
Article 1: Methods of Identification


I have chosen swipe cards and driving licences as methods of identification for this article.

Attributes used for Identification

Both swipe cards and driving licences have to be issued by their respective organisations. The difference is that driving licences are issued by the DVLA, the UK government body that maintains the database of drivers. There is only one authority that can issue driving licences, but there are many companies that can issue their own swipe cards. The fact that driving licences are issued by the government gives them credibility.

The attributes used on the driving licence differ depending on the situation. For example, if the police stop you and ask you to provide your licence, they may well use the licence number to perform a database search. On the other hand, if you were buying alcohol, the clerk serving you would use the photo to verify that the card belongs to you and then work out your age from the date of birth attribute.

The physical attribute that swipe cards rely on is the data stored on their magnetic strip. They may also have some details printed on them so we know who the card belongs to. The driving licence, on the other hand, only contains a subset of the information held in a particular driver's record in the drivers' database.

Example Photocard Driving Licence

Verification of Identity

The issuers of the swipe card rely on the person possessing the card, and the data therein, being the person they issued the card to. This system relies on faithful representation. What this essentially means is that the issuer of a swipe card depends on the person the card was issued to being the only person who uses it. If someone else uses the card, it compromises the validity of the data that is logged when it is used, as well as the resources it is guarding.

The driving licence has a primary use and many secondary uses. The primary use is to permit people to drive on the country's highways. If you should get pulled over, the police will examine your licence and search the database to verify the data on the licence. All they are doing there is comparing what is on the card to what is stored in the database.

There are many secondary uses for a driving licence, such as confirming the age of the person involved. Normally the verifier compares the picture on the licence to the claimant and, if they determine it is the same person, they calculate the age of the person from the date of birth on the card. This is generally used in cases where a minimum age restriction is in place, such as purchasing alcohol and "18" rated films.

Example Blank Swipe Card

Historical Context

As swipe cards are individual to different organisations, there are many different reasons why they have ended up with swipe cards. For instance, the University of Portsmouth had used their library card as a form of ID (S. Perry, personal communication, November 3, 2009) before swipe cards. Now they are able to combine multiple forms of ID into one, as previously the library card was separate from the student number. Swipe cards are also harder to fake than their previous counterparts, which consisted of "a photo stuck on a piece of square paper with a bar code and then laminated" (S. Perry, personal communication, November 3, 2009). Swipe cards have given them greater control over managing their site. All staff, students and contractors are given cards that can each be managed separately and automatically.

Driving licences were introduced in 1934 (Driving licence in the United Kingdom, 2010); however, it was not until July 1998 (64 years later) that it became compulsory for a photograph of the licence holder to be printed on the card. The reason for this was to prevent the abuse of driving licences that was going on. According to a BBC report (UK driving licence to carry photo, 1997), people were cheating on their driving tests because there was no way to guarantee that the person being tested was the person who should be tested. With a photograph, it is much harder for someone to cheat on their driving test, as a simple comparison of the provisional licence with the person in front of the examiner should validate that they have the right person. Aside from making sure the right people are taking the tests, the article notes that the new licence format would "greatly assist with law enforcement" and that it "could be used for identification purposes". The latter has now become a standard form of identification with many applications, such as purchasing alcohol (verifying age) and collecting parcels (verifying name).

Who Benefits?

With the swipe card, one would think the obvious benefit is that the swipe card user gets access to specific resources or buildings without needing someone to unlock the door after checking that they have permission. However, it stands to reason that the true beneficiary is the owner of the resources. They are able to grant and restrict access to resources with the click of a button. The resources could be expensive laboratory equipment, and they probably don't want just anyone around their equipment. This, in turn, also implies that if any resources were damaged or stolen, only people with the correct swipe card access could have been responsible. The organisation will probably also keep logs of people swiping in and out and could further narrow down who the perpetrator is.

Having a driving licence means that people have access to the country's public highways. It gives them the freedom to go where they want, when they want. Of course, they are subjected to an exam to make sure they can use the highways safely. The driving licence does, however, get more use elsewhere in life. The predominant secondary use is validating the age of the licence holder. Some people will go for years without using the driving licence for its intended purpose but use it on a regular basis for other purposes.

Effects of Collecting Personal Data

As swipe cards rely on swipe card readers that are connected to computers in some way, it is inherent that the communications between the reader and the computer are logged (S. Perry, personal communication, November 3, 2009). This gives the system a bit of a Big Brother effect. The other issue is that there is no way to guarantee that the card is being used by the person it was issued to. This affects the veracity of the data being logged and could compromise the resources the system was set up to secure.

Along with a driving licence comes the driving record that is stored in the government's databases. This means that any accidents and/or fines are all attached to your record. It is a permanent record that you can't lose: even if you lose your licence, the system will say when and why you lost it, and you are subject to the criminal justice system if you are caught driving.


Article 2: Authentication Systems


Authentication systems are important to establish that the user using the system is legitimate. There are many ways of improving authentication above and beyond what passwords offer. Two of these systems will be discussed and compared here.

The first system we will look at is the Yubico YubiKey (Yubico, 2009c), a hardware-based one-time password (OTP) generator that is commercially available. An alternative that is available for mobile phones and is open source will also be explored. This mobile OTP generator is called Mobile OTP (mOTP).

The Technology Involved

The YubiKey works by emulating keystrokes through a standard keyboard interface (Yubico, 2009b) and connects to the computer via a USB port. The hardware itself consists of easily available components; for this reason, there are no patents. Hence, similar products are already showing up, such as the UmiKey (http://umikey.com/).

YubiKey Authentication Process

The image above clearly demonstrates two-factor authentication, as a traditional user name and password is required as well as the YubiKey code. First the application authenticates the user name and password; if this fails, the user is redirected back to the login page. Once this step is successful, the OTP is authenticated with the YubiKey authentication service. Should it be valid, access is granted. A company is not forced to use the YubiKey authentication service; it is possible to set up its own validation server (Yubico, 2009d).

On the other hand, we have mOTP. mOTP is available as a Java MIDlet that will essentially run on any hardware that can support Java. Currently on the website (http://motp.sourceforge.net/) there are downloads available ready to be put onto the iPhone and Android operating systems. This does not mean it can't run on other operating systems. The mOTP software for both the client and the server is open source, meaning that not only can the software code be reviewed prior to installation but changes can also be made.

mOTP Authentication Process

The mOTP authentication process is not all that different from the YubiKey's, but it does require the user to have a mobile phone with the software installed to generate the OTP. As the only servers available are those that you or your company have installed, the user authentication and OTP authentication can take place in one step rather than the two steps that the YubiKey requires.

Both systems can be implemented into a wide variety of systems. The most common will be a website as they have a tendency to be easier to modify than an operating system.
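The two-step flow described above (user name and password first, then the OTP) is shown below as an added example; it is not code from Yubico or the Mobile-OTP project. The token generator follows the recipe the Mobile-OTP project publishes (the first six hex digits of MD5 of the current Unix time divided by ten, the 16-character secret and the PIN), and the server accepts a token within a window of a few minutes. The user record, secret, PIN and password are constructed sample values, and the replay set is an assumption of how a real server would stop a captured token being reused.

```python
"""Two-step login: (1) user name and password, (2) mOTP one-time password.
Added example modelled on the flow described in the article; not project code.
"""
import hashlib
import hmac

WINDOW_SECONDS = 180  # accept tokens generated up to 3 minutes either side


def _pw_hash(password: str) -> str:
    # Constructed example only: a real system would use a slow password KDF.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample user store (hypothetical user, secret and PIN).
USERS = {
    "alice": {
        "password_hash": _pw_hash("correct horse"),
        "motp_secret": "0123456789abcdef",  # 16 hex characters
        "motp_pin": "1234",
    }
}


def motp_token(secret: str, pin: str, epoch: int) -> str:
    """Mobile-OTP token for the 10-second slot containing `epoch`."""
    return hashlib.md5(f"{epoch // 10}{secret}{pin}".encode()).hexdigest()[:6]


def verify_password(user: str, password: str) -> bool:
    """Step 1: constant-time comparison of the stored password hash."""
    rec = USERS.get(user)
    if rec is None:
        return False
    return hmac.compare_digest(rec["password_hash"], _pw_hash(password))


def verify_motp(user: str, token: str, now: int, used: set) -> bool:
    """Step 2: accept the token if it matches any slot inside the window and
    has not already been accepted (`used` holds (user, token) pairs)."""
    rec = USERS.get(user)
    if rec is None or len(token) != 6:
        return False
    for epoch in range(now - WINDOW_SECONDS, now + WINDOW_SECONDS + 1, 10):
        expected = motp_token(rec["motp_secret"], rec["motp_pin"], epoch)
        if hmac.compare_digest(expected, token):
            if (user, token) in used:
                return False  # replay of a token already spent
            used.add((user, token))
            return True
    return False


def login(user: str, password: str, token: str, now: int, used: set) -> str:
    """Returns 'denied-password', 'denied-otp' or 'granted'."""
    if not verify_password(user, password):
        return "denied-password"
    if not verify_motp(user, token, now, used):
        return "denied-otp"
    return "granted"


if __name__ == "__main__":
    import time
    seen = set()
    now = int(time.time())
    tok = motp_token(USERS["alice"]["motp_secret"], USERS["alice"]["motp_pin"], now)
    print(login("alice", "correct horse", tok, now, seen))  # granted
    print(login("alice", "correct horse", tok, now, seen))  # denied-otp (replay)
```

Because the server must recompute MD5(time, secret, PIN) itself, it has to hold the secret and PIN in a usable form; that is the clear-text storage limitation discussed under Known Vulnerabilities below, and it is why the `used` set and the time window matter: they are the only things stopping a token that was observed once from being accepted again.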

Purchase Costings

Purchasing YubiKeys would be the inexpensive part of implementing them. To fully utilise the technology, the software system it is intended to be used with would need to be adapted to accept it as an authentication method. Luckily, the YubiKey can store two configurations: one that produces an OTP and another that stores a static (albeit strong) password. Therefore the second configuration could be used with any piece of software that accepts normal passwords, but this is not as secure as two-factor authentication.

A server is not required, as Yubico provides this service for free. However, a large company may decide that they want full control over their YubiKeys and set up their own server. This would mean purchasing the necessary hardware or setting up a virtual server. The server code is all open source and is available in a few different languages (Yubico, 2009a). Of course, setting up a specialist server will require a developer with the correct skills. This could be quite expensive, as it is a specialist area. On the other hand, the company could opt to train an employee to meet their needs. The latter would most probably offer some savings in the long run if the YubiKey was extensively used.

The Yubico server is a single point of failure (more about this later on) and could be open to a physical attack. By managing your own server, you need to take extra steps to ensure its integrity. In contrast, even though the mOTP software is freely available, it requires a phone that can run the software. Java-capable mobile phones can be expensive, especially an iPhone or an Android phone; this is much more than the nominal cost of a YubiKey. The server side for mOTP is the same as for the YubiKey, except that there is no option to use an official free server. mOTP requires its users to run their own server software and, because of this, it carries the same risks as a YubiKey server.

Even though mOTP can seem cheaper at the outset, it is far from it. You need a Java-capable phone as well as an accessible server to use it. Therefore the YubiKey could seem more attractive to smaller companies, as they can start off small, using only a few YubiKeys, and as they expand they could consider using their own server and reconfiguring the YubiKeys to use the new server. Having YubiKeys also means that they are more easily transferable from one employee to another. This in turn also means they are more easily misplaced or forgotten, whereas people have got used to taking their mobile phone with them, making it less prone to these sorts of situations.

Supporting and Maintaining the Technology

Both OTP solutions have very similar needs but the costs could vary significantly.

If a company were to run their own OTP server for authentication, then there are the added costs that hosting and maintaining a server brings. There is also the security of the servers to consider. For example, the servers could be compromised if an unauthorised person had physical access to them. Contingency plans would also need to be implemented in the event of downtime, a security breach, etc. We can safely say that running one's own authentication server could be quite costly; however, it does come with its own benefits. Companies will be able to fully manage their OTP authentication server and not rely on a third party. They would also be able to grant and restrict access more easily.

On the other hand, YubiKeys are significantly cheaper (starting at $25 in the USA) than a modern phone. For small companies, the YubiKey would be the obvious choice of the two, but nowadays most people with a mobile phone contract will have a phone that is capable of running mOTP. On top of this, if they ever upgraded their phone, the software is easily transferred to or installed on the new phone. Expecting everyone in a company who will use the server to own a brand new modern phone cannot be relied upon.

Another cost to take into account is the cost of replacing a YubiKey. Old keys need to be barred from the system, especially if one is lost. As for mOTP, the only way to lose the mOTP is to lose the phone. Although uncommon, it does happen, and security measures need to be in place to handle that.

Known Vulnerabilities

Yubico has written a security evaluation (Yubico, 2009e) of the YubiKey that points out some areas that could be potential risks that hackers may utilise to gain unlawful access. The problem with the security guide is that it does not go into detail about any possible attacks. For example, the document states "A successful attack on the server, e.g., a physical server attack or cracker attack, will compromise the AES keys for the YubiKeys." What this is saying is that there could be a potential issue such as an attack over the internet.

YubiKeys do have the disadvantage that if the physical device gets stolen, it could be used to access all the systems it is linked to. This is because there is no way to protect the point at which an OTP is generated, as mOTP does with its PIN. There are further vulnerabilities, such as exploiting the automatic navigation feature. The automatic navigation feature is used to automatically load the default browser and take the user to a website. This could be reprogrammed to point at a malicious website that executes code to compromise the affected workstation (Björck, 2009).

mOTP is also affected by the fact that if access to the software was compromised and the perpetrator knew the PIN, they would be able to access the system. What makes it harder in mOTP is the fact that you require a PIN. This PIN is either generated at the time of sign-up, or it is set, much like the PIN for a bank card. mOTP also warns on its website that the secret "key" used to generate the OTPs and the PINs are stored in clear text on the server (Limitations, 2009). This again means more security is needed to protect the physical machine from attacks, as well as from attacks over the internet.

Personal Privacy Issues

The YubiKey and the mOTP software can be used with multiple systems. This in turn means that if it was compromised on one system, it would have compromised all of them. The attacker could masquerade as that user. A possible way to solve this is to have multiple keys or multiple installations of the software on the phone to grant access to different systems. This is, however, cumbersome and annoying for the end user.

Benefits to Organisations

These two OTP systems add an extra layer of security to protect what is important to the organisation. The added benefit of an OTP is that it is incredibly hard to guess the next OTP within a reasonable amount of time. OTPs are also long and generally considered to be strong passwords, mainly due to their length. With a traditional password, a user may opt to write their password on paper, ready for prying eyes. Having a password that is 40 characters long presents humans with many issues. For example, it is hard to write down a 40-character password without writing it down incorrectly. Even if they succeed, it will be hard and time consuming to type it back into the computer to log in. This in turn also means it will be much harder for someone to copy a 40-character password without getting it wrong, and quickly enough before someone notices.

Using OTPs also adds accountability. For example, suppose someone wants to charge a £500 computer game to a department's expense account. The person who wants to make the claim would need to go through some bureaucracy to be successful; however, they could just steal the user name and password of the account holder and make the payment without going through the proper chain of command. When questioned, the account holder will be held responsible for the claim. However, using an OTP method will make it harder to get away with something like this. Sure, they might have the user name and password, but the OTP is now also required.

It can also be used to protect a wide variety of systems, such as online banking systems, email, software access, etc. But as stated before, if the perpetrator has the YubiKey or access to the mOTP, then they would be able to gain entry into all associated accounts.

Article 3: Using Legislation to Protect Identity

The British Data Protection Act of 1998 (UK Government, 1998) and the Australian Privacy Act of 1988 (Attorney-General's Department, 2009) will be compared to one another with regard to how each upholds the identity of the citizens of their respective countries.

Political Objectives

The Data Protection Act (DPA) was set up so that living individuals had a way to control their personal information, such as knowing what data is collected and what purpose the data will serve. The DPA has also given responsibilities to those who collect, process and handle data (Information Commissioner's Office, b). This enables individuals to manage who has access to their information, as they are able to make requests to any data controller to find out what information it holds about them and to make any amendments. The government may have passed this act to protect private information; however, it is hard in practice to keep track of which data controllers store data about any particular individual. For example, when signing up to a competition, at the end of the form there may be a tick box stating something like "Tick this box if you do not want us to contact you for marketing purposes and if you do not want us to pass on your information to selected third parties." The main concern here is that we do not know who these third parties are and what intentions they may have for the private information. This makes it difficult for an individual to contact these companies should they wish to have their information removed from the third party's database.

The Australian Privacy Act (PA) has similar intentions, giving individuals the power to control who has access to their information and placing requirements on those who act as data controllers. Section 14 of the PA (1988) states the principles of the act and stipulates the collection of data, use of data and data security (Office of the Privacy Commissioner, b), to mention a few. Both Acts essentially have the same principles; they just use different titles. A difference between the two is that the PA is not enforceable upon a company with a turnover of less than $3 million AUD (£1,677,658 (http://www.xe.com)). The Office of the Privacy Commissioner does state that companies can opt in to give their customers confidence and integrity, ultimately protecting their privacy (Office of the Privacy Commissioner, c).

An interesting fact about the PA is that, in contrast to the DPA, it does not specifically stipulate that the individuals have to be living. This could be because the two governments handle the private information of the deceased in different ways and have different means of handling their information.

Amount of Government Spending

Both the UK and Australia have separate regulators that manage their respective Acts. In the UK, the representative body is called the Information Commissioner's Office (ICO). The Australian equivalent is the Office of the Privacy Commissioner (OPC).

By looking at their annual reports to their respective governments, we can calculate how much money these bodies are spending to monitor and enforce these Acts.

ICO Balance Sheet

Income: £11,151,000
Expenditure: £16,909,000
Operating Deficit: £5,758,000

Source: Annual Report 2008/09 (Information Commissioner's Office, a, p. 70)

OPC Balance Sheet

Income: $7,374,000 AUD (£4,121,532)
Expenditure: $7,969,000 AUD (£4,445,665)
Operating Deficit: $595,000 AUD (£332,562)

Source: The Operation of the Privacy Act Annual Report 1 July 2008 - 30 June 2009 (Office of the Privacy Commissioner, a, p. 145)
Exchange Rate: 1 AUD = 0.560319 GBP (2010.01.24 19:11:30 UTC) (http://www.xe.com/)

Review of Expenditure

We can see that there are significant differences between the two regulators, with the ICO spending £8,940,000 more than the OPC. To put this in context, the ICO deals with Acts other than the DPA, such as the Freedom of Information Act of 2000 (Freedom of Information Act 2000, 2010), and would inherently have a greater expenditure. There is also a big difference in population between Australia and the United Kingdom. The United Kingdom has a population of ~61,113,205 (United Kingdom, 2010) and Australia has ~22,126,799 (Australia, 2010). This would suggest that the UK has a much bigger task in handling DPA issues, but we can look at it in another way. The ICO regulates 4 Acts (Information Commissioner's Office, 2010); if we take £16,909,000 and divide it by 4 we get an approximate expenditure per Act, in this case £4,227,250, which brings it on par with the OPC expenditure. In comparison, then, the UK should be getting better value for its taxes than Australia.

Political Effects on Personal Privacy Issues

The DPA has a technicality within it that could effectively compromise an individual's private information, and thereby their identity. An individual can be legitimately refused access to their information. This is due to the fact that data controllers have up to 40 days to respond to requests. However, if the data is to be kept for less than 40 days, and is subsequently deleted under normal procedures, then the data cannot be supplied. What we mean here by normal procedures is that they were going to delete the data before the request had been received. This can be particularly prevalent with CCTV images (Data Protection Act 1998 - Apparent Flaws in the Act, 2010), whereby the old images are continually overwritten. A request for access to the video may be declined, thus making it ineffective in fighting crime, as perpetrators cannot be caught and brought to justice.

The PA may not seem to have many issues, but there may be a small technicality. The PA stipulates that the Act is only mandatory for companies with a turnover of more than $3 million AUD. We assume that there are hundreds of thousands of small enterprises earning less than the obligatory limit. This could be putting the identities of thousands of Australian citizens at risk.

Success of the Legislation

In the UK, breaches of the DPA are few and far between, most probably because £5,000 can be a lot for a business to pay as a fine. This money could be better spent to benefit the business positively. It has been noted that the fine may not be enough, not necessarily for large companies but for the severity of the crime. As of 6th April 2010, the ICO will be able to impose a fine of up to £500,000 when the Act is breached (Information Commissioner's Office, 2010, January 12). This will most certainly act as a huge deterrent. We believe that this will uphold the success of the DPA for British citizens.

It would appear that the PA in Australia is just as successful; however, it is worth noting that privacy doesn't seem to be a big issue there. The ICO (UK) received 112,767 calls (Information Commissioner's Office, a, p. 29) with regard to the DPA. With the Australian population a third of that of the UK, you might expect a reasonable figure to be ~38,000 calls; however, the OPC (Australia) received 21,178 calls (Office of the Privacy Commissioner, a, p. 51) with regard to their PA. This could mean either that there are fewer concerns or that there is less chance of a breach of the law in Australia. This Act, as well as the DPA, offers individuals access to their information in an easy way. The problem is the amount of time it takes to process a request. An issue that affects the success of the PA is the fact that there are no methods and controls for individuals to access their information held by companies with a turnover of less than $3 million AUD that are not on the PA opt-in register.

Achieving Political Objectives through Business Markets

Both governments could achieve the same political objectives if they implemented a system whereby personal information agencies are set up and regulated by the government. Individuals, in turn, register with these agencies and store whatever information about themselves they require. Each individual will have a unique identifier for their record. When personal information is required when signing up to websites, competitions and so forth, they would provide this identifier as well as the agency that stores their information. The company running the website would then need to go to the agency with the identifier and request access to the individual's information. It will be granted, but only to a limited profile of sorts. For instance, no name, address, gender or date of birth will be available from the outset. If the company does require this information, then the individual needs to be informed of what data is required and the purpose it will serve. The individual can then grant access to this information or deny it (even though this may affect their access to the service). The individual has the right to restrict access by later denying the information to a specific company or to all companies. This would benefit individuals, as they would have a centralised place to easily manage their personal information, to make amendments, and also to view who is using their information and how often they are accessing it, without compromising the key identifying information.
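The agency model proposed above, as an added illustration that is not part of the original article: an agency issues each individual an identifier, answers a company's request with only the non-sensitive attributes unless the individual has granted more, records every request with its stated purpose so the individual can see who is accessing their data, and lets the individual revoke a grant for one company or for all. The identifier format, the attribute names, the sample individual and the company names are all constructed for the example.

```python
"""Model of a regulated personal information agency (added example)."""
from dataclasses import dataclass, field

# Attributes the article says are withheld from the outset.
SENSITIVE = {"name", "address", "gender", "date_of_birth"}


@dataclass
class Record:
    attributes: dict                       # the individual's stored data
    grants: dict = field(default_factory=dict)   # company -> granted attrs
    access_log: list = field(default_factory=list)


class Agency:
    def __init__(self):
        self._records = {}
        self._next = 1

    def register(self, attributes: dict) -> str:
        """Store an individual's data and return their unique identifier
        (hypothetical 'PIA-' format)."""
        ident = f"PIA-{self._next:06d}"
        self._next += 1
        self._records[ident] = Record(dict(attributes))
        return ident

    def grant(self, ident: str, company: str, attrs) -> None:
        """Individual allows `company` to see the named sensitive attributes."""
        self._records[ident].grants.setdefault(company, set()).update(attrs)

    def deny(self, ident: str, company: str = None) -> None:
        """Revoke one company's grant, or every grant when no company given."""
        rec = self._records[ident]
        if company is None:
            rec.grants.clear()
        else:
            rec.grants.pop(company, None)

    def request(self, ident: str, company: str, purpose: str, wanted):
        """A company asks for attributes. Returns (released, withheld) or None
        for an unknown identifier. Non-sensitive attributes are released
        freely; sensitive ones only with a grant. Every request is logged."""
        rec = self._records.get(ident)
        if rec is None:
            return None
        allowed = rec.grants.get(company, set())
        released = {
            a: v for a, v in rec.attributes.items()
            if a in wanted and (a not in SENSITIVE or a in allowed)
        }
        withheld = sorted(a for a in wanted if a not in released)
        rec.access_log.append({
            "company": company, "purpose": purpose,
            "released": sorted(released), "withheld": withheld,
        })
        return released, withheld

    def history(self, ident: str) -> list:
        """What the individual sees: who asked, why, and what they got."""
        return list(self._records[ident].access_log)

    def access_counts(self, ident: str) -> dict:
        """How often each company has requested this individual's data."""
        counts = {}
        for entry in self._records[ident].access_log:
            counts[entry["company"]] = counts.get(entry["company"], 0) + 1
        return counts
```

The point of routing every lookup through `request` is that the log is kept by the agency, not by the company asking, so the individual's view of "who is using my information" does not depend on the company's honesty; and because `SENSITIVE` attributes are withheld unless a grant exists for that exact company, a grant to one website never leaks to the "selected third parties" the article worries about.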

References

Australia. (2010, January 25). Retrieved January 25, 2010, from Wikipedia: http://en.wikipedia.org/wiki/Australia

Data Protection Act 1998 - Apparent Flaws in the Act. (2010, January 21). Retrieved January 25, 2010, from Wikipedia: http://en.wikipedia.org/wiki/Data_Protection_Act_1998#Apparent_flaws_in_the_Act

Driving licence in the United Kingdom. (2010, January 13). Retrieved January 25, 2010, from Wikipedia: http://en.wikipedia.org/wiki/Driving_licence_in_the_United_Kingdom

Freedom of Information Act 2000. (2010, January 16). Retrieved January 25, 2010, from Wikipedia: http://en.wikipedia.org/wiki/Freedom_of_Information_Act_2000

Information Commissioner's Office. (2010, January 7). Retrieved January 25, 2010, from Wikipedia: http://en.wikipedia.org/wiki/Information_Commissioner's_Office

Limitations. (2009, December 28). Retrieved January 25, 2010, from Mobile-OTP: http://motp.sourceforge.net/#5

UK driving licence to carry photo. (1997, December 18). Retrieved November 22, 2009, from BBC News: http://news.bbc.co.uk/1/hi/uk/40804.stm

United Kingdom. (2010, January 25). Retrieved January 25, 2010, from Wikipedia: http://en.wikipedia.org/wiki/United_kingdom

Attorney-General's Department. (2009, October 16). Privacy Act 1988. Canberra, Australia.

Björck, F. (2009, February 15). Yubikey Security Weaknesses. Retrieved January 25, 2010, from Security DJ: http://security.dj/?p=4

Information Commissioner's Office. (2010, January 12). Press Release - Data breaches to incur up to £500,000 penalty. Retrieved January 25, 2010, from Information Commissioner's Office: http://www.ico.gov.uk/upload/documents/pressreleases/2010/penalties_guidance_120110.pdf

Information Commissioner's Office. (a). Annual Report 2008/09. Retrieved January 25, 2010, from Information Commissioner's Office: http://www.ico.gov.uk/upload/documents/library/corporate/detailed_specialist_guides/annual_report_2009.pdf

Information Commissioner's Office. (b). The Basics. Retrieved January 25, 2010, from Information Commissioner's Office: http://www.ico.gov.uk/what_we_cover/data_protection/the_basics.aspx

Office of the Privacy Commissioner. (a). 2008-09 Annual Report of the Office of the Privacy Commissioner. Retrieved January 25, 2010, from Office of the Privacy Commissioner: http://www.privacy.gov.au/materials/types/download/9417/6961

Office of the Privacy Commissioner. (b). Information Sheet (Private Sector) 1A: National Privacy Principles. Retrieved January 25, 2010, from Office of the Privacy Commissioner: http://www.privacy.gov.au/materials/types/infosheets/view/6583

Office of the Privacy Commissioner. (c). Information Sheet (Private Sector) 12 - 2001 Coverage of and Exemptions from the Private Sector Provisions. Retrieved January 25, 2010, from Office of the Privacy Commissioner: http://www.privacy.gov.au/materials/types/infosheets/view/6544

UK Government. (1998, July 16). Data Protection Act 1998. London, United Kingdom.

Yubico. (2009a). Basic Server Libraries. Retrieved December 8, 2009, from Yubico: http://www.yubico.com/developers/library/

Yubico. (2009b). Description. Retrieved December 8, 2009, from Yubico: http://www.yubico.com/products/description/

Yubico. (2009c). The YubiKey. Retrieved December 7, 2009, from Yubico: http://yubico.com/products/yubikey/

Yubico. (2009d). YubiKey OTP Validation Server. Retrieved January 25, 2010, from Yubico: http://yubico.com/developers/srv/

Yubico. (2009e). YubiKey Security Evaluation. Retrieved January 25, 2010, from Yubico: http://yubico.com/files/Security_Evaluation_2009-09-09.pdf