Privacy impacts of e-government authentication reported

In June 2003, the New Zealand government gave the go-ahead for the development of a "whole of government" G2P authentication scheme, involving the establishment of a single stand-alone authentication agency with a minimum of information exchange and storage.

By adopting this approach, the basic identity information supplied by the individual and verified by the authentication agency is kept separate from more privacy sensitive service information held by the agency that actually provides the government service.

The information interchange between the authentication agency and the service agency is limited to the release of identity data (name or names, gender, date and place of birth) as authorised by the relevant individual using a password or other key (such as a digital certificate) with which his or her identity credentials have been previously associated.
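The separation just described (a stand-alone authentication agency that releases only individually authorised identity attributes, with service data held elsewhere) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the New Zealand scheme or its consultants; it assumes, as design choices not stated on the page, that the individual authenticates to the authentication agency directly with a password, receives a single-use release token bound to one service agency and one attribute set, and that the service agency redeems that token rather than ever handling the password itself.

```python
"""Toy model of an authentication agency kept separate from service agencies.

Added example, not the scheme's own code. Assumed (not on the page): password
authentication at the authentication agency, single-use release tokens bound
to one service agency and one attribute set, and token redemption by the
service agency. Names, credential ids and data values are constructed.
"""
import hashlib
import hmac
import secrets

# The only identity data the authentication agency may ever release.
RELEASABLE = frozenset({"names", "gender", "date_of_birth", "place_of_birth"})


class AuthenticationAgency:
    def __init__(self):
        self._records = {}      # credential_id -> identity data, password hash, photo
        self._tokens = {}       # token -> (credential_id, agency, attributes)
        self.release_log = []   # what was released, to whom, for which credential

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enrol(self, credential_id, password, attributes, photo):
        unknown = set(attributes) - RELEASABLE
        if unknown:
            raise ValueError(f"not identity attributes: {sorted(unknown)}")
        salt = secrets.token_bytes(16)
        self._records[credential_id] = {
            "attributes": dict(attributes),
            "salt": salt,
            "password_hash": self._hash(password, salt),
            "photo": photo,  # held for the duplicate-registration check only; never releasable
        }

    def authorise_release(self, credential_id, password, agency, attributes):
        """The individual authenticates here and names exactly what may be released."""
        rec = self._records.get(credential_id)
        if rec is None or not hmac.compare_digest(
                rec["password_hash"], self._hash(password, rec["salt"])):
            raise PermissionError("authentication failed")
        attributes = frozenset(attributes)
        if not attributes <= RELEASABLE:
            raise PermissionError(
                f"cannot authorise release of {sorted(attributes - RELEASABLE)}")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (credential_id, agency, attributes)
        return token

    def redeem(self, token, agency):
        """Service agency presents the token; it is consumed on first use."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            raise PermissionError("unknown or already-used token")
        credential_id, bound_agency, attributes = entry
        if bound_agency != agency:
            raise PermissionError("token not issued for this agency")
        rec = self._records[credential_id]
        released = {k: rec["attributes"][k] for k in attributes if k in rec["attributes"]}
        self.release_log.append((credential_id, agency, tuple(sorted(attributes))))
        return credential_id, released


class ServiceAgency:
    """Holds service data; only ever sees the identity attributes it asked for."""

    def __init__(self, name, auth_agency, needed):
        self.name = name
        self.auth = auth_agency
        self.needed = frozenset(needed)
        self.records = {}   # credential_id -> {"identity": ..., "service": ...}

    def open_account(self, token, service_data):
        credential_id, identity = self.auth.redeem(token, self.name)
        self.records[credential_id] = {"identity": identity, "service": dict(service_data)}
        return identity


def demo():
    """Walk through one release and the checks that keep the two data sets apart."""
    auth = AuthenticationAgency()
    auth.enrol("cred-0001", "correct horse",  # constructed sample data
               {"names": "A. Example", "gender": "F",
                "date_of_birth": "1970-01-01", "place_of_birth": "Wellington"},
               photo=b"<constructed jpeg bytes>")
    benefits = ServiceAgency("benefits", auth, needed={"names", "date_of_birth"})

    token = auth.authorise_release("cred-0001", "correct horse", "benefits", benefits.needed)
    outcomes = {"released": benefits.open_account(token, {"claim": "supplement", "amount": 120})}

    for label, action in (
            ("replay", lambda: benefits.open_account(token, {})),
            ("photo", lambda: auth.authorise_release("cred-0001", "correct horse", "benefits", {"photo"})),
            ("bad_password", lambda: auth.authorise_release("cred-0001", "wrong", "benefits", {"names"}))):
        try:
            action()
            outcomes[label] = "allowed"
        except PermissionError as e:
            outcomes[label] = str(e)
    # Neither side ends up holding the other's data.
    outcomes["auth_holds_service_data"] = any("service" in r for r in auth._records.values())
    outcomes["service_holds_photo"] = any("photo" in r["identity"] for r in benefits.records.values())
    return outcomes


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The points worth noticing are the ones the report's design goals turn on: the password and the enrolment photograph never leave the authentication agency, the service agency receives only the attribute set it declared a need for, a token cannot be replayed or redeemed by a different agency, and every release is logged against the credential so the individual's authorisations can later be audited.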

As part of the ongoing design work for the scheme, government commissioned a privacy impact assessment ("PIA") by outside consultants. The consultants' report has now been released publicly.

The report is generally supportive of the scheme's direction, which:

  • recognises that not all online government services require authentication;

  • is not based on a national ID card;

  • will not require a uniform PKI-based authentication solution; and

  • provides for authentication (verifying identity) to be handled independently from authorisation (access to services).

However, there are other features of the scheme on which "red flags" have been raised.

For example, one of the scheme's design assumptions is that the public should be able to choose whether or not to access services that require online authentication (the "opt-in" principle). The report questions whether this objective can be maintained over time.

It suggests that in order to make the scheme financially viable, government will be tempted to proactively promote the online alternative by offering the public incentives to convert, and by making offline service delivery channels more difficult to access.

In addition, the report predicts that one large category of initial users will be those conducting online transactions for business purposes. Such people are likely to be required by their employers to obtain ID credentials from the authentication agency in order to carry out their job. The report notes that the proposed authentication model makes no provision for the issuance of ID credentials based on organisational roles, even though in many B2G transactions service agencies have no need to actually identify individuals.

Another issue raised by the report concerns the ongoing use of the photograph that the individual is required to provide when he or she applies to the authentication agency for the issue of ID credentials. The photograph is to be required to ensure that one individual does not try to register more than one identity.

The current design assumes that the photographic image and its associated biometric will be retained by the authentication agency. The report questions the need for the retention of this kind of information, especially given the risk of false negatives using face recognition technology and the fact that ID credentials (with the resubmission of photographs and other identifier information) will have to be renewed on a periodic basis. The authors of the report also express concern about the possible use of this kind of information by service agencies over time.

The report also:

  • notes that the design needs to include how possible failures in the system will be dealt with, coupled with an acceptable set of rights and remedies available to those unfortunate individuals who are the subject of operational errors concerning their identity;

  • calls on government to clarify the application of various aspects of New Zealand's Privacy Act to the scheme, particularly around the use of the ID credential as a unique identifier and the control and regulation of authorised data matching operations between government departments;

  • stresses the need for a comprehensive and continuing security and risk assessment (on data quality and other matters) to address the many security issues affecting the scheme that remain unresolved.

These issues and others that are canvassed in the report could, the authors say, result in a system that evolves into a kind of national population register, with all the potential that such a system has for secondary uses of information or subsequent extensions (including the adoption of a national identity card system, a development currently rejected by government).

It is stated that this impression can only be managed properly through strongly and deeply entrenched legislative safeguards. The report makes a number of detailed recommendations as to the kind of privacy enhancing measures that should be included in the statute that sets up the authentication agency.

Disclaimer

This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.