STANDING COMMITTEE ON COMMUNICATIONS
09/10/2009
Cybercrime

CHAIR —Although the committee does not require you to give evidence under oath, I advise you that this hearing is a legal proceeding of the parliament and warrants the same respect as a proceeding of the House. The giving of false or misleading evidence is a serious matter and may be regarded as a contempt of parliament. Would you care to make an opening statement?

Mr Wilson —I would like to make some really careful comments about identity. I stress ‘careful’ because experience tells us that this is an area that can drag us into the black hole of identity cards if we are not careful. I would like to state at the outset that we do not support the idea of any new identity card. We do not think that this is a necessary or even efficient approach to deal with the predominant cybercrime problems that we are here to talk about.

We do, I think, a pretty good job of identifying people already in the real world. There are a few cases like banking where identification is regulated, but for the most part identification is a local issue, meaning that identification rules are not set globally or centrally but tend to be worked out locally from one sector to another. For example, different credentials are used by lawyers compared to doctors. Lawyers will sign conveyancing materials and doctors will sign prescriptions using different systems and qualifications. Indeed, when consumers use their credit card, they are using a different identity.

I will tell a personal anecdote. I am a small business person. For convenience I opened my business bank account at the same bank where I do my personal banking, but I use different identities to do personal banking and business banking. I think it is actually the law that my corporate bank account has a different corporate identity from my personal bank account. Except at one time the bank mixed this up. I presented my business banking card to transact and the teller was able to access my credit card and my mortgage account from my business bank account through a bank error. I was personally affronted that those two identities had been mixed up. I think that was quite telling.

So in the real world I put it to you that identification and relationships are pretty well managed. The pressing problem in cybersecurity is to translate real world identities and credentials and relationships online. We said in our submission that credit card fraud online is the model cybercrime. By ‘model’ I mean that it illustrates the ease with which digital identities can be assumed and appropriated. We all know about stolen credit card black markets. I think you have heard this already in submissions. There is a huge black market. It is possible that tens of billions of dollars are changing hands. It is definite that a proportion of that is going to fund terrorist activities.

Crucially, most card details are stolen not from people as they go about using their credit card online, but rather the credit card details are stolen en masse by organised attacks on department store databases and third-party credit card bureau processes. This means that the best safe shopping advice in the world is moot. It does not matter how careful you are shopping online, you are still subject to identity theft.

The problem is that stolen identities are valuable. There is this huge black market where people buy and sell stolen credit card details and Lord knows what else. The technological problem is that stolen identities can be reused without anybody knowing. They can be replayed and stolen. This goes to Ms Rea’s question before about the risk of divulging more personal information like your CVV number on the back of the card. Indeed, these things get stolen and used against you behind your back.

To really curtail this problem we need to stop putting fire out with gasoline. The state of the art at the moment is that people just keep asking more and more secret questions. To curtail this we need to take steps to stop stolen identity data being replayable and reusable. There are so-called intelligent security technologies that you can use to release your identity data point to point in a very limited and controlled way. These identities are used one time and they cannot be reused and replayed against your will. These technologies really replicate our existing real world credentials and they do not involve imposing any new arbitrary global identification practices. It preserves what we heard before about different levels of identity being used for different contexts.

CHAIR —Were you here when Microsoft were making their submission?

Mr Wilson —Yes, I was.

CHAIR —How does your proposal differ from the meta identity that they are suggesting?

Mr Wilson —It is an extension, if you like. I am speaking specifically and frankly about intelligent identity devices—things like smart cards and SIM cards—that act as physical keys. In an encrypted form in the firmware of these devices they protect a whole portfolio of identities in the same way that your purse will hold a number of real world identities. The identity metasystem is like the business process behind that that allows electronic replication of your different identities—like your Medicare identity, your drivers licence and all of your different bank accounts.

What I am talking about is, where the rubber hits the road with the identity metasystem, that there will still be a weakness if the person accessing a computer system is trying to release the precise identity that they need in that context. The identity metasystem helps you get that identity and it helps paint a secure online experience where you know what you are doing, but the weak link is still going to be that your identity numbers can still be stolen if you are not very careful.

We are in a technology neutral environment. We like to frame approaches and regulations in a technology neutral way—I understand that—but the fact remains that some technologies are stronger than others in this regard. This brings me to the idea of smart cards and other intelligent devices which have small computers in them and they know what the user is trying to do. They know on your behalf that you are trying to do banking so that they will on your behalf communicate banking details to a website. If you are accessing a personal health record, you would use a different chip and that chip would know the context that you are trying to communicate to a personal health record and it would protect your privacy in that context without letting these different websites be linked.

CHAIR —Could you have a number of chips in one card?

Mr Wilson —Certainly.

CHAIR —Or could you have a card that you could just add different identities to? I have a whole heap of cards now. It is becoming ridiculous. I assume that if you had one for every computer identity you would have double the number of cards that you have now. Could you put it into one?

Mr Wilson —Absolutely, in the same way that your cell phone has multiple codes in it so that you can roam across different telephone networks. You can travel internationally and your phone is smart enough, through the magic of the SIM, to know what part of the world you are in and how to log onto the right network. Certainly smart cards can combine multiple identities. It might be quite sensible to have a health card that was used to access health sites, and you might have different logons for different sites all automated on the one card. We see this a lot in patient centric health care at the moment where people are making more and more sophisticated elections about who they want to divulge information to. In mental health services, and psychiatry in particular, it is very important. I think it is almost accepted now amongst professionals that, when you communicate details to a psychiatrist or in a counselling session, those details are firewalled from your general practitioner, for example—unless of course you elected to open up the files. So the technologies will allow that in a single chip.

CHAIR —I have recently been exposed to a computer which uses physical identification as a way of gaining access to the computer.

Mr Wilson —Biometric identification?

CHAIR —Yes. Couldn’t you do that for internet access, and then no-one could be you? I do not know how secure it is.

Mr Wilson —It is not.

Ms REA —Unless you have an evil twin somewhere.

CHAIR —I suppose if you had an identical twin you would be in trouble.

Mr Wilson —I would like to find a way to curtail the biometric debate because I think that the biometric technologies are not ready for what we are talking about. Biometrics are assumed to be—and in fact they are presented by their proponents as being—unique markers of who you are. The truth is they are not unique. In practice biometric systems always confuse small sets of people with one another. Moreover, there is no biometric that I am aware of that will allow you in the event of a theft to have your biometric identity revoked and then reissued. So it is distinctly unlike a bank card.

CHAIR —You cannot cancel it—unless you have a facial search!

Mr Wilson —That is exactly right. From a security point of view they are not perfect, and we have no way of dealing with the imperfection.

CHAIR —Sci-fi movies used to always have eye readers. I do not know if you remember those movies.

Mr Wilson —They look great because you stare into the camera and a split second later it says, ‘Hello, Tom Cruise.’ But those systems can take minutes and minutes to identify you against a big database, and then they will make a mistake. They will come back and say, ‘Are you Tom Cruise or are you Stephen Wilson,’ and you then have to clarify.

Ms REA —It is really hard to tell!

Mr Wilson —So I am told!

CHAIR —So you do not think those are viable options at this time.

Mr Wilson —They are very important technologies in limited doses. They are very important for things like data centres. Half-a-dozen people in the whole world might have access to a bank’s data centre. They might stare into a camera for several seconds, and the camera will take its time and be very precise. It might say: ‘I reject you. Would you have another go.’ If it is very high security, the biometric system is adjusted to not make any mistakes. So it might reject you, and you say, ‘Oh gosh, I need to stare again.’ I have used these systems, and if you are a data centre operator then you are used to that. It is part and parcel of the job. But if you are trying to access your funds in an ATM and there is a queue of people behind you, to begin with it has taken half a minute to recognise you, and then it might make a mistake, and the people behind you are waiting. There is really no biometric system that I know of that has solved those sorts of compromises in practice. Biometrics are very good for—

CHAIR —Identification out of a small group.

Mr Wilson —Yes, it performs well there. When you are enrolling people for passports, say, and you want to make sure that the photograph you have just taken does not match anybody else that you have previously photographed, you can take your time and do data cleansing and have your mainframe computers look for repeat photographs. But that is a distinctly different use from the science fiction idea of looking at the camera and money popping out. Coming back to digital identity, which is my theme, how do you cope with multiple digital relationships without linking them together so that people maintain their privacy and their autonomy? Biometrics really is not the answer for that, because all it conveys is your biological self. If you want to go to a Medicare office and say, ‘This is me,’ they do not want to know your DNA; they actually just want to know your Medicare number. One of the really important e-health applications now is online counselling and online patient consultation.

CHAIR —If you were a doctor trained over many years in psychiatry this would be a bit off-putting, but I have heard they actually receive better results from online counselling than from personal counselling.

Mr Wilson —Yes, it is phenomenal. If that is true then participation in those systems absolutely rests on privacy and preserving people’s anonymity. The last thing you would want somebody to be able to do is to insert your Medicare card and receive anonymous counselling, obviously. But you might insert some sort of other key that has been given to you by your counsellor, and you know it is a separate device and you know that it is going to log you on securely to an anonymous system.

Ms REA —Like a token.

Mr Wilson —Yes. One of the paradoxes in all of this is that these digital identities are the keys to e-health, e-banking and e-government, but we have this ‘anything goes’ kind of Wild West environment at the moment. We have a number of different passwords and some people give you random logon generators and other people give you plastic cards, and it is really like the Wild West.

It is interesting to me that we take a lot more care with car keys. My car has got a modern key that you cannot duplicate at the locksmith; you have to take it back to the manufacturer. It has an engine immobiliser and all of these electronics and smarts. But electronic service providers are still very timid about authentication. They are very timid that authentication technologies will compromise convenience. Convenience trumps all else at the moment. We have got ourselves into a situation where, believe it or not, the cost of identity fraud every year far exceeds the cost of car theft. There is half a billion dollars of car theft every year and at least $2 billion of identity fraud, according to the AFP.

CHAIR —That is four times as much.

Mr Wilson —We are in this situation because we take more care with car keys than we do with logons. If you would like me to continue my remarks, I have some thoughts about the role of government that I would like to share.

CHAIR —Yes, that would be good.

Mr Wilson —I would reiterate that we need no new identification regime to solve cybercrime. I think what we need instead is a better way of taking our digital identities or our existing physical identities and using them online. So I would like to see government lead by example. I believe that governments should commit to the public that some of the new e-government services will use state-of-the-art identity safeguards. We especially have to take care with the new programs like the national individual health identifier.

CHAIR —I think that will be a real testing ground for all of these sorts of issues.

Mr Wilson —I do too. It is a work in progress but some of the things that were said about this thing a year or two ago suggested that not a great deal of care was going into security. I heard once that the health identifier was compared to a PIN number. That would be a very dangerous mindset because, as we know, when your PIN number gets stolen, you go and get a new one. The idea of the IHI is that you do not ever get a new one and so it needs to have that commensurate safeguard in place.

I would suggest that the Attorney-General’s Department, which has had carriage of something called the National Identity Security Strategy, should re-energise that work and expand its scope to look at digital identity as well as birth certificates, passports and what have you. We have heard already that the National Broadband Network needs to factor in security. I would suggest that it really takes care to factor in digital identity security as well. I would like to suggest that idea of the smart Medicare card, which gets a run every now and again, be taken progressively. The idea of a smart Medicare card devoted to health care and protecting things like health identifiers is a very powerful idea and is long overdue. I could see the smart Medicare card being married to the individual health identifier in a really useful way.

CHAIR —Yes, it sounds like an obvious combination.

Mr Wilson —It does. Politically it produces a lot of anxiety, it is fair to say. But I would put it to you that the political risk of the smart Medicare card could be reduced in three ways. We could make it dedicated to health care, we could produce express engineering designs that protect privacy and, above and beyond all else, we need to make sure that any new chip card does not introduce arbitrary identification processes. We have tried that before. We have had the concept of photographing everybody before they get their Medicare card. Clearly, that is such a jolt to the way we interface to Medicare that it is risky. If we follow the line that your existing relationships in the real world can be transferred online with the proper technology then you can have a chip enabled Medicare card that replaces your existing card. Then we can allow people to start using the technology to access healthcare services online as well as the new emerging electronic health record systems.

CHAIR —How do you do that online? If it is like a Medicare card and is credit card size, how does that allow you to access health information online?

Mr Wilson —My company advocates the use of chip technologies in smartcard readers.

CHAIR —But how would your computer read it?

Mr Wilson —You would use it just like you do an ATM or an EFTPOS terminal. You would have a reader connected to your workstation or terminal at home, you would insert the right card, like a Medicare card, and the chip in the card then talks to the website. The chip, on your behalf, will make sure that you are talking to the real Medicare site and not some fraudulent site or, if you are attempting to talk to a personal health record site, the chip on your behalf can hold back your Medicare number and release just your nickname or your handle. People in psychiatric online counselling sites are going to have their own handle and be completely anonymous. You can protect that anonymity by simply coding or encrypting their nickname into the chip. The chip will communicate to the website on your behalf and make sure that you are going to the right site and then release the information on your behalf that is required to authenticate you. We are seeing a lot of this sort of technology being reused especially in Europe.

CHAIR —Where in Europe?

Mr Wilson —The most advanced system is actually in Estonia.

CHAIR —Really? How extraordinary.

Mr Wilson —When I say ‘advanced’, there are chip cards that are used for multiple applications.

CHAIR —I see; they are not just used for health.

Mr Wilson —They are used for multiple health applications: health records and prescriptions as well as rebates. France has had a smart health card for over 10 years, but it is fairly low-tech. It is just about taking magnetic stripe information and securing it in a chip, and it is not used online. But I believe that the French technology has been refreshed so that you can start to use it online at home. That may be the case with the German card, but that has not been determined yet.

Ms REA —That is very interesting.

Mr Wilson —Estonia’s national card is a really interesting program. They do internet voting using the card.

CHAIR —Voting as in national elections?

Mr Wilson —Election voting.

Ms REA —Is it a smart card? Is it a multipurpose card?

Mr Wilson —Yes, it is.

Ms REA —Does it include health?

Mr Wilson —In Estonia, yes.

Ms REA —It would be interesting to know what their security issues are. Have they identified security issues with having all of those applications on one card? That was an issue that you raised earlier.

Mr Wilson —Yes. The card has been engineered from the outset with those advanced encryption technologies in the chip. It is also optional, I believe. It is not compulsory to use your card to vote online. It is an extra that people are electing, pardon the pun, to do or not. That level of consumer acceptance and consumer election is always going to be important.

CHAIR —I do not think we would want to do that first off. I think most people would see that as some sort of conspiracy.

Mr Wilson —I agree, Chair, that that would be a step too far in the first instance.

Ms REA —But I am interested that there is a country that has got quite a sophisticated level of applications on one card. There must be some learnings coming out of there. What do they do, for example, about lost cards and all of those sorts of things? Is that data protected?

Mr Wilson —Definitely. They have an encrypted database for replacing lost cards and there are protocols for facing up to a government agency and proving your legitimacy to retract or reproduce a lost card. I certainly do not advocate the one-card-fits-all approach in the Australian environment or indeed as a cybercrime response. What I am suggesting to you is that there are these smart technologies that are congruent with our existing relationships. So what I do suggest is that the Medicare card could have a chip in it and be used to conduct health care relationships online securely in the same way that your bank card has probably got a chip in it now, if you check. Increasingly, those chip cards are going to be used online to do secure internet banking. I think that we should be mapping things from the real world onto the online world and preserving those relationships and keeping things separate.

CHAIR —I imagine there is a great deal of advantage in terms of how you could record things. You could record what you are allergic to and your blood type. If it included prescriptions, it could record what other prescriptions you have, whether you prefer to have no-name prescriptions when you go to the pharmacy—a range of things which would make it more effective in terms of your personal health care.

Mr Wilson —Again, going back to cybercrime, one of the intelligent things that these chips can do is without revealing to the world—and certainly without revealing everything to a central database—they can self monitor how they are being used and they can look out for abuse, if you like, intelligently and locally.

One of the problems in health care—it is not a huge problem, but it is a problem—is prescription shopping, where somebody will go to a dozen GPs in one afternoon and get precursors for speed or whatever. It is said that you could stop that by data mining every prescription, but I do not think you want to send all mom-and-pop prescription data to Canberra and data mine it to look for the tiny proportion of crime. Instead, you could have your smart Medicare card involved with the prescription event so that, when the doctor fills out prescriptions for opiates or narcotics, that is flagged in the chip, and the chip will know if you are doing that multiple times.

There is always the convenience trade-off, and some people will say that it would be poor form to limit people’s access because they do not have their chip card. But, on the other hand, if you are dealing with prescribing scheduled narcotic prescriptions, there are rules and barriers in place anyway, and it might be a reasonable trade-off to insist that people involve a chip card in that prescribing event so that the chip can look out for abuse.

It is analogous to the way that chip cards are used to prevent credit card fraud in Europe. In Australia, our EFTPOS system is largely online, which is why we have relatively low rates of card fraud in Australia, but in Europe, because telecommunications is more expensive, your retailers are usually offline. The crooks know that, so they can take a stolen credit card and they can buy 10 VCRs—there are no VCRs anymore, are there?—or they can buy 10 DVDs.

CHAIR —I think they are still around; I do not think many people use them!

Mr Wilson —You know what I mean. You can make 10 huge purchases without busting the credit limit. But the chips now have come in, and the chips will actually keep tally of your credit card transactions in the chip, so if you try and buy more than €1000 worth of stuff in one day the chip itself will block the transaction. It is a lesson, a learning, about how these intelligent technologies can curtail crime in a decentralised way. We are not talking about taking every transaction and sending it centrally and data mining it, but rather we are saying, ‘Let’s use the technology locally.’

That is all about card abuse, but equally these technologies can protect people against misadventure online, because they can check the validity of websites. We heard previously that browsers now can flag a green light or a red light. All of these things are good measures, but there is an arms race going on, and phishing sites can beat those traffic light colours in a variety of ways.

Ms REA —Already?

Mr Wilson —Already. So what you need to do is to peer deeper into the cryptographic codes that are being exchanged between the browser and the website.

CHAIR —‘Fast flashing’ or whatever it is called; isn’t it?

Secretary —Fast fluxing.

CHAIR —Fluxing.

Mr Wilson —Yes. It is beyond the ability of the lay user to check out those codes for themselves. What you could do is put that into the chip so that when you access an important website the chip in your card is communicating to the website, knocking on the door and checking the answer as to who is there.

CHAIR —Fascinating.

Ms REA —I found that very informative.

CHAIR —I have to say it was absolutely fascinating. It has not only given me great ideas for this particular inquiry but also given me great ideas for my other areas of interest, so I very much appreciate your coming in.

Mr Wilson —I hope that is useful.

CHAIR —Thank you for appearing.

Mr Wilson —I would like to just add that, on the point of the anxiety that these technologies generate, I do understand that, but it is somewhat disproportionate when you look at SIM cards. I think we spoke before about learnings. Some of the most important learnings are actually in Australia, where we have a whole generation now of experience with smartcard technology in the form of SIM cards. My kids have an amazing first-hand understanding of SIM cards. They know about the importance of the PIN. They know that, if they swap a SIM into another phone, your phone numbers go with it by magic. They have also experienced SIM lock, where you cannot put the SIM into some handsets. That is a privacy sort of issue.

All of those learnings, I think, are really important. We use SIM card technology without giving a second thought to the idea that we have a smartcard in our phone that might be monitoring what we are doing, because it does not. I would like to suggest that we could take a more level headed view of some of these smartcard technology options if we drew the parallels with the SIM card. SIM cards are obviously subject to telecommunication regulation and a whole lot of frameworks that prevent abuse and regulate their use, but we are in an environment where people no longer have that level of anxiety that maybe somebody is monitoring their phone calls just because they have a smartcard in their phone.

It is a really deep learning that we take this sort of stuff for granted, and yet when somebody comes along and suggests a progressive idea like a smart Medicare card then it sends the hares running on the basis of anxieties that the technology would be an aid for surveillance or an aid for monitoring. In fact, it can be just like SIM lock. SIM lock means that if you put your SIM into another handset it will not work. If I had a smart Medicare card, I could put it into an ATM and it would not work, or a hacker could take my smart Medicare card and put it into a reader, but it would not work, because of SIM lock.

I would just like to close on that note. We have a technology that is about 20 years old that is well habituated and well embedded in a lot of what we do. Certainly, in terms of cybercrime, the same technology could be leveraged again in things like smartcards.

CHAIR —Thank you very much, Mr Wilson. Our committee may contact you again if we have further matters. Thank you again.

Proceedings suspended from 12.36 pm to 1.33 pm