highlighting past examples of criminal activity, the report educates businesses on their money laundering and terrorism financing risks and helps them recognise and mitigate these risks. (Austrac.gov.au)
In one year Austrac identified about $A34 Billion in unreported funds transfer transactions out of Australia to unknown recipients. $A21,000,000 transferred out of Australia, into Turkey, via a small business in Lakemba NSW Australia. Other instances .... $$ Millions transferred by banks. False identities, breeder documents, prepaid cards (with values of $10 multiples, $100 and so on, up to a single card maximum of $A4,000) are sold in Australian retail outlets requiring no identification. There is no limit on the number that can be purchased over the counter. Changes to AML/CTF laws would seek to impose identity and suspicion reporting requirements on the companies and their employees.
$A34 Billion is not the total.
The technology, software and systems that facilitate criminal activity are manufactured and sold by companies across the world. Many do not ask why someone is buying equipment or software, or its purpose and use. Sales people and their sales managers are driven to meet corporate revenue goals by Corporate Boards, and Executives, who put business interests first and who show no ethical or moral compass. Most believe that it is the responsibility of Government, police and agencies to catch the crooks. Most believe that the cost of government agencies, like Austrac, should not be borne by them even if they do manufacture the tools that facilitate the crooks and terrorists. Through their Associations, and by direct lobbying, they seek to avoid and shift accountability and responsibility, to defeat legislators who might be seeking to make the company executives participate, pay and contribute.
Below is one example of the subtle methods by powerful (big money) interests seeking to influence and place obstacles in the way of the legislators, bureaucrats, regulators and law enforcement officers.
Sent: Thursday, 25 June 2015 3:59 PM
Subject: Possible conflict between Anti-Money Laundering and Competition Law
Dear Kevin Beck
As you may be aware, some recent studies found that businesses consider the requirements of the Anti-Money Laundering and Counter Terrorism Financing Act 2006 (AMLCTF - especially the Know Your Customer (KYC) related) to be onerous and could potentially inhibit (or at least affect) the competitiveness of the entity and the sector within which it operates. There is also concern that the regulatory requirements inhibit innovations in the development and provision of financial services, for example uptake of digital payment systems such as Bitcoin.
We are a team of researchers (Milind Sathye + Bruce Arnold + Paula Chadderton) at the University of Canberra investigating whether Australian regulation aimed at encouraging competition and innovation conflicts with requirements for Know Your Customer (KYC), Anti-Money Laundering (AML) and privacy protection. The project is funded by the Society for Worldwide Interbank Financial Transactions (SWIFT) Institute - the global payments system consortium - and will result in a report to be published by them besides academic publications.
Given your recent submission to the Review of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, the Harper Review on Competition Policy and/or Murray Review of the Financial System, we thought you may be interested in contributing your views on the above issue. We value your expertise in these areas.
Kevin Beck AML Submission
We attach a questionnaire along with a participant information form and consent letter (a requirement of University's Human Research Ethics Committee).
You may like to email your views in using the questionnaire or other format that suit you. Alternatively, if you would like to speak to us, could you kindly let us know so that we can arrange it at a convenient time.
All the information will be held in strict confidence and used only for the purpose of this project. We will not reveal your details or those of your organisation without specific consent to that effect.
We look forward to your participation and cooperation in this important project which may lead to further consideration of how to overcome conflict between AML, innovation and competition law, and improve the business transaction environment. We will be grateful to receive your response by 30 July 2015. The response may be sent to Milind.Sathye ..... Thanks in advance and with best regards
Milind Sathye, Professor of Banking and Finance, (all Email, Address and Phone Contact details have been removed from this copy), Bruce Arnold, Assistant Professor, School of Law, University of Canberra. Paula Chadderton, Government Lawyer and PhD student at the University of Canberra
Participant Information Form - AML officers and other staff dealing with AML and competition law, privacy and intellectual property related matters.
Does regulation aimed at encouraging competition and innovation conflict with requirements for KYC, AML, etc.? Are the two sides compatible?
(1) To identify the challenges faced by Australian businesses in complying with KYC, AML and privacy frameworks
(2) To understand what Australian businesses consider to be the areas of non-compatibility between those frameworks vis-à-vis competition and innovation initiatives
(3) To prepare a matrix of non-compatibility issues in the frameworks by business types and characteristics
(4) To understand what Australian businesses envisage to be the impact of non-compatibility of the frameworks on their business
(5) To understand the policy-level and industry level interventions/initiatives necessary to eliminate or reduce non-compatibility in frameworks.
Benefits of the Project
The information gained from the research will be used to inform the development of policies for improving anti-money laundering regime not only in Australia but globally. The granting agency email states that their governing council unanimously supported our proposal and would also like us to conduct a global study eventually. The present study would serve as a pilot study using Australian data for an eventual global study.
General Outline of the Project.
The SWIFT Institute (Society for Worldwide Interbank Financial Telecommunication) based in Belgium has provided a grant of Euro 15,000 to a team led by Professor Milind Sathye, University of Canberra, and consisting of Asst. Prof Bruce Arnold, University of Canberra, and Paula Chadderton, Government Lawyer (in her capacity as PhD student at the University of Canberra) for a project that aims to investigate whether regulation aimed at encouraging competition and innovation conflict with requirements for KYC, AML, etc.? and whether the two sides are compatible? The research proposes to understand the conflict that arises in the legislations for anti-money laundering (AML) and the competition/innovation and privacy laws and how these could be addressed.
Clients who agree to participate in the research will be asked to:
1) provide information about the various lines of business of the firms in which they work, provide examples of conflict in the AML and competition law/ privacy law and innovation law that they have encountered, what steps were taken to address the conflicts, what amendments are required in the AML regime or the other legislations so that such conflicts could be avoided and such other related issues. Such information would be sought from officers dealing with compliance issues in 'designated businesses' as per AML regime (that is, banks, superfunds, remittance providers, insurance companies and others) through a structured questionnaire (More information about the exact nature of information that will be provided to the researcher can be obtained by asking the researcher to explain the details).
2) provide information by filling in the structured questionnaire which would take about 15 minutes to complete. The respondent would be provided with a self-addressed postage paid envelope to return the filled in questionnaire. The questionnaire consists of no more than 15 questions (as attached).
Participation in the research is completely voluntary and clients may, without any penalty, decline to take part or withdraw at any time without providing an explanation, or refuse to answer a question or be not prepared for audio/video recording of responses to interviewer's questions or for being photographed. Note that while it will be evident to the researcher whether a client agrees to participate in the research or not, this will have no effect on the service provided at any time. While the funding agency SWIFT / University of Canberra values and encourages participation, it respects the right of clients to choose not to participate in research. The only potential risks to participation relate to privacy and confidentiality. Please be assured that all the data collected from clients will be stored securely and only accessed by the researcher. Great care will be taken to ensure that any reports of the data do not identify any individual or their circumstances.
Confidentiality
Only the researcher will have access to the individual information provided by clients. Privacy and confidentiality will be assured at all times. The research outcomes will be provided in a report to SWIFT Institute and may be presented at conferences eventually leading to publication of a research article. However, in all these reports, the privacy and confidentiality of individuals will be protected.
Due to the need to collect organization information from respondents, it is not possible for the research to be anonymous. However, please be assured that all reports of the research will contain no information that can identify any individual and all information will be kept in the strictest confidence.
The information collected will be stored securely on a password protected computer throughout the project and then stored at the University of Canberra for the required five year period after which it will be destroyed according to university protocols.
Ethics Committee Clearance
The project has been approved by the Committee for Ethics in Human Research of the University of Canberra.
Queries and Concerns
Queries or concerns regarding the research can be directed to the researcher, Milind Sathye whose contact details are at the top of this form. He welcomes answering any queries. (end of attachment)
RQ (1) What are the challenges faced by Australian businesses in complying with Know Your Customer (KYC) , Anti-Money Laundering ( AML) and privacy frameworks?
When was the firm/business/institution for which you work established?
Less than 5 yrs ago
Between 5 yrs- 10 yrs ago
More than 10 yrs ago
How many people are employed in your business?
Less than 20 people;
20 or more people, but less than 200 people
200 or more people
Which of the following are the major business lines of your firm?
Managed funds/Superannuation funds
Securities and derivatives
Funds transfers (international/domestic)
What are the KYC requirements in each of the business lines of your firm?
Are the KYC requirements similar for all business lines or are they stricter in some areas and less strict in others? If so, why?
What difficulties are generally encountered in complying with the KYC requirements? How do you deal with these matters?
Besides the KYC, what are the other AML related requirements that at your level you are asked to comply with?
RQ (2) What Australian businesses consider to be the areas of non-compatibility between the frameworks vis-à-vis competition and innovation?
Have you come across any areas where the Anti-Money Laundering and Counter Terrorism Financing (AMLCTF) legislation and the competition and innovation and privacy legislations are in conflict?
Examples of how your capacity to be innovative or competitive has been restricted or hampered? Why?
Could we ask how you addressed the conflict?
How can organisations ensure they don't lose out on business by wrongly assessing the customer?
Organizations are increasing their AML budgets and their head counts despite this not adding any value to the customer. How can they ensure they leverage this cost and make the most out of the time and resources spent?
RQ (3) Are there differences in the non-compatibility issues in the frameworks by business type /characteristics?
How do you manage different regulatory requirements relating to each of your business lines?
Could you explain the AML, competition law, and privacy law issues that arise in your work?
How frequently do these issues occur?
Neither rare nor frequent
Competition and innovation law related issues
Neither rare nor frequent
Privacy law related issues
Neither rare nor frequent
RQ (4) What does Australian business envisage to be the impact of non-compatibility of these frameworks on their business?
How would you rate the impact of non-compatibility of these frameworks on your business (work) so far?
Very-little Little Neutral Significant Very Significant
How would you rate the impact on your business in the future?
Very-little
RQ (5) What policy-level and industry association- level interventions/initiatives are necessary to eliminate or reduce to the minimum the areas of non-compatibility in the frameworks?
In your opinion, what changes are required so that such conflict can be avoided?
Did you discuss the matter with your team leader?
What response did you get from the team leader?
Do you know if the matter was referred by the team leader to senior leadership?
What was the response from the senior leadership?
Was the matter referred to by your organisational leadership to the industry association or the government?
Were you apprised of the response received?
Where does the matter stand now? What do you propose to do further?
What technological process changes could assist to overcome areas of non-compatibility? Why and how?
In your opinion, if regulation is viewed as a burden, does this impede competition? And how does this occur?
(End of attachment)
Consent Form - AML compliance officers and others engaged in work related to competition/innovation/privacy law in their organizations
Does regulation aimed at encouraging competition and innovation conflict with requirements for KYC, AML, etc.? Are the two sides compatible?
I have read and understood the information about the research. I am not aware of any condition that would prevent my participation, and I agree to participate in this project. I have had the opportunity to ask questions about my participation in the research. All questions I have asked have been answered to my satisfaction. Please indicate whether you agree to participate in each of the following parts of the research (please indicate which parts you agree to by putting a cross in the relevant box):
Participate in a structured questionnaire survey or interview with the researcher.
Participate in an interview for case study with the researcher.
Agree for audio/video recording of my responses by the interviewer.
Agree for being photographed by the interviewer.
A summary of the research report can be forwarded to you when published. If you would like to receive a copy of the report, please include your mailing (or email) address below.
End of attachment
Evidence research is one of the tools used by big business, along with lobbying of legislators through Associations and directly by companies. In this case the SWIFT Institute, on behalf of its members, is using the Consultation Period.
Global tobacco companies commission research from universities to try and influence legislators and also to use in courts of law. During the Global Financial Crisis banks and financial institutions worked hard to protect their interests against those of the ordinary citizens whose interests they are purportedly serving.
The global companies, most notably US member corporations of the SWIFT Institute, may turn to using the US Free Trade Agreement and the Trans Pacific Partnership, between the United States of America and countries such as Australia.
In a democracy all interests, even those of criminals, their Accessories to Crime and their technology and services suppliers, have rights. The ones who pay, in the end, are the taxpayers and ordinary people whose rights are trodden on.
Corporations are, by law, real persons.
Cloud is all the rage. Suppliers offer least cost, arguing that clients do not have to maintain their own infrastructure. This can look very attractive to cash-strapped Australian government public sector agencies.
The Australian Department of the Attorney General has released a guideline framework and, as is the modus operandi of our national government, Departments can decide what they will do. ICT managers in agencies can become largely independent of a coordinated whole of government approach as long as they follow Finance Department procurement directives.
While there are a number of benefits to outsourcing data storage or processing to a cloud provider, there are also a number of steps that an agency should take to help ensure that the security and integrity of its data is maintained in the cloud and to ensure that it complies with its privacy law obligations.
Data Security and Protecting Information
One of the most critical concerns of cloud computing is data security. By moving data into the cloud a government agency is relinquishing custody of that data to the cloud provider. Therefore, the agency needs to understand how its cloud provider will protect the data and what security standards and procedures are being applied to help prevent data theft or a security breach. An agency can help reduce security risks associated with cloud computing by ensuring that the following items are addressed in the contract with the cloud provider:
The use of shared infrastructure can create data commingling and segregation issues. For this reason, an agency may choose not to move sensitive or confidential information into the cloud. Further, depending on the nature of the information that is being stored or processed, the agency may need to ensure that its data can be segregated from all other third-party data as part of the cloud-service. The ownership of the data by the agency should be confirmed in the contract and the cloud provider should be required to return or destroy the data in its possession at the end of the relationship.
Location of Data.
A cloud provider’s infrastructure may be located in different jurisdictions, which can result in a number of legal issues for the agency. Among other things, if data is transferred to another country it may become subject to the privacy laws of that country. The laws of the European Union are somewhat more onerous than those of other sovereign states. Therefore, the physical location of the servers where the agency’s data will be stored should be specified in the agreement with the cloud provider. The contract should also restrict the locations where the data may be held (for example, if the cloud-service is provided from a location in Australia, the contract should prohibit transmission of data outside of Australia without the agency’s specific consent).
The level of security and the encryption procedures that will apply to the agency’s data should be identified. If possible, an actual, specific and independent security standard should be identified in the contract.
The specific access security protocols that are being implemented by the cloud provider should be identified in order to help reduce the risk of unauthorised access or data theft.
The contract should include a right for the agency to audit the cloud provider’s security procedures as well as the cloud provider’s compliance with the contract generally. The contract should also include a right for the agency (and the agency’s external auditor and/or the Australian National Audit Office) to access the cloud provider’s data centre or premises where the agency’s data is located.
Notification of Security Breaches.
The cloud provider should be required to provide the agency with immediate notice of any security/data breaches so that the agency can manage these events as effectively as possible.
Agencies will assess the benefits and risks for privacy when considering a cloud solution. Private sector privacy legislation in Australia generally allows an agency to transfer personal information to a cloud provider for processing or storage (including a cloud provider in another jurisdiction, e.g. a state of Australia). However, the agency will remain accountable to protect the personal information and it must remain in control of that information.
Cloud computing and storage can also create new privacy issues for an agency. Specifically, when data in a cloud system is accessed, stored or processed, new “transactional information” is often created which can constitute personal information under Australian privacy legislation. In other words, the new transactional data can be subject to the same privacy law requirements as the primary data.
Further, if information that the agency is sending to the cloud is processed or stored in another jurisdiction then the agency may have privacy obligations in the jurisdiction where it collects personal information as well as the jurisdiction where the data will be located. For example, if data is being stored in the United States as part of a cloud-service then that data may be subject to access by the US government as a result of the USA Patriot Act. Some examples that come to mind may be data and systems overseas belonging to the Australian Defence Department, Australian Federal Police, Department of Foreign Affairs and Trade, Department of the Attorney General, AusTrade, Australian Security Intelligence Service, Australian State Trade Offices, among others.
In light of the above, an agency intending to move personal information into the cloud should do the following:
Implement a privacy compliance program that addresses collection and use of personal information in the cloud.
Determine the type of data that will be sent to the cloud and how the information will be stored by the cloud provider. Outsourcing data storage can create a risk of misuse or unauthorized disclosure and therefore an agency may choose to retain its most confidential information under its direct control.
Ensure that appropriate consents have been obtained to send personal information to a cloud provider. An agency needs to maintain “control” over personal information that is sent to the cloud provider and prevent secondary uses of that personal information. If the cloud provider will use personal information for new purposes then additional individual consents may need to be obtained.
Review the cloud provider’s contract terms to ensure that personal information received by the cloud provider is treated in a manner consistent with the agency’s obligations under applicable privacy laws. If personal information will be located outside of Australia then the cloud provider must provide a comparable level of data security as would be required under Australian law.
This is not an exhaustive list of the data security and privacy issues that an agency will need to address when considering a cloud computing solution and each arrangement will have its own special considerations.
Further, while data security and privacy risks are key issues that need to be addressed in the agreement with your cloud provider they are not the only risks or legal issues that arise with cloud-computing. If your agency is contemplating entering into a cloud-computing contract we recommend that you seek the advice of an experienced legal advisor.
Author: Kevin R Beck, Melbourne Australia, 2015
Logical and Physical Identities
Data Protection Control Strategies
Policy, Action and Industry Collaboration
The Australian National Broadband Network
This paper represents a contribution to the deliberations, design of and implementation of the Australian Government’s Cyber Security Policy. It serves as an initial information exchange offering a personal perspective to the critical arena of the Australian Cyber Security Policy as mandated in the Review of 2008 and now managed by the Australian Department of the Attorney General. This framework will be impacted, and broadened by the implementation of the Australian National Broadband Network bringing with it a new set of challenges. Australia’s governments (all of them, federal, state, territory and local) handle, process, issue and store vast amounts of information and this should be coordinated, and centred, in a secure facility, or facilities, and operated much like a private bureau that produces driver licences, financial cards and other critical instruments.
Criminals, of all persuasion, effectively use the fractured structures and the disparity in security that exists today across the Australian nation.
This paper poses, and looks at Australia’s security, in a broader world context framing the issue of data security, and document issuance, within the sophisticated activities of criminal networks operating across borders and sovereign states, operating within legitimate, and illegitimate, cohorts and communities, blending in so to speak. I believe a sophisticated global criminal structure has been built in front of us and we do not necessarily see it. Businesses engaged in commercial activities within the arena do not readily accept that their enterprises have been infiltrated or are part of the mosaic of criminal and espionage activity.
THE LOCAL IMPERATIVES
The Australian government, through its own agencies, is a user, and issuer, of secure data, documents, services and systems, evolved out of a myriad of sources of data in-house and external. External source data may be private individual, corporate, other jurisdictions of governments and many others including international.
In terms of the Australian government itself, the question arises as to how this extraordinary amount of data can be filtered, and allocated, a security level according to its purpose. The debate may revolve, inter alia, around what data should be centralised and operated on and what can remain distributed in the field.
However I am posing here a greater and much wider risk and concern, not only with how Australian states, territories and local government manage data storage, privacy and activities but how commercial enterprise manages its own and how the whole is manipulated by criminal elements. Into this I add logical and physical identity used for multiple purposes in parliaments, commercial, government and institutions.
A disparate patchwork quilt of policies and actions by government and key sectors of business enterprise (banking, utilities, telecommunications, document issuance and so on) serves to advantage criminal elements here and internationally. Whilst the Commonwealth may be leading, the states and territories are lagging behind. They reduce the question to one of cost and, when quizzed about their physical security of ports, airports and key assets, they dissemble, stating it is a Commonwealth responsibility. They focus on standard protections of their computer systems and resist sharing information.
In Victoria Australia, for example, police do not have ready access to Transport driver licence, and other databases, and personal data unless the person on whom they are requesting information has been charged with an offence. They are not permitted to do 1:1 or 1:N identity scanning.
Australian states also have a view that a driver licence is not an identity instrument; it is a permit to operate a vehicle. The fact that a driver licence is part of the 100 point identity check to open a bank, or totalisator (TAB), account is somehow lost on this spurious (politically and bureaucratically contrived) proposition.
Anyone seeking to work in, or for some other purpose enter, an Australian airport or port can simply apply for a cheap low grade identity card (known as an ASIC card) through an agent (an airport, an airline, a shop in a rural location or other), pay a fee, undergo a rudimentary identity check by an Australian government agency and then get their card.
Such disparate policies, and activities, undermine national security and policing.
As a minimum, all identities should be categorised according to criticality (logical and physical use), and mandated for not only security, as a logical data set but also as a physical form in terms of topology and security design, construct and issuance. Only assessed, accredited, security cleared and carefully monitored entities should be permitted to sell identity technologies including printers and software.
Australia’s Local Government, Other Agencies and CERT Australia
I acknowledge the Australian government’s Attorney-General’s Department is the lead agency for cyber security policy across the Australian Government and it is the chair of the Cyber Security Policy and Coordination (CSPC) Committee, which is the interdepartmental committee that coordinates the development of cyber security policy for the Australian Government.
One might assume, or external parties in the private arenas described above may claim, that they have a similar philosophy to the government in defining measures relating to the confidentiality, availability and integrity of information that is processed, stored and communicated by electronic or similar means.
They may claim to share the aim of the Australian Government’s cyber security policy in the maintenance of a secure, resilient and trusted electronic operating environment that supports Australia’s national security but only if it does not cost them a lot of money and too much effort.
Australia’s national security, economic prosperity and social well being are critically dependent upon the availability, integrity and confidentiality of a range of information and communications technologies (including ICT). This includes desktop computers, the internet, mobile communications devices and other computer systems, and networks, and may I add products that are provided by external parties such as passports, employee identity, smart cards, tokens, credit cards, prepaid cards gift cards and any other instrument that deals with data.
Gift cards, and prepaid cards, are part of another paper on the dual themes of money laundering and tax avoidance.
We can all cite an increase in malicious code, attacks and criminal activity, on commercial government and personal systems as is particularly the case for financial transactions and sensitive commercial or personal identity including theft thereof, or the creation of one core document to breed others for the purpose of opening a bank account, a social security identity, a driver licence and more.
Many involved in data, privacy and protection are confronted by hysterical misrepresentations around the vexed issue of identity in Australia. Security is undermined by political and bureaucratic expediency and the risk aversion to confronting irate civil libertarians and the right to privacy. Whilst railing against the perception that any attempt to control fraud is a stealth move to introduce an “Australia Card” people are quite free with their private information on social media and other demands of the Internet, quite free with information or disregarding of what retailers and telecommunications providers, Google, Apple et al gather in. Young people particularly do not seem to care.
They may also be somewhat cavalier with the cards, passports, driver licences and other items they treat as everyday tools but which are more and more the targets of criminals.
I am moving beyond the mere concept of a Cyber Security Centre supporting the government’s objective of cyber safety (focused on protecting individuals, particularly children, from offensive content, bullying, stalking or grooming online for the purposes of sexual exploitation) to broader economic and social contexts, requiring coordination of other related policies, programmes and industry participation. There is a role for industry in this scope, particularly in the federation of competing interests and the knowledge awareness of federal, state and territories.
INFERENCES AND CONJECTURE
A global network of criminal elements has come together, like a new generation mafia, using whole countries (pariah states, states under sanctions and so on) integrating their way into institutional structures (government, banking, financial systems, utilities, technology and telecommunications) across the world, including Australia, to launder large volumes of money, avoid tax, to create fraud and to fund terrorism and other criminal activities.
This is not simply the transactional movement of funds involving the complicity of a bank or other structure; it is the actual manufacture of the foundation for that movement, beyond data transfer in computer systems and on the internet, to physical instruments such as credit cards, chips in mobile devices and identity instruments. The clients of these outputs are those who embrace serious badness.
Every honest business, and person with integrity at their core, would support the National Leadership approach by the Australian government within the federation of a shared responsibility in the communication, and storage, of sensitive information (of all types) and the obligations of mutual respect for the information and systems of other users. However this federation is a reality only on paper and each state and territory wants to be independent doing what is “politically statute and easily done” without spending too much money and political capital.
Not only should all of the Australian public service be engaged, through knowledge leadership and action, in a partnership approach to cyber security across all Australian governments; the private sector and the broader Australian community are seen as essential to this partnership, along with our nation’s allies and multi-national global corporations that cross borders. Of course within the partnership we might expect infiltration by “hidden” criminal supporters.
Globalism, and technology, supports many players and is a major fillip for the criminal person and the criminal state. Just as we install systems in government to produce identity and manage data, across a myriad of agencies in Australia, all with varying, minimum or no level of security to speak of, we are now also building a mechanism (the National Broadband Network - NBN) that will be of great benefit to the criminals. Manipulating stock prices, betting odds, moving transactions quickly require high speed communications.
The Australian government, via its agencies along with federal and state Police, Regulatory Agencies, Australia’s states and territories, and companies, that have global operations can support, and add value to, the Australian Government’s international policies, strategies and initiatives.
All business, just like Australia’s multiple governments’ agencies, requires risk management in a globalised world where interoperability, and internet-connected systems, are potentially vulnerable and where cyber-attacks are difficult to detect. There is no such thing as absolute cyber or identity (logical and physical) security.
However on too many occasions, entities (government and commercial) operate in a state of unawareness of what human, and machine, networks they are in and supporting, knowingly or unknowingly.
In concert with government, and community, everyone must be brought into the policy and the intelligence exchange, and all must apply a risk-based approach to assessing, prioritising and resourcing cyber security activities within the values paradigm of their individual operations.
Many enterprises educate customers, and others, with whom they come into contact (at exhibitions, conferences and seminars, banks on their web sites and at ATMs, the Australian Competition and Consumer Commission on scam watch) as to the cyber risks of instruments that individuals carry and use and the ability of criminals to “phish”, mask web sites to look real and so on.
As a part of their own cyber security they must operate, and maintain, secure and resilient information, and communications, technologies to protect the integrity of operations and the identity and privacy of the customers and end users. This vitally includes corporations engaged in the manufacture, and distribution of critical instruments, applications and identities.
The Australian government, and other jurisdictional agencies, can assist in educating, and empowering, all Australians with the information, confidence and practical tools to protect themselves online and in their financial and other transactions, but what of the hidden criminal operations described previously that prey upon ignorance, greed and human nature? What of the criminals within legitimate enterprises and governments? How do we identify them and weed them out?
Australia’s Governments may promote security, and resilience, in infrastructure, networks, products and services across agencies, including parliamentarians, associated people, employees and communities using government portals and entering agencies and parliaments, but this is but one part of the puzzle and vital mosaic of partnership that builds to protect our nation and our cooperation with like-minded sovereign states. Industry will only participate to the point where it is commercially in their interests or it suits their agenda. They like to use policing and other services without actually paying for them.
The private sector, and government agencies, the world over look to the protection of their ICT systems but to what extent do they ponder how criminal elements become embedded and institutionalised as part of those structures?
They take live (or deceased) identities, and create data, to manufacture other things for their needs and then send them out into the legitimate world.
Significant Australian companies and, more particularly, those with global operations can work with CERT Australia to assist the owners, and operators, of critical infrastructure, and systems, of national interest and add support to CERT Australia within the global community of computer emergency response teams (CERTs) to support international collaboration in regards to cyber security issues and also complement the work of the Cyber Security Operations Centre within the Australian Signals Directorate. These collaborative arrangements can also serve to make participants aware that their business can also provide the foundation and tools of crime and terrorism and to incite them to vigilance.
A sort of crime stoppers - corporate and citizen world.
The identity technology providers to which I refer above would claim to support the work of the Attorney-General’s Department, and the Australian Federal Police, in the area of identity security and production but only to the point of commercial expediency. Just as many companies work with CIT integrators who are engaged with key government agencies. They will put people onto committees as part of their interaction but when the situation becomes sticky they tend not to want to be publicly involved.
It is into these legitimate structures, committees, working groups and projects, the criminals enter masquerading as good corporate citizens.
The work of the Department of Broadband, Communications and the Digital Economy in the implementation of the National Broadband Network (NBN) was supposed to, inter alia, raise opportunities for collaboration; of particular focus for my area of interest, data is to be sent across the NBN according to the user profile. The change of government from Labor to Conservative, who are focused on cost rather than benefit, now clouds what value the NBN may bring and to what extent. The security of the Network itself may well be compromised, a bonus for the criminals.
There is obviously an expectation that the private sector will embrace the NBN. The NBN will greatly enhance the transportability of data and the activities of the criminals. We know criminals do not wear black hats and long coats standing out. The fibre is a neutral carrier and therefore there will have to be an extensive education campaign, well beyond that which is currently carried out. If mobile and other technologies are added into the Network then security becomes more problematic.
Policy debates around wireless versus fibre landline belie the complexity of the server capability/availability and the wireless band. It is not enough that we educate citizens, everyone in government and business must be vigilant to the hidden global network that is operating out in the open.
Although the network connection between a user's web browser, and the server, might be believed to be secure, the user data is kept in clear text at rest on the host servers, and can potentially be viewed by anyone with the correct level of access. From this they can take data files to populate the instruments I have referred to which in turn form the mechanism for movement of funds, and people, beyond the horizon of regulatory awareness and that of Australia’s agencies and international allies.
This poses problems for governments, organisations, and individuals who wish to store and exchange sensitive information, patented materials and sensitive private data, such as patient medical records, identity instruments, passports, driver licences, and credit cards, financial security instruments printed or electronic.
Most companies, and agencies, dealing with critical business use, inter alia, plug-in technology that transparently intercepts the user data prior to it being sent to the distribution server and encrypts it. Not everyone wants to encrypt a document but there will need to be options to do so. Sharing documents, and data packages, is a significant consideration in where servers are connected to government and private sectors receiving and transmitting data.
THE INTRUSION OF CRIMINALS
Let us not be naïve. We should assume that criminal elements operate within legitimate businesses of all types (in Australia and internationally) and within the large computer companies, technology support services and other businesses that deal with government. Contractors within the Australian government, and all other governments, are a risk also. This includes the chain between Australian banks and their Financial Instrument Fulfillment Providers – Abnote, Gemalto, Giesecke and Devrient, Placard and Oberthur Technologies among other providers. The same chain applies between the providers above and retail stores selling prepaid Visa, Mastercard and Gift Cards along with mobile phones and prepaid SIMs. These are all tools to money launderers and criminals. Given this, they are logically within our banking and financial sectors, telecommunications and other vital infrastructures.
Government cards such as Medicare and Benefits, Licences, Passports and Other Identity Instruments are also in the same chain and valuable to criminals.
What is the mechanism by which commerce and government will become aware of the intrusion of the criminal if their requests are merged in with legitimate packages of data, financial and other activities?
We see banks (knowingly and unknowingly) facilitating the laundering and transmission of large volumes of cash on behalf of drug cartels in Mexico and pariah states and juntas. The people in the drug and criminal businesses use credit cards. They are simply part of a large stream of legitimate issuance by third party providers knowingly or unknowingly. The challenge lies where the illegitimate dress up as legitimate.
Then there is technology installed in criminal nation states where the equipment, and technology, is dedicated to the support of crime and terror. Undermining a nation’s economy is as powerful a tool as bombing and terror.
Criminals are studying all they can about the Australian NBN and its structure and security.
The level and type of encryption cipher (two layer – software and hardware) used will have to be of key consideration in the Australian National Broadband Network as it seeks to provide a fast and efficient transport highway for mass movement of image, voice, data and text.
Business, government and other users want to access their documents from any machine or virtual private network or cloud across the Internet where they have the appropriate plug-in installed. In amongst all the traffic is the parasitic criminal, plying their trade locally, nationally and internationally.
Government will look to user decryption keys and user-chosen passwords or an appropriate level (1 – 4) of authentication which may or may not be mandated. However these are actually aimed at the legitimate and will be irrelevant to the criminals who have embedded their activities into the legitimate world.
Document issuers will develop their own software with extensible functionality to encrypt outputs and transactions. They will manufacture, personalise and encode identity instruments embedding logical, and physical, authentication devices, interfacing to biometrics, public keys and third party issued security certificates. These will be manufactured according to the end user requirements.
Government agencies, and others, utilising government servers, portals and end to end services across the National Broadband Network may be required to use the United States FIPS, HTTP and other protocols including authentication levels of verification. These are freely available, to anyone, and are also used for the production of legitimate, and fake, (logical and physical) identities to serve criminal ends.
Education is vital in implementing a total Australian Cyber Security model in its fullest sense. Education first within the federal, state and territory public services most particularly at the lagging state and territory level who will say this is a matter for the Commonwealth (risk and responsibility shifting) and then education for business and the general public. Business will only participate to the boundary of its risk model at limited cost.
Governments must engage the vigilance of trusted (vetted and competent) industry, and individuals within who are known to have a strong regard for public service and national security and who are willing to share and garner intelligence with them and from them on a scale never before contemplated.
Author: Kevin R Beck, Melbourne Australia 2015
WEAKEN AUSTRALIA'S NATIONAL SECURITY
Apropos of the Harper report into Competition Reform and my reference within it to Public Service Expression Of Interest and tendering practices and processes
“As discussed in Chapter 12 on human services, government procurement processes have often been risk-averse and prescriptive. A submission from Kevin Beck states that tender documents are ‘prescriptively written to place the entire onus on the respondent with risk and accountability deflected away from the agency’ (sub, page 3)”, Part 3, Competition Policy.
The near issuance of the tender for the upgrade (replacement) of the Commonwealth’s primary architecture for Social Benefits (Centrelink – DSS- Family Services) within the above Human Services context will be an opportunity to streamline the RFT processes and policies and also to address matters raised below.
I am questioning the rationale of the APS in relation to the myriad of cards being purchased by the APS, why a card is considered to be the best solution, and the haphazard manner of purchasing across the whole of government.
By my assessment Australia’s federal government agencies spend over a hundred million every year on a divergent range of cards used for social security, health, identity, access and security.
What is the cumulative cost (by all agencies) and the real effective utility of the following cards? Another question is what stresses arise when suppliers bid so low that the whole contract is not best business practice on either side of the equation, APS or Supplier? How much risk is reasonable for the APS to shed to the Supplier?
I would contend that tens of millions of dollars of opportunity savings are wasted on agencies acting in isolation, doing their own thing, acquiring low grade insecure instruments at the cheapest possible price whilst embedding penalties into contracts that can effectively make the supplier lose all of their margin if they breach the performance benchmarks and the overall outcome which is economically unsustainable in the medium to longer term.
The most prominent example of this latter proposition is the Australian Medicare card, which churns from one supplier to another whilst having very little utility. DHS is moving to an electronic relationship with the consumer and the card is largely irrelevant in that strategy. The DHS web site that combines all of a person’s interactions into the Whole of Government service model puts greater pressure on the justification for maintaining millions of cards.
One need not dwell on the poorly managed and wasted projects that occur so often large and small – Access Card, Australian Passport Redevelopment integration and Defence JP2099 smart card identity.
The cost to government, taxpayer and industry is massive not merely in dollars but in the inability for the respondent’s bids to be used by the APS for future learning and comparison due to an ideological notion of probity effectively losing any opportunity for value out of the exercise.
Among the many in use what is the utility and security of the following cards?
The Medicare card, its utility function is largely 20 points in 100 point identity test, a low grade instrument which facilitates ongoing fraud. Priced by suppliers so low that any failure to meet contract benchmarks puts the economics and the relationship under stress.
ASIC Transport card, another low grade high risk identity access instrument issued across the nation by private agents, and port owners, enrollment by a questionable security process and a basic identity check by the Australian Public Service agency, provides access to airports and ports across the nation.
Centrelink (social security agency) pension card, cheap flimsy paper object, low grade low security with no real utility, can be part of a fraud scheme when added to other identifying instruments
Multiple desktop issuance systems of a non-common standard, for identity, and access, from low grade high risk cards to quite high security but very high cost smart cards. Purchasing proprietary cards and laminates ensures the APS is not getting value for money and is locked in. There is no use of economy of scale or common topology design, common software for enrolment and management, for a whole of government utility to reduce the aggregate costs. Could it be that Secretaries like to have a separate card to enter Parliament that denotes their status? Could it also be that contractors and internal information technology divisions want to maintain their relevance and their pet technologies and relationships?
Some instruments (centrally issued) such as the multiple Australian Maritime Services Cards (replacing the seaman’s passport) and the multiple Refugee Status Cards are marginally okay in terms of security relying upon complex art print design, holographic laminates and perhaps a basic chip. The value would be better if they were part of a secure topological set (this does not necessarily mean having a chip, which adds exponential costs) perhaps similar to the security quality of the Victorian Driver Licence which is the most secure driver licence in Australia. The Queensland driver licence with chip is not the world leading example of security.
Now the Committee chaired by Australian Businessman Mr Forrest has proposed another financial (social security) benefit control card, a slim line elemental version of the Access Card. I wonder what credentials Mr Forrest and his Committee may have and what experts they are drawing on to propose a benefits card trial? It seems to have been recommended in isolation of industry experts and historical experience.
A lot of work and debate has gone into the exercise of how the benders and shapers of people's lives might again pose an impost upon a disadvantaged group within the Australian community. Many exercises, only to be rejected at the political level or if not then locked into the “competitive world of public sector agencies and Australian Public Service Departments” and the many external (vested interests) who garner influence and often earn their livelihood from poverty and disadvantage. They operate under the cloak of doing good helping those, who in their eyes need help and cannot help themselves. They are ably assisted in this regard by the Australian Labor Party (Tanya Plibersek et al) and the Greens (Sarah Hanson Young et al).
A plethora of providers from one man shows to multi-national companies feed on the above scenarios of individual agencies doing their own thing resulting in the government as a whole paying too much for what they are getting in return.
There are millions of Identifiers in Australian Government Programmes including instruments used outside of Australia
All Australian government agencies use identifying cards/instruments for specific elements of their operations
• Employee, and other approved identity and access (physical and logical, various levels of authentication and verification according to security level) to buildings and assets such as computer systems
• Asset identification (barcode, RFID, biometrics and other)
• Benefit eligibility and receipt (Medicare, Pension, AusStudy and the like) – external parties/clients
• Control mechanisms for Centrelink benefit payments (expenditure type controls DSS) – external parties/clients
• Cyber security access authentication and verification
• Portals
• Parliamentarians, Committee Members and others
• Third party providers eg medical profession, hospitals using system such as e-health patient records, benefit claims and reimbursements
• APEC card
• Passport identity – books and transit cards (maritime personnel and refugees)
The Australian Department of the Attorney General publishes frameworks for use, design and issuance but these are not mandated by the government nor by Prime Minister and Cabinet for common use. Departments can ignore them or just take them as guidance.
Where do all these cards fit into Australia’s Security Framework?
They quite simply do not. Many are threats to Australia's National Security. They point to a patchwork quilt approach and an uncoordinated set of activities carried out by uneducated federal, state and territory politicians in government and their agencies.
Coordinated standard topology and architecture multi-purpose identifiers have particular relevance and a contributing value to Cyber Security.
As agencies decide what goes into the cloud the question of security (cyber and national) and privacy of data takes on new dimensions.
The uncoordinated issue, and multiplicity of use by each agency, is a very costly affair not only in terms of the instrument acquisition and cost (enrolment, software and card printer personalisation, chip or non-chip, encrypted or not) but particularly so when coupled with each agency’s back office systems.
Many projects are run within the CIO Divisions of each agency which further adds costs and is often encumbered by self-interested protecting mechanisms such as the information technology group working to maintain their controls and employment.
This equally applies to external information technology integrators and consulting firms who embed personnel in government agencies under contracts.
Trying to justify poor purchasing, excessive cost and questionable processes
The arguments put forward internally by various agencies for Identifier Programmes, namely that identifying instruments (for example, cards) have a number of benefits such as (a) increasing administrative efficiency and (b) enhancing data accuracy, are too often used to override the independent economic evaluation process. That process would show that the current approach of discrete, ad hoc acquisition, independent of a common standard, is far greater in cumulative cost across the Whole of Government/Public Service and Agencies than the intangible benefits claimed by the individual agencies when seeking approval to implement their own (island) card or Identifier.
It may be argued that linking a multi-purpose/multi-use common topology card identifier to a name limits the ability of individuals to use different names in different contexts.
For example a bank will identify a client/customer in many different ways – individual, corporation, trust, and so on.
At common law, there is nothing to prevent an individual from operating under various names, provided that he or she does not use different names to engage in unlawful behaviour. Aliases may be used by a variety of people, such as artists, authors and intelligence operatives.
Citizens, and others, have a multiplicity of identifiers in their dealings with the Australian Public Service and their interactions with agencies.
Privacy interests argue against the introduction of multi-purpose identifier cards. According to them such instruments increase the ability of the state to monitor the activities of its citizens. Never mind that Coles Fly Buys is one of the most widely used “monitoring instruments”; when coupled with Facebook and Cloud they are far beyond the utility perceived by the Public Service.
By recording multi-purpose identifiers during transactions, government agencies and organisations can compile substantial amounts of information about a person, including information about a person’s financial circumstances, family composition, hobbies or health. This could then be used for a variety of purposes, such as to locate a person or to determine a person’s interests for the purposes of direct observation, investigation or other purpose.
The obvious savings to government of combining the data collected about the transactions or activities of particular individuals to create a richer dataset are lost in a spurious argument and climate of mistrust and self-interest.
The process of data-matching is well entrenched in Tax, so why not use it elsewhere in a much wider scenario for health and Social Security, National Security and more?
The use of a multi-purpose identifier facilitates a data-matching process. The ability of a government to compile dossiers of personal information about individuals is already profound.
The current disparate and ad hoc approach increases the risk of poor quality and inaccurate data being held within agencies.
Regulation of multi-purpose identifiers in a world of vested interests and political expediency
The Australian Law Reform Commission (ALRC) has expressed views on Australian Government multiple identification schemes, and cards could be said to fall within the definition of ‘identifier’ in the ‘Identifiers’ principle.
If the Australian Treasury (Government) is serious about saving money and achieving efficiencies then it should legislate to effect a common set of principles and technology processes on all APS agencies whilst allowing for privacy impact assessments without cringing every time some critic pops their head up.
Additionally APS agencies should be cognizant of the stresses created by onerous benchmarks, and demand for cheap, that make contracts high risk, acrimonious and unsustainable. I contend that the current situation is not the best business or public service practice that is possible.
Author: Kevin R Beck, Melbourne Australia, 2015
INDUSTRY AND GOVERNMENT WORKING TOGETHER
Australian residents, business and vested interest groups, cannot simply stand by and assume that our federal and state governments, policing and security agencies are going to look after our nation's security while they remain detached and oblivious. There comes a time when self interest should be put aside for the national good. Perhaps the most ignorant of all of the groups is Australian business who want to pass the risk to someone else and eschew paying for their own welfare and security demanding that tax payers do it all. Focusing on, and tinkering with their technology, computer systems and firewalls is hardly an holistic approach to security.
The Australian government has a priority to equip the nation for the challenges we face in the ever-evolving threats of terror within Australia and externally. Such objectives can come with high price tags and lead times. However, the foundation intelligence gathering system we are proposing is proven and in full operation within New South Wales.
This proposal, and its associated conceptual architecture, is conceived from the NSW Police Law Enforcement Software Suite known as EFIMS (Evidence and Forensic Management Information System) which is a customised purpose built system.
This is a tracking and information management system giving this law enforcement organisation unrivalled transparency and intelligence on cases, events, incidents, jobs, exhibits, property, electronic briefs and chain of custody. It is an end to end application supporting the gathering of data, materials, evidence and analysis including forensics, organising complex, diverse and disparate information into formats, and complying policies, for presentation in court. Imagine the detail, sources of information, warrants, wire taps, other intelligence and analysis that might go into a national security and/or criminal investigation and the ultimate presentation requirements before a court. There is a plethora of sources of information (public and private sector) required well before such court proceedings are contemplated, if at all.
The Attorney General’s statement on national security states, inter alia, “that Australia has developed significant national security capability in the fight against terrorism, espionage, serious and organised crime, and cyber-crime.
Our challenge is to ensure that, as Australia evolves as a 21st century society and economy, our national security capability similarly evolves with high levels of agility and adaptability and continues to meet emerging threats. As Australia advances, so too do threats to our wellbeing. Meeting the challenges of new technologies and methodologies is a key priority for the Australian Government in the national security sphere. Our law enforcement and security capabilities must keep ahead of terrorists, agents of espionage and organised criminals who threaten our national security and the safety of our citizens. So our law enforcement and intelligence agencies must be equipped with contemporary skills and technologies, and backed by necessary powers – coupled with the appropriate checks and balances and oversight mechanisms society rightly demands.”
The NSW Police system gives substance, in the form of technology, to the above aspiration and challenges. The concept proposed here is to bring together the multi systems of Australia’s government agencies, taking into account reform proposals comprising proposed telecommunications interception reform, metadata, telecommunications sector security reform and the Australian intelligence community reforms. To this reform framework we have added Border Protection, Defence and DSD, ASIO, ASIS, DFAT’s and Attorney-General’s operational roles, the Crime Commission, CrimTrac, AFP, state policing, and data interaction and perspectives of the critical utilities such as telecommunications and banking.
The EFIMS technical capability can confront terrorists, agents of espionage and organised criminals head on providing real time intelligence to approved agencies across multiple jurisdictions.
INDUSTRY MUST PARTICIPATE AND PUT IN A CONTRIBUTION
The National Security Committee of the Australian government recognises that telecommunications interception reform is a significant challenge. It is one thing to make telecommunication providers keep metadata, but to gather it and use it, matching it to what? Similarly banking enterprises must also contribute to the source information, as well as major utilities and even global software and technology companies that expect the Australian government and states to provide secure places to conduct business.
This conceptualization of the NSW Police system to a National Security Inter Connected Architecture has already been presented to officers (CIO Divisions) of the Attorney-General’s Department, Australian Federal Police and the Crime Commission, in Canberra on Friday, 15 August 2014.
The Australian Crime Commission’s “Future of Organised Criminality in Australia 2020” assessment is directly relevant to our concept by proffering working and highly effective software, ciphers and other methodologies to match and exceed criminal capabilities in technology obstruction and their ability to impede detection by law enforcement.
The NSW Police system supports the gathering of multi-source materials, leading, if required, to the prosecution of serious and organised and other technology-enabled crime. However it does not have to be applied specifically for activities that will go to court but can be adapted to track information and assemble case files used to inform decision making and counter terrorism activities.
Within this proposed National Security model I have included threats posed to Australia’s critical infrastructure. “The security and resilience of such infrastructure significantly affects the social and economic well-being of the nation.” (AG’s op cit)
Australian intelligence community reform is about appropriately equipping and enhancing the operational capabilities of these agencies and also providing a mechanism to gather and synthesise data, events, apparently disparate, and unrelated intelligence, and evidence from anywhere in real time.
To be able to package it as either locational intelligence, national, regional or local in an unallocated sense or to actually attach it to an individual or group of individuals tracking their movements and entering the evidence and reports into a file similar to a NSW Police case ready for the prosecutor.
This concept is a working framework to better manage national security challenges to Australia’s security and the many reforms envisaged by government necessary to enhance it.
Incorporation of Government Reforms, Policies and Processes
The NSW Police foundation could be a hub upon which additional features and models are added and the design takes note of:
• the desirability of comprehensive, consistent and workable laws and practices to protect the security and safety of Australia, its citizens and businesses, including privacy and intrusion issues
• the need to ensure that intelligence, security and law enforcement agencies are equipped to effectively perform their functions and cooperate effectively in today’s and tomorrow’s technologically advanced and globalised environment, and
• the fact that national security brings shared responsibilities to the government and the private sector
The standard practice of the Public Service might be to conduct an environmental study of what is in the realms of technology currently in place and then to write an EOI, RFT or other, taking years, but we offer immediacy covering scalable changing technologies encompassing:
a) the challenges of new and emerging technologies upon agencies’ capabilities
b) the requirements of a modern intelligence and security agency legislative framework, and to enhance cooperation between agencies, and
c) the need for enhancements to the security of the telecommunications sector.
The EFIMS system installed in NSW Police is readily adaptable to:
a) contain appropriate safeguards for protecting the human rights and privacy of individuals and are proportionate to any threat to national security and the security of the Australian private sector
b) apply reasonable obligations upon industry whilst at the same time minimising cost and impact on business operations in the public and private sector, in short this is a very economical proposition.
c) address the reduction in law enforcement capabilities arising from new technologies and the business environment, which has a flow-on effect to security agencies.
Government grapples with strengthening the safeguards and privacy protections under the lawful access to communications regime in the Telecommunications (Interception and Access) Act 1979 (the TIA Act) and we take account of this presuming that an operational law enforcement system for one of the world’s largest police forces would, within its design, take account of:
a. privacy protection
b. the proportionality tests for warrant issue
c. mandatory record-keeping standards
d. oversight arrangements by the Commonwealth and State Ombudsmen/s
Able to accommodate reforms to the lawful access to communications regime, including:
a. reducing the number of agencies eligible (and authorised) to access communications information
b. the standardisation of warrant tests and thresholds
Streamlining and reducing complexity in the lawful access to communications regime.
a. simplifying the information sharing provisions that allow agencies to cooperate using the EFIMS as a hub model (with a central customised (top secret design version) installed in the Commonwealth’s Cyber Security Centre) as the conduit linked to other systems including NSW Police
b. remove legislative duplication
The technical model incorporates the financial layer to enable a cost sharing framework (see Funding section) to:
a. align industry interception assistance with industry regulatory policy
b. clarify ACMA’s regulatory and enforcement role
Further I have taken into account the Australian Security Intelligence Organisation Act 1979
Modernising and streamlining ASIO’s warrant provisions
a. the definition of a ‘computer’ in section 25A
b. enabling warrants to be varied by the AG, simplifying the renewal of the warrants process and extending duration of search warrants from 90 days to 6 months.
Users of the system can be designated by roles and levels of access and authenticity in their work.
Intelligence Services Act 2001
The technical design can incorporate Defence’s Imagery and geospatial organisation’s authority to provide assistance to approved bodies working in unison in real time on the system adding information and intelligence from diverse and disparate sources.
Telecommunications (Interception and Access) Act 1979
a. the system will be able to handle the creation of multiple or single warrants with multiple TI powers using the EFIMS capability
Cooperative frameworks between governments, agencies, private enterprise and the community are leveraged –
a. Industry interception obligations
b. Ancillary service providers not currently covered by the legislation
c. the three-tiered industry participation model
d. community input – crime stoppers and other reporting mechanisms
Australian Security Intelligence Organisation Act 1979
EFIMS is a working example of what is possible for an intelligence operations scheme. Protecting officers and human sources with protection from criminal and civil liability for certain conduct in the course of authorised intelligence operations.
a. Establish a named person warrant enabling ASIO to request a single warrant specifying multiple (existing) powers against a single target instead of requesting multiple warrants against a single target.
b. Align surveillance device provisions with the Surveillance Devices Act 2007
c. Enable the disruption of a target computer for the purposes of a computer access warrant
d. Enable person searches to be undertaken independently of a premises search
e. Establish classes of persons able to execute warrants and track
Establish an agency’s ability to cooperate with the private sector/community and then track that cooperation as part of a file or schema of files in whatever context you want to look at, assemble and expand it.
EFIMS can take into its structure business rules and policies the:
Telecommunications (Interception and Access) Act 1979
The Lawful Access Regime
a. expanding the basis of interception activities and decryption of communications
b. Industry response timelines
c. tailored data retention periods for parts of a data set, with specific timeframes taking into account agency priorities, and privacy and cost impacts
Telecommunications Act 1997
The EFIMS system will address security and resilience risks posed to the telecommunications sector and can be enabled to permit legal authorised access to third party systems monitoring such access.
Australian Security Intelligence Organisation Act 1979
Enabling warrant provisions through interconnection to, and use of,
a. third party computers, and communications, in transit to access a target computer under a computer access warrant.
b. the incidental power in the search warrant provision that authorises access to third party premises to execute a warrant and which are recorded in EFIMS
c. reasonable force recording during the execution of a warrant, not just on entry.
d. an evidentiary certificate regime.
Intelligence Services Act 2001
Assembling broad or detailed and very specific files covering:
a. persons, or groups, likely to be involved in intelligence or counter-intelligence activities.
b. recording in detail the Minister of an Agency under the IS Act authorising specified activities which may involve producing intelligence on an Australian person or persons where the Agency is cooperating with ASIO in the performance of an ASIO function pursuant to a section 13A arrangement.
c. Enable ASIS to provide training in self-defense and the use of weapons to a person cooperating with ASIS. Systems currently installed in many Australian state police regimes can also track the issuance of such weapons against an individual or event and prescribed use and circumstance.
The overall impacts are:
1. The National Security Centre piece is built in months, not years
2. The hub cost design upon which the National Security system is concepted is already built and paid for by NSW Police (base design circa $AUD6M - $7M) plus encryption-cryptography protection costs depending upon design and suite chosen and whether it is a Cloud or In House System.
3. Agencies gain from increased operational efficiency
4. In turn the nation gains from these efficiencies
5. Reduction of manual effort in managing the chain of custody process for exhibits
6. Increased number of positive and linked identifications
7. Prioritisation of jobs based on real time data from multiple sources
8. Reduced effort tracking exhibits and property
9. Performance improvement mechanisms
10. Secure (access can be controlled by biometric identification systems, many of which are owned now by agencies) for auditability across all entities within the system
11. Manage the complete life cycle of cases, events, incidents, jobs, exhibits and property
This National system can incorporate or eliminate manual brief construction (manual might be used for extremely high security where limited access is required) for cases, events and incidents, and can balance valuable resources with back room and front line operations.
INTERCEPTION AND THE Telecommunications Interception Act (TIA)
Interception of telecommunications content and data is a powerful and cost effective tool for law enforcement and security agencies to reduce threats to national security and to assist in the investigation and prosecution of criminal offences. [Report of the Review of the regulation of access to communications (2005) (the Blunn Report)]
Access to interception is tightly regulated and, in relation to content, is limited to the investigation of serious offences under the authority of an independently issued warrant and subject to a range of oversight and accountability measures. EFIMS capabilities assist users to document instances.
The National Interconnected Architecture proposed will:
• Meet privacy protection objectives, and the proportionality test for issuing warrants, mandatory record-keeping standards, and oversight arrangements by the Commonwealth and State Ombudsmen
• Control the number of agencies eligible to access communications information and the system’s files
• Standardise warrant tests and thresholds
• Simplify the information sharing provisions that allow agencies to cooperate
• In real technology terms align industry interception assistance with industry regulatory policy
• Create a single warrant with multiple TI powers
• Implement detailed requirements for industry interception obligations
• Implement whatever tiered industry participation model you envisage
• Immediately accommodate an expansion of the basis of interception activities
• Document in evidentiary form the offence for failure to assist in the decryption of communications
• Immediately apply tailored data retention periods for parts of a data set, with specific time frames taking into account agency priorities and privacy and cost impacts
• Strengthen the safeguards and privacy protections of the interception regime in line with contemporary community expectations;
• lawful access regime for agencies;
• Streamline and reduce complexity in the lawful access regime; and
• Modernise the cost sharing framework. See the Funding Section of this proposal; the core hub is already funded by the NSW Police and enhancements are being made now.
• Arrange data in a form to enable prosecution (as used by NSW Police)
• Reliably identify communications of interest and associate them with telecommunications services;
• Reliably and securely access communications and associated data of interest within networks; and
• Provide tools to effectively interpret the communications to extract the intelligence or evidence
A National EFIMS will swiftly enable the Commonwealth to implement a standard threshold for both content and stored communications warrants (assuming that enabling legislation has been passed), removing the complexities inherent in the current interpretation of what is a serious offence, recognise the growing number of online offences and provide consistent protection for ‘live’ and ‘stored’ content.
In House, Cloud, Location, Privacy and Encryption
Government agencies may decide to outsource at least some IT functions to third party service providers, attracted to the potential cost savings and enhanced flexibility that cloud computing services can offer. While there are a number of benefits to outsourcing data storage or processing to a cloud provider, there are also a number of steps that an agency must take to ensure that the security and integrity of its data is maintained in the cloud (for presentation in a court of law here in Australia and internationally) and to ensure that it complies with its privacy law obligations here and in accordance with the European Union directives for interchange of systems between nation states and the countries within the EU.
Data Security and Protecting Information
One of the most critical concerns of cloud computing is data security. By moving data into the cloud an agency is relinquishing custody of that data to the cloud provider. Therefore, the agency needs to understand how its cloud provider will protect the data and what security standards and procedures are being applied to help prevent data theft or a security breach. An organisation can reduce security risks associated with cloud computing by ensuring that the following items are addressed in the contract with the cloud provider:
Data Segregation and Ownership. The use of shared infrastructure can create data co-mingling and segregation issues. For this reason, an agency may choose not to move sensitive or confidential information into the cloud.
Depending on the nature of the information that is being stored or processed, the agency will need to ensure that its data can be segregated from all other third-party data as part of the cloud-service. The ownership of the data by the agency must be confirmed in the contract and the cloud provider would be required to return or destroy the data in its possession at the end of the relationship.
Location of Data. A cloud provider’s infrastructure may be located in different jurisdictions within Australia and possibly internationally (in an Australian government agency or on a shared basis with an international law enforcement or security agency), which can result in a number of legal issues for the agency and the State and Federal Governments of Australia. Among other things, if data is transferred to another country it will become subject to the privacy laws of that country. The contract should also restrict the locations where the data may be held. If the cloud service will be provided from a location within Australia, the contract should prohibit transmission of data outside of Australia without the agency’s specific consent.
Security Procedures/Standards. The level of security and the encryption procedures that will apply to the agency data should be identified. If possible, an actual, specific and independent security standard should be identified in the contract.
Encryption (layers) can impact speed of data movement and system reliability. Speed need not be sacrificed to achieve high levels of encryption. Agencies would choose products that are proven in jurisdictions that have proven systems and who are allies of Australia. Suggested speeds would be in the order of 10 gigabytes with latency in milliseconds. At least two layers of encryption should be installed to allow large movement of data needed for law and case presentations, with encryption devices installed between points to points and multi-points between the Cloud or Host provider and the agency’s local area network or wide area network.
The NSW EFIMS system contains very basic encryption (if at all) and would require substantial upgrade in regard to protection of data and privacy.
EFIMS also contains Biometric Information but this is in the form of reference containers. The system, as far as I am aware, is not state of the art in biometrics read out to eID case files and personal data. It may not support any or all EAC versions or OEM third party products, including biometric capture devices such as fingerprint readers, DNA, voice and so on.
Access Protocols and Network Security. The specific access security protocols that are being implemented by the cloud provider should be identified in order to help reduce the risk of unauthorised access or data theft. The Network Security would conform to ISO27001 and mandated cryptography, BSI-Standards 100-1, 100-3, 100-4, and with Secure Workflow design.
Intrusion detection should be embedded within the security protocol provided under the Security Elements Provider, which should not be the same company as the Cloud Provider. Penetration testers and authorised hackers should test the system for vulnerabilities.
Audit Rights. The contract should include a right for the agency to audit the cloud provider’s security procedures as well as the cloud provider’s compliance with the contract generally and standards set by the Australian Defence Department or some other issuing Body for a licence to the Cloud Provider to work with Government Agencies. The contract should also include a right for the Agency Officers with appropriate security clearances to access the cloud provider’s data centre or premises where the agency’s data is located.
Notification of Security Breaches. The cloud provider should be required to provide the agency with immediate notice of any security/data breaches so that the agency can instigate remedial action immediately.
Agencies must assess the benefits and risks against privacy laws and regulations (Attorney-General’s Department, Privacy Commissioner, State and Federal Laws, Evidence Act, Court Rules and such) when considering a cloud solution. The agency remains accountable to protect the personal information and it must remain in control of that information.
Cloud computing and storage used in National Security and Policing will create new privacy issues. When data in a cloud system is accessed, stored or processed, new “transactional information” is created which may constitute personal information under privacy legislation. The new transactional data will be subject to the same privacy law requirements as the primary data.
If data that the agency is sending to the cloud is processed or stored in another jurisdiction then the agency will have privacy obligations in that jurisdiction where it collects personal information as well as the jurisdiction where the data will be located. For example, if data is being stored in Australia and also in Interpol or in the United States as part of a cloud-service relationship (Global Fight Against Terror and Crime) then that data may be subject to access by the US government as a result of the USA Patriot Act.
An agency engaged in National Security and Policing intending to move personal information into the cloud must:
Implement a (Single or Multi) privacy compliance programme (starting with Australian Frameworks and Laws and then branching out) that addresses collection and use of personal information in the cloud.
Classify the type of data that will be sent to the cloud and how the information will be stored by the cloud provider. Agencies covered within this paper should retain their most confidential information under their direct control and not within an External Cloud.
Ensure that the appropriate consents of Australian Departments charged with implementing the rules have been obtained to send personal information to a cloud provider.
National security risks
“The ASIO Report to Parliament 2010-2011 states that espionage by foreign intelligence services is an enduring security threat to Australia, both conventional and new forms, such as cyber espionage. Our increasing reliance on communications technology to conduct the business of Government, commerce and our daily lives makes Australians more vulnerable to malicious attack. As such cyber security has emerged as a serious and widespread concern. States, as well as disaffected individuals or groups, are able to use computer networks to view or siphon sensitive, private, or classified information for the purpose of political, diplomatic or commercial advantage.
Individual records or files stored or transmitted on telecommunications networks may not be classified or particularly sensitive in and of themselves but, in aggregate, they can give foreign states and other malicious actors a range of intelligence insights not otherwise readily available. This threat extends to information vital to the effective day-to-day operation of critical national industries and infrastructure, including intellectual property and commercial intelligence.
It is imperative that Australia’s intelligence agencies are appropriately equipped to protect Australia’s vital national security interests. This includes the ability for Australia’s foreign intelligence and security services to interact and work seamlessly together.” (AG’s paper op cit)
The NSW model offers such a mechanism installed and proven. Obviously there are other systems installed in the European Union Nations and in the USA and Canada.
NSW Police EFIMS addresses the question as to how an extraordinary amount of data can be filtered and allocated a security level according to its purpose. The debate may revolve, inter alia, around what data should be centralised and operated on and what can remain distributed in the field. This is the decision of the system administrators. EFIMS is both fixed and mobile.
Australia’s National Security Committee can determine in what context the Commonwealth System is applied to Australian states, territories and local government management of its own law enforcement and agencies’ data, extent of sharing, privacy and cooperation in national security activities.
Information provided by commercial enterprise is drawn into EFIMS. Its capabilities incorporate required and offered participation by industry but also, in a covert manner, can assemble information on how criminal elements infiltrate corporate enterprise and use it, as well as tracking parties external to that enterprise. A disparate patchwork quilt of policies and actions by government and key sectors of business enterprise (banking, utilities, telecommunications, document issuance and so on) serves to advantage criminal elements here and internationally; these are suddenly encapsulated into EFIMS’s web of information sources.
National Security System, Australia’s Local Government, Other Agencies and CERT Australia
This proposal acknowledges the role of the Australian government’s Attorney-General’s Department as the lead agency for cyber security policy across the Australian Government and as the chair of the Cyber Security Policy and Coordination (CSPC) Committee, which is the interdepartmental committee that coordinates the development of cyber security policy for the Australian Government. It is presumed that the Department might have a key role in supporting the concepts set out in this paper and enjoining parties to consider the real possibilities for industry to contribute to national security policy, framework and actual actions.
Such a system could well be installed in the Australian Cyber Facility in Canberra.
One might assume, or external parties in the private sector may claim, they hold a similar philosophy as the government in defining measures relating to the confidentiality, availability and integrity of information that is processed, stored and communicated by electronic or similar means and which can contribute to national security surveillance and analysis. We find these contentions irrelevant to what we propose. This conceptual model, born out of the NSW Police EFIMS, is not something they can replicate because its features are ultimately “classified”.
The record shows that not too many enterprise CEOs and Boards are keen to enable data retrieval from their corporate systems and additionally they may resist the costs involved in participation in national security. To our mind this is also irrelevant. Commercial enterprise expects to be protected from terrorism and criminals and to be provided with secure policing and security, and there comes a cost with that. This proposal minimises that cost dramatically when compared to what big integrators may offer the government conceptually. Even if they do offer something they do not operate holistically in Australia as NSW Police EFIMS does. This is not to say that integrators need not be involved.
There may be a tendency to fob national security off to the Commonwealth and this proposal overcomes some of the barriers that may arise, other than funding, since EFIMS is a state policy system. All parties may claim to share the aim of the Australian Government’s cyber security policy in the maintenance of a secure, resilient and trusted electronic operating environment that supports Australia’s national security and maximises the capacity to have an input into national security in action.
Australia’s national security, economic prosperity and social well being are critically dependent upon the availability, integrity and confidentiality of a range of information and communications technologies. This includes desktop computers, the internet, mobile communications devices and other computer systems and networks and may I add products that are provided by external parties such as passports, employee identity, smart cards, tokens, credit cards and any other instrument that deals with data.
All of these are vital elements to building a state of the art response to the challenges posed by fundamentalism, ideology, terrorism, activism and criminality. Telecommunication providers can play an active role inputting data automatically into a National System for later analysis and processing, just as airlines, shipping and other industries can play a contributing role.
We can all cite an increase in malicious code, attacks and criminal activity, as is particularly the case for financial transactions and sensitive commercial or personal identity including theft thereof, or the creation of one core document to breed others for the purpose of opening a bank account, a social security identity, a driver licence and more. Terrorists can strike in many ways and rogue nations can attack Australia’s underlying financial systems and business using fake identities, credit cards, passports and other instruments.
In all of this governments have to balance national security against the civil liberties of Australians, including the right to privacy, and the inherent need to promote efficiency and innovation to ensure that Australia realises its full potential. This task is compounded by vested interests and users who are free with their private information on social media, perhaps not fully understanding the dangers and yet resist having their metadata examined?
In this proposal I am not concerned with civil liberties; National Security can be programmed to do whatever you want it to, including limiting its reach and intervention or making it covert. That is a decision for government.
Within this proposal I am moving beyond the mere concept of a Cyber Security Centre gathering data and using the Internet and supporting the government’s objective of cyber safety focused on protecting individuals, particularly children, from offensive content, bullying, stalking or grooming online for the purposes of sexual exploitation, to broader economic and social contexts, requiring coordination of other related policies, programmes and industry participation. There is a role for industry in this scope, particularly in the federation of competing interests, and knowledge awareness of federal, state and territories.
A global network of criminal elements has emerged, literally coming together like a new generation mafia, using whole countries (pariah states, states under sanctions and so on) whilst integrating this into institutional structures (government, banking, financial systems, utilities, technology and telecommunications) across the world, including Australia, to launder large volumes of money, to create fraud and as we also know to fund terrorism.
This is not simply the transactional movement of funds involving the complicity of a bank or other structure it is the actual manufacture of the foundation for that movement beyond data transfer in computer systems and on the internet to physical instruments such as credit cards, chips in mobile devices and identity instruments. The clients of these outputs are those who embrace serious badness. EFIMS’s forensic capabilities are designed to enable capture of all of this intelligence with authorized access by as many agencies as required to work on the data and use it according to their individual charters. If you want to package up cyber data such as web sites preying on children or any such thing this National Security will do it.
Every honest business, and person with integrity at their core, would support the National Leadership approach by the Australian government within the federation of a shared responsibility in the communication, and storage, of sensitive information (of all types) and the obligations of mutual respect for the information and systems of other users. Not only should the public service be engaged, through knowledge leadership and action; a partnership approach to cyber and national security across all Australian governments, the private sector and the broader Australian community is essential, along with our nation’s allies and multi-national global corporations that cross borders.
Globalism supports many players and is a major fillip for the criminal person and the criminal state. Just as we install systems in government to produce identity, across a myriad of agencies in Australia, all with varying or no level of security, EFIMS is the hub from which you build the capacity to be ahead of them.
Australian government, via its public service agencies along with Police, Regulatory Agencies, Australia’s states and territories, and companies that have global operations, can support, and add value to, such a system.
All business, just like Australia’s Governments, requires risk management in a globalised world where interoperability and internet-connected systems are potentially vulnerable and where cyber-attacks are difficult to detect; there is no such thing as absolute cyber security.
However on too many occasions, entities operate in a state of unawareness of what human and machine networks they are in and supporting, knowingly or unknowingly. In concert with government, and community, everyone must be brought into the policy and the intelligence exchange, and all must apply a risk-based approach to assessing, prioritising and resourcing cyber security activities within the values paradigm of their individual operations.
Many enterprises educate customers, and others, with whom they come into contact (at exhibitions, conferences and seminars) as to the cyber risks of instruments that individuals carry and use. As a part of their own cyber security they must operate, and maintain, secure and resilient information and communications technologies to protect the integrity of operations and the identity and privacy of the customers and end users. This vitally includes corporations engaged in the manufacture, and distribution, of critical identities and software, particularly everyday commercial software that can also be used for illicit purposes.
The Australian government and other jurisdictional agencies can assist in educating, and empowering, all Australians with the information, confidence and practical tools to protect themselves online and in their financial and other transactions, but what of the hidden criminal operations described previously that prey upon ignorance, greed and human nature?
Australia’s Governments may promote security and resilience in infrastructure, networks, products and services across governments, including parliamentarians, associated people, employees and communities but this is but one part of the puzzle and vital mosaic that builds to protect our nation and our cooperation with like-minded sovereign states. It is but one part of our proposal’s potential. The private sector and government agencies the world over look to the protection of their ICT systems but to what extent do they ponder how criminal elements become embedded and institutionalised as part of those structures? They take live (or deceased) identities and data to manufacture other things for their needs and then send them into the legitimate world. Significant Australian companies and, more particularly, those with global footprints can work with CERT Australia to assist the owners, and operators, of critical infrastructure, and systems, of national interest and add support to CERT Australia within the global community of computer emergency response teams (CERTs) to support international collaboration in regards to cyber and national security issues and also complement the work of the Cyber Security Operations Centre within the Australian Signals Directorate. These collaborative arrangements can also serve to make participants aware that their business can also provide the foundation and tools of crime and terrorism and to incite them to vigilance. This conceptual model is being offered as a tool in an arsenal of such vigilance. A sort of crime stoppers in technology form.
Author: Kevin R Beck, Melbourne Australia, 2015
FAIL ON ENERGY SECURITY (2007 - 2013)
Australia holds about 20 - 23 days of petrol and diesel supplies. The Australian government refuses to spend the funds necessary to fill storage tanks at strategic locations around the nation. We hold less than New Zealand and about 29 other countries that are members of the world energy security group. Successive governments have allowed storage tanks to be decommissioned.
In 2010 Australia's largest motoring organisation issued this statement:
NRMA To Make Energy Security An Election Issue
Author: NRMA Media
Date: 03 March 2010
Labor and the Coalition will be publicly graded on the transport energy security policies they present to the Australian people in the lead-up to this year's Federal Election. Speaking at NRMA's Alternative Fuel Summit in Sydney this morning, NRMA Motoring & Services President Wendy Machin said the NRMA would publicly rate the major parties' energy policies for the first time. "Australia has no transport energy policy," Ms Machin said. "We are running out of our own oil and growing more reliant on oil imported from the most volatile parts of the world - unless a policy is implemented the economy will suffer. "In this election year the NRMA is committed to holding both parties accountable. "Australia needs a workable plan to end our dependence on fossil fuels and secure sustainable, domestically driven alternatives that will create local jobs and clean the environment." "The best policy will get the thumbs up from Australia's largest motoring organisation." (end of release)
So much for the bluster; nothing happened, and today, March 5, 2013, they return to the issue. Labor is deaf and dumb to things that are beyond their scope and vision.
The Labor government, under Prime Minister Julia Gillard, and Minister S Smith, and the ones before him in Defence, have a record of giving scant attention to all aspects of the nation's security failing to agree with the states on whole approaches to security in ports, airports, telecommunications, power, water, gas and transport. Labor has proven to be derelict in a duty of care and is dangerous because of its lack of knowledge and experience within its policy vacuum. The Greens have had a big input into defence, border and energy security spending and priorities.
This little piece examines, and comments on, the Australian government's response to the recommendations made by a Parliamentary Joint Committee on Law Enforcement (PJC): Inquiry into the Adequacy of Aviation and Maritime Security Measures to Combat Serious and Organised Crime, 2011 and also the state of Australia's National Security policy and actions by all stakeholders.
I would preface this commentary by noting that those who try and participate are not easily accepted and are rebuffed. Further, to try and make a contribution to debate, to offer positive criticism or to assert that Government, public service or the private sector is not taking National Security (in all of its multifaceted components) seriously, if at all, does not elicit a two way interchange in the national interest; rather it provokes a defensive, hostile and sometimes retaliatory response from Governments (state, federal and territory) or mostly no response from the States and Territories and a disregard by others including major Australian corporations.
Within the Australian Government's response they claim "a multi-layered and cooperative effort between Commonwealth, and State and Territory agencies, as well as partnership with the aviation and maritime sectors."
I would assert that the approach is fragmented, impacted by political considerations and a lack of awareness, understanding and experience in national security and the broader implications of the obligations of federal and state as well as the private sector. The States and Territories appear asleep at the wheel, or have no ponderings, as to national security matters and implications within their jurisdictions. But they are not alone, the private sector pays little attention within the larger picture of how they may have a role or they cherry pick according to their own interests. Large and influential enterprises owning their own facilities within a larger enterprise, undertake their own "stand alone" security measures and there is no consistency and quality across the operation - example Sydney Airport.
Whilst the government may assert that at airports and seaports, the Australian Customs and Border Protection Service (Customs and Border Protection) is "responsible for protecting the safety, security and integrity of Australia's border through a wide range of regulatory and enforcement powers with key functions include preventing and intercepting illegal movements of people and goods (such as illicit drugs and firearms) across the Australian border", we have now seen how such systems and protections are compromised by naughty Customs people who are then disciplined with a wet lettuce leaf by their employer.
A jumble of Acts and regulations and the interests of politics and the objectives of public and private sector stakeholders serve to compromise Australia's National Security. It is asserted that the Office of Transport Security (OTS) "follows a risk-based, outcomes-focused approach to regulation through consultation with industry and international engagement. OTS works with industry to ensure compliance with the law and regulations by effecting changes in industry participant behaviour towards their regulatory obligations".
The identity application process and subsequent issued card to anyone applying for an entry to an Australian airport is nothing but comical in topology and outdated security. One can make it on a cheap desktop printer. The Auditor General expressed a view on this several years back but because it had little if any interest to the Minister, and no funding, the situation of rather simplistic application processes, identity issuance and access to facilities (airports) is allowed to continue, putting at risk security in Australian ports. Poor OTS has to busy itself in trying to enact the necessary things highlighted by the AG by undertaking environmental scans as to what is out there in the world of security. The art of looking like something is being addressed has been honed by Australia's state and federal public servants (sorry Government public servants) over decades.
The States and Territories retain the primary responsibility for enforcing state offences and criminal law at Australian ports largely as an outworking of the Australian Constitution. This adds a major workload to stretched agencies and personnel. It also shows the failure by COAG to take National Security seriously. Their policies, implementations and attention to security, and identity, at facilities within their jurisdictions are limited and are much like other COAG relationships, accountability and responsibility shifting. State and Territories have little if any policy on their role in Australia's National Security. One may ponder what precise set of National Security policy and initiatives the Northern Territory might have as big enterprise sits in the harbour and the arrival of US troops is pending along with anyone who has a row boat.
Multiple government agencies have coverage of some aspect of security operations at Australia's ports, which enable the 'shifting sands and smoke and mirrors' modus operandi of our Federation to continue untroubled by notions of what happens in other parts of the world. Maybe it is our distance from the reality of major continents that creates a malaise in our legislators and the Board and CEOs of Australia's critical utility and services? The Government is currently focused on the nebulous navel examination, and counter measures, of cyber-attacks and not on the physical, which hardly ever occur.
The committee recommended that the scope of the Aviation Transport Security Act 2004 and the Maritime Transport and Offshore Facilities Security Act 2003 be widened to include serious and organised crime in addition to terrorist activity and unlawful interference.
Rather than be decisive, the Government "noted this". The Australian Government does not have an action plan; it has an "Organised Crime Strategic Framework" which says that industry "has a key role in understanding its environment and identifying potential opportunities for organised crime exploitation". The Government's approach to organised and serious crime is based on "preventative partnerships" between government and industry participants. Beaut, this works so effectively, there are no drugs in Australia and no illegal goods coming in and Customs is squeaky clean and everyone who works at Sydney airport and any other access point in Australia are all on board and humming along nicely. There is a national regulatory framework for the aviation, maritime, and offshore oil and gas sectors, administered by an Australian government agency that is starved of funds. This requires industry participants to prepare transport security plans and implement risk based preventive security measures aimed at facilitating transport by reducing the risk of unlawful interference with transport systems under their control. One wonders what the register of plans looks like and what might happen if it was audited? National Security is worked out on a policy of minimising the impact on industry, "in line with the Government's objective of achieving an efficient, sustainable, competitive and secure transport system." Of course another way of looking like one is addressing key requirements of Australia's national security is to create another forum, a favourite activity of the Rudd and Gillard Labor Governments and one highly valued by state, territory and federal public servants because it fills their busy days with exciting deliberations, an "aviation and maritime industry forum to examine options for organised and serious crime prevention at Australian airports and seaports in partnership with industry.
This will include examining legislative change options, such as the potential to enhance powers under the Customs Act 1901, in the context of working with industry to address serious and organised crime in the aviation and maritime border environments. This would be informed by ACC risk assessments relevant to organised and serious crime in Australia's airports and seaports." The verbiage is just wonderful in its construct.
The committee recommends that security at major airports be undertaken by a suitably trained government security force. Forget that, not agreed. This matter was considered by Government in December 2009 as part of Flight Path to the Future: National Aviation Policy White Paper. This document confirmed that the current industry led and government regulated model provides an "effective, efficient and sustainable security service, notwithstanding evolving threats, increased security requirements, and increases in domestic and international aviation traffic".
A more centralised model was not supported on the grounds that a government agency screening model would be overly prescriptive, more expensive and less efficient than current arrangements. Rubbish, such a concept would step on the toes of too many vested interests. Instead the Government continues to work with industry to improve the current system through improved industry guidance, enhanced technology and better training. Industry (focused on profit and shareholder interests) is about reducing costs and focusing on revenue whilst Government seems to focus on anything and everything but nothing in particular unless it serves political interest.
The committee recommends that joint maritime taskforces, mirroring the functions of the Joint Aviation Investigation Teams and Joint Aviation Intelligence Groups in the maritime sector be established in every state and the Northern Territory. These taskforces should include officers of the Australian Federal Police, state or territory police, the Australian Customs and Border Protection Service and the Australian Crime Commission.
Ah, noted again! Apparently all is working well and the Government prefers the 'ad hoc, cobble together a team' approach once the criminal threat has been identified. Apparently marine is unique and flexibility is well regarded as an alternative.
The committee recommends the formation of a Commonwealth maritime crime taskforce that would act as a national Australian Federal Police led "flying squad", responding to specific intelligence and also conducting randomised audits of maritime and seaport security.
They didn't like this and it was not agreed, because these activities also involve a range of Commonwealth, State and Territory agencies, and the Australian Federal Police does not have sufficient expertise in this area. So what would a logical administrator do about the latter?
Then there is the old fall back, the committee recommends that the Attorney-General's Department conduct a review of current information sharing arrangements between law enforcement agencies and private organisations in the aviation and maritime sectors.
This is the "down the road, don't have to stress" response of Governments and Ministers; of course it was agreed. There will be consultation, a cast of thousands, travel, hospitality, food and … "AGD will lead this review in consultation with the AFP, ACC and Customs and Border Protection. It is consistent with the Organised Crime Strategic Framework's objectives of strengthening information sharing between law enforcement agencies and working more closely with industry."
Then there is the barbeque stopper, the slack jaw and the heart palpitating recommendation. The committee recommends that it be made a legal requirement to provide photo identification confirming passenger identity immediately prior to boarding an aircraft.
No hesitation, "not agreed, the recommendation as specified is not supported, particularly the requirement for all passengers to provide photographic identification." Industry stakeholders have also expressed concerns that an approach such as the one recommended may lead to delays in passenger facilitation (especially at large airports that are close to reaching capacity) and additional costs to industry and the travelling public.
Under current arrangements, it would be ineffective and impractical for such activities to be conducted by airport check-in staff who are not trained to recognise fraudulent documents and have no law enforcement powers. So what about adding value to the jobs of the humble, low paid security personnel looking in your bags, at X-rays and sniffing the clothes? No! Imagine paying security people a good salary for a job that has National Security and lifesaving implications. Border control officers and police at immigration gates and elsewhere are trained in forensic identification. The Australian Department of Immigration and Citizenship has an excellent accredited (TAFE) course. It is also not feasible for a government official, acting as government security officer, to conduct identity checks of all passengers on domestic aircraft services as there is not sufficient capacity to staff each boarding gate in order to conduct identification confirmation. I imagine if there was a major security incident, where lives were lost and things exploded or other, the Government might change its mind.
And you thought that agencies and industry shared information like in CSI?
The committee recommends that the Commonwealth Government review the technical and administrative requirements necessary to facilitate the effective sharing of information between airlines and air cargo agents and law enforcement agencies and the Australian Crime Commission Fusion Centre for the purpose of enhancing aviation security and law enforcement activities. The review should include research into technical requirements for such a scheme, the costs involved and any relevant statutory or other barrier to the sharing of such information. The findings of the review should be reported to the Australian Parliament. Of course a review, agreed!
The AGD will lead this review in consultation with the AFP, ACC, and Customs and Border Protection. This recommendation is consistent with the Organised Crime Strategic Framework's. If you want to get something up then be consistent with Frameworks that do not require the Government to actually do anything.
Then, there is the secrecy clause: "the Commonwealth will consider options for reporting the findings of the review. As the review may contain operational sensitivities that cannot be made public, it may not be possible to report the full findings of the review to Parliament".
If you do not know what the review found or says then you cannot critique it. What operational sensitivities are there, procedures that the hundreds of people working at airports, or the companies putting stuff in, or Qantas policy and processes that they do not already know?
The committee recommends "that the Australian Government provide further resources to support an increased presence for currency and illicit drug detection canine units at Australian airports", more noting. The Commonwealth considers that current levels of currency and illicit drug detection canine The "Budget measure" together with Customs and Border Protection will consider whether additional resources for currency and illicit drug detection canine unit are needed.
The committee recommends that access to port security areas prescribed under the Maritime Transport and Offshore Facilities Security Act 2003 should require verification that the Maritime Security Identification Card belongs to the individual seeking access, either through human gate operators, verification by Closed Circuit Television or any other appropriate solution. Again it is noted. While face to MSIC checks are required at some higher risk facilities, in areas of lower risk, other security approaches, such as electronic swipe access coupled with random inspection and controls may be appropriate. Never mind that the technology is outdated and low grade and that if someone has an identity card for access to one airport or sea port entry (that is not encoded) they probably, in reality, have one for all.
The committee recommends "the development of a system that enables the confidential movement and examination of containers that increases the likelihood that trusted insiders involved in serious or organised crime are not alerted to law enforcement agency interest in a container", noted.
The problem as I see it is - there is no feasible technological or human method of checking every container.
The committee recommends that the Commonwealth government further invest in CCTV at airports and ports, with consideration of a number of ongoing improvements, including:
- that CCTV cameras should be capable of producing footage of evidential quality;
- the continuing lead role of Customs in coordinating the monitoring of CCTV networks; and
- that CCTV networks should be complemented with automated number plate recognition, and/or facial recognition technology.
Some CCTV is in and there is a strategy….. In consultation with relevant stakeholders, Customs and Border Protection has developed the CCTV Strategic Outlook 2020, a strategy to guide future investment in CCTV at the border. within current resource constraints, the implementation of the initiatives is being prioritised according to the business needs of individual Australian's eight international gateway airports and 63 gazetted seaports, and the level of risk presented by existing systems". In addition to the work of Customs and Border Protection, the National Counter Terrorism Committee, Legal Issues Sub Committee CCTV Working Group is developing a national policy and strategy for CCTV regarding the production of footage of evidential quality and a Practical Guide for law enforcement and national security agencies for use when using CCTV vision in counter terrorism investigations.
The committee recommends that Customs be given the power to revoke a depot, warehouse or broker's license if it determines, on the strength of compelling criminal intelligence, that an individual or individuals are involved or strongly associated with significant criminal activity.
"Customs and Border Protection will examine options to further strengthen its licensing regime with initiatives such as the power to request and assess staffing data."
The committee recommends that the Attorney-General's Department, in consultation with the Australian Crime Commission, reviews the list of relevant security offences under the ASIC and MSIC schemes to assess whether any further offences are required in order to effectively extend those schemes to protect the aviation and maritime sectors against the threat of infiltration by serious and organised criminal networks.
DIT and AGD, in consultation with the ACC, will review the lists of security-relevant offences to assess whether any further offences are required.
The committee recommends that the Attorney-General's Department arrange for a suitable law enforcement agency to be given the power to revoke an Aviation Security Identification Card or Maritime Security Identification Card if it is determined that a cardholder is not a fit and proper person to hold a card on the basis of compelling criminal intelligence.
Imagine cancelling an identity!
So instead we have "DIT and AGD will consider options. This policy work will be conducted in conjunction with the proposed review of security-relevant offence criteria to respond to Recommendation 14."
The committee recommends that the MSIC eligibility criteria be harmonised with that of the ASIC scheme so as to make two or more convictions of an individual for maritime security relevant offences grounds for disqualification if one of those convictions occurred in the 12 months prior to an application, regardless of whether either conviction led to a term of imprisonment.
But always the caveat*:
The DIT will assess the eligibility criteria exclusion mechanisms in the ASIC and MSIC schemes with a view to greater harmonisation *if appropriate.
Now being an ordinary citizen would you presume that everyone working at an airport or port would be covered by a National Security action policy? Well they are not, they may have a local employer company or some other issued access card or identity but there is no national consistency:
The committee recommends the expansion of the coverage of the ASIC and MSIC schemes to capture a greater part of the overall supply chain, including some or all of the following:
o staff at cargo unpacking and stuff-unstuff facilities;
o transport workers involved in the transmission of cargo between ports, airports and other parts of the logistical chain;
o customs brokers that do not access port facilities; and
o human resource staff and management at companies with employees that currently must hold ASICs or MSICs.
"The DIT, in conjunction with the AGD and relevant portfolio agencies, will evaluate the potential security benefits of expanding the categories of people required to hold ASICs/MSICs."
The committee recommends that AusCheck and CrimTrac work together to develop a database system that enables continual assessment of a cardholder's criminal record in order to ensure that cardholders are disqualified very soon after being convicted of a relevant security offence.
Now would you, as a citizen, assume that there is a system that would automatically disqualify someone with a criminal offence and get their identity card back? Well, how do you feel about a "mandatory self-reporting requirement designed to identify those card-holders who may be convicted of a security-relevant offence in order to reassess their eligibility to hold a card." Yes, that is as it says: the criminal or the employer has to self-report.
Now it gets sticky, biometrics!
The committee recommends the use of biometric information, particularly fingerprints, to establish a unique identifier for applicants for the purpose of maintaining an accurate database of cardholders.
This can only elicit one response from the Government:
"The Government notes the recommendation and will consider the use of biometric information in the context of its work coordinating Australia's National Identity Security Strategy, a cross jurisdictional initiative endorsed by COAG in 2007. One of the key elements of the Strategy is enhancing national inter-operability of biometric identity security measures which is being progressed through the development of a Biometrics Interoperability Framework."
The above is frog shit; that Strategy, developed when Kevin Rudd was Prime Minister, has never been enacted.
The Prime Minister, Premiers and Chief Ministers signed the IGA at the COAG meeting on 13 April 2007. The key objectives of the Strategy, as set out in the IGA and detailed in the reports to COAG, include:
o improving standards and procedures for enrolment and registration for the issue of proof of identity documents (POI)
o enhancing the security features on POI documents to reduce the risk of incidence of forgery
o establishing mechanisms to enable organisations to verify the data on key POI documents provided by clients when registering for services
o improving the accuracy of personal identity information held on organisations' databases
o enabling greater confidence in the authentication of individuals using online services, and
o enhancing the national inter-operability of biometric identity security measures.
At that meeting, COAG also noted the progress made to date in giving effect to the six elements of the Strategy, and acknowledged the value of this work in providing guidance to government.
The public service produced yet another framework, "The Biometrics Interoperability Framework", which is a recommendation guide but not legislated policy. Since 2007 it has been "exploring specification of the uses of particular biometric types, namely fingerprints and face; the manner in which biometrics information is validated, stored and shared; and the data standards applicable to achieving interoperability." It is still exploring away and there are conferences and meetings to go to every few weeks to keep everyone excited and to fill their busy days.
The committee recommends that the Australian Government consider the use of biometric information for the purpose of controlling access to security controlled areas in the aviation and maritime sectors.
I am excited that there will be exploration and more... year after year after year.
The committee recommends that AusCheck establish memoranda of understanding with the Australian Federal Police and other key law enforcement and intelligence agencies in order to allow the timely provision of information held in the AusCheck database to those agencies. Agreed
And there will be and there are "Memorandums of Understanding" between the agencies.
And finally, after an exhaustive period the Parliamentary Committee comes to its final recommendation
The committee recommends that current ASIC and MSIC issuing bodies are replaced by a single, government-run, centralised issuing body.
And down on the touch line at the final siren, it is "Noted" and there will be a "functional review, in consultation with industry stakeholders, unions and Government agencies to identify preferred issuing body functional models and operational structures for the ASIC and MSIC schemes. This comprehensive review will undertake a cost benefit analysis of preferred functional models, including the option of a single, government-run, centralised issuing body. It will also seek to identify potential unintended consequences - such as airport and seaport operational issues - that may arise from the introduction of different models, as well as consider transitional issues should a new model be introduced as Government policy."
Expect to wait many more years and since there will be an election on September 14, 2013, do not expect National Security to be anything beyond the political big themes of "Refugees, Military, Wars and Immigration".
Meanwhile just about anyone, with some smarts and a bit of nous, can gain access to a secure area of a telecommunications facility, a water storage, an airport or sea port, a bank, a public service building.
However, to be fair, there has been amending legislation to cover off the need for a consistent identity for all categories of employees (staff at the cargo mentioned above and others) and the easy bits of the recommendations have been acted upon. There is an expectation that the long suffering Transport Security Division of the Department will get some money and I think a better hearing under a Coalition Government than a Labor one, following the federal election.
THE AUSTRALIAN BANKING SECTOR
Since the sixties a whole industry has developed around card issuance. First we had the membership cards, many of them pieces of paper laminated. The identity instrument - things like paper driver licences - were similarly laminated. Bank cards heralded the introduction of mass plastic cards in the mid sixties and large volume card printers entered the market invented by Datacard in Minneapolis, in the United States.
Employee identity, loyalty and the myriad of other cards evolved. Magnetic stripe technology changed the way cards could be used, and the ATM and EFTPOS systems were born. The chip card (or smart card) arrived and the whole concept of cards and identity entered the privacy debate arena. Government wanted to identify people. Big brother conspiracy theories and the "benders and the shapers" who like to tell us how to live and what information may be kept by banks, enterprise and governments, took up the cudgels to defend our very existence against the pernicious forces.
Meanwhile a myriad of players worldwide had entered the market place, ranging in size from multibillion dollar international corporations down to small businesses turning a million or lower. The number of players has created a predatory market, not the least with the rise of China into the cheap seats, setting new benchmarks in "quality can be cheap", "cheap can be quality", perception and thinking of both business and consumer. The wonder is that some believe that increased productivity and reduction in costs will save the day and that endless growth is achievable. Cheap takes us to the bottom and is a zero sum game. No one is happy except the ultimate winner and are they really the winner in the long run? Relationships are short term, and fraught, in a world of cheap commercial players and market gamers.
The biggest buyers of cards in Australia, and probably the world, are the banks. They come armed with their own rules and a cheap mindset for everyone else except themselves. So the suppliers of products, and services, to them are supposed to sell it to them at bargain basement prices, whilst wearing loin cloths and shivering in cardigans in the icy cold fridge that is the banking world of negotiating contracts and relationships. No heart beats here. On the reverse side the banks charge heavily to their customers making enormous profits for their shareholders. A detachment from reality and relationships. The game is not fair or even. I think that the banks have questionable tendering practices. A technique used by less ethical operators would be to tell bidders how much dearer they are against the others to achieve their price objectives. The end justifies the means and anything goes as we have seen in the past few years. The banks are not good learners. They use fear as their primary tool of negotiation. The suppliers live project by project in this atmosphere of fear. The contracts churn. The margins ever lower destroying the supplier economic base. The consumer never receives the benefits of this repressive action. They still pay the banks usury rates for their credit.
Vested interests rule the world of the ordinary person, and we the consumer, and user, get little say, but that is about to change. Technology as always changes the world and it is mobile technology that returns the control to the user/customer and is the disruptive technology that incumbents fear. Disruptive technology shatters the cosy relationships and the clubby atmosphere.
Mobile technology is evolving and when coupled with the Internet it is defining a forward looking statement based on the long term view of the replacement of cards, tickets, cheques and cash. Financial institutions and banks can move beyond traditional customer bases to targeting the "non bank" customer, which is a very large segment of the Australian market sought by banks as well as micro finance for small business and single entrepreneurs.
The Application Mobile Wallet - A new type of instant issuance of the future
A "Mobile Payment Wallet" bundles cards, accounts, prepaid cards, cheques, BPay along with other instruments onto a mobile device. This offering incorporates digital receipts, loyalty, (underwritten by banks and other enterprises, including large retailers and service providers entering non-traditional markets in insurance and finance), generic gift card, health and social security payments and transactions (government and private), airline flight boarding passes, cardless ATM withdrawal, ticketing services for transit and entertainment, using the devices as the transmission (wave and pay technology) with an endless set of options for merchants to participate in programmes.
These new offerings include customer choice options for billing of transactions into the mobile phone, or device service provider such as Optus or Telstra in Australia and subsequent clearance of that bill by the banking or financial services provider. The server-based wallet is quite agnostic to the telecommunications access channel and the customer can access services over both mobile and non-mobile services.
Instead of using a card the customer can use a secure SIM menu, a USSD channel or an SMS, web, POS, ATMs, IVRs and any other thing that comes onto the market. The mobile device, and the identity credential including the PKI credentialing certificate process, enables any transaction over any digital transmission technology.
These technology platforms incorporate multi factor and multi modal authentications for customers covering merchants, money transfers such as Western Union, bill pay, secure on line shopping eliminating the "no card present" issue, with stored value prepaid options for customers who want secure transactions with limited exposure of their funds and budgetary control. The software control, for these various transactions on mobile, accords with Anti-Money Laundering plus credentialing for specified transactions. Any abnormal account activity will stop the transaction in the mobile device. This goes head on into competitors' anti-fraud systems such as ANZ Bank's Falcon.
A whole industry developing mobile applications is created. The applications are deployed and automatically transmitted to the mobile device without required user action, once they have logged on via their app on the mobile device. The user profile goes beyond a mere card, to a customer defined suite of tailored services for the customer demographic running on various integrator platforms.
THE GRADUAL DEMISE, OR REDEFINITION OF TRADITIONAL INDUSTRIES AND SMALL PROVIDERS IN AUSTRALIA
As with any major disruptive shift in technology there are winners and losers. Many small entrepreneurs have built a business around plastic cards, small software applications and the clips and pins that go with them. Some will remain to service niche markets.
The real impacts will come in the large production, and printing bureaus, that have grown up to service banks, large enterprise and government agencies. The card manufacturers, and personalisation industries, including packaging, that deliver flat boring cards and the new generation smart cards.
Cards which have dominated the market will no longer be the overriding marketing, branding and service instruments, as the developed world goes mobile.
There are those who argue that mobile devices are unreliable, that not all people have smart phones, that the older people and the lower income people will not want to use them. The Australian government gave away set top boxes when they mandated digital and shut down analog. The internet has been embraced. New gadgets infest the houses and the tablets are everywhere. Apps, like software, are easy to replicate at almost no extra cost; transport costs, vaults and machines are no longer needed. Cards are not replicated quickly like apps and cannot move invisibly and be delivered instantaneously. It will take time, I think five years. The bureaus will have to become software houses developing applications and offering data warehousing and other services to meet the challenge. Cards will not die out completely; they will just slowly fade away to an insignificant proportion of business compared to now. The Australian bureau that moves first on this will take the market until the others catch up. I have a theory as to which of the major players it will be out of Gemalto, Oberthur, Placard or ABnote Australasia. The manufacturers of the card personalisation machines at desktop and bureau levels (companies like Datacard, Muhlbauer, Zebra, Fargo, Evolis et al) will have to think about their future too. They will have to diversify. United States technology and finance and banking that have for a long time dominated because of their size will lag behind other developed countries. They are price driven, often small banks and companies with a small market share and customer base. The card, and identity, technologies, for example in US banking and telecommunications, are aged or designed for the US market and are not easily migratable. There are often differing regulatory rules to those in the rest of the world.
AUSTRALIAN GOVERNMENT SERVICES AND TELECOMMUNICATIONS DELIVERY
Australians have become used to their Medicare card and their health cards. But governments are looking at the way they interact with the citizens to whom they deliver services. They are moving on line and with that comes the need for a technology that transmits data in huge volumes to millions of devices of varying type. Users will have many: PCs, tablets, mobile phones and televisions. The National Broadband Network is a physical representation of anticipating the challenge. The traditional sellers of telecommunications services, like the bureaus above, are also impacted. They had better have a better infrastructure than they have now, which is labouring under the new hand held devices, coupled with really good government policies (the Australian Liberal Party federal opposition wants to get a move on in defining one). Telecommunications companies live on the edge of misrepresentation of their service delivery capabilities. (Kevin R Beck, "Fear, Manipulation and Disruptive Technology in the Card World", 2012)
An uncomprehending, uncompromising political mindset that plays with the national interest.
When the Labor government under Kevin Rudd came to power an initiative known as the National Broadband Network was unveiled. It was valued at $A40 billion. Hysteria among the conservatives and the economic rationalists broke loose. The vested interests of the telecommunications owners were apparent. The media danced a jig with the now common, and boring, retort, "where is the money coming from?". Apparently we, as a nation through our governments, cannot invest in our future if it is expensive. That is the role of the private sector. This is closed mind economic, and ideological, humbug.
Under the Australian coalition, and the ideologically inclined free marketeers, our telecommunications, and internet, is to be at the behest of vested "narrow minded" interests. Those who will value Facebook at $US90 billion and believe the internet is about movie downloads and surfing or shopping on line.
The arguments against Labor's NBN oscillate around the value of Telstra's copper cable, design concepts - fibre to the node, fibre to the home, wireless and two wires between two cans, all focused on the person at home. Typical myopia. But this was never the aim or objective of the Labor plan.
When one digs deeper into the concept, design, planning, and structure, of the NBN Corporation and all of the participants involved it becomes apparent that the fibre optic cable to the home is merely a peripheral item in the more adventurous, and innovative, conceptual NBN. It is a brilliant piece of thinking. There are strategies within strategies, wheels within wheels.
PERHAPS THE LIBERAL OPPOSITION ARE PISSED THEY DID NOT THINK OF IT?
Of great interest to me, in the mosaic of the NBN, is Australia Post's Digital Strategy (incorporating their 24 hour self assistance centres, giro banking and services kiosks and Amex foreign exchange facilities along with a myriad of other Australia Post initiatives which I believe will include a shopper comparison web based service similar to the Canadian Post service).
In amongst the openly known, higher profile planners and participants we find people working from universities, and institutions, education, research and development, small to medium enterprise existing, emerging and new services, the Digital Economy, commerce, and disciplines such as science, engineering, architecture and planning, housing, banking and finance, manufacturing and design, consumer services, broadcasting services (ABC, SBS, Community, Commercial and new media). People working on many, and as of yet unconceived, contributing value that come from high speed broadband to local government, communities and industry. The NBN and its capabilities are limited only by the imagination of the builders and can only be shackled by the small minded opponents who may occupy decision making roles in the future.
Government agencies will morph to the virtual, the areas of change will be in services transmigration onto the NBN of activities of the public service. Indigenous devices delivery, trade, defence and law enforcement including cyber crime, child protection, transport and regional development, tourism, trade, immigration, foreign affairs. All of them, small, large and obscure, will take on new digital personas and operations.
The NBN brings the ability to register, and apply on line from home or at one of the Post facilities, a library, local government, pharmacy, newsagent, or anywhere there is a connection, for a digital identity to conduct business with all governments and to access services. Instead of the current low grade Medicare card, which is open to fraud, there is a new logical identity where a card may or may not be required or even issued. The logical instrument can reside in a phone, device, laptop, PC, and one does not necessarily need a smart phone to access services. The National e Health Strategy for medical records and public health services, social security benefits. The operational programmes of COAG, the programmes of Customs, Defence, Immigration and the National Security agenda. The NBN literally revolutionises the social, and economic, fabric of the Australian nation impacting every person at every level. It is something that a new government cannot unravel and will not want to. It is typically the genius of the Australian Public Service hidden from view. The NBN will go down as a change agent on Australia far beyond the impact of any climate change policy and carbon tax. (Kevin Beck, "The NBN, more than just a cable", Melbourne 2012).
Australia's National Security
Australia's National Security Agencies
Australia's Defence and Security
Australia's Strategic and Defence Studies Centre
Smart cards may have a shorter than expected life span. Some predict that biometrics will emerge in a big way in Australia but for that to happen the Greens party, left wing Labor Party machinists, the Privacy and Orwellian conspiracy theorists will have to be shackled and they should be.
So what is a biometric? Find out here.
Is this the world's dearest driver licence in terms of sunk capital costs?
Whilst applauding the move from paper based to plastic licences one wonders why the programme is being rolled out over five years and why it has taken ten years to get to the first base? The Queensland Department of Transport and Main Roads will begin transitioning to the new cards in late 2010. These cards include driver licences, heavy vehicle driver licence, adult proof of age card, marine licence indicator, industry authority which includes driver authorisations, dangerous goods driver licences, tow truck drivers and assistants, traffic controllers, driver/rider trainers and pilot and escort vehicle drivers.
The overall study, specification and procurement exercise has taken the Queensland Department just on ten years, without explanation as to the reason for delays, and the real foundation costs before issuing to the public. The Department has appeared at expensive conferences and exhibitions around Australia and the world over for years, crowing about their new smart card without ever having it on the horizon.
The exercise, during those years, has been plagued with scandal (typical of Queensland) and unethical behaviour, and the tender for the cards has been let twice at great cost to industry.
There is an embedded overblown approach to tendering by governments all across Australia, with poorly constructed, overly complex and onerous documents, requests for technologies that often do not exist and demands for particular goods, and services, that belie reality. The Auditors-General of all jurisdictions have commented on the processes but all governments (Labor and Liberal) have ignored the escalating and often wasted costs and efforts. The rise of the bureaucracy seeking to transfer risk, accountability and responsibility, makes doing business with all governments in Australia a very risky business. (Kevin R Beck, Melbourne Australia)
The Australian Passport is far and away the most sophisticated, and secure, identity instrument in Australia today. Why? Because we take it seriously and it has international standing and utility.
The former Australian Prime Minister, Kevin Rudd, the Premiers and Chief Ministers of states and territories, signed an Intergovernmental Agreement "IGA" at the Commonwealth of Australia Governments "COAG" meeting on 13 April 2007. The key objectives of the Strategy, as set out in the IGA, and detailed in the reports to COAG, include:
o improving standards and procedures for enrolment and registration for the issue of proof of identity documents (POI)
o enhancing the security features on POI documents to reduce the risk of incidence of forgery
o establishing mechanisms to enable organisations to verify the data on key POI documents provided by clients when registering for services
o improving the accuracy of personal identity information held on organisations' databases
o enabling greater confidence in the authentication of individuals using online services, and
o enhancing the national inter-operability of biometric identity security measures.
At that meeting, COAG also noted the progress made to date in giving effect to the six elements of the Strategy, and acknowledged the value of this work in providing guidance to government.
Based on the above, and the work of the National Identity Security Strategy Coordination Committee, a federal government entity charged with developing national identity programmes, one might think that the progress towards national security and identity is a best practice model. There is after all an impressive library of slogans ("achieving a just and secure society"), political and bureaucratic spin, seriously big, Orwellian and technologically laden words, a healthy mix of motherhood, theoretical frameworks, designs, encryption, standards dissertations and replication, document and identity verification interchange, some inventions (Plaid), extensive studies, theories, committee deliberations, white papers, vacuous policies, diatribe, desktop studies, R&D and agreements. However such an assumption would be an error of judgement. It is not a best practice conversion of policy to outcome, it is not barely an outcome almost all of the time. The bureaucracy does a sterling job and the legislators at state, territory and federal levels let them down. The Ministers, Cabinets and legislators procrastinate, obfuscate and deliberate. They hardly ever activate. Biometrics probably scares the civil libertarian side of the political legislature.
Any action, and implementation, is largely a random set of disparate, high cost - low return, activities across Australia's federal, state, territory and local governments. The latter (local government) is not even in the picture to any extent.
The focus is primarily on "computer logical identity" not physical identity. Cyber crime, and cyber portals, and the interaction between citizen and state, are far more sexy topics than a plastic card, or public servant employee identity and access card. All projects entertained by governments come with massive infrastructure and back room processes and costs. The military, and police, tend to take the issue of identity seriously. They are at higher risk than ordinary folk.
Identity fraud, social security fraud and ATM fraud, is quite common in Australia since the major physical instruments of identity can be easily tampered with or reproduced. Credit cards (magnetic stripe) abound and are easily copied. The banks and credit unions dither because of the cost of conversion, so do universities who struggle with the positive dimensions of possibility. The economy, and taxpayers, bleed meanwhile. The NSW driver licence is among the most faked in Australia. Yet the NSW state government persists with the arcane, and challenged, notion that people should be able to go into a one stop government services retail store and apply for, and receive, on the spot, a driver licence. Similar on demand services are available at government one stop shops in the Australian Capital Territory. In Victoria the Police have been successful in having the driver licence removed from decentralised instant issuance to central secure issuance though the licence is still mailed.
In Queensland it has taken ten years, and millions of dollars of taxpayer funds (including public servants gallivanting all over the world blowing their trumpet at conferences) to devise a smart card driver licence. Talk about reinventing technology and creating hurdles.
OF RESPONDING TO PUBLIC SERVICE ISSUED EXPRESSIONS OF INTEREST
AND TENDERS IN AUSTRALIAN
State and Federal
Probity and extended compliance rubbish in government tenders that cost an arm and a leg to respond to, are another matter for debate.
There is a card known as ASIC (Aviation Security Identity Card) in Australia, which allows the holder entry to secure areas of Australia's airports. One gets it by going to an agent and filling out a form and producing required identity documents, which make up a points scale, and paying a fee. The documents go off to the Transport department and a police check is requested. Time goes by and then the applicant fronts up somewhere upon notification and shows the agent an identity instrument, say a NSW driver licence, and collects the card. It is, in 2010, a white base plastic card with a low quality facial image and a very questionable overlay. It can be produced on any cheap desktop plastic card printer. So it would have to change from base white stock.
A white base card degrades quickly and can be easily replicated by anyone with a modicum of skill. Yet the federal government agency is hamstrung from doing much about it due to a lack of clear policy, and direction, from the Australian government. State governments, when asked about security in their local ports, babble on with incomprehensible duck shoving and blame shifting. Everything is the responsibility of the Commonwealth apparently. When one writes to an agency some public servant responds with references to the National Identity Strategy, the endless paper trails and diatribe that appear to be action in the eyes of a bureaucrat. If it is on paper and signed by a Minister or the Prime Minister then all is well and good and we are on top of the issue. Why is it that when you write to a public servant that they assume one is uneducated as to the policy frameworks and typical rubbish responses and platitudes? Why can they, like their political masters, rarely answer a question openly and with vigour?
There is no clear mandate for a basic high quality, identity security instrument, for designated public and private sector environments, such as Australian ports, sensitive enterprises such as utilities, transport, communications and banking, because Australia's governments (labor and liberal) prefer the "arms length - industry self regulation and accountability" proposition.
What do you think of the security procedures at airports? Let's ignore the fact that the people employed at the gates are not the highly paid lateral thinkers in the whole airport. The charade of removing the computer from its case, one wonders why this is a must, perhaps taking off one's shoes, every now and then doing the explosive rub down with a small white bit of paper, taking off the belt, jewellery, chastity belt and so on. All very impressive stuff. This is not security it is show time.
Every person who wants access to an airport, or sea port, beyond being at the front door should have to carry an acceptable identity instrument. All people entering the airports should have to swipe a card or present identity of some form. It cannot be slower than the facade of the current system. And if it is, so what! What is important to us?
Australia's Governments will act when a political imperative such as an internal act of terrorism or other embarrassing, and nasty, event motivates them.
A man was beaten to death in the entrance to Sydney airport in view of the public. There was a flurry by authorities, state and federal governments, for a short period then they all went back to snoozing. Flurry, words and platitudes, and then nothing is not irregular for the labor government in New South Wales.
In 2007 the Prime Minister signed the document and yet today public servants still carry sub standard, multiple access and identity cards. Some carry them as a badge of honour. The more one has and the particular colour (carried on their belt and around their necks) denotes their rank and importance perhaps? There are still a plethora of disparate costly tenders and (suspect) outside of tender acquisitions, fishing expeditions by agencies to learn things and inform themselves, especially in NSW where nothing much happens and the system appears to be manipulated if not actually corrupt.
The cost of abandoned tenders and programmes, such as the Access Card and programmes in other state and federal agencies, is astronomical, measured in the hundreds of millions. It is a waste of Australia's productive capacity.
There are endless conferences where participants get excited at the novelty of things that have been around overseas for decades. Producing a driver licence is a feat for some that takes ten years. There are studies in identity, fretting about biometrics, academic and privacy rants and "Orwellian conspiracy theories" across the Australian nation. There is massive fraud in social security. All of this costs the nation hundreds of millions and puts security somewhere at risk everyday. Everyone has agendas, including this author. (Kevin R Beck, Melbourne Australia).
The politicians have weak, shallow policies, and the shackled public servants play to the Ministers' ignorance. Accountability, and responsibility, is pushed towards industry self regulation, shoved off to someone else in the hypocrisy that the incumbents have the audacity to call quality government.
The most common identity in Australia, a driver licence, is a budget instrument, cheaply made to a specification that is designed to reduce cost, not deliver security. When I ask about this they tell me it is a compromise. The roads department decide and the police may or may not have sway. The governments of those states with more secure licences misrepresent facts to their constituents, and paint a picture of tamper proof technology. This is what the Transport Minister did when the new style Victorian driver licence was launched. There is however no such thing as tamper proof in an identity card of any type.
There is one smart chip driver licence (Queensland) about to be released in Australia and the reliance on a smart chip as the ultimate in security demonstrates the lack of awareness, and knowledge, on the part of the government. Perhaps they have swallowed a story from their advisers. The applications on the chip are a hindrance more than a security feature. This driver licence will be a pain in the arse to police in the field.
Meanwhile Australian, federal, and state, police have to deal with tens of thousands of fake driver licences, and other low grade identity instruments across Australia because they do not have control of a portfolio policy that rightly is their domain.
Politicians see it as an economic issue with a driver licence costing $A4.50 mailed. This is quite simply ignorance inviting associated costly risks. Privacy interests see identity mandates as an invasion of privacy and some Orwellian plot. Complicating police working safety is the stupidity of New South Wales, government and public service, issuing driver licences at shop fronts on cheap desktop printers, rather than via high security central issuance as in Tasmania, Victoria and Queensland.
The Australian passport is by far the best identity instrument. That is because the passport is subject to international standards and an international image. The Australian passport office public servants take identity seriously unlike other federal, and state, Ministerial offices and agencies. When one questions each senior state, and federal, Minister about their views of national and local security one gets a rote answer, always full of esoteric references to a framework document, or some paper (weight) policy document as if that is a measure of serious intent, deliberation and commitment. There are more papers on frameworks, in our Australian governments, state and federal, than there are working policies. The identity documents to enter airports and ports, utilities and many other sensitive enterprises are cheap and nasty plastic with little, if any, security features. Getting in and out often can be done without any identity card at all. What we need is a crisis to galvanise political attention and action.
They were, and are, under performing on national security policy, internal security, identity holistics and imperatives.
Now, in September 2010, in order to garner support to win government, via the independents, Ms Gillard is willing to look at smart cards to reduce problem gambling. What an irony. Meanwhile for the past four years under labor, and even under John Howard's coalition government, it has been possible to obtain a low grade, flawed identity card to work in an airport, port or in the airline industry. There is a national checking system. There is no national checking system to gain an identity to enter power stations, other utilities and critical asset environments. Why not? What is the difference in criticality and danger to security?
When one inquires why the aviation and maritime identity document is such poor quality, and capable of being frauded (a transportation identity in use today can actually be made at home) one learns that the government's policy regarding this critical arena of activity is one of self regulation by industry. Now isn't that just peachy. It is one of the most stupid policy derelictions amongst many. The Australian Labor Government has demonstrated a dysfunctional ignorance, a vacuum of ideas and a blatant disregard for national security that one can imagine.
Some public servants opine that it will take a terrorist attack, inside Australia, to galvanise their attention.
The privacy groups, who object to identity cards, have no concept of anything remotely close to understanding just what the Access Card could have been and how it may intertwine with other areas of national security. Perhaps labor thinks that national security is military and refugee focused with no linkages to internal security? Imagine how the privacy. Imagine the reaction if everyone had to have an identity card to go beyond the baggage area of an airport or sea port. To get on a plane or a train. People who want access to these critical areas should have an identity access card but labor is too weak kneed to act to protect our national internal security. Tens of millions of dollars are wasted by industry each year trying to get the attention of Ministers whose pressing interest is one of self. Gillard is an amateur in the role of Prime Minister and national security but Ms Gillard, and her inept colleagues, will most likely be in government and the pain of dealing with those who have little awareness of what to do as an holistic set of actions, will continue unabated. (Kevin R Beck, Melbourne Australia)
Today the government cooks the figures to cover up the extent and the Minister for Health, Nicola Roxon, approved rate rises for health fund premiums that encompass an entrenched, high level of stealing by some in the health professions with patient complicity or disregard. The preferred provider agreement, proffered by health funds, as a benefit to members promotes fraudulent practice. Minister Nicola Roxon, has constantly for over a year, ignored provided evidence, from practitioners, and in this regard she is derelict of the public interest along with her federal labor cabinet colleagues.
Many times this year documents have been sent to the offices of several senior Ministers, including the Prime Minister, to private health funds and to regulators and senior bureaucrats, providing them with evidence of significant, and growing, fraud in the private and public health sectors. They choose to ignore this material and face to face meetings.
THE FARCE OF IDENTITY POLICIES
AUSTRALIA'S GOVERNMENTS DO NOT COLLECTIVELY TAKE NATIONAL SECURITY SERIOUSLY
Primary Document, 70 points
Birth Certificate
Birth Card issued by the New South Wales Registry of Births, Deaths and Marriages
Expired passport which has not been cancelled and was current within the preceding 2 years
Other document of identity having the same characteristics as a passport including diplomatic documents and some documents issued to refugees
Secondary Document 40 points - Must have a photograph and a name
Driver licence issued by an Australian State or Territory
NSW RTA Photo Card or other state instrumentality issued card
Licence or permit issued under a law of the Commonwealth, a State or Territory Government - (e.g. a boat licence)
Identification card issued to a public employee
Identification card issued by the Commonwealth, a State or Territory Government as evidence of the person's entitlement to a financial benefit
An identification card issued to a student at a tertiary education institution
Tertiary Document 35 points - Must have name and address on it
A document held by a cash dealer giving security over your property
A mortgage or other instrument of security held by a financial body
Council rates notice
Document from your current employer or previous employer within the last 2 years
Land Titles Office record
Document from the Credit Reference Association of Australia
Other Document 25 points - Must have name and signature on it
Marriage Certificate (for maiden name only)
Foreign Driver Licence
Medicare Card (signature not required on Medicare Card)
Other Document 25 points - Must have name and address on it
Records of a public utility - phone, water, gas or electricity bill
Records of a financial institution
Electoral Roll compiled by the Australian Electoral Commission and available for public scrutiny
A record held under a law other than a law relating to land titles
Lease/rent agreement
Rent receipt from a licensed real estate agent
Other Document 25 points - Must have name and date of birth on it
Record of a primary, secondary or tertiary education institution attended by you within the last 10 years
Record of professional or trade association of which you are a member
Note the Medicare card at 25 points. This card issued by the Australian government enables the holder to obtain medical services across Australia, and in some cases internationally by reciprocation, for thousands upon thousands of dollars. It has no picture, no address and no signature and no security features. An Australian driver licence is valued at 25 points, why? Because it is not a trusted instrument. A bunch of invoices for electricity, gas and telecommunications etc, which can be arranged over the phone or over the internet and the company has no idea who you really are. These are accepted identity instruments. What they are is political necessity unless the voter becomes annoyed. In NSW the driver licence is issued on the spot using low grade identity equipment for political reasons, the applicant wants the instant fix. Never mind that the NSW driver licence is one of the most frauded in the nation. In the Northern Territory the driver licence is issued from a desktop printer like NSW, with low level identity features. There are highly secure standards developed for identity. The question is why do we not have them coherently, and consistently, implemented under a Commonwealth Heads of Australia's Governments Policy and Specification Standard?
What would Australia's travellers say if they had to produce an aviation airport identity card to enter the airport and to board the plane? Would they bleat and whinge? Yet it is in these places that we can expect danger.
"Sydney airport killing after flight argument between bikie gangs, by Kara Lawrence From: The Daily Telegraph March 23, 2009
SENIOR members of both the Hells Angels and the Comancheros outlaw motorcycle gangs were on a Sydney-bound flight and an argument escalated into a fatal brawl from the moment they left the plane, it has been alleged. The brawl resulted in the death of 29-year-old Anthony Zervas and his older brother, senior Hells Angel Peter Zervas, was arrested at the scene, Central Local Court heard this afternoon."
"Keelty says airport bikie brawl response 'acceptable', BY NICK RALSTON, STEPHANIE GARDINER AND KELLEE NOLAN 24 Mar, 2009
Australian Federal Police Commissioner Mick Keelty insists the response to Sunday's deadly bike gang brawl at Sydney Airport is ''within acceptable practice''. The brutal murder of a man in front of crowds of travellers has exposed fatal shortcomings in Sydney airport's security as it was revealed airport police only learned of the brawl, involving up to 20 men, after terrified passengers telephoned triple-0."
Whilst airports have closed circuit cameras, would it not also be an effective law enforcement and security policy if everyone had to swipe, or present a proximity card, and then the police could see who was in an airport and where at any time? Could we not attach the card to an alarm system for wrongful entry into a restricted area? We have proximity cards for Victoria's transport system but not for airports? (Kevin R Beck, Melbourne Australia)
AUSTRALIA'S GOVERNMENTS AT ODDS AND ENDS ON IDENTITY AND SECURITY
In 2010 the best that Rudd can offer in a national identity security strategy is a disregarded COAG agreement on identity:
The Prime Minister, Premiers and Chief Ministers signed the IGA at the COAG meeting on 13 April 2007. The key objectives of the Strategy, as set out in the IGA and detailed in the reports to COAG, include:
improving standards and procedures for enrollment and registration for the issue of proof of identity documents (POI)
enhancing the security features on POI documents to reduce the risk of incidence of forgery
establishing mechanisms to enable organisations to verify the data on key POI documents provided by clients when registering for services
improving the accuracy of personal identity information held on organisations' databases.
enabling greater confidence in the authentication of individuals using online services, and
enhancing the national inter-operability of biometric identity security measures.
At that meeting, COAG also noted the progress made to date in giving effect to the six elements of the Strategy, and acknowledged the value of this work in providing guidance to government.
Today (June 2010), public servants carry multiple access and identity cards, a status of their pecking order, to enter Commonwealth government buildings, around the nation, and the federal Parliament in Canberra. Tenders are called and then delayed or abandoned.
The Prime Minister, in response to a security threat at an Australian airport, decided that the body scanner should be installed at designated major airports. Never mind that the aviation identity card, for personnel who work in or travel through airports, can be applied for, under the most insecure conditions, from hundreds of outlets around the nation using a set of breeder documents that are in themselves questionable. The end result is an aviation - airport identity card that is highly open to fraud and counterfeiting. The national policy on security, and identity, is but words on paper. The whole notion of an identity standard is subject to budget cut whims, and a disjointed research programme and pet project implementation. It is subject to hysterical misrepresentation in the media, "Orwellian" conspiracy theories and the notion that government can spy. Politicians are under educated or non educated. Public servants spend millions at conferences and on the examination circuit worldwide engaged in exploration and study. It takes a decade to produce a smart card driver licence.
There are no standard identities for Australian police, driver licences, for sensitive enterprise employees, for state, and federal, public servants and for parliamentarians. The best, and most secure, identity instrument in Australia is the Australian Passport. Except when the Israelis produce fraudulent ones. The worst identity instrument would have to be the Australian aviation airport identity card and the NSW driver licence, among others. Instead of demanding highly secure instruments jurisdictions demand that driver licences be produced for $A4.00 each, financial credit cards for a few cents. This is quite frankly stupid and counter productive. (Kevin R Beck, Melbourne Australia)
"Deployment of a national access card will be a job for private industry, not government, according to the federal Human Services Minister, Joe Ludwig. The government launched scathing criticism at the Howard government's plans for a national identity card, but has remained open at the philosophy behind the initiative. Speaking at the 2008 Australian Smart Cards Summit in Sydney today, Ludwig said the government does not reject the idea of a national identity card, but will not deploy it without private investment. "The Access Card structure tangled everything into one big complex project, which risked delays, cost blow-outs, and restricted the former government's ability to steer the project over the long term," Ludwig said. "Labor was opposed to the previous government's Access Card, but we have no in-principle objection to smart cards. The Access Card was an Identity Card by stealth. "Even if the Access Card was signed off by the Department of Finance, I don't think it made good sense for the government to be involved in the roll out." The controversial Access Card was designed by the Howard government to tie welfare payments to healthcare and other services and improve service delivery and reduce fraud. The plans were scrapped in December last year. Ludwig said it will be up to the private sector to create a national smart card, and the government would create standards for the transfer of payments. He said enough work is being done to secure identities through reforms including the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) laws, the Know Your Customer regulation, and identity management in the finance sector. "We are keen to take a step-by-step logical approach [to smart cards] where each step stacks up on its own, and unmeasurable synergies are a bonus." 
Ludwig said further collaboration is required between government and non-governmental agencies to bolster the framework and delivery of national smart card initiatives, including the income management card." (Source: Extract of speech by the Minister for Human Services, the Hon. Joe Ludwig, at the Australian Smart Card Summit, Sydney, June 2008)
The Australian smart card industry wasted millions tendering for the, now defunct, Australian Access Card. They did so on the previous government's undertaking that the card was designed to seek to (a) streamline efficient payment of social welfare benefits and (b) eliminate fraud currently exceeding $A1 billion per annum. The question of whether it was an identity is moot in the greater necessity of things. To simply kill it for an Orwellian perception, and political expediency and one upmanship, is scandalous. It is typical of the corrupt nature of Australia's political duopoly who make decisions for political gain rather than public interest. There is a demonstrable lack of morality, and a moral compass, in the above speech. The public service wants to stem the fraud and waste, and inefficiency, but the Minister takes away the tools and shackles them. Whilst the published figures imply a fraud level above $A1 billion, other anecdotal estimates are in the $A2 billion range. This type of decision making is becoming a modus operandi of the Rudd Labor government. Policy made without deep reflection.
Why would the private sector invest in something that renders a massive public benefit to the taxpayer and relatively little to industry? It is a social welfare card. It could be that others wanted the smart card for identity purposes (e.g a video shop, a utility, a medicare provider) but this is ancillary. The current (easily frauded low grade) medicare card is used in the "100 point check assessment" and it is used to give people discounts in local government, utilities and services, it just has no picture on it.
The Australian government of Kevin Rudd is condoning, and allowing, theft of Australian taxpayers' money. It is that simple.
It should only take a year, sometimes as little as six weeks to six months to implement and issue a smart card. So why are Australia's governments spending years and billions to get nothing?
After all of the cost, and effort, there are no smart cards in existence in any of the much published projects.
In keeping with the fine tradition of rewriting history, and manipulating perception, and debate, the Australian government Human Services web site no longer has a reference to the Access Card. The practice of managing democracy and perception, by Australian government media units, within the Premiers and Prime Ministers offices is corrupting democracy. It is reprehensible and criminal.
As demonstrated above there are web sites (some still up, others departed) talking of great initiatives and there are media announcements by Ministers of the state and federal governments. There is the federal government Smart Card Framework that labours over the proposition for a simple device. Then there are identity related activities across Australia's governments. There is no common policy, and standard security design and topology, across Australia for all sensitive identity documents such as passports, diplomatic identity, driver licences, sensitive industries identity (airports, ASIC card), transport and utilities, state, federal and territory employees' identities. There is just a mismatch rhetoric of bull dust. The identity documents that exist are very low standard in design, topology and security features and are easily counterfeited, particularly the Medicare card and the Queensland and NSW driver licences.
There are lies and misrepresentations of extensive proportion. There is waste in the order of several billions of dollars. There are no smart cards as of June 2008.
The Australian Labor Party, whilst in federal opposition, were happy to trash the Coalition government's Access Card. They now find themselves in the embarrassing position of being in government and having had the Access Card killed off by one of their Ministers during their time in opposition. They are unable to stem fraud exceeding $A1,000,000,000 in Commonwealth medicare and other payments because of their ill considered, and politically opportunistic, stance in 2007. The rhetoric of the Prime Minister, the Treasurer and the Minister for Finance regarding their seeking out savings in the 2008 federal budget to fight inflation is hollow. They today fail to act on the massive fraud and thus are hollow on achieving savings. This ongoing fraud wipes out their claimed savings in the 200 budget papers.
Australian government Department of Human Services. The winners have been the lawyers and the consultants and the embedded computer systems integrators. They have reaped tens of millions of dollars without ever delivering a single smart card to the tax payer. The unit cost of the Queensland driver licence, when and if it emerges, if embedded expenditure is taken into account, will be several thousand dollars per licence. The cost of a smart medicare card will be much more than was necessary also.
This web site tracks that history, analyses the above activities and also informs the reader about smart card technologies.
The Honourable Tanya Plibersek, now a federal government Minister, opposed the Access Card, ending up costing the taxpayer tens of millions. In doing this Ms Plibersek has assisted the massive fraud of the purse to continue. They have done this in pursuit of their own political interests. They have been ably assisted by others. The goal was to kill off the initiative regardless.
"A LABOR government would scrap the contentious $1.1 billion Access Card project, human services shadow minister Tanya Plibersek has confirmed. .... "We have said all along that if the Access Card had not been introduced by the time of the election we would not proceed with it," Ms Plibersek said. "So, yes, we would scrap the proposal entirely." (Source: Labor to dump Access Card, Karen Dearne and Ben Woodhead, October 16, 2007, Australian newspaper, IT section).
"The Federal government calls it a Human Services Access Card, We call it for what it is: a National ID Card System
This very successful campaign ran from the beginning of 2006 until late 2007. The weight of evidence eventually resulted in a (Coalition-dominated) Senate Committee severely criticising the project. The Coalition all-but gave in, and the incoming Labor Government scrapped the project and the Office of Access Card very shortly after its election.
Congratulations to Campaign Director, Anna Johnston, whose efforts over an extended period were instrumental in the Access Card's defeat; and to the many others who made significant contributions, especially Tim Warner of the Access Card No Way Campaign, other members of APF, and Electronic Frontiers Australia (EFA)!" (http://www.privacy.org.au/Campaigns/ID_cards/HSAC.html)
Is this why there is no Medicare smart card in the 2008 federal budget designed to stop massive fraud? All because of Ms Plibersek's short sighted all encompassing statement? The work, the tenders, the research and the money all gone, never to be used? What criminal waste is this in pursuit of political one up manship and the ignorant belittling of the public service effort? The Prime Minister, Kevin Rudd, it seems may have little regard for the public service effort also and could care less about the waste of money and ongoing fraud.
Why bother?
The Auditor Generals of Australia's governments need to look at the embedded, absorbed and hidden costs! They are really eye poppers.
Smart cards, or chips on plastic, are fundamentally quite simple. They are small computers. They use script to run programmes to perform functions. Computers were invented some time ago although you might not believe this when you look at the cavalcade of waste, and stupidity, that passes for informed knowledge. The Access Card, a federal liberal government initiative, and the Queensland driver licence smart card, a labor state government initiative under the logo Smart State, are two that stand out.
Auditors General, and independent members of parliaments, need to look at the costs of ICT activity in governments and the empire building in public service agencies, duplication, and above all relationships of public servants and private company officers and employees as well as the processes and time frames. The hidden costs are enormous. The projected and/or end cost given to parliaments, or publicly stated, across the nation, for most ICT projects, are not true.
Queensland Transport embarked on their study of an evaluation for smart card drivers licence in 2001. The date for delivery was 2008.
The hype that politicians swallow about smart cards leads them to waxing lyrical as if there has been a ground breaking discovery. Even worse are the claims for the efficiency and operation of this simple technology.
" Premier & Treasurer, The Honourable Peter Beattie, Thursday, December 29, 2005
"Smart Licence on the Cards
The State Government will be seeking expressions of interest next year for the delivery of a new Queensland smartcard driver's licence by 2008, Premier Peter Beattie said today. "The new licence technology required in this day-and-age will be a giant step in the right direction in the fight against identity fraud and it will also deliver other benefits to Queenslanders," Mr Beattie said. "As well as incorporating microchip technology, the successful tenderer will be working closely with the Queensland Government to update the licensing technology we need to have in place across the State. "The way driver's licences are currently made and the way information is stored needs to be brought into the new digital age. "Queensland is the Smart State, and we will have a smarter licensing product in place in 2008." (Government media release extract)
" MEGAN MAGILL:
There are estimates the system would cost $60 million to establish. Civil libertarians are alarmed that the government is considering entering partnerships with banks and businesses to help pay for it. Ian Dearden says all Queenslanders should be worried by the prospect of big business paying the government to access otherwise private information.
IAN DEARDEN: It's hard to know what their agenda is. This current licence, if the government believes it needs replacing, could be replaced by a system that very cheaply and adequately does the only job that we believe driver's licences should be used for, which is to prove that you are a registered driver and you are legitimately able to drive in Queensland and what card, what class of vehicle you are able to drive etc.
MEGAN MAGILL: But Paul Lucas insists the card will only be used by banks and business for identification and security.
PAUL LUCAS, QUEENSLAND TRANSPORT MINISTER: Banks will have access to the authentication material on the smart card if that is the subject of that particular bank's arrangement with the customer but as I said to you, it doesn't have information necessarily about bank balances it certainly doesn't have information about Queensland transport records other than you've got a driver's licence this is your address, this is your date of birth and what classes of driver's licences that you've got and the ability perhaps if you wanted to have your donor information on the card as well.
MEGAN MAGILL: He stresses card holders will be able to choose whether they want their bank details stored.
PAUL LUCAS: If you don't have a driver's licence you don't have a card at all. If you do have a driver's licence it's there for your driver's licence purposes but many people complain that they have too much plastic in their wallets and many people complain about bank card theft, about credit cards being used and skimmed this is about improving technology, reducing fraud, giving better confidence in our driver's licence system.
MEGAN MAGILL: But critics warn the card's potential is far greater. (Source of extract: ABC Stateline, Broadcast: 30/07/2004, Reporter: MEGAN MAGILL)
The simple driver licence is suddenly a monster in the hands of bureaucrats and politicians. They dream large. Yet this is lost on the public officials. Queensland Transport people travel the world extolling their expertise and tell us that they will have the licence out in 2009. Just a minor slippage. What they do not tell the people of Queensland and the audiences of the conferences they attend is the real cost of the licence.
Both government jurisdictions have embarrassed themselves with nonsensical, and uninformed, public tenders putting into print some of the most contentious drivel and hurdles for something that is quite simple. The waste by the federal and Queensland governments in worthless study and ponderings is scandalous.
Some fifty nations have smart cards of some type; Australia has none. They cannot replicate the best and seek, in effect, to invent wheels that are square and demand that bidders make them round whilst mandating they be square. They both put out multiple tenders that went nowhere and, in the latter case, Queensland has just reissued another two, remarkably complex and fantastical in statement of intent. Whoever wrote the tender is a master of complexity bordering on nonsense. They should get a prize for making something simple incomprehensible.
Both are captive to consultants, IT geeks and hired lawyers who know little about the topic at hand, the technology and most strikingly of all, doing business effectively and economically.
The lawyers, in their fanciful world, believe that the individual projects they run can be isolated from the general trend towards convergence of technologies and the relationship of the Access Card and the driver licence to security and integrated planning. The few bidders who can provide an integrated conceptual and effective solution are threatened with sanctions for talking about the Access Card or driver licence in any forum. The tender documents contain gag clauses as if they contain intellectual property. The public sector treats its internal IT systems as belonging to them and not the public. Behaving as if they are in some Hollywood movie script, they state that their diagrams are commercially confidential and highly secretive. Rubbish. These systems are funded on public monies and should be shared by all state and federal jurisdictions rather than be the deemed property of separate states of the federation.
The processes of tender assessment are long and drawn out. They are too often leaded down by people who are not expert in the technology on offer.
In their myopic consideration parties to the tender cannot communicate with governments and agencies about anything in the documents. They create Chinese walls and advisers convince politicians that this world of make believe is real. There is an expectation, from the bureaucrats, controlling these processes, that business will hold their breath and bear exorbitant costs at the demand of a few out of touch public servants and politicians. The Commonwealth Department of Human Services during 2007 stalled numerous other vital projects in an attempt to centralise control. Identity, access and security including improved possibilities for Medicare and Centrelink were all stymied and the cost to taxpayers and the inefficiency, money laundering, fraud and general criminal activity using Medicare cards has been allowed to continue. The incoming Labor government then stopped the Access Card.
The creation of complex and unnecessary IT infrastructure demands in tenders has forced innovative smaller companies out of the bid. The Access Card demanded that only companies that had carried out projects of similar dimension could bid. The problem is that there are none in the world like the Access Card. There are no projects of this multicard application implemented and operating anywhere in the world. It has ensured control of hundreds of millions of dollars in taxpayers' funds will be placed in the hands of systems integrators - big central IT server architectures managed by expensive human resources in a plan to maintain the status quo. The status quo is to maintain the power of IT making treasury captive to gobbledygook. This is common to state and federal jurisdictions. The use of IT models to do simple tasks and thus maintain control of the funds flow.
In most industry sectors there are demands that suppliers provide fixed price contracts. The world of IT is unique. The major corporations, and consultancies, of the IT world are masters at avoiding fixed price. Some better than others. Time and materials contracts rip the budgets as big companies experienced in manipulating politics, and bureaucracy, raid the public purse.
A smart card is worth between $2.50 and say $30.00 if there are a whole lot of "u beauty" applications, holograms and optigrams on the latter. However the federal government Access Card, and Queensland drivers licence, are in reality likely to be a real cost of $10,000 a card when one amortises the cost of all of their activities, trips overseas, studies, consultants and processes undertaken since 2001. The two Auditors' General of these jurisdictions should have a look at the real cost and ask why is it that it takes from 2001 to today to get nowhere on a drivers licence and how a lazy $50,000,000 plus went down the drain on the Access Card?
Meanwhile back in Queensland, Transport issues tenders over the Christmas break. These are people who will go on leave and relax whilst industry slaves over the holiday period to meet the deadlines. These people are detached from commercial reality. It is frankly not worth bidding a Queensland tender. The people of the state are kept in the dark as to the costly failures and over runs of the IT projects in the Smart State, since 2000.
Below in this web site I talk of the government's move into smart card technologies and frameworks. There is much publicity about the government's Access Card. It is stalled, locked in a legislative mire and world of unreality.
Like all projects of this dimension it has been stuffed by experts and consultants and public servants who think they are inventing a new product. There is involvement by the Department of Defence, Agencies, Centrelink, Medicare, other agencies, by AGIMO and anybody who claims knowledge. It is like the Victorian transit card, a shambles. Why is it that a simple card is made complex? Why is it treated as a high security, complex instrument when banks and bureaus are distributing hundreds of millions of cards daily around the globe? The Access Card is a social welfare transaction card. It is not a high tech "spook" card requiring the involvement of the Defence Signals Directorate and a group of people focused on FIPS, cryptography and other fantastic solutions. The government ministers swallowed the advice, and have been misled and the people of the nation have been conned with lies and misrepresentation. A card that should have been easily communicated to the people, easily designed and produced has been made overly expensive and complex as well as a "dangerous instrument". As a result it is a dead duck.
For this we can blame DHS and the myriad of high paid consultants. We can include the new breed of controller - the probity adviser (lawyers) who make open, and honest, communication between skilled people bidding and the public service a nightmare. They divide the public service from industry and are an imposition on efficiency. They are an overblown, questionable cost on the public purse. For what purpose? Fairness, equality and ultimately compliance to an unrealistic process that says that value cannot be added to a tendered proposition at a later date? What is written is it, and upon that decisions are made, regardless of cost, impact and loss? This is stupid in the extreme and the federal Auditor General needs to examine the rules of probity and their results and costs. The people involved in the tender processes of governments, now operate in some world distinct from the reality of innovation, and cooperation possibilities, that might actually be in the public interest. They are obsessed with their artificial processes and thinking. They are risk averse and want someone else to bear the accountability. The winners here are the lawyers, the hired experts and consultants who get their fees regardless of delivery and end result. The Access Card has cost the government, the taxpayer, the industry and the nation tens of millions of dollars without result.
The tenders are quite unique in that the imagination of the writer is detached from the reality of the world in the case of the larger contracts on offer. They seek to impose liabilities, and responsibilities, on the market as if the technology is being invented for their particular project. The assessment processes, and subsequent winning bidders, will be interesting given the level of expertise in Australia in this field of technology and within the consultancies hired to advise the government agencies. There was surprise in the industry because they do not reflect the reality of the industry operations or the expertise. They focus on systems integration rather than card technology and public exposure in parliamentary enquiries and in the announcements over time demonstrate the card to be considered as a periphery object. The Senate became aware in enquiries that the Department proposes a new central infrastructure of a dimension unseen. A massive database. This IT structure would reinforce the Department's role and also put it into murky territory. The parliament scrutinised the legislation and the intent and decided that the project was dangerous to privacy and to individual citizens.
The politics ran high as industrial relations became an Achilles heel for the government, and a new Minister in the shape of Senator Ellison was appointed. Joe Hockey went to the Workplace Relations portfolio. This was a major loss since Joe's knowledge of the card technology was unmatched in the government. Why he allowed the tender process to proceed in its structure and form, in two parts with an emphasis on IT systems, is not clear.
The Australian Financial Review published an inside story stating that IBM and Thales were the successful winners of the first tender. The Department was mute and refused to respond. The politics cost the Secretary, Patricia Scott, the role as head of this new super agency. In the meantime the Department continued to issue written threats to anyone in the tender process who criticised them publicly or muttered the words "access card". The rights of people to communicate with the parliament and their government were, and are being, over ridden by the Department's commercial imperatives and their view of the world. Misinterpretation of technology and the word "access" which normally means entry into buildings and computers via passwords has embarrassed the Minister and opened the Department to a lack of attention to detail. The Department was, and is not, reading the politics and the players well at all. The words Department of Human Services, or for that matter "public servant", do not appear in the Australian Constitution. The smart card framework, created by Special Minister of State, Gary Nairn, has taken a back seat as delays and politics intrude.
A more astute, seasoned and experienced, Secretary in the form of Helen Williams, was moved from the Department of Communications Information Technology and the Arts, a loss to Senator (Minister) Ms Helen Coonan. As the debate became more heated the government decided to reframe the legislation and put it out to public view in the June session of parliament. The adversarial forces have struck in the heightened atmosphere of an election campaign. The decision about the card has been deferred into 2008. Labor's Tanya Plibersek told the Australian Broadcasting Corporation (ABC Radio) at the 2007 Smart Card Summit, in Sydney (Wednesday June 6, 2007) that a Labor government would tear up the card. In July 2007 the smart card is dead. It will not work in the wider world envisioned by Joe Hockey who created the vision. It was a simple concept made horrendously complex by bureaucrats and information technologists who build monolithic systems as edifices to their expertise. The Minister has the regulatory power to upgrade the Medicare card, to chip, if he chooses to exercise this power. It is likely he would be supported by the parliament and the detractors if - there was no picture on the card and all data needed to support issuance and personalisation was purged from the Department's computers after the file has been sent to the card issuance bureaus. The data that creates the personalised card is not needed to make Medicare function and to reduce or eliminate fraud. In 2008 a smart card will replace the current magnetic stripe Medicare card but it will have no picture on it. It will have a signature on the chip and some minimal detail. Any other detail will be loaded at the discretion and request of the card owner, the citizen.
Queensland is grappling with smart card technology and the methodologies adopted by governments and their agencies such as Treasury and others seem to work against achieving the objective at the first cut. Millions of dollars of public funds are pouring into the coffers of advisers and lawyers, consultants and the big end of town. The governments, through the bureaucracies, are seeking to pass liability onto the corporate solution providers of the cards. This is euphemistically called a form of "public private partnership". Where partnership is definitely one sided. All government tenders now include confidentiality provisions - designed to limit scrutiny by the parliaments, the public and anyone else. Enter the Machiavellian, and Orwellian, world of conspiracy theories and processes below in this site. Welcome to the world of Kevin R Beck.
EMV Migration and the Smart Card
The Australian identity, passport, driver licences, financial and other plastic card and e-document personalisation market scene, including gift cards, smart cards and other bits of marketable plastic is about to undergo a major C-change. The move by Australian banks to EMV compliance and the entrance of new players to the Australian card and e-document systems integration market, generated by the Australian government initiative known as the Access Card, of a scale, not previously in play, in the Australian economy and society, will alter the dynamics of the system. The domination of major multinational computer companies is being challenged by new consortiums. The proposal for an Australian Government smart card has generated a mix of hysteria, misinformation, conspiracy theories and myopia. This can be viewed in the submissions to the Office of the Access Card and to the Senate enquiry.
There is a lot of concern about the government smart card (which is EMV based) but no concern from consumers about the costs that will flow to them from the changes to credit card liability in Australia and the transfer of costs to establish EMV.
"In the UK alone, introducing EMV, the payments associations backed specification for smart credit and debit, will cost over £1bn. Most of that will be financed by the banks. Yet the rationale for EMV, that it will slash fraud losses, no longer seems enough. How can organizations use EMV to earn revenue from new services and cut bad debt at the same time? (Winter 2003)." (Source: ACI Worldwide Trends).
For some their only contribution to the nation is hot air and words rather than actions that add to the nation's economic and social well being. They rely upon perceptions rather than fact and their notions, and beliefs and fears, personal agendas, and ideologies, rather than undertaking an examination and doing the research.
Academics trot out desktop theoretical papers, based on "literature searches and examination", some carefully defined research interest and the need to be seen to be published and relevant. To be contrary is to attract media attention. Some tend to be motivated by prurient interests and are not necessarily aimed at the public interest and positive enhancements, but more so designed to bolster their resumes implying an active contribution to national debates in their particular area of academic discipline. These critics, including many in the minor political parties, do not create jobs, do not run businesses, do not add to the nation's development economically or socially. They harp on the fringes with rudimentary awareness and a lack of experience and knowledge. Such is the nature of representation in our democracy. These self appointed guardians of the ordinary citizen's privacy, moral and spiritual lives, have cost Australia billions over the years. They would prefer that we as taxpayers continue to fund the fraud of Medicare and assist counterfeiters. They are happy to have fraud greater than $A3,000,000,000 per annum rampant if it means that they can claim victory against the Orwellian conspiracy of our government. The most interesting contribution comes from the Democrats and Greens party members who sit in parliament and enjoy all of its benefits whilst accusing their co-parliamentary members of plotting all sorts of crimes against the people. These people should stand in front of a mirror in parliament house and ask "Mirror Mirror on the Wall, am I also a willing participant here in this place?"
The foundations of the traditional influencers of policy and outcome are moving. New themes and players are emerging. The landscape and aspect of society and economy will change. I am not simply talking about government and citizen interaction. I am talking about banking, supermarkets, public service and every aspect of the way we currently do business, the cards we carry, passports, employee identity cards and every major economic interaction at every level, with a synergetic value, well above the $100 billion the government is focused on.
A number of the traditional industry players, particularly the bureaus, will progressively lose ground and be culled. One or more may be forced out of the market space as international juggernauts begin to carve up the market with new technology offerings across governments, business and community sectors. The deliverers of this high profile government driven initiative will shape the market for the next decade. The source of supply to end user customer will move from the existing group to enterprises not traditionally in the field offering large scale integration services direct to Australian governments, corporations and even end users. The driver of this C-change is the federal government, under the stewardship of then (2006) Minister for Human Services, Joe Hockey. Mr. Hockey is destined for better things and will move on before the Access Card is implemented. This is a pity because his knowledge of the implications, and the technology, is very extensive. Though he may be prone to extending the concept of a services card into non-traditional arenas, spooking the horses.
Eventually state governments will be forced by the financial sector impacts into changing every type of card and e-document, embracing some smart card technologies. Though the states, particularly South Australia, Western Australia and Tasmania, are dragging the chain on innovation and take-up, national security issues will override their lax attitudes and failure to anticipate the impacts in their jurisdictions. In fact the states seem oblivious to the whole scenario and sit watching the federal government as if it is the sole catalyst. There is no expectation for change from now till maybe 2013?
The states in Australia have not been the drivers of innovation. The interplay, and jockeying, between federal government agencies will increase as large buckets of money and entrenchment of power base drive their agendas. The problem for the government bureaucracies, state, federal and territory, is that many within do not recognise that the market may, and will be driven, by non - government strategists and action oriented types. That is commercial interests and their hired guns will shape the future. Alliances and joint ventures will play a big role in reshaping and expanding the Australian scene.
Security will impact the shape of Australia's market and future growth and direction in a big way. The states will be dragged into the trajectory as they are required to move towards a common high definition standard of identification and access. Queensland is trying to enter the game with its Expression of Interest for a smart card driver licence. The EOI does not reflect well on the knowledge, and awareness, of the tender specification writers, regarding world market in this arena. The "Smart State" as Queensland likes to be known can inadvertently tarnish its image when it goes into print. The traditional resistance of partisan interest groups, both commercial, and public, to identity cards and smart chip technologies, government and other data gatherers, will be eroded.
Here in this site you can acquaint yourself with the technology, the status of the government project and a myriad of other issues including which companies are advising, planning and leading the implementation, the privacy and security debate and more. There are a number of social factors that have a significant effect on how major projects, and changes, are approached in Australia.
A DRAMA OF SHAKESPEAREAN PROPORTIONS
Naivety, misinformation, lack of education and awareness, hubris and sometimes plain stupidity can derail worthwhile exercises in public policy and action
The Minister for Human Services told the Australian Press Club that the proposed Australian Access Card would, due to its chip - key technology design - be more secure than the Australian passport. The Minister is very well informed on his topic and is knowledgeable about technologies around smart cards but his advisers have misled him. The Australian passport is more secure due to its total design. A chip on a smart card can be attacked. The reliance on the security of the public key is ill informed. Smart card security is a mix of technologies and techniques from the base card stock, through the personalisation process, image, laminates, overlays, holograms, microprint, indent print and many other features. If the Australian government issues a simple plainly designed and personalised card relying on the chip and terminal (EFTPOS) technologies and the "always on and available" proposition, then fraudsters and hackers will quickly debilitate it and destroy its security and its value. The bureaucracy may well be singularly focused on its own interests in reducing fraud on welfare and payments to the detriment of the broader public interest of how fraudsters may use the card to create fake identities and garner other documents.
The government shies away from a focus on registration and enrollment. The Consumer Privacy Taskforce has reported concern with the possibility of document scans taking place at point of application by the citizen as they are registered. There has been debate about photo capture and signature. Australians are not well versed in lateral thinking and tend to be immature in their grasp of the realities of the modern age. They are inconsistent. They will spill all of their information to borrow money or to register for free stuff on the internet but balk at participating in valuable and justified government initiatives. Documents should be scanned in for later verification against databases around the nation to prove the identity of the person seeking to access the $A1,000,000,000,000 pool of funds given to citizens annually in the form of welfare and support payments. The Orwellian conspiracy theories are immature and show the lack of complex thought, understanding and ability to distil facts from fiction, by many commentators and activists.
Many worthwhile initiatives are abandoned by Australia's governments (brown water recycling is an example) simply because the maturity of the public, commentators, corporation executives and interest groups is stunted. Much of this comes from a lack of ability, experience, knowledge and the ability to look over the horizon and see a bigger picture. In the case of the government, and corporate person, it is likely to be the affliction of myopia.
In the case of the Access Card there are privacy activists more interested in pursuing and maintaining their own platforms, influence and objectives. The project is a billion dollar one and it attracts every aspirant business, some capable of implementing all of the enrollment and issuance of the cards, interfacing to the government computers and privacy data bases. Many if not most of the Australian companies and bureaus are not. Of significant annoyance is the arrogance and ignorance of many Australian corporate executives by comparison to their well mannered and polite US counterparts. To test this I wrote to all major Australian interests and their US parent enterprises. Every US parent senior executive at CEO and Managing Director level responded; by comparison, the Australian senior executives did not. This is not limited to the world of smart cards. It is typical of Australian resource and energy companies, banks, retail and major enterprises.
They are less likely than Americans to treat people with respect, and mutuality, and seem to have an inflated opinion of their position and abilities. If the Australian enterprise executive does respond it is normally via a delegation to a mid level manager. This inculcates the middle ranks with an overblown view of the importance of their bosses. One can observe this when dealing with public servants who hold the Secretary of the Department in muted reverence, as a living deity. Looking across differing spectrums there is clear evidence that many of the people who see themselves as having a part to play in influencing decisions, policies, actions and outcomes have a narrow perspective of who might have a role or effect, and how and why, in their particular arena of activity. It is quite apparent that Australian executives and advisers do not spend enough time researching and investigating.
The effects of lack of awareness, knowledge, ability to conceive the broader picture, underestimating and pushing self interest to the detriment of any other consideration has the effect of adding costs, time and unnecessary problems segmenting the nation and making it difficult to undertake any nation building projects particularly if they impact sectional interests. The financial institutions, particularly the banks, are recalcitrant and obstructive. It is an hierarchical system that is inefficient and cumbersome weighing down the process and stymying action particularly at the political level. Politicians become reticent in the face of opposition from powerful interests.
Add all of this to the mix and a somewhat complex technical exercise becomes one of monumental struggle brimming with ego, mistrust and theatrics. Due to the limited, perhaps lateral conceptual, and over the horizon, capacities of significant interests the cost of the Access Card is well beyond $1.2 billion Australian when these hidden imposts of posturing, positioning, time, and waste, are added in. The arguments I encounter every day from those who question the worth of the initiative by Minister Hockey are often spurious, uninformed and based on narrow, short term selfish interests such as the cost business might have to incur. What of the cost of billions to the taxpayer through Medicare fraud, credit card and financial fraud, identity fraud and business inefficiency and greed? The banking network hardly offers Australians innovation, technical product and service excellence and security. Yet it has the effrontery to pontificate and I think misrepresent the true value of criminal activity resulting from their ineptitude, incompetency and myopia. Individualism (rampant self interest) is really quite debilitating on economy and society.
THE CREDIT, AND OTHER CARDS, YOU CARRY, IN AUSTRALIA TODAY (March 2007) ISSUED BY BANKS, INCLUDING SMART CHIP CARDS AND OTHER ENTERPRISES IN AUSTRALIA, WITH THE HUMBLE MAGNETIC STRIPE ARE NOT SECURE FROM TAMPERING AND FRAUD BECAUSE THEY ARE NOT THE BEST CARD TECHNOLOGY AVAILABLE. GIFT CARDS IN AUSTRALIA ASSIST MONEY LAUNDERERS
THE FULL RISK AND EXTENT, AND THE COST, OF FRAUD IN AUSTRALIA IS BEING WITHHELD FROM THE PUBLIC. THE INFRASTRUCTURE TO READ SMART CHIPS DOES NOT EXIST NATIONALLY AT THIS TIME.
SOME FINANCIAL SERVICES CARD PROVIDERS HAVE ACCESS TO THE TECHNOLOGY TO GIVE YOU A SECURE CARD HOWEVER AUSTRALIA'S BANKS ARE BEHIND IN THEIR TECHNOLOGY AND INNOVATION AND YOU CANNOT ACCESS SUCH SECURITY FEATURES. THE COST IN THE UNITED KINGDOM FOR UPGRADED TECHNOLOGIES IS IN THE BILLIONS. PEOPLE CARRYING OLD TECHNOLOGY CARDS WILL BEAR THE COST IF THEIR CARD IS SKIMMED. YOU SHOULD DEMAND THAT YOUR FINANCIAL SERVICES PROVIDER PROTECTS YOUR PRIVACY AND GIVES YOU THE LATEST TECHNOLOGY TO PROTECT YOUR FUNDS.
THE ARGUMENTS, THE FACTS
The KEVINRBECK Mosaic Portal continues its provision of comprehensive research and information on significant Australian public issues. The owner, Kevin R Beck, invites a mature, comprehensive and exhaustive debate on this very important Australian government proposal and on the impact of the emerging smart card technologies across the whole of economy and society. In the coming two years the changes to the Australian financial transaction sector will be extensive as governments, banks and institutions and other service providers reissue all of our cards, licenses and documentation to authenticated identity types with an extensive range of features and added security.
Why Australians should consider a better technology and demand that their governments, banks and other card providers (such as Qantas Frequent Flyer, Australian retail groups David Jones, Myer and other branded credit and loyalty card purveyors), implement anti-fraud and secure personalised cards. Why people should carry authenticated identification on a smart card to save the public purse billions of dollars whilst seeking to counter fraud. Demand real (not lip service) security and privacy of your personal information.
For some time now a series of behind the scenes meetings, negotiations and strategies have been taking place. Some of these are conducted by government and others by corporations. The media have been asleep at the word processor. The development of a "smart card" nation is underway. There are many seeking to have "skin in the game". A handful have, and they are driving the agenda and direction. They are not necessarily the ones the media are telling you about. The major driver is Minister Joe Hockey. He may well go down in political history as the politician who made the greatest impact on government since Paul Keating floated the dollar. A new Deputy Secretary role is being created within the federal agency of Human Services along with a number of other strategic roles.
The Australian banks, ever the innovation-avoiding dinosaurs of the corporate world, have been exposed as having their minds in neutral. Up until May 2006 they seemed oblivious to the things that go on beyond their horizon. They were however engaging in their own little exercise of authenticated identification platforms. A 100 day exercise, euphemistically called the "trust". The difference being that in their world, as distinct from government, people can, and do, have multiple identities. Some two years after these initiatives were launched by government and some selective corporations, the Australian banks (June 2006) have finally had a dawning of awareness.
The Australian government, through the efforts of Minister for Human Services, Joe Hockey, is driving a change so pervasive that no person or commercial entity in Australia will go untouched by it.
One hundred billion dollars ($100 billion) in transactions has been the catalyst to galvanise the banks' attention. This represents a gold mine in fees and they have to be there to win a slice. In addition they may be able to piggy back onto the government's card, create their own and charge their customers even more for their questionable services, which seem to lag behind the rest of the developed world by years. Pity that the more altruistic outcomes of saving Australian tax payers billions by reducing fraud and inefficiency are not as effective drivers. Greed, as the banks' collective credo, is far more potent to their imagination and hip pocket nerve. On 21 June 2006 a major international enterprise notified journalists, and thousands of small, medium and large businesses, that the world's most advanced smart card personalisation production equipment and software would go on display in Canberra and Sydney. In Canberra not one bank, law firm, medical practitioner, professional association or private enterprise bothered to take up the offer to view this display or talk about its impact on their lives with the people who would be catalysts in impacting their world of business and enterprise. In Sydney a representative of one of the major banks came along. There were hundreds of government and private enterprise observers who attended, but again no cross sectional representatives from the greater part of the commercial world. There were no media, large retailers, small business and those who are most directly affected in attendance. They simply appear not to get it.
It seems that others in Australian society are also not so bright overall as to realise what is over the horizon. Every terminal, every card, every automated teller machine and every EFTPOS machine and thus every business will be impacted. These businesses will be impacted, and their world and future will be shaped, by a handful of people who they never bothered to come and meet, though they have been invited.
The privacy conspiracy theorists and certain members of the Australian Labor Party, Democrats and Greens as well as the usual sectors of an uneducated, and often unthinking, public are quite willing to retain the billions in fraud, and inefficiency, rather than learn and jettison their whacky arguments and fears. It seems that the spectre of connected government computers threatens their finely balanced psyche. Meanwhile supermarket giants, banks, market researchers as well as other commercial enterprises grab all and any private information without raising so much as a squeak from the same mob. Perhaps someone might enquire about the Australian Labor Party's antics of regularly invading the privacy of citizens for political purposes. Those worried about these things might enquire who is assembling and selling lists? Who feeds the call centres that ring incessantly?
Most recently (May 2006) a significant number of discussions have been taking place between a multinational venture and some state governments regarding the creation of a national centre of excellence in smart card and other technologies. The most prominent in those discussions being Queensland's drive to be the leading smart state. South Australia, Tasmania and Western Australia along with the Australian Capital and Northern Territories seem resigned to playing the role of lesser smart types. They have no plans for anything smart let alone cards. In particular South Australia is mired in protocol. The email inviting participation could not be passed to the Premier. It had to be formally written in a mailed hard copy letter. Thus a multimillion dollar opportunity with a potential hundred or more jobs has passed them by. One must keep up appearances and the system of bureaucratic niceties must not be threatened by the technology monster and crass emails. New South Wales, hearing of these chats, has come late to the bargaining table. Victoria has been there from inception of talks but seems unable to quite grasp innovation in thinking and policy when compared to Queensland. The Victorian bureaucrats tend to sit in their office tower and wait for someone to call. Queensland by comparison have "executives that travel" seeking to close the deal. So why would a centre of excellence be of interest? All plastic cards are the same are they not?
"Magnetic stripe technology remains in wide use in the United States. However, the data on the stripe can easily be read, written, deleted or changed with off-the-shelf equipment. Therefore, the stripe is really not the best place to store sensitive information. To protect the consumer, businesses in the U.S. have invested in extensive online mainframe-based computer networks for verification and processing. These have proven to be as ineffective against criminal activity and yet the vested interests persist. In Europe, such an infrastructure did not develop -- instead, the card carries the intelligence". (How Stuff Works)
Perhaps we are simply complacent, some of us are uneducated or passive about the dangers and we have been lulled into a sense of security. Not every incident is reported. If we knew, for example, that 40,000,000 credit cards had been compromised would we suspect that might happen here? Could it be that some would not want us to know that the processing of our data occurs outside of Australia? Would we, should we, demand better security personalised products from our banks and financial institutions now? Which do we prefer? A false sense of privacy reinforced by making our governments drop their plans because we are suspicious, or do we want to have lower taxes, less theft and protect our own money? The privacy fanatics are keen to protect individual privacy and assume conspiracies but at what individual, and collective, cost? They never ever mention that aspect nor do they do their sums, just as governments do not like to do evaluation impact analysis before and after the event. Vested interests prefer simple and ethereal ideological arguments. Thousands of people are turned away from Centrelink for not having the correct identification. They have to go without whilst the inane of the Australian Labor Party, and other critics, snipe in their well off world.
"The Australian Federal Police Commissioner Mick Keelty says Australia's current credit card security measures have "outlived their day".
He's also criticised the banks' 100-point check system for identification, on the grounds that many of the documents needed for the test are easily forged. (Source ABC Australia Radio, PM Programme - see hyperlink above) Australia's top police officer made the comments at an international credit card summit in Sydney."
There are new cards being offered every day under the same old technology. The providers, the banks, credit unions and retail stores, and others involved in promoting credit cards, might be (let's trust that it is by omission and not deliberate intent) misrepresenting the security of your credit, and debit, card and your information on it. They are relying principally upon you keeping the PIN away from the card number. Similarly the cards you are given by retailers and frequent flyer programmes and other programmes are not secure. Soon the banks and other providers of services and goods, where you use your credit cards, and thus consumers, will lose their liability cover and be forced to implement secure protection. The reason is that there is a plethora of agencies that process the transactions. Your bank is not the most likely company processing transactions to your account. It is just the end recipient of the process. If liability shifts to them the fees they charge you will dramatically rise.
They will blame everyone else for this, and probably try to pass some claim onto the Australian government and the smart card initiative indicating that the onerous provisions of dealing with welfare recipients demands a fee rise on the least able to pay. The banks are going to be forced to move quickly towards authenticated identification by force of the credit card companies, the criminals and the forces of the free market. So why assume that the government's smart card project is, by its design, some form of national identity card? The banks can buy a consumer demographic list (example A-B demographic) that provides far more personal information about you than that which the government may hold. You will have to have an authenticated identification to interact with your financial institutions and other service providers well before the new Medicare, Centrelink, study, family services and other government agencies' ("access") card is implemented. The Australian government alone is not the driver; it just happens to be the most public, and proactive, in the arena.
In Australia magnetic stripe is the primary data storage on our credit, loyalty and other cards. It is a very crude form of authentication. It is high risk.
"The scam works by criminals implanting devices into chip and pin machines which can copy a bank card's magnetic strip and record a person's pin number. The device cannot copy the chip, which means any fake card can only be used in machines where chip and pin is not implemented - often abroad". Source article: Bruce Schneier So why would anyone oppose the introduction of a smart card on the pretext of some conspiracy myth of privacy and security breaches? Technology cannot yet breach a chip easily and at low cost like it can a magnetic stripe.
Below is a description, and explanation, of the state of the art. However the practice in this country is more rhetoric and spin, on the part of banks (regarding security), a process largely ignored by governments and politicians, until now. The Australian government (May 2006) decided to move all citizen interaction with federal agencies into the realm of smart cards. The Australian Labor Party has been caught, yet again, without a credible spokesperson, and policy, and, as has become the norm, fails to give an erudite argument for or against, instead seeking a political advantage rather than a national interest position. The claim by the Honourable Kelvin Thomson, Labor member, that the government's budget of $AUD1.1 billion is fictional is a throwaway and feeble response to a critical issue. The budget is more than enough to produce the 15,500,000 cards necessary to address the fundamental issues of fraud, security and efficiency with savings in the multiples of billions. The Australian Labor Party opposition in the parliament would do better to consider how it might constructively deliver better services to the people of the nation via its membership of Australia's federal parliament. This matter is, as you will learn below, far more critical than the trite gladiatorial games the party hacks may play in the closeted world of political interest as distinct from public interest. The federal Labor Party, through its ignorance, is helping to maintain the world where your personal funds, identity, taxes and long term security are at risk.
In the emerging debate it is unlikely that the national interest will be the priority as stakeholders, and interest groups, jockey for their position and perceptions. The uninformed, and mischievous, will focus on the "identity" aspect of the technology rather than its extraordinary beneficial applications. The criminally inclined will want to keep the simple medicare card that allows them, and their complicit cheats, to defraud the taxpayer through pharmaceutical and medical rip off schemes. This is a billion dollar crime spree we do not need and costs us millions to hunt down and prosecute.
The Technology, Utilisation, Benefits, Pitfalls and Justification Explained
Authentication establishes trust by proving the identification of a participant in any communication, or in the case of conducting electronic business, in any transaction within the scope of the environment. Authentication solutions are designed to ensure that a person is who he/she claims to be and further that they are legally able to be a participant in the transaction process of a designated type. Transactions can be multiple in nature. The most common authentication used in public and private enterprise is the delegation process for approvals, access control into buildings and into computer systems. A limited number of individual enterprises have carried out pilot work and systems design for using smart cards to create large-scale authenticated access. These are predominantly in the finance sector. These trials in Australia are limited in scope to a small number of entities and are not a sign of the Australian financial sector's desire to take security seriously. These systems define the relationships between authenticated users and information, through the control of access to applications and services through a distributed network application focusing on authorisation level and who did what, where and when with auditing trails. The most common authentication systems in use in the community are in the banking and financial transactions sectors. The common belief is that the EFTPOS - PIN system is safe and yet it is one of the most at risk systems in use in Australia today. It has singular authentication. It identifies the card holder but the card user cannot tell if the system they think they are dealing with on the EFTPOS trader connection, at the ATM or on the Internet, is actually the one they think it is.
Justifying multiple uses for authentication solutions
It may not have dawned on some in enterprise, such as the recruitment and personnel agencies, but their temporary staff and contractors will have to have authenticated identification to enter federal government agencies. Similarly it will permeate into states and territories and sensitive private enterprise. Who will pay for that?
There are primary uses for authentication solutions within any industry or government sector. These are:
Information systems technology - logical access, that is log on and use the computer system. The Australian government's "access" card is somewhat of a misnomer, by industry terminology. The term "access" means to access government services, over the counter or via electronic or other means. Logical access is to do with physically using a computer or some form of technology such as the ATM. Our magnetic stripe credit or debit card is read by the ATM machine and a stream of data communicates to the host financial provider's system which then communicates to the financial network linked systems. This card is neither state of the art technology nor secure.
Internally, an enterprise must ensure that there exist effective mechanisms for controlling access to networks, systems and applications from the perspective of their obligations under legislation, business efficiency and security. In the latter regard their internal systems with firewalls and other software and hardware may fit the definition of security but the focus is on their systems security and not that of the user. They would move swiftly to support the government's proposal for integrated smart card technologies if consumer security was a priority.
These logical access solutions necessarily cover both on-site and off-site requirements such as ATM and banking networks within Post Offices and other agencies, in shops (EFTPOS) and commercial enterprises and in customer enterprises. They also involve controlling employee (permanent, part time, temporary and contractors and other allowed persons) access to premises, and assets, which are fixed and mobile. They may be interactive with external users.
Facilities, infrastructure - physical access
Authentication mechanisms of a somewhat cumbersome and crude variety, by comparison to smart cards, are currently used as a means of restricting or granting access to buildings and facilities. These usually involve a single dimensional picture, name and proximity or magnetic stripe encoded object, which is ungainly and easily duplicated. They are far from tamper proof. Such security apparatus will not comply with the Australian government's desire for greater security in their premises and similarly sensitive corporations such as ports, utilities, airports, banks, transport and so on must look to new devices.
Proactive private enterprises, governments and agencies, would be looking towards convergence of their logical and physical access. The singular problem, as with other major public issues such as the nuclear debate, is that the greater number are not proactive. They actually create barriers. In politics it appears that it is the Labor Party horse that has to be literally carried to the water. Their contribution to making Australia secure has yet to surface. The Australian government is looking for a system of convergence (employees) and for selected levels of access (clients and public). It is expected that States and Territories in Australia are similarly planning and will follow suit. However the owner of this web site, Kevin R Beck, conducted an extensive mail out to senior ministers of states and territory governments. The replies indicated that it was only the Australian government that was actually being proactive with many states being well behind in comprehension and planning. A representative of the Western Australian government dismissed any further interaction stating, in writing, that the government had no plans to introduce authenticated identification cards. The Northern Territory and Australian Capital Territory governments did not reply as is par for the course and the Tasmanian government sent a post card size letter saying the "Premier" has noted the content. Queensland, South Australia and Victoria have asked for written details and a meeting has already occurred with representatives of the Victorian government, Department of Innovation, under the portfolio management of Minister and Treasurer, John Brumby.
One of the barriers to progressing any major complex initiative in Australia is the lack of lateral thinkers, and the poor research and awareness, of many in the public service and in advisory roles, to ministers.
The private, and public, sectors have at their disposal numerous authentication solutions for logical access, such as passwords, tokens, USB tokens, smart cards, digital certificates and biometrics, which can all be used either independently or in combination. An examination of the effectiveness of the interaction of the technologies, methods and capacities (largely due to poor induction and training) of the humans who manage them (particularly the front desk contract security person) indicates that physical access security is not taken very seriously in Australia. It is both archaic and substandard.
When choosing an authentication solution individual enterprises tend to focus on their own scale and lowest possible cost (including of the personnel), rather than taking a broader perspective of total system (internal and external) security, implications and overall benefits to society. Companies with proprietary interests are selling their products creating a diversity of applications and products at the front and back end of the processes many of which are outdated, cheap and cannot be upgraded.
Smart cards as a secure and reliable means of electronic identification are the system of choice for modern enterprises. The smart card applications which most will be familiar with are the transit systems of Asia and the physical access solutions developed by large corporations such as Siemens, IBM and applications by chip manufacturer, Gemplus.
Cards capable of carrying individual stakeholder data and records
U Sim - 16kb - 64kb
U Sim - large memory MB-Giga
The microchip (contact or contactless) within the smart card can be used incrementally (upgradeable depending on RAM size of the chip processor) to store, protect and modify information, thereby offering flexibility for information, sharing and transfer, between parties who are allowed in a transaction. The employer, department or enterprise can choose the level of credentials security required for an employee or client including static and dynamic passwords, digital certificates and private keys, biometrics and pictures.
The justifiable benefits of smart cards
Of the various authentication mechanisms smart cards are the only technology that offers a cost-effective solution for both logical and physical access, across the whole spectrum of activity and service delivery. As well as these inherent security capabilities, smart cards can be used to host multiple applications, enabling consolidation of services on one card, which promotes cost savings and efficiency as well as new services. For example the telecommunications industry's multiple business activities, described below, lend themselves to Smart Card applications technology.
1. Fixed and mobile access services
2. Mobile music
3. Mobile commerce
4. Mobile tickets & room keys
5. Mobile email and internet
6. Mobile photo and video
7. Mobile television
8. Mobile gaming
9. Mobile GPS
Think of all of the stakeholders in your particular enterprise equation. Think of the primary application and who benefits? It is a somewhat trite dismissal of deep evaluation to refuse to consider the Australian government's proposal purely on the grounds of some perceived "big brother" syndrome or fear. There are very valid economic and social reasons for industry, community and interest groups, to work together on a suitable compromise solution. Like the uranium debate, the level of maturity of some in politics, industry, interest groups and community, leaves a lot to be desired. The Australian Banking Industry could be taking a motivating lead in the discussion, design and implementation but appears to be adding little if any value from a corporate citizen perspective. They have as yet not demonstrated that they are going to take a constructive or risk oriented stance, with a record of preferring positions of self interest. This does not reflect well. On the evidence of the management practices, customer services, products, facilities and technologies placed in the customer's hands, one might be led to conclude that bankers are not the most innovative thinkers, and actors, in Australia's industry landscape.
Below in this document are cost savings, and productivity improvements, through application of smart card technology to work flow and services, and the reduction, moving to ultimate elimination, of fraud.
Privacy Issues
There are three levels of smart card:
1 Static data authentication, the lowest level of protection with limited interactive capacity in terms of security because a fake or duplicate card is not detected by the reader terminal.
2 Dynamic Data Authentication, the next level, where the reader can detect a fake or duplicate card using data verification and random challenges, and
3 The highest, and most secure, level of card, the Combined Dynamic Data Authentication/Application Cryptogram Generation (CDA) which can detect communication probes, faked and duplicate cards.
This card can interrogate the host data system (i.e. the Australian government's Centrelink, Health Insurance Commission and other systems) before it is interrogated and can decide what information is imparted via its programmed technology. It can come with an onboard chip capable of storing data in megabytes and gigabytes.
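The difference between the three levels can be shown in a short model. This is an added example, not code from this page or from any card scheme: the toy textbook RSA keys, the placeholder card data and all function names are assumptions, and the third level is reduced to the card signing the terminal's challenge together with the transaction amount.

```python
import hashlib
import secrets

E = 65537  # public exponent used by both toy keys

def make_key(p, q):
    """Textbook RSA from two primes: returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed toy keys built from Mersenne primes: illustration only, no padding.
ISSUER_N, ISSUER_D = make_key(2**107 - 1, 2**127 - 1)
CARD_N, CARD_D = make_key(2**61 - 1, 2**89 - 1)
STATIC_DATA = b"PAN=0000000000000000;EXP=0000"  # constructed placeholder

def personalise():
    """Issuer side: readable card records plus the key sealed inside the chip."""
    records = {
        "static": STATIC_DATA,
        "sda_sig": sign(STATIC_DATA, ISSUER_N, ISSUER_D),
        "icc_n": CARD_N,
        "icc_cert": sign(STATIC_DATA + str(CARD_N).encode(), ISSUER_N, ISSUER_D),
    }
    return records, CARD_D

class GenuineChip:
    def __init__(self, records, private_d):
        self.records = records
        self._d = private_d  # never leaves the chip

    def sign_dynamic(self, payload):
        return sign(payload, self.records["icc_n"], self._d)

class CopiedCard:
    """Holds everything a reader can copy, plus one signature it once observed."""
    def __init__(self, records, observed_sig):
        self.records = dict(records)
        self._observed = observed_sig

    def sign_dynamic(self, payload):
        return self._observed  # no private key, so it can only replay

def cert_ok(records):
    signed = records["static"] + str(records["icc_n"]).encode()
    return verify(signed, records["icc_cert"], ISSUER_N)

def check_sda(card):
    """Level 1: the terminal only checks the issuer's signature on static data."""
    r = card.records
    return verify(r["static"], r["sda_sig"], ISSUER_N)

def check_dda(card):
    """Level 2: the card must sign a fresh random challenge with its own key."""
    challenge = secrets.token_bytes(8)
    return cert_ok(card.records) and verify(
        challenge, card.sign_dynamic(challenge), card.records["icc_n"])

def check_cda(card, amount, in_transit=lambda a: a):
    """Level 3 (simplified): the signature also covers the transaction data."""
    challenge = secrets.token_bytes(8)
    seen_by_card = in_transit(amount)  # models interference on the card-reader link
    sig = card.sign_dynamic(challenge + seen_by_card)
    return cert_ok(card.records) and verify(
        challenge + amount, sig, card.records["icc_n"])

def demo():
    records, key = personalise()
    genuine = GenuineChip(records, key)
    copy = CopiedCard(records, genuine.sign_dynamic(b"old challenge"))
    amount = b"AMT=000000005000"
    return {
        "sda_genuine": check_sda(genuine),
        "sda_copy": check_sda(copy),      # passes: level 1 cannot tell the copy apart
        "dda_genuine": check_dda(genuine),
        "dda_copy": check_dda(copy),      # fails: the replayed signature is stale
        "cda_genuine": check_cda(genuine, amount),
        "cda_altered": check_cda(genuine, amount, lambda a: b"AMT=000000000050"),
    }
```

The copied card passes the static check because every byte the terminal inspects was readable and therefore copyable; only a check that depends on a key that never leaves the chip separates the two cards.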
This 3rd card is what people, and interest groups, concerned with privacy and security should demand from their governments (state, territory and federal and their banks and other card providers). It is the one that puts control in their hands. If governments, and companies, really want to ensure that Australian society is secure, as free from fraud and identity theft, and as efficient as technologically possible, then they should issue an appropriate card to the user with the maximum chip size necessary to do the task. On that chip reside the user's data, history and personal details. The card user can download the data from their smart card, and regularly put a backup copy onto their own computer if they want through an interface which could be bought from an electronics/computer store or smart card equipment provider such as Datacard South Pacific.
The card owner can choose to store their backup copy of the chip contents on a secure provider system of their choice that they trust, spreading where Australians store their personal details and card content for backup purposes. On the government systems, the retailers, the agencies, the banks and any other large computer systems, would reside only enough data to verify that the card holder is eligible for the transaction, the name and a secret key (ICC) and the software programmes necessary to communicate, make, and record, payments and services. The card chip can be encrypted requiring that the user be on line with their smart card giving a response to the system before someone in an enterprise, or a hacker, or rogue computer system, can open any personal files or access any data. Audit trails can be stored on the personal smart card as well as the computer to which it is communicating. This acts as a disincentive for anyone to try and gain unauthorised access. The card should have a magnetic stripe with substrate particle fingerprints (not an actual fingerprint of the user but a unique alignment of metal fragment patterns) and embedded noise both of which cannot be replicated.
The smart card is far less vulnerable to attack, compromise and fraud than the existing PC and network systems and financial transaction cards in use such as the one-dimensional magnetic stripe credit card which relies on using a PIN. "Skimming" is the buzz word that denotes these cards as being highly insecure and vulnerable. Once the number and the PIN are known a card can be produced quickly.
Add to this the practice of gathering personal data from garbage bins and tips and the spectrum of insecurity broadens making fraud opportunity, and actuality, measurable in billions of dollars. The smart card, as a secure data holder, is mobile in the hands of the accredited party whereas the current magnetic stripe is very machine dependent and gives up its data relatively easily without a fight. There is a new magnetic stripe technology available that is more resistant. It creates a "metallic" fingerprint in the substrate and encodes a noise signal on the card. These are very hard, if not impossible to record and duplicate.
Smart cards are encrypted and they turn off if they are fondled, and interrogated, too much by unfamiliar inquisitors. The functionality of smart cards in providing strong two-factor authentication sets smart cards apart. A smart card will interrogate the system at the other end before it is interrogated itself by that system. The card owner can be assured that they are dealing with who, or what, they think they are at the other end or the smart card will decline to be involved in the relationship. The combination of something a user has (the smart card) and knows (a PIN or password), coupled potentially with the user's physical make-up (e.g. a fingerprint, picture) as well as with an encrypted chip is common sense. The proposition that the current EFTPOS system using a magnetic stripe card and a PIN even with signature, in isolation of encryption and two factor identification, is secure, is ludicrous by comparison.
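The behaviour described above (the card challenging the system first, releasing data only to a verified holder, and shutting down after repeated failed attempts) can be sketched as follows. This is an added example, not code from this page or from any card vendor; the class names, the shared-secret HMAC scheme and the three-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

class HostSystem:
    """Back-end system holding the card's secret key (the "ICC" key in the text)."""
    def __init__(self, key):
        self._key = key

    def answer(self, card_challenge):
        return hmac.new(self._key, b"host|" + card_challenge, hashlib.sha256).digest()

class SmartCard:
    MAX_ATTEMPTS = 3  # assumed limit before the card shuts itself down

    def __init__(self, key, pin, record):
        self._key, self._pin, self._record = key, pin, record  # pin is bytes
        # Separate counters, so a valid host cannot be used to reset PIN guessing.
        self._left = {"host": self.MAX_ATTEMPTS, "pin": self.MAX_ATTEMPTS}
        self._challenge = None
        self._host_ok = False
        self._holder_ok = False

    @property
    def blocked(self):
        return 0 in self._left.values()

    def _count(self, kind, ok):
        """Reset that counter on success, burn one attempt on failure."""
        self._left[kind] = self.MAX_ATTEMPTS if ok else self._left[kind] - 1
        return ok

    def new_challenge(self):
        """Step 1: the card interrogates the host before giving anything up."""
        self._host_ok = self._holder_ok = False
        self._challenge = None if self.blocked else secrets.token_bytes(16)
        return self._challenge

    def authenticate_host(self, response):
        if self.blocked or self._challenge is None:
            return False
        expected = hmac.new(self._key, b"host|" + self._challenge, hashlib.sha256).digest()
        self._challenge = None  # each challenge is single use
        self._host_ok = self._count("host", hmac.compare_digest(expected, response))
        return self._host_ok

    def verify_pin(self, pin):
        if self.blocked or not self._host_ok:
            return False  # no PIN check for an unverified host
        self._holder_ok = self._count("pin", hmac.compare_digest(self._pin, pin))
        return self._holder_ok

    def read_record(self):
        if self.blocked or not (self._host_ok and self._holder_ok):
            raise PermissionError("card declines to release data")
        return self._record

def session(card, host, pin):
    """Run one transaction; return the record, or None if the card declines."""
    challenge = card.new_challenge()
    if challenge is None or not card.authenticate_host(host.answer(challenge)):
        return None
    if not card.verify_pin(pin):
        return None
    return card.read_record()

def demo():
    key = secrets.token_bytes(32)  # constructed key, shared at personalisation
    card = SmartCard(key, b"4821", b"constructed holder record")
    genuine, rogue = HostSystem(key), HostSystem(secrets.token_bytes(32))
    results = [session(card, genuine, b"4821")]            # both sides verified
    results += [session(card, rogue, b"4821") for _ in range(3)]  # card refuses, then locks
    results.append(session(card, genuine, b"4821"))        # blocked even for the real host
    return results, card.blocked
```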
Regulatory compliance factors.
Many private sector enterprises, such as those operating in the financial, prudential and telecommunications sectors, are subject to regulatory regimes. Smart cards can incorporate one or all of these requirements and imperatives.
Conformance to delegations and authorities
Licenses to operate and conditions under which transactions may occur
Contract and other regulated payments systems
Approvals and benefits (class of client/customer and eligibility)
payments, automatic auditing and fraud elimination
Integrity of the system and data security
privacy and consistency of user data and records
The Australian government Human Services portfolio incorporates a range of services and policy agencies. There are seventeen agencies and these include (among others) Centrelink (welfare and employment support in concert with the Department of Employment and Workplace Relations), Veteran Affairs, Family Services, Child Services, Carers, Hearing, Medicare (with cooperative arrangements from within the Health portfolio including pharmaceutical benefits and programmes) as well as support services in disasters such as hurricane Larry (10,000 homes destroyed, farms wiped out and 23,000 insurance claims), flood and fire, and other welfare such as food vouchers for purchases in supermarkets.
There are 20,000,000 people enrolled in Medicare, and there are 8,500,000 Centrelink accounts. These are serviced by 850 outlets, 40 call centres and 38,000 staff. Centrelink will advise banks that an individual has access to an amount of funds. They use their ATM card to get to these. This is a paper system. There are 580 forms in Centrelink. The system overall holds 60,000,000 scanned and verified documents. The departments handle about 60,000 address changes per day, with 250,000 individual client services, 180,000 telephone contacts and 400,000 pieces of correspondence. There are 600,000 clients who have to return for services because they have incomplete identification documentation which is currently four identifying documents. These can be a driver's license, passport or student card (with photo) none of which are really authenticated identifications since they are obtained by providing paper records such as birth certificates. The balance of two items can be utility bills, rental leases, a library card or such. It takes 3 - 4 minutes to process these four documents. Every year the government agency replaces 500,000 Medicare cards. The Medicare card, with no photo or other real identifying security, is used to transact business with doctors, pharmacies, hospitals and other agencies. These transactions range from values around $20.00 to $00,000 or more per individual. People give their cards to relatives and friends particularly when they have reached the annual expenditure threshold, of a few hundred dollars, after which the Australian taxpayer picks up the bill. The opportunity for fraud and actual fraud approaches $3 billion per year.
Add to this the fraud in the financial sector and it can be seen that Australian governments (particularly those of the past who have had access to this technology), including state and territory (current governments) and all commercial enterprises (banking, retail, services, transport) operate a pretty sloppy, and cheap system, with attendant security risks. This information, and high risk along with the actual value of annual fraud, in governments and enterprise (public and private) has been kept from the public. It can be seen why critics such as the Australian Labor Party, the privacy groups and commercial enterprises, who present shallow and simplistic arguments, should be dismissed. Technology exists to enroll, photograph, identify and verify a person's eligibility to receive government benefits. It is tried and tested. Capture equipment exists, to international standards, such as FIPS 201 and ICAO, to create highly secure data, card and e-document environments which will enhance privacy well above the standards in Australia today. Australian privacy is really not protected with the devices and technology we are using and the state, federal and territory governments' policies, processes and systems. Tasmania, Western Australia and South Australia have no plans to introduce smart cards but are watching the federal government's Access Card project closely. The Australian Capital Territory and New South Wales are silent on the matter. Perhaps they have no imagination for applications - birth and marriage registration, land titles and other agency documentation could be converted to the smart card in the person's wallet. However such customer, and citizen service, oriented technology applications might deplete government coffers.
Queensland has an expression of interest (EOI) out (August 2006) for a "smart card" driver's licence. This EOI has a process, and a timeframe, for technology assessment, two pilots and planning stretching from October 2006 to November 2009. Queensland has had a driver's licence test centre for smart cards for many years. What have they learnt from that? Reading the EOI, apparently very little. The documentation implies a clean slate in terms of awareness and knowledge. The EOI reads as if Queensland is about to assess something mystical and complex. Smart cards are used in 120 countries, not including Australia. The EOI refers to Queensland as the smart state? The Smart State seems unaware that implementing a driver's licence is actually a piece of cake. A smart card driver's licence can be implemented in Queensland and integrated to the Queensland Department of Transport in house "Trails" computer system in under a twelve month time frame. Probably nine months at most. This EOI is an example of the poor take up of technology and a demonstrable lack of awareness in government (by legislators) and the bureaucracy of technology and application. Alternatively the Queensland government may be waiting to piggy back onto the Australian government Access Card in 2009? This would save the Queensland government millions. Surely the government would not be misleading and wasting bidders' time and resources in such a cynical manner? However the Australian government, Minister Joe Hockey, would be well advised not to complicate life by populating the federal government access card chip with other applications at such an early stage. The question is why does Australia not have a common driver's licence? The answer is - political and bureaucratic self interest and revenue. Australian governments, and bureaucracies, demand compliance to standards in their tenders but do not apply common platform standards to public policy and systems.
The Australian driver is being fleeced (money wise) on their licence card production, and issue, charges. New South Wales has one of the easiest licences to copy in Australia. How does this sit with the national security policy agenda?
Development of standards and compliancy issues in determining product choice
The smart card can go a long way to creating efficiency, eliminating fraud and risk. If implemented in government and the financial sector it will have a payback exceeding $5,000,000 per annum by the year 2010.
Smart cards conform to international standards in terms of content, communication, integrity and security from attack and violation. Customisation of the card is the key to making it tamper evident. The card or document must have both covert, and overt, security features to enhance the authenticity. The internal operation of a smart card can be expanded, and upgraded, to take account of changes in government policy, laws, corporate policy, approvals and authenticated transactions as well as new technologies.
The smart card personalisation production equipment, chosen by enterprise, can be vendor independent to allow flexibility of pricing and competition whilst ensuring secure control and production at the foundation level. Datacard South Pacific a part of the worldwide Datacard Group, for example, is a vendor independent supplier of the platform technologies (production equipment, software and back room management systems) that support open systems card design (all types including smart cards), security, authenticated identity, and the differing natures of transactions, production and distribution. This company creates, and represents the world standard and the highest security available.
· High volume data preparation (up to 60,000 records per hour)
· Scalable applications adding high security mechanisms
· Any volume of card production
· Separation of data preparation from personalisation
· Migration to an enterprise environment
· Branch office production
· Emergency card replacement
· Scripting methodologies for flexibility of card manufacture interface and determined applications use
· Thales P3
· IBM 4758 HSM
· Global Platform Standards V1.1 - V1.3
· Visa VSDC 2.4.1/2.5.0 SDA/DDA and Mastercard M/Chip EMV standards
· ISO 14443 contactless
"EMV" is an acronym commonly used to mean the specifications issued by EMVCo, LLC covering the operation of smart card payment cards. Vendors refer to being "EMV Approved" when their products have been certified as having passed tests to ensure compliance with these specifications. Europay International, MasterCard International and Visa International formed EMVCo, LLC ("EMVCo") in February 1999 to manage, maintain and enhance the EMV Integrated Circuit Card Specifications for Payment Systems as technology advances and the implementation of chip card programs becomes more prevalent.
The objective of EMVCo is to ensure that single terminal and card approval processes are developed at a level that will allow cross payment system interoperability through compliance with the "EMV" specifications, Europay, Mastercard and Visa Integrated Chip Card Standards. The latest version of the specifications, EMV 2000 version 4.0, was published in December 2000. It is envisaged that the specifications will in the near future be supplemented with support for lower voltage cards and a definition of a contact-less interface to EMV chip cards. The EMV Specifications are built upon the existing ISO 7816 series of standards for Integrated Circuit Cards with Contacts.
The ISO 7816 standards were developed by an inter-industry group and thus contain options applicable to certain sectors only. (Source of EMV description: Access Keyboards Chip and Pin, United Kingdom)
Contactless smart cards
Currently all issued smart cards have a contact area on the front face of the card to interface to a payment terminal. Contactless SMART cards do not have a contact area, but have an embedded inductive loop aerial which allows them to work in proximity to a contactless card reader without physically making contact. Although not EMV compliant, these types of cards are already used by several toll systems and mass transit operators including the London Underground. EMVCo has worked with the ISO/IEC JTC1/SC17/WG8 committee to come to a clean solution for supporting Contactless Technology Cards and Terminals in the EMVCo specifications. An amendment to the EMVCo V4.0 book 1, detailing the technical changes for supporting Contactless Cards and Terminals, issued by the end of 2002. The standard is therefore still evolving and in the past hardware suppliers have been forced to discontinue products previously believed to be EMV approved. (Source of EMV description: Access Keyboards Chip and Pin, United Kingdom)
Determining the solution and the rate of return on investment.
Consider the complexity of the decisions, and the factors, you must address in evaluating card differentials and the technologies. Datacard South Pacific (www.datacard.com.au) can advise the appropriate technology to suit specific and diverse needs.
1. Planning and Design
4. Investment Optimisation
Enterprises, and government agencies, are able to determine indicative cost and productivity data if each element, described below, is considered, determined and tabulated. Banks might argue that smart card authentication systems require more sophisticated communication protocols increasing the physical operational costs of their own and other retail networks - ATM and EFTPOS machines - by millions of dollars. These costs are well and truly offset by:
Reduction in the costs of maintaining legacy technologies through human management and intervention - e.g. passwords
Passwords require internal system management and are prone to cyber attack and systems violations.
It is a very costly human activity within the government and commercial environments. Smart cards solve the problem of passwords and lessen the human component of password maintenance and application.
Enterprises can reduce overhead costs through the improvement in efficiency gained from combining physical, and logical, access and services payments (benefits) approvals streamlining the productivity internally and externally.
The investment can be measured against the financial criteria of compliance with budgets; costs and the return on the investment measured in pay back timeframes and cost reductions and increased productivity over time.
It is therefore important for board members and executive and line management to understand the potential financial returns that smart cards solutions will generate within their business and community operations. It is vital that citizens understand how smart card technology will improve and secure their livelihood and daily existence and allow them to access and receive the benefits of technology to its fullest capability.
Reducing the varying methodologies, and costs, of management and control and external interactions and systems
The current systems are diverse and there are inconsistencies of costs, controls and security across similar enterprises within sectors. There are (as at August 2006) only two card personalisation bureaus that have the technical capability, with their hardware and software, to personalise credit cards to high level security standards. This means that the bulk of the cards being churned out in Australia, and all cards being personalised in New Zealand are open to security breaches and fraud. The elements of management should be consistent, and controllable, across economies and at the operational levels to take advantage of economies of scale as well as conformance to national and international security considerations and agreements. This is particularly so in relation to international agreements on money laundering and anti-counterfeiting as well as movement of funds across borders. Money launderers buy gift cards to wash their cash and thus the retailers and the card personalisation enterprises that make these low security products are contributing to the ease at which laundering can be effected.
Smart cards can be acquired at an equivalent cost to USB tokens and digital signatures, and are cheaper than biometrical authentication solutions. They can be standardised and thus are cheaper than proprietary solutions provided that vendor independent foundation hardware and software providers are used.
Systems integration, the diversity and disparity of existing systems can be reduced and eliminated over time.
Contactless (cash less) payment systems e.g. canteens, social clubs, smart credits and debits, e-wallets and any need for payment internally or by direct credit to an external e-wallet in the hands of a customer.
Imagine how much easier the lives of people affected by Hurricane Larry, in Queensland, would have been if we all had smart cards. The ATMs, and banks, were out of action yet the community could have functioned. The supermarket trucks coming in could have had satellite capable terminals. The Australian government could have placed the $1,000 aid grant directly into the holder's record account at Centrelink, their bank, any system. The recipient could have got their vital needs, clothing, food etc. and simply swiped their card across the reader or scanned it by other means and paid for the goods. The holder does not need to have a bank account. The card can draw from the Australian government approved recipient account within Centrelink. So it goes for Medicare and for any government service.
Security - fraud detection, and elimination, remains the greatest justification for smart cards. There is fraud everyday across Australia in our government agencies and thousands of investigators are working to reduce it, eliminate it and get the money back. It is measured in billions in social security, medical, credit card and finance fraud. It is in the multiple billions. We demand that the government eliminate it and yet we tie the government's hands with nebulous arguments about privacy and our poor understanding of the capacity of technology to eliminate fraud and protect our privacy. We do not trust our governments yet we are always ready to demand that they look after us when we are afflicted by a bad event or circumstance.
More sophisticated capability including isolating incidence occurrences
No footprint fraud investigation capability
Theft and fraud detection, reduction and elimination
Elimination of counterfeiting opportunities.
The replacement of a lost or stolen smart card comes at a cheaper cost than alternative authenticators. The smart card internal authorisation code can be changed eliminating the previous card from the system.
Public key and biometrical solutions stored on a smart card are far less vulnerable than on a PC desktop, legacy system or external user or contractor system.
Security in using collaborative web services
Single sign on that translates across multiple enterprises.
Portability (smart cards move with the user and do not require mandated static hardware access) which increases serviceability and makes fraud all that harder to effect.
Satellite and mobile communication capability.
A smart card that masks, or eliminates its tracks, during or immediately after use would be a great aid to people who investigate major crimes.
It is security and elimination of fraud worth billions from our government and private sectors, that Australian citizens should be demanding. We need new technology credit cards and a card to receive our benefits and services from government and the companies with which we deal. The financial sector appears to put costs, and profits, before risk assessment, avoidance and protection of its customers' assets, privacy and security of information. The skeptics rave on about privacy, and conspiracy, surveillance and skullduggery, without doing an evaluation, or gaining real knowledge, as to what it is costing them personally in higher prices and lost public infrastructure and service because criminals are stealing billions from our taxpayer funded systems and banks, retailers and any other places where it is easy to carry out criminal activities. How much does criminal activity add to the cost of goods and services and how much does it divert public funds from public benefit? Is my personal data so important that the nation should collectively bear that enormous cost? As they say, "get real".
The credit card, and other cards, in your wallet issued by your Australian or international bank, credit union, building society, airline or any other entity are not safe. The Medicare card invites fraud as do most other bits of plastic including our driver's licenses and birth certificates. The identity cards we take to work and use to enter government buildings and other sensitive enterprises are a joke. Particularly when the receptionist at the counter is an outsourced, under trained security guard, who will accept a verbal nod or word, that it is okay to let you in. Recruitment companies are providing staff, across the nation, often on a moment's notice (temporary and contract) whose identities have not been originally authenticated and who are going into places without any secure identification.
In the Australian Defence Department, the external recruitment agency that is the major supplier of temporary and contract personnel will simply send a body and they get in to our most sensitive locations without strict and constant secure procedures and personal identification. The company rarely if ever has checked their identity, and these personnel carry no authenticated identification. They may not be the original person designated to be there. In any location you go where there is a security desk you will observe people playing at checking and identifying people. Every day in our government agencies staff and investigators use rudimentary methods to try and stop fraud.
The cards we carry are collectively not secure unless you have a very specific type of card manufactured specifically with security and authentication as the priority.
These enterprises rely upon some other entity carrying the burden of recompense. In the lives of citizens this means that currently the banks and credit unions are relying upon Visa, Mastercard, Amex and Diners and so on, to take the risk and compensate you when your card security is breached and purchases are charged to your account. Things are about to change as these companies are telling Australia's banks and financial institutions and retailers that they are not going to take the liability any more. Similarly other companies such as Frequent Flyer (airlines) and similar loyalty programmes are using lower standard produced cards which can be easily copied. Again it is about not wanting to spend the money necessary to protect your security. They want your business preferably without any, or as minimal as possible, liability on them.
What of the vigilance of our policy makers?
The Australian government is trying to do something about all of this. Yet the state and territory governments, some politicians, the banks, the critics and the stakeholders of antiquated systems and technologies are all seeking to frustrate the progress.
Interests within the IT departments of enterprise and government, and the large computer manufacturers will want to protect their current and future interests by convincing Ministers of governments, CEOs of companies, their executives and clients to keep all the data to be used in the smart card project on mainframes in the central offices.
· Make the IT people indispensable and grow their influence and control
· Guarantee the revenue, maintenance and ongoing high cost of existing legacy systems to the large companies whilst extracting maximum dollars from the implementation budget by arguing the enterprise needs new, and ever bigger systems. Likely leading to cost blow outs in implementation costs of the projects.
· Risk networking of the systems between government departments, and external parties, enabling access of the information for whatever purpose deemed necessary by the public service, the government of the day and major corporations.
· Support the departments' central control that allows the card content, and capability, to be altered after it has been issued without necessarily having to notify the holder.
The Australian Privacy Foundation, and others, are marshaling their resistance and are communicating with like interests overseas to garner arguments for their case. It is possible to influence the development of cases and to counter fear mongering.
The privacy and security of data in these large systems cannot be guaranteed since the data is under many peoples' control. However it is possible to place the data in the hands of the consumer of service. This is true interactive authentication and control. This method of design, and implementation, would:
1. Limit the personal data held on the government's large computer systems
2. Save the public service money in terms of computer hardware and software
3. Allow the user to determine where their smart card back up data is stored
4. Allow the user to negotiate what is on the card and limit what is sharable between departmental and other agency, computer systems.
The big computer companies arguing for large central computer systems do not make state of the art capture and smart card production systems so they have to push the entities towards their systems opening up the security and privacy debate. They are integrators of systems.
The provider of the personalised card should be vendor independent.
That is the card personalisation company should be capable of working with the existing large computer back room systems of any make, or of managing the production and deployment of cards independent of the suppliers of existing large systems but capable of communication and interaction with their systems.
The issue for any supplier of smart cards, and computer systems, should be what does the consumer (card user) need to make them feel secure in their privacy? Which manufacturer interest is arguing their case in Australia? Not the big legacy computer systems and their supporters because they want big systems to store and integrate and network the data.
The Australian media tends to run trite hysterical and fanciful pieces without examining and informing the public. It makes for better stories if there is sarcasm, conspiracy and 1984 themes to trot out. Fiction is more enthralling than fact. The sad fact is that there is little mature debate, on major policy matters like this and there is no common ground. The prurient interests of an antiquated, and slow to grasp what is over the horizon, financial sector, the under performing, and narrow minded, corporate executives, with limited horizons and a here today mentality, the vested interests, such as the privacy theorists, the lawyers, etc. etc. etc. are all working to scuttle the Australian government's plans. There are legitimate considerations and it is not intended to make light of them. It would just be a little easier if people would actually learn something before they run off and make accusations and claims. The proposition that governments will create huge databases and that police and pharmacies, doctors and other places will have card readers to access the information and store it, network and distil it belie the fact that to do this would cost mega-billions. These costs are beyond all of Australian's enterprises and an attempt to do so would bankrupt the small, and the large, snoops who are alluded to but never identified.
Are we suspicious of our fellow citizens? The bodies the privacy worriers, and critics, are pointing at are staffed by people who live next door and who carry cards themselves and are users of the system. Do we consider that they have separate personalities and ideals to us? Are they robots who with malicious intent have Jekyll and Hyde alter egos?
Alternatively there are those commercial enterprises trying to avoid having to spend money to make Australia more secure. It is of no consequence to these people if the government is exposed to massive fraud. Their personal privacy issues, their personal corporate empires and their vested interests, fears, ignorance and misinformed views, are of greater significance.
There are some serious academic papers on the topic but they are not contemporary and the authors are informed as to the cutting edge production of today's real cards. Not the bits of plastic we are issued with by our banks, credit unions and myriad of service providers.
The greater number of Australian people are always disengaged. They are too busy to inform and to educate themselves to the facts. They rely upon the self appointed experts, the commentators with a small amount of acquired knowledge and a few adjacent ideas. The merchants of doom peddling hysteria, the shock jocks, their favourite television host and talk back reality shows to inform their views. They have their place and are right and able to express their views and worries, concerns and fears. Meanwhile they, like the rest of us, are being robbed blind and the criminals are laughing all the way to their banks.
Australian Senate Enquiry into Access (Smart) Card
Submission by Kevin R Beck