21 August 2007

Electronic Frontiers Australia (EFA) submission on the Exposure Draft
of the Human Services (Enhanced Service Delivery) Bill 2007

1. General Comments on the Access Card proposal

EFA is opposed to the introduction of the Access Card in its proposed form. Our opposition rests largely on privacy concerns arising from the following issues:

Despite claims that the Access Card is not meant to be a universal ID Card, its design has many characteristics of an ID card, e.g.
  • effectively universal coverage;
  • mandatory photo on the surface;
  • mandatory signature on the surface;
  • optional date of birth on the surface;
  • very strict requirements for proof of identity which will enhance the card's reputation as an identity document.

The requirement for a biometric quality photograph will create a national high-quality photo database of almost every adult Australian citizen or resident. This is a tool that could be readily abused by authorities in the future, no matter what protections are built into the introductory legislation. For example, developments in biometric technology could readily enable routine scans of crowds or individuals in public places, to be matched against a photo database. The temptation for a future government to utilise information in this way, e.g. as a new tool in the "war on terror", may well prove irresistible. EFA holds grave concerns that the fraud-prevention justification advanced for the use of biometrics cannot be sustained in practice, and that ulterior motives therefore exist.

The assignment of a universal identifying number to every adult Australian opens up the future possibility of large-scale data-matching with other personal information held by government. Again, current promises about protection of data are unpersuasive unless they irrevocably bind all future governments. As legislation cannot effectively bind future governments, and the technology proposed for use with the Access Card is specifically designed to allow future changes and expansion of the system, the Access Card proposal should not proceed for this reason alone.

EFA is not opposed to the introduction of new technology to improve efficiency in delivery of government services, and we acknowledge that the Medicare Card in particular is due for replacement. However, we can see no justification for bundling delivery of welfare benefits with health care (whether for veterans or ordinary citizens). These services have distinctly different characteristics that impose compromised requirements when they are combined into a single system, e.g.
  • the welfare system provides direct financial payments and is admittedly open to identity fraud, although the claims made for the magnitude of this fraud have not been well substantiated;
  • the health care system involves reimbursement of costs of delivery of services by health care practitioners, and is essentially an insurance claim, with premiums paid via taxation levies. The opportunity for financial fraud by recipients has not been identified as a key problem in the present system;
  • the current Medicare Card is commonly issued to a family, and the system will be complicated by the need to issue Access Cards to individuals;
  • given that Medicare has been touted in the past as an agency suited to privatisation, the incorporation of Medicare Cards into an all-inclusive government access card will severely limit the opportunity for privatisation of this or other services in the future.

EFA is therefore concerned that excessive and privacy-intrusive identity requirements are being introduced to solve alleged welfare fraud, but are being imposed upon the population universally, including upon those segments of the population whose only access to government services is for health care. EFA cannot support such a proposal, but would be open to consideration of alternative proposals that are less privacy-intrusive and which more realistically recognise that health care has vastly different characteristics compared with welfare delivery.

2. Specific comments on the Exposure Draft

Title of the Act

EFA considers the title indicated by the draft Bill, i.e. "Human Services (Enhanced Service Delivery) Act 2007", is highly misleading. We are of the view that the Act should have a name that makes it readily apparent to the general public what the Act is about. We submit that it should be named the "Human Services (Health and Social Services Access Card) Act".


chip means a microchip or any other device that stores information.

This definition should be amended to the type of microchip intended to be placed in the Access Card, or at the least limited to a contact chip/device. The proposed definition would permit the use of a contactless chip, which carries significantly greater security/privacy risks, without Parliamentary or public scrutiny and/or the use of any other 'device' with less effective security mechanisms than the type of chip which the government has stated will be used.

document includes:
(a) any paper or other material on which there is writing; and
(b) any paper or other material on which there are marks, figures, symbols or perforations that are:
(i) capable of being given a meaning by persons qualified to interpret them; or
(ii) capable of being responded to by a computer, a machine or an electronic device; and
(c) any article or material from which sounds, images or writings are capable of being reproduced with or without the aid of any other article or device.

This definition, in conjunction with the broad powers to be granted to the Secretary, would enable the Secretary to demand finger prints, iris scans, etc for inclusion on or in the card and in the national ID database (Register).

The definition should be amended to exclude paper or "other material" on which there is any biometric information/data other than facial data. If the government plans to require the provision of finger prints or iris scans etc either in the short or long term future, such plans should be required to be the subject of public and Parliamentary scrutiny.

legal name of an individual means:
(a) the name on a certificate, entry or record of the individual's birth, being a certificate granted or entry or record made by the Registrar of births, deaths and marriages (however described) of a State or Territory; or
(b) the name on the individual's Australian passport issued under the Australian Passports Act 2005; or
(c) the name on:
(i) a certificate of citizenship granted to the individual under the Australian Citizenship Act 1948; or
(ii) a notice given to the individual under section 37 of the Australian Citizenship Act 2007; or
(d) the individual's name as shown on a certificate, entry or record of the individual's marriage made by the Registrar of births, deaths and marriages (however described) of a State or Territory; or
(e) a name adopted by the individual on marriage, if that name consists of:
(i) the individual's given name or names, as shown on the certificate, entry or record of marriage made by the Registrar of births, deaths and marriages (however described) of a State or Territory; and
(ii) the family name of the other party to the marriage, or a combination of the family names of both parties to the marriage, as shown on that certificate entry or record; or
(f) the name included, by way of effecting a name change of the individual, on a register kept under a law of a State or Territory by the Registrar of births, deaths and marriages (however described) of the State or Territory; or
(g) if none of paragraphs (a) to (f) apply to the individual—the name on a passport issued to the individual by a foreign country; or
(h) if none of paragraphs (a) to (g) apply to the individual—the name on a document prescribed by the regulations.

The definition and information provided in the explanatory material concerning the new term "legal name" is inadequate and unclear. Among other things, who will determine which of the names on the documents listed is an individual's "legal name"? This definition appears intended to give the government/DHS the power to decide what a person's name is instead of the person. Further, will the "legal name" be able to be changed at a future time when, for example, a person marries, or a person reverts to a previous name after divorce or death of the spouse, or changes their name by Deed?

The list of documents appears to have been extracted from the Passports Act (which does not use the term "legal name") and used without due regard for the different context. Persons applying for an Australian passport are limited to Australian citizens and are therefore generally likely to have one or more of the Australian-issued documents in (b)-(d) if they do not use the name on their birth certificate. However, persons from overseas who are entitled to Medicare refunds (including temporary residents from countries with reciprocal arrangements), and those who are entitled to government provided benefits, are not limited to Australian citizens and are significantly less likely to have a document in (b)-(d).

Individuals from overseas may be using a name that is on a marriage certificate, or deed of name change, issued in another country. These individuals will apparently be forced to have as their "legal name" the name that is on their birth certificate. For example, a woman who married overseas will not be able to have her married name as her "legal name" unless she pays to have her name changed by deed poll in an Australian State/Territory. This would result in no more surety as to "who the person is" than if DHS allowed the person to have, as their legal name, the name on an overseas marriage certificate, or on a passport issued by another country, etc.

EFA submits that the list of documents allowed to be used to prove name must be extended to include other documents such as other countries' passports and marriage certificates.

EFA objects to a new concept of a "legal name" whether determined by the government or otherwise, being introduced into Australian law. Individuals should continue to be able to use, as a matter of general practice, the name they wish and DHS agencies should be required to respect an individual's preference, not force them to have a so-called "legal name" recorded in the national ID database (Register).

Objects of the Act

7 Objects of this Act
(1) The objects of this Act are: ....

(e) to permit access card holders to use their access cards for such other lawful purposes they choose.
(2) It is also an object of this Act that access cards are not to be used as, and do not become, national identity cards.

Objects 1(e) and 2 are inconsistent. On the one hand the Access Card has been designed so that it can be readily used as an ID card, and on the other hand it is claimed that it is not to be used as a national identity card. The proof-of-identity standards that will be applied to registration for the card will ensure that it becomes a de facto national identity card.

If it were truly the objective of the Act to ensure that access cards "are not to be used as, and do not become, national identity cards" then the legislation should be amended to specifically prohibit their use as general purpose identity cards. That is, it should be an offence to ask for or to accept an access card as a form of identification.

Powers to demand and store information

19 Applying for registration
(1) An individual may apply to the Secretary to be registered by:
(a) lodging a written application in accordance with subsection (2); or
(b) making an application (whether or not in writing) in a manner approved by the Secretary.
(2) For the purposes of paragraph (1)(a), a written application must:
(a) be in the form approved by the Minister; and
(b) include, or be accompanied by, the information and documents required by the form; and
(c) be lodged at a place, or by a means, specified in the form.
(3) In approving a form under paragraph (2)(a), the Minister must:
(a) consult with the Privacy Commissioner; and
(b) take into account any comments made by the Privacy Commissioner.
(4) For the purposes of assessing an individual's application, the Secretary may request the individual to give the Secretary specified additional information or a specified additional document that the Secretary considers is needed:
(a) in order to be satisfied that the individual is eligible to be registered; or
(b) in order to be satisfied of the individual's identity.

The types of information and documents required for registration should be specified in the legislation, not left to the Secretary to determine, and identity guidelines proposed to be determined by the Minister should also be specified in the legislation.

Further, as mentioned earlier herein, these provisions together with the definition of "document" would enable the Secretary and/or Minister to determine that fingerprint, iris scan, etc. information is required. This should not be permitted.

The remarks above also apply to s41 concerning "Applying for an access card" which contains similar provisions/powers to s19, although it is not clear why individuals apparently need to apply for registration independently of applying for an access card.

Information in the Register

These comments refer to information to be stored in the Register (s33 to s38).

There is no explanation for the inclusion of awarded honours or military rank. These items have no obvious relevance to the purpose of the Register.

benefit cards
Since the purpose of the Access Card is to replace benefit cards, there is no obvious reason why this information should be in the Registry.

Information on the card surface

71 Information relating to an individual that must be on the surface of an access card when it is issued
Information that must be on the surface
(1) Information relating to an individual must be on the surface of the individual's access card when it is issued if:
(a) the Secretary has the information at the time when the Secretary makes the issue decision for the card; and
(b) the information is of the kind specified in an item of the following table.
Information relating to an individual that must be on the surface of the individual’s access card when it is issued
if the individual's photograph was taken in accordance with subparagraph 42(1)(d)(i), 58(1)(e)(i) or 64(1)(d)(i)—that photograph;
if the individual provided his or her signature in accordance with subparagraph 42(1)(e)(i), 58(1)(f)(i) or 64(1)(e)(i)—that signature digitised;
date of birth
the individual’s date of birth;
DVA information ....

EFA submits that prior to/during registration individuals should be given the option of choosing whether or not their photograph will be printed on the surface of their Access Card.

We note that both the Consumer and Privacy Taskforce and the Senate Committee expressed reservations about including photograph and digitised signature on the surface of the card. Given that a smartcard's properties enable such information to be recorded in a protected manner in the chip itself, and that the information is also recorded in the registry database, the need to have the same information on the surface is highly questionable.

In addition, there is demonstrated tension between preventing identity fraud and ensuring that individuals are provided with services to which they are entitled. We contend that if a photograph on the surface is used in the way that DHS apparently plans, i.e. that doctors, pharmacists, etc, become responsible for preventing identity fraud, it is very likely that some individuals will be incorrectly denied services due to human inability to accurately match photographs with unknown faces, while the majority of fraudulent cards are likely to be accepted. This issue is of critical importance and fundamental to EFA's overall objection to the Access Card concept. We expand in further detail on this matter in Photograph on surface of Access Card (section 4 below).

The inclusion of date-of-birth and DVA information as items that must be on the surface of the card is confusingly contradicted by s72:

72 Information relating to an individual that must not, or need not, be on the surface of an access card when it is issued
Information that must not be included on the surface
(1) Despite section 71, information relating to an individual must not be on the surface of the individual's access card when it is issued if a circumstance specified in an item of the following table applies to the information.
Information relating to an individual that must not be on the surface of the individual’s access card when it is issued request not in force
(a) the information is of the kind specified in any of the following provisions of the table in subsection 71(1):
(i) item 6 (birth date);
(ii) paragraph (a), (b), (c), (d), (e) or (f) of item 7 (DVA information);
(iii) item 8 (blind disability support); and
(b) before the day the Secretary made the issue decision for the access card, the individual did not request the Secretary to include the information on the surface of the individual’s access card, or did so request but withdrew the request before that day;

The intent appears to be that date of birth, DVA information and blind disability support information are optional rather than mandatory items on the surface of the card, yet the legislation is drafted in such a clumsy way as to imply the opposite if s71 is read without reference to s72. There is no obvious reason why this confusion should exist, and EFA recommends that these sections be completely re-worded to clearly distinguish mandatory items from optional items.

74 Information relating to the access card holder that may be in the chip
(2) Information relating to an individual may be in the chip in the individual's access card at the change time if:
(a) the information is technical information (for example, a personal identification number or serial number for the chip) that:
(i) assists in the proper functioning of the chip; or
(ii) protects information in the chip; and
(b) only the Secretary is able to access the information.

The above information includes potential personal information but this information does not appear to be protected information under the proposed legislation.

Information in the chip

These comments apply to s73 to s77.

Given the claim that the photograph needs to be printed on the surface, the question arises as to why any personal data at all needs to be mandatorily stored on the chip. Personal information that will not be mandatorily on the surface, such as date of birth, is already stored in the Register and in DHS agencies' databases and these agencies' staff will presumably continue to have online access to those databases for necessary purposes as they do now. Therefore, why does this same information have to be duplicated on the chip?

The only information that needs to be stored on the chip apart from identifying numbers is information that needs to be read in an offline environment, e.g. concession status. The additional information is redundant and its presence invites cracking of lost and stolen cards in order to obtain identity information.

It is not clear how personal information on the chip will be protected so that the information required for particular usage is segmented, e.g. when a card is read offline by a business which offers concessions, what protection prevents the reader being modified to access personal data in the chip?

In relation to Pensioner Concession Card information, we note that this information is not recorded in the Registry. It is therefore not clear how a card would be reproduced if lost. The need for this additional data, e.g. address, also needs to be questioned. If the information is stored for a perceived need to replicate data that is currently printed on a concession card, the need for organisations offering concessions to know card holders' addresses needs to be questioned.

Information stored on the card about a principal, e.g. a child, appears to be present in order to simulate current practice of issuing Medicare cards to families rather than to individuals. However, this will presumably necessitate including children on the cards of both parents so that either can claim Medicare benefits on behalf of children. However, this information is not stored in the Register, which would appear to present problems in replacing lost or stolen cards.

EFA is pleased to note that the troublesome "private area" of the chip has been eliminated from the current proposal.

Accessing Protected Records

These comments apply to s94 to s98.

The offences that are likely to apply to public servants who unlawfully misuse their access to the register or to protected information carry a maximum penalty of 2 years jail. This is inadequate and suggests that the Commonwealth is not serious about protecting people's private information on the register from public servants, especially when compared against the 10-year offences elsewhere in the Act.

Given the high likelihood that public servants who do abuse their access to the register will be dealt with internally (i.e. counselled, cautioned, suspended or fired) rather than prosecuted, there should be a requirement for an annual report to Parliament of incidents where this type of activity has occurred.

s97 prevents people from accessing information in the chip in their *own card*, because only the Secretary, in writing, can authorise someone to access such data.

Further, there should be an exception to s97 and s98 to allow appropriately qualified security researchers to test the security of the access card system.

Permitted Disclosures

These comments apply to s100 to s118.

EFA has concerns about disclosure of identity information to other agencies, e.g. law enforcement and Dept. of Immigration. The assumption inherent in these provisions is that individuals are able to be identified by running a photograph against the biometric photographs stored in the Registry and thereby identifying the individual. However, this assumption fails to take into account that facial recognition is not an exact science, and is far less reliable than, say, fingerprinting.

The assumption that individuals can and should be identified using data collected for Access Card registration fails to recognise that the result of such a search will be a potentially very large number of possible matches ranked by probability. No consideration has been given to the high likelihood of misidentifying a person and the consequences for the individuals concerned. This is of particular concern if the unknown person is suspected of a crime. The bland and bold assertions made for the accuracy of biometric facial matching need to be countered by realistic consideration of the problems that may arise from erroneous conclusions about identity.

Access to the database by the Immigration Department is strongly questioned. Repeated claims have been made that such access will prevent re-occurrences of the Cornelia Rau situation, yet no evidence is presented that the proposed system will be capable of precisely matching a photograph taken at a different time with an image stored in the Access Card database.

EFA's concerns about claims made for the accuracy of facial biometrics are expounded in detail in Access Card Biometrics (section 3 below).

EFA believes that a warrant should be required for law enforcement access to the database, and that the definition of "serious offence" needs to be set to a higher threshold than 2 years. However, we endorse the general protection of privacy and reporting provisions that have been incorporated in the disclosure exceptions permitted in s100 to s118.

Offences for doing things to access cards

132 Defacing or damaging someone else's access card
A person commits an offence if the person:
(a) defaces or damages an access card; and
(b) is not the holder of the access card.
Penalty: Imprisonment for 5 years or 500 penalty units, or both.

The penalty for this offence is excessive relative to the nature of the offence.

3. Access Card Biometrics

The Department of Human Services ("DHS") has made a number of claims about expectations of performance and accuracy of one-to-many matching of facial biometric technology as part of the registration process. These claims go to the ability of the system to detect fraudulent registrations, i.e. attempts by applicants to register twice under different names, and therefore appear to form part of the cost justification for the system.

The proposed biometric database will possibly be the world's largest rollout of a system designed for one-to-many matching. As such, the expected performance of the system needs to be demonstrated. The claims made for the technology do not appear to be supported by available information about the current state of the technology.

3.1 Claims made about the technology

3.1(a) One-to-many matching

Two kinds of claims have been made by the Department about the capabilities of the biometric technology in a one-to-many matching situation:

  1. That potential registrants can be screened against the database to ensure that duplicate registrations cannot be made.
  2. That in a situation such as that of Cornelia Rau, if the person was registered with the system, they could be readily identified from a current photograph, i.e. "unknown person" searching.

3.1(b) Registrant matching

The government has stated on a number of occasions that the registration process will include facial matching of new enrolments against the existing biometric photo database, e.g.:

Biometric Photo
The use of a biometric photo in the access card system is required to reduce health and social service fraud and to help protect customers from identity theft.
Two types of biometric photo comparisons can be made by authorised agency staff to verify a customer's identity:
- One-to-many matching to determine if an individual matches someone already on file under a different name. One-to-many matching will be conducted before an access card is issued to protect the integrity of the registration process.
- One-to-one matching after the card has been issued to confirm an individual's identity, for example where a person's appearance has altered from the photo on the card.

Post Registration Checks
There will be a number of system checks before the access card is ready to be issued to the customer. These quality assurance checks provide a high level of assurance for the system and include:

  • A one-to-many facial recognition template check
  • Proof of identity verification using the Document Verification Service

Once the checks are completed the information will be stored in the secure Customer System.

The Access Card System (13-Dec-2006)[5]

This dual check of the Proof of Identity (POI) documentation and the attempted matching of the photo against existing photographs in the database is illustrated below (Source: Access Card Consumer and Privacy Presentation (13-Dec-2006)[6]).

[Figure: Registration Process]

This plan is confirmed in the Overview of the second access card procurement process (31-Jan-2007)[7]:

"For the access card, biometric technology measures characteristics of your photograph to prevent people from trying to register twice to defraud the system."

Given that face-matching checks during the registration period will need to be made at an average rate of 32,000 per day (as estimated in the DHS submission to the Senate Committee inquiry), the demands placed on the personnel responsible for manually checking the ranked matches will be substantial. Each search of the database, which we understand will be carried out on a nightly batch basis, will return a number of possible matches, ranked in probability order. Registration staff will then be required to make a visual determination of whether any of the computer-matched photos is the same person as is currently being registered. Given the known unreliability of human matching of unfamiliar faces (see Section 4.3(a) under Photograph on Surface later herein), this process is likely to be extremely error-prone and therefore likely to miss duplicate registrations or make unfounded accusations of fraud against innocent citizens.
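The reviewer workload described above scales with the size of the photo database and the per-comparison false match rate. The sketch below is an added example, not part of the EFA submission or any DHS material: only the 32,000 searches per day comes from the text, while the gallery size and the normal score distributions are constructed assumptions.

```python
"""Added illustration: operator workload for one-to-many face matching.

Only SEARCHES_PER_DAY is taken from the submission. Every other parameter
is a constructed assumption, not a DHS or vendor figure.
"""
import math

SEARCHES_PER_DAY = 32_000     # average daily rate quoted in the text
GALLERY_SIZE = 16_000_000     # ASSUMPTION: photos already enrolled

# ASSUMPTION: similarity scores in [0, 1] modelled as normal distributions.
IMPOSTOR_MEAN, IMPOSTOR_SD = 0.30, 0.10   # photos of two different people
GENUINE_MEAN, GENUINE_SD = 0.80, 0.10     # two photos of the same person


def _upper_tail(x, mean, sd):
    """P(score >= x) for a normal distribution (stable for tiny tails)."""
    return 0.5 * math.erfc((x - mean) / (sd * math.sqrt(2)))


def false_match_rate(threshold):
    """Chance that one comparison of two different people scores >= threshold."""
    return _upper_tail(threshold, IMPOSTOR_MEAN, IMPOSTOR_SD)


def false_non_match_rate(threshold):
    """Chance that a real duplicate scores below threshold and is missed."""
    return 1.0 - _upper_tail(threshold, GENUINE_MEAN, GENUINE_SD)


def expected_false_candidates(fmr, gallery_size):
    """Mean number of innocent look-alikes returned by one search."""
    return fmr * gallery_size


def prob_any_false_candidate(fmr, gallery_size):
    """1 - (1 - fmr)^N: chance a search returns at least one false candidate."""
    if fmr >= 1.0:
        return 1.0
    return -math.expm1(gallery_size * math.log1p(-fmr))


def sweep(thresholds):
    """Tabulate the trade-off a system operator faces at each threshold."""
    rows = []
    for t in thresholds:
        fmr = false_match_rate(t)
        per_search = expected_false_candidates(fmr, GALLERY_SIZE)
        rows.append({
            "threshold": t,
            "fmr": fmr,
            "fnmr": false_non_match_rate(t),
            "false_per_search": per_search,
            "p_any_false": prob_any_false_candidate(fmr, GALLERY_SIZE),
            "false_per_day": per_search * SEARCHES_PER_DAY,
        })
    return rows


if __name__ == "__main__":
    header = f"{'thresh':>6} {'FMR':>10} {'missed dup.':>11} " \
             f"{'false/search':>12} {'false/day':>12}"
    print(header)
    for r in sweep([0.70, 0.75, 0.80, 0.85, 0.90]):
        print(f"{r['threshold']:>6.2f} {r['fmr']:>10.2e} {r['fnmr']:>11.1%} "
              f"{r['false_per_search']:>12.2f} {r['false_per_day']:>12.0f}")
```

Under these assumed distributions, a threshold strict enough to keep the human review queue small also misses most genuine duplicates, which is the tension the paragraph describes.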

The government's explanation of the technology here suggests that the process is relatively quick and easy:
Unfortunately the demonstration example uses an identical photograph for matching purposes, which is hardly a real-life scenario. Granted, this is obviously a vendor demonstration, but the use of such an example does not inspire confidence.

It is understood that the Document Verification Service, the other major component in verifying identity, is unlikely to be available until 2010. With both parts of the POI process under something of a cloud, the foundation on which the system is being built looks very shaky indeed.

3.1(c) Unknown Person searching

Whether the proposed system could be of assistance in a future Cornelia Rau situation, as is proposed to support the inclusion of s112 in the Exposure Draft, remains open to speculation. It is well established that this technology becomes more unreliable as the time elapsed since the original photograph increases, and the ravages of time may well make it very difficult to visually identify an unfamiliar face from a list of possible matches, particularly if the person involved has been retrieved from a hostile physical environment as was the case with Cornelia Rau. Glib responses suggesting that such persons could be "quickly identified" need to be backed up with case studies demonstrating that the technology is actually capable of such a feat.

3.1(d) One-to-one matching

Two types of biometric photo comparisons can be made by authorised agency staff to verify a customer's identity:
- One-to-one matching after the card has been issued to confirm an individual's identity, for example where a person's appearance has altered from the photo on the card.

The Access Card System (13-Dec-2006)[9]

Although not concerned with registration, this aspect of the system severely impacts on consumer acceptance of the proposed system. This particular functionality of the system does not appear to have been widely discussed in briefing papers or hearings, and therefore the scenarios in which it might operate are not clear. A verbatim understanding of this proposal would suggest that biometric booths, similar to the Smartgate system to be installed at airports, would necessarily be installed at agency offices, but the circumstances in which clients would be asked to submit to being re-photographed "to confirm an individual's identity" are by no means clear.

Since this process is likely to be a rather confronting situation for clients, some questions arise:

  • is it expected that agency staff will be unable to visually match some clients with their photograph, and if so, with what frequency will clients be asked to be photographed again?
  • if agency staff are expected to have problems matching clients with their presented photograph, how can doctors' surgery and pharmacy staff be expected to perform this task?
  • how many agencies will have this photo-matching equipment installed?

It would seem that the equipment required would be somewhat different from that required for initial registration, in that it would need to be linked to biometric software installed in agency offices, rather than being operated as a specialised back-office function as in the registration task.

However, answers given by Mr Graham Bashford, Acting Head, Office of Access Card to a Senate Estimates Committee hearing in May 2006, indicate that there is no plan to deploy facial recognition booths at agency offices:

"Senator CAROL BROWN—Senator Stott Despoja just mentioned the biometric photograph: can you explain what it is?

Mr Bashford—It is a photograph that is taken under controlled conditions which measures distances across your face.

Senator CAROL BROWN—And that is going to be part of the access card?

Mr Bashford—It will be on the card, in the chip, and on the database.

Senator CAROL BROWN—So the government plans to introduce some sort of facial recognition scanners at the service points?

Mr Bashford—No, it plans to have a registration process—and again, this is preliminary and could change. The thinking is that we would take a photograph under controlled conditions at the registration process. That photograph would be on the card, in the chip, and on the database. When the customer presented that card into a reader at the desk that photograph would be checked against the database. If there were a mismatch then that would raise an alarm."

Not only is this statement contradicted by the December 2006 statement about the intention to perform one-to-one matching, but it also suggests a very unusual design approach to card validation. How secure is the proposed smartcard system if there are doubts about the integrity of the biometric photo on the card?

EFA therefore believes that the use of biometric one-to-one matching needs to be far better explained so that the contradictions and conundrums about the implementation can be resolved.

3.2 Performance of Face-matching technology

A number of studies have been made in recent years about the accuracy of face-matching technology, both in the one-to-one (authentication or verification) scenario and in the one-to-many (identification) scenario.

A Report on Biometrics and Government[10] by the Parliamentary Library, Canada summarises the trade-off between false rejection and false acceptance errors:

"The accuracy of a biometric recognition system is characterized by two error statistics:
the false rejection rate, where the system identifies two biometric measurements from the same person as being from two different persons; and the false acceptance rate, where biometric measurements from two different persons are identified as being from the same person.

These two error statistics are related, and there is a trade-off between the two rates in every biometric system. Both rates are functions of the system’s "decision threshold" – a value determined by the system’s designer or operator that defines when a match is declared. Scores above the threshold value are designated as a "match" and scores below the threshold are designated as "non-match." If the threshold is decreased to make the system more tolerant to input variations and noise, then the false acceptance rate increases. On the other hand, if the threshold is raised to make the system more secure, then the false rejection rate increases. The point at which a system’s false rejection rate is equal to the false acceptance rate is known as the equal error rate. The smaller this rate, the more accurate the system as it indicates a good balance in sensitivity. Besides the above error rates, the failure-to-capture rate and the failure-to-enrol rate are also used to summarize the accuracy of a biometric system.(7)

Accuracy claims provided by equipment vendors must be carefully scrutinized since only one of the statistics described above may be cited by vendors to support their claims; accuracy rates provided by vendors generally have been determined from tests or operations with small-scale recognition systems under controlled conditions; and the accuracy requirements of a biometric system are dependent on whether the system is being used for verification or for identification."
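
The threshold trade-off described in the passage above can be seen on a small score set. The following Python sketch is an added example, not part of any cited report; the similarity scores are constructed for illustration, and a score equal to the threshold is treated as a match.

```python
# Constructed similarity scores (0..1), not data from any real system.
# GENUINE: two images of the same person. IMPOSTOR: two different people.
GENUINE = [0.91, 0.85, 0.78, 0.74, 0.69, 0.66, 0.58, 0.52, 0.47, 0.35]
IMPOSTOR = [0.62, 0.55, 0.49, 0.44, 0.41, 0.38, 0.33, 0.29, 0.24, 0.18]


def far(threshold, impostor=IMPOSTOR):
    """False acceptance rate: share of impostor pairs declared a match."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False rejection rate: share of genuine pairs declared a non-match."""
    return sum(s < threshold for s in genuine) / len(genuine)


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Return (threshold, rate) where FAR and FRR are closest to equal.

    Only observed scores are tried as thresholds, because FAR and FRR
    change nowhere else.
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        a, r = far(t, impostor), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, a, r)
    _, t, a, r = best
    return t, (a + r) / 2


if __name__ == "__main__":
    print("threshold   FAR    FRR")
    for t in (0.30, 0.50, 0.70):
        print(f"   {t:.2f}    {far(t):.2f}   {frr(t):.2f}")
    # A claim of "zero false acceptances" is true at threshold 0.70,
    # but at that setting 60% of genuine users are rejected: one
    # statistic quoted alone says little about the system.
    t, eer = equal_error_rate()
    print(f"equal error rate {eer:.2f} at threshold {t:.2f}")
```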

The Face Recognition Vendor Test (FRVT) conducted by the National Institute of Standards and Technology (NIST) in the USA is recognised as the main independent test of facial biometrics. The 2002 version of this test (FRVT2002[11]) concluded that one-to-many testing against watchlists was subject to severe performance degradation with increase in database size:

"One open question in face recognition is: How does database and watch list size effect performance? Because of the large number of people and images in the FRVT 2002 data set, we were able to report the first large-scale results on this question. For the best system, the top-rank identification rate was 85% on a database of 800 people, 83% on a database of 1,600, and 73% on a database of 37,437. For every doubling of database size, performance decreases by two to three overall percentage points. In mathematical terms, identification performance decreases linearly with respect to the logarithm of the database size."

The 2006 tests (FRVT2006[12]) of controlled illumination images showed a significant (order of magnitude) improvement in performance compared with the 2002 tests, but strangely no one-to-many tests were conducted in 2006. The tests demonstrated an average benchmark of a False Rejection Rate of less than 2% (absolute rate 0.02) for a threshold False Acceptance Rate (FAR) of 0.1% (absolute rate 0.001).

The following diagram illustrates the error rates (these are absolute rates, not percentages) in FRVT2006 obtained with various algorithms compared with human performance with small datasets (80 face pairs of varying difficulty):

[Figure: FRVT 2006 test results]

While these results show that the technology is now capable of performing better than humans, and that the technology has improved significantly since 2002, the results still show a significant error rate, especially when it is considered that these tests were conducted in a strictly controlled experimental test on relatively small sets of data in a one-to-one matching scenario. The results certainly do not give confidence that the technology is capable of accurate performance in a one-to-many scenario with a very large database of several million images as is proposed by DHS.

Recent evaluations of one-to-many face recognition have suggested that the technology performs poorly in real-world scenarios. A 2005 report Biometrics at the Frontiers: Assessing the Impact on Society[13] (Feb 2005) prepared by the European Commission’s Joint Research Centre for the European Parliament’s Committee on Citizens' Freedoms and Rights, Justice and Home Affairs, came to the following conclusion:

"It [face recognition] is unsuitable for large databases and large watchlists, and even for moderately-sized lists it has a mediocre performance. Accuracy drops when the acquisition and test occur further apart in time, suggesting faces may need regular re-enrolment."

A highly cited paper on the technology, An Introduction to Biometric Recognition[14], Anil K. Jain, Arun Ross, and Salil Prabhakar, IEEE Transactions on Circuits and Systems for Video Technology, Vol. 14, No. 1, January 2004, found:

"It is questionable whether the face itself, without any contextual information, is a sufficient basis for recognizing a person from a large number of identities with an extremely high level of confidence."

In 2003, a feasibility report was commissioned by the UK Home Office, to assess the status of various biometric technologies. The Feasibility Study on the Use of Biometrics in an Entitlement Scheme[15] by Tony Mansfield and Marek Rejman-Greene (Feb 2003) made a number of recommendations, including:

"Recommendation 7. Face recognition is not strong enough to uniquely identify one person in a population of 50 million.
  Recommendation 9. Performance of face recognition is satisfactory for watch-lists of size up to approximately 1000."

The report concluded that fingerprints (of four fingers) and iris recognition (using both irises) were the only technologies with error rates low enough to uniquely identify persons in a large population. Obviously these biometrics are more intrusive from a collection standpoint than photographs, but they were initially adopted by the UK government for its ID Card proposal. This project has subsequently been severely curtailed because of the political fallout arising from the proposal.

The Mansfield Report also found:

Excessive number of false alarms
A false alarm occurs when the system mistakenly indicates an attempted duplicate enrolment. Such cases must be resolved manually using other slower and more costly checks. Excessive numbers of such alarms could result in a backlog of unprocessed applications. In some cases, these checks will involve face-to-face interviews at which an innocent applicant may face a false accusation of fraud. If this happens too often, public confidence in the system will be compromised. Because the false alarm rate depends on the size of the database, this problem may become apparent only once a sizable proportion of the population is enrolled, at which point it will not be possible to change many aspects of the system.

3.1.1 Accuracy of a "one-to-many" identity search
In the case of a database search to determine whether an individual already has been enrolled we are concerned with two types of error:
a. False alarms, where an unenrolled person is false matched against one of the existing biometric templates, thereby denying that person their entitlement card, passport or driving licence; and
b. False non-matches, where an enrolled person does not match their enrolment template thereby allowing an application for a second entitlement card, passport or driving licence.

As the person's biometric is compared against every template in the database, the false alarm rate is very dependent on the number of people in the database. As the numbers of subjects in the database increases, the probability of a false alarm increases correspondingly. The false alarm rate depends on the number N of people in the database according to the formula:
          FalseAlarmRate = 1 - (1 - FalseMatchRate)^N
In our case the database size will eventually be approximately 50 million, and yet the false alarm rate must remain very low as each case will require manual (and expensive) checking. With a daily throughput of several thousand applications, a target of less than 1 in 1000 for the false alarm rate offers a reasonable compromise, while a false alarm rate of much above 1% would probably make the system unworkable. This implies that the false match rate for every single comparison must be at most 1 in 10^10 or better. With the known performance of fingerprint, iris and face biometric systems, this requirement mandates the use of multiple fingers, or irises, and confirms that facial recognition is not a feasible option.
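
The Mansfield formula can be evaluated directly for the database sizes mentioned in this submission. The following Python sketch is an added example, not taken from the Mansfield report; it assumes every comparison is independent with the same false match rate, and the figure of 5,000 applications per day is an assumed value for "several thousand".

```python
import math


def false_alarm_rate(fmr, n):
    """FalseAlarmRate = 1 - (1 - FalseMatchRate)^N.

    Computed with log1p/expm1 so that very small false match rates
    (1e-10 and below) are not lost to floating-point rounding.
    """
    return -math.expm1(n * math.log1p(-fmr))


def required_fmr(target_false_alarm_rate, n):
    """Invert the formula: the largest per-comparison false match rate
    that keeps the one-to-many false alarm rate at or below the target."""
    return -math.expm1(math.log1p(-target_false_alarm_rate) / n)


def daily_manual_checks(fmr, n, applications_per_day):
    """Expected number of new applicants per day wrongly flagged as
    already enrolled, each needing a manual check."""
    return applications_per_day * false_alarm_rate(fmr, n)


# Database sizes quoted in this submission.
DATABASES = {
    "watch-list (Mansfield rec. 9)": 1_000,
    "APO passport database": 1_700_000,
    "proposed DHS database": 16_500_000,
    "UK entitlement scheme": 50_000_000,
}

# Per-comparison false match rates to compare:
#   1e-3  = the FRVT 2006 one-to-one operating point (FAR of 0.1%)
#   1e-10 = the "1 in 10^10" requirement stated by Mansfield
RATES = (1e-3, 1e-10)

APPLICATIONS_PER_DAY = 5_000  # assumed value, see lead-in


if __name__ == "__main__":
    for name, n in DATABASES.items():
        print(f"{name} (N = {n:,})")
        for fmr in RATES:
            rate = false_alarm_rate(fmr, n)
            checks = daily_manual_checks(fmr, n, APPLICATIONS_PER_DAY)
            print(f"  FMR {fmr:.0e}: false alarm rate {rate:.6f}, "
                  f"about {checks:,.1f} manual checks per day")
        need = required_fmr(0.001, n)
        print(f"  FMR needed for a 1-in-1000 false alarm rate: {need:.2e}")
```

At a false match rate of 0.001 the false alarm rate is effectively 1 for every database of a million images or more, so almost every new applicant would be flagged for manual checking.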

A June 2005 report by the London School of Economics LSE Identity Project 2005, The Identity Project[16] assessed the proposal for the UK Identity Cards Bill and concluded:

"Facial recognition is not currently sufficiently reliable for the identification of each member of the population and recent trials have shown relatively poor identification performance."

In 2004, the UK Passport Service, in partnership with the Home Office Identity Cards Programme and the Driver and Vehicle Licensing Agency, commissioned trials involving 10,000 voluntary participants to examine various biometrics for identity authentication (i.e. one-to-one matching). Persons enrolling in the trial were required to undertake a verification check immediately after the initial biometric was taken. In the case of the facial biometric this involved taking a second photograph. The results were published in May 2005 as the UK Biometrics Enrolment Trial Report[17].

The report found a very high error rate for the verification process:

"Facial verification success
• Of the three biometrics, the lowest verification success rate occurred with the face. The success rates were 69% for Quota participants, and 48% for Disabled participants, however disability was not a factor. The majority of Disabled participant verifications took place in the mobile enrolment centre where lighting conditions adversely affected all facial verifications.
• Changes in the participant’s appearance also caused verification to fail.
• The facial verification success rate was higher for participants aged under 60 than it was for those aged over 60."

DHS has admitted that the error rate is likely to be substantial. In a written answer to Questions on Notice during the 2007 Senate Committee Inquiry[18] the Department responded:

"32. What is the estimated error rate (both false positives/matches and false negatives/rejects) from the automatic facial recognition technology to be adopted in DHS / DVA offices?

[Answer:] Booz Allen Hamilton advises that on present technology in use error rates are less than 5%. As with the Australian passport a manual checking will also occur for seemingly similar identities. This and future technology improvement is likely to bring the error rate down to a very low number."

It is not clear from that response whether "5%" refers to false negatives or false positives, but in any case it does not give great cause for comfort given the number of applications that are planned to be processed daily.

3.3 Large-scale face recognition in practice

There appear to be very few examples where face recognition is used as a sole identifier on a large scale. It is well known that ePassports conforming to ICAO standards have been issued by a number of countries, including Australia, commencing in 2005. These passports are designed to enable machine verification of identity for border control purposes. However, this application involves one-to-one matching, i.e. a comparison of a real-time photo of the passport holder with the biometric photo stored in the passport chip. This is the basis of the Smartgate system being rolled out in Australian airports in 2007. The automated system is backed up by a manual fallback in case of error or system failure.

However, one-to-many applications are quite rare. The US city of Tampa in Florida introduced a system to scan faces in crowds and compare them against a watchlist of known criminals, but this was withdrawn in late 2003 when it failed to produce any useful results. (Tampa drops face-recognition system[19])

The proposed DHS facial biometrics database is certainly on a scale that does not exist anywhere in the world for one-to-many matching. The nearest in scale would be the Australian Passport Office (APO) database which is used to vet passport applications in a one-to-many scenario. (This is distinct from Smartgate which is owned by Customs and is a one-to-one matching system.)

The APO database has approximately 1.7 million images (information obtained by personal communication) and it is understood that the system is well regarded by the APO, yet this experience would seem to be at odds with experiences elsewhere. The APO uses Cognitec software, which also forms the basis for systems used by Customs (Smartgate).

A 2004 report by the Australasian Centre for Policing Research, Developing a police perspective and exploring the use of biometrics and other emerging technologies as an investigative tool in identity crimes[20] indicates that the NSW Police PhotoTrac system is being used with a database of 350,000 images. The report states that "PhotoTrac is used more as an investigative and time-saving tool rather than as a 'go or no-go' remote ID verification system."

The report also reveals that "The Identity Crime Task Force of the Australian Federal Police is currently using the In-Vestigate(TM) facial recognition system to conduct one-to-many searches to identify potential matches within a photo database returning a series of photos in order of closeness to the match." The In-Vestigate system is also based on Cognitec technology.

However, none of these systems come close in scale to the database of 16.5 million images that the DHS proposes to create, and there appears to be no other system anywhere in the world that deploys this technology for real-time identity checking on such a scale. The claims made by DHS for the capability of the proposed system to reduce fraud need to be verified through a pilot implementation to provide confidence that this proposal is soundly based on empirical evidence rather than vendor marketing claims.

4. Photograph on surface of Access Card

EFA submits that prior to/during registration individuals should be given the option of choosing whether or not their photograph will be printed on the surface of their Access Card.

We observe that the Senate Committee Inquiry in March 2007 reported "The Committee remains concerned that the inclusion of a biometric photograph, as well as the other information on the surface of the card, could trigger public concern about the access card becoming the preferred identity document of most Australians. There is no comparable document issued on a national scale in Australia that contains a photo of biometric quality." The Federal Privacy Commissioner has also urged that the surface photograph be at the option of the card holder.

Very late in the Senate Committee inquiry process, the Department of Human Services lodged a supplementary submission containing numerous arguments for a mandatory photograph on the surface of the card. However, on close analysis, the DHS arguments do not stack up. The DHS arguments include non-factual claims concerning identity protection and security and/or are distinctly anti-choice and consumer hostile.

In addition, DHS arguments demonstrate the tension between preventing identity fraud and ensuring that individuals are provided with services to which they are entitled. We contend that if a photograph on the surface is used in the way that DHS apparently plans, i.e. that doctors, pharmacists, etc, become responsible for preventing identity fraud, it is very likely that some individuals will be incorrectly denied services due to human inability to accurately match photographs with unknown faces, while the majority of fraudulent cards are likely to be accepted. Research findings in the foregoing regard are provided in Section 4.3(a) later herein.

In the remainder of this section, we address the DHS arguments for a mandatory photo on the surface. Text in boxes below contains extracts from DHS submissions[23] and DHS testimony[24] to the Senate Finance and Public Administration Committee Inquiry in early March 2007.

4.1 Protecting/securing your identity

4.1(a) Loss of identity security

"Loss of identity security
Identity crime is one of the fastest growing crimes in Australia. ...
The inclusion of a photograph on the card will protect the card owner's identity and significantly enhance the identity security elements of the card." (DHS Supplementary Submission to Senate Committee)

If it was true that "a photograph on the card will protect the card owner's identity", the Australian Federal Police would not need to issue warnings to the public about safeguarding their drivers licences (all of which have a visible photograph), such as the warning issued in December 2006:

"Federal Police issued a strong warning to consumers against allowing any business to take a copy of their licence without good reason, saying identity theft was 'one of the fastest growing crime types around the world'.

'Every time you give up your identity to someone else you place yourself at risk,' an AFP spokeswoman said. 'The AFP's Identity Crime Task Force recommends that consumers treat any requests to provide your identity details with caution.'

A number of people are facing charges after Federal Police launched three major investigations into the manufacture of NSW drivers' licences.

Some of the licences bore the details of genuine licence-holders – the only difference being the photograph of the identity thief."
(Where your ID is at risk[25], Daily Telegraph, 29 December 2006)

The Department of Human Services (DHS) should not compel people to have yet another photo ID card, which criminals will be able to use to perpetrate identity crime, just as they use drivers licences with photographs on them.

4.1(b) Protecting your identity

"Protecting your identity

Contrary to the view that the photograph on the card undermines privacy, having the photograph on the card is a privacy and security enhancing feature. A visible photograph provides a link between a person's name and their identity, thereby reducing opportunities for fraud.

One high profile identity fraud case is that of Jodie Harris, the ‘Catch me if you can' thief. Jodie Harris pleaded guilty to about 40 charges relating to identity fraud and theft. She used up to 25 aliases and stole tens of thousands of dollars from scores of victims. The fraud charges she faces relate to Medicare Cards, drivers’ licences, passports and credit cards. In at least one case, Harris was accused of obtaining an Australian passport in the name of a victim after stealing that woman’s Medicare Card, Qld birth certificate and proof of age card." (DHS Supplementary Submission to Senate Committee)

Although DHS presents the Jodie Harris case in support of their contention that a visible photograph is "privacy and security enhancing" and will "reduc[e] opportunities for fraud", in fact the Harris case is a good example of why people should not be compelled to have a visible photograph printed on their Access Card. Such a card would be yet another insecure photo ID card that criminals could steal and use in the same way that Jodie Harris used stolen Australian-issued drivers licences and allegedly a Queensland proof of age card, all of which already have a visible photograph:

Woman wanted over series of deceptions[26], Victorian Police, Media Release, 21 May 2006
"Police are seeking a rampant con artist who, since January this year, has obtained about $50,000 in deceptions committed predominantly in Victoria.

The deceptions were carried out using other people’s credit cards and identification documents such as driver’s licences.
She then attends more obscure branches of these financial institutions, or those without camera surveillance, pretending to be the victim and withdrawing large amounts of money."

Most-wanted woman taunts police[27], 7.30 Report, ABC TV, 7 June 2006
"Her exploits have already been likened to a movie, but Australia's most wanted woman has no fans among her victims. The woman who sometimes calls herself Jodie Harris, steals the identities of others and plunders their bank accounts taking more than $100,000 in two swindles alone. She befriends unsuspecting women, steals their drivers' licences and that, apparently, is enough for the banks to open up the unsuspecting victims' accounts. There's a police alert for Jodie Harris across three states, but despite widely published images of her, she's managed to escape her hunters. Now she's even begun taunting police. Mary Gearin reports."

Con artist offers to spill beans on police, The Age, 8 July 2006
"...Harris is accused of befriending her victims and stealing their drivers' licences and other IDs that she later used to withdraw cash from their accounts.
She is accused of walking into various Sydney banks and withdrawing up to $4000 at a time, including $2800 from [AC], by providing personal details of her victims. ..."

With regard to the DHS claim that "Harris was accused of obtaining an Australian passport in the name of a victim after stealing that woman's Medicare Card, Qld birth certificate and proof of age card", if Harris was able to obtain a passport with those documents, then replacing the Medicare Card with an Access Card showing a photo would not prevent the problem. The Queensland proof of age card (18+ Card) has a visible photo (as do the proof of age cards issued by all States/Territories). Criminals who look like, or are able to disguise themselves to look like, a person pictured on an 18+ Card (or drivers licence) would just as easily be able to pretend to be the person shown in a photo on a stolen Access Card. In addition, if a passport was in fact obtained with only the three stated documents, this would indicate a failure of process within the passports office. Applications for an Australian passport require at least one document[28] that shows the applicant's address. The Queensland proof of age card does not include an address[29], and nor does a Medicare card.

Of the five most recent investigations by the ICTF [Identity Crimes Task Force] involving the seizure of false identity manufacturing equipment, all have included templates for manufacturing Medicare cards on computer equipment along with thousands of blank plastic cards capable of being converted into Medicare or credit cards. (DHS Supplementary Submission to Senate Committee)

While the above is most probably factual, it is most likely that they all included templates for manufacturing drivers licences and passports as well. The DHS submission does not provide dates or details of the "five most recent investigations", however media releases and media articles about ICTF investigations in recent years show that all involved templates for manufacturing drivers licences. There have also been reports about criminals manufacturing fake Mykads, i.e. Malaysian Government issued photo ID smart cards.

November 2004:
Officers from the Identity Crime Task Force raided several Sydney properties and seized thousands of forged documents used to create fake identities and document templates which allowed the user to create fake Australian visas, Medicare cards, NSW driver's licences and concession cards.

"Federal Agent Craig Mann said the documents were of high quality documents, complete with watermarks, holograms and other duplicated security features. 'They certainly have the capability to produce documents that would be extremely difficult to detect, to the point where we would be relying on database verification to check them,' Mr Mann said."
(Raids crack counterfeit identity ring, say police[30], SMH, 4 November 2004; ID fraud gang broken up[31], The Age, 5 November 2004)

March 2005:
Federal agents from the Identity Crime Task Force said they had smashed "a very major and sophisticated fraud ring - one of the biggest" after raiding houses in Greenacre, Homebush West and Lidcombe. Items seized included thousands of fake credit cards, passports and NSW driver's licences, a Datacard plastic card printer, a card laminator, a large number of bank key cards in various names, a large number of blank plastic cards, 14 false Medicare cards in various names, 126 blank Australian Tax Office cheques, and a large number of blank bank cheques from various banks.
(Police smash massive identity fraud syndicate[32], Minister for Justice, Media Release, 11 March 2005)

" 'Access to false identities is vital to the activities of criminal groups including drug smuggling, people trafficking and terrorism.' Most of the equipment could be bought commercially, [Federal agent Craig Mann] said. 'But the holograms would have been made overseas and imported, you'd have to have criminal contacts in hologram-manufacturing plants who are prepared to steal the designs and duplicate them.'
Criminals would have little trouble acquiring forged documents with false identities from operations like that run by the alleged crime boss, police said.

'For you and me, you can't just walk into one of these places and ask for a fake driver's licence, but if you're tapped into this world, if you have contacts, it's really simple and it takes very little time,' Mr Mann said. 'You just put a name into the laptop, hit a button and the card comes out within minutes.' "
(Police smash huge identity fraud ring[33], SMH, 12 March 2005)

August 2005:
"Dozens of forged identification documents - with links to an overseas criminal syndicate - were seized by authorities during raids in Sydney today.

The Australian Federal Police (AFP) and NSW Police raided properties in Waterloo and Kingsford this morning, seizing ten forged Australian and foreign passports, a quantity of forged Australian visas and migration arrival stamps, Medicare cards, NSW driver licenses, and blank NSW birth certificates.

Computer disks containing high quality templates that could have been used to reproduce the fraudulent documents and more than fifty stolen cheque books were also seized.
Police allege the man possessed stolen genuine passports and fraudulently obtained Australian visa and citizenship documents, opened bank accounts in false names and fraudulently operated those accounts. It is also alleged the man stole authentic identification and assumed the stolen identities in addition to fabricating new identities which were compiled in 'identity kits'."
(ID Crime Taskforce charges Sydney man[34], AFP Media Release, 26 August 2005)

April 2006:
Malaysian officers arrested two people alleged to be part of "a 'gang' responsible for producing and selling fake MyKad and work permits to illegal immigrants". MyKad is the photo ID smart card issued by the Malaysian Government.

"The immigration enforcement chief, Datuk Ishak Mohamad, said the raid followed months of surveillance. The mastermind was a computer graduate from a university in Bangladesh, Malaysian newspapers News Straits Time and The Malay reported on Saturday.
'The MyKad produced by this gang is 90 per cent perfect. They were sold at RM500 each and the permits at RM50 each. The equipment seized is worth RM15,000.' "
(Bangladeshi arrested in Malaysia for selling fake work permit[35], New Age, Bangladesh, 23 April 2006)

July 2006:
The Identity Crime Task Force announced it had dismantled one of the country’s largest identity crime syndicates following a six-month operation in NSW.
(One of Australia’s largest identity crime syndicates dismantled[36], AFP Media Release, 11 July 2006)

"The fake identifications included stolen Australian passports with photos of the true owners replaced with pictures of those adopting their identities, complete with duplicate Australian Government holograms. The alleged fraudsters even produced NSW drivers licences, complete with waratah holograms and manufactured in Indonesia and Bangladesh, along with Medicare cards and bogus electricity or water-rate bills to create fake accounts, or shadow accounts of real companies, according to facts produced in the NSW Supreme and Central Local Court.
Thirteen members of two of the alleged gangs ... were arrested in a series of raids in the past month. Among them were two bank tellers who allegedly facilitated transactions or provided the gang with details of accounts and personal information of the holders.
Those arrested face a total of 230 Commonwealth and state charges for forgery and fraud, including the theft of mail from business and residential letterboxes, allegedly used to obtain details to create new identities to raid bank accounts.
Police alleged that the syndicate recruited and trained predominantly young adults in specialists teams. Some were to steal mail. Others were to assume identities of real or fictitious people to open new accounts or apply for loans or credit cards. The largest individual withdrawal detected so far amounted to $80,000.

Hundreds of fake plastic NSW drivers licences, Medicare cards and even fake manufactured Indonesian, Indian and Bangladesh passports were also seized, it was alleged."
(Vigilant teller unmasks major identity theft ring[37], SMH, 12 July 2006)

December 2006:
"A number of people are facing charges after Federal Police launched three major investigations into the manufacture of NSW drivers' licences.

Some of the licences bore the details of genuine licence-holders – the only difference being the photograph of the identity thief."
(Where your ID is at risk[38], Daily Telegraph, 29 December 2006)

March 2007:
"Fake Mykads [Malaysian photo ID smart cards], complete with embedded chips, have been recovered from an Indonesian couple who sold them to illegals for RM500 each.

The cards have been described as very good forgeries.

Police found 28 fake Mykads, 21 unprocessed ones, 18 multiple entry visas, pieces of pages from Malaysian passports, 12 driving licences and processing equipment at an apartment in Bayu Puteri 2 in Permas Jaya last Thursday.

Johor Baru (South) OCPD Asst Comm Shafie Ismail said the couple from Batam, Indonesia, were believed to have sold about five to 10 Mykads daily.

He said the couple, who have been remanded, had also been producing fake passports, visas and driving licences."
(Duo nabbed for Mykad forgery[39], Malaysian Star, 7 March 2007)

4.1(c) Giving cardholders a false sense of security / peace of mind

Ms Scott—An access card with a photograph on it provides the card owner, the customer, with much more confidence about protection of their privacy, their identity, because it has got a photograph on it. (Senate Committee Hansard Transcript Tue 6th Mar 2007)

Senator FIERRAVANTI-WELLS—...In the end the person—the individual—has the feeling that if it has got their photo on it, it cannot be used by somebody else.
Ms Scott—That is right.
Senator FIERRAVANTI-WELLS—In the end there is that peace of mind for the user.
Ms Scott—That is right. ... (Senate Committee Hansard Transcript Tue 6th Mar 2007)

The only people likely to have more confidence about the protection of their identity, or peace of mind, due to a photograph being on the surface of a card are those who do not know the facts about identity crime and that drivers licences with photographs on them feature in such crime. Unfortunately, such people could be a fairly large proportion of the population due to government agency staff and politicians making non-factual statements such as the above which give people a false sense of security. As the recent Jodie Harris case shows, it is not true that a card with a person's photo on it "cannot be used by somebody else".

4.1(d) Use of Medicare Cards to establish bank accounts etc

"At present, if you lose your Medicare card, it is very easy for someone to take that and use it to claim benefits in your name. They can even use it as proof of identity to establish such things as bank accounts in order to perpetrate identity theft." (DHS Supplementary Submission to Senate Committee)

The Medicare Card is what the AFP call a 'breeder document' since it can be used to produce higher forms of identity documentation. (DHS Supplementary Submission to Senate Committee)

Drivers licences and birth certificates are also breeder documents and that is why the Attorney-General's Department is developing the Document Verification Service, to enable breeder documents to be verified with the document issuer.

Moreover, it appears that the existing Medicare card will not be able to be used as a breeder document, nor as an EOI document, after December 2007, at least not in the banking/financial services industry. As a result of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), the existing 100 Point ID check system (under which Medicare cards are worth 25 points) will cease to exist.

New Rules made pursuant to s229 of the AML/CTF Act[40] were issued by AUSTRAC[41] on 30 March 2007 and will come into effect from December 2007. The Rules include safe harbour provisions detailing the types of evidence of ID documents which financial institutions may use in order to be covered by the safe harbour protection. Medicare cards are not included in the list of acceptable identification documents (see Clause 4.2.11) and also do not meet the definitions of the various types of acceptable ID documents.

Hence, the ability to use a forged or stolen/lost Medicare card to open bank accounts etc will apparently cease from December 2007, whether or not it is replaced by an Access Card. In addition, use as a breeder document is likely to be significantly reduced if other sector organisations continue the practice of referring to financial sector rules in deciding which types of identification documents they will accept.

4.1(e) Statements by the Australian Federal Police

DHS seek to support their advocacy for a visible photograph by reference to statements made by representatives of the Australian Federal Police (AFP). For example, the DHS Supplementary Submission states:

"In their testimony to the Senate Inquiry, the Australian Federal Police reported that they anticipated that the access card would result in a reduction in the use of existing welfare cards in the facilitation of crime:
'For example, the current Medicare card is easy to counterfeit and reproduce owing to the absence of rudimentary security features such as a photograph and signature, and the lack of other technological protections to ensure the integrity of the card's information and security.'
While the access card system will employ a range of technological protections, the photograph and the signature are considered rudimentary security features by Australia's premier agency for the investigation of identity theft, the Australian Federal Police." (DHS Supplementary Submission to Senate Committee)

However, a photograph on the surface of a card is only a rudimentary security feature, and is deemed necessary only because DHS does not intend to take full advantage of the chip in smart cards. Failure to do so will mean that criminals will be able to use an Access Card with a visible photograph in the same way as they have long been using drivers licences with photographs.

The DHS submission selectively quoted the AFP testimony, omitting to note that the AFP's statement above was in the context of there being no means of viewing a photograph if it was not on the surface of the card:

"CHAIR—As I understand it, there will be no benefits paid unless the smart card is accessed into a reader. In other words, that will facilitate, in a sense, social welfare. It is not supposed to be used as an ID card—or at least that is an absolutely secondary or ancillary purpose. I still do not understand why there has to be a photograph on the front. There will be a photograph on the chip. That is different, and you and I would agree on that. When you put the card in, up will come a photograph of the holder. We have even heard some evidence that having a photograph on the front allows you to facilitate identity theft.
I have not heard any good evidence as yet as to why the photograph should be on the card. If we are just talking about facilitating access to welfare and cutting identity fraud, why do we need the photograph? And I am waiting for the evidence, but it has not hit me like a bombshell as yet, I can tell you.

Federal Agent Drennan—I take your point that when it is inserted into the reader the photograph comes up. People will use that card for the purpose of getting their services and maybe for other reasons—and as much as we can say that people will not use it for other reasons, there is all likelihood that people will; it is their card. What we are saying is that the purpose is for the delivery of their benefits and services. But we need to ensure that there is a readily recognisable link between the holder of the card and their entitlement, and photograph is that link in the absence of the reader.

CHAIR—But there is going to be a reader; no welfare will be paid without access to a reader. That is the problem with that argument. I will hear from DHS later on. Perhaps they have some stirring arguments.

Senator FORSHAW—That is the reason we had the microchip.
Senator FORSHAW—Let me put this to you. ... I understand it is not a policy position—and it is not your decision as to why this policy has been implemented—but you could achieve the same objective without limiting and perhaps enhancing the ability of ASIO or the AFP to investigate these things by rolling out a streamlined modern-day technologically suitable Medicare Card without a photo.

Federal Agent Drennan—We would rely upon our experience, and very much from the law enforcement perspective. Identity crime manifests itself where there is the ability to obtain documents and use documents that do not have a direct link to the actual holder of the document or they have an absence of technological features, which makes it difficult for people to manufacture or misuse that card. ... From the perspective of trying to ensure that government services are delivered to the right person and opportunities for people to exploit a card permitting access to services are minimised, the more robust its security features can be, the better." [emphasis added] (Senate Committee Hansard Transcript Tue 6th Mar 2007)

The proposed Access Card could, and should, have much more robust security features than merely a photograph on the surface, which will enable it to be used for identity crime purposes in the same way as drivers licences. Placing a photograph only on the chip, and using the technological security features of smart cards and associated card readers to a greater extent than DHS currently intends, would make it much more difficult for criminals to manufacture and use fake Access Cards or use other people's cards to perpetrate identity theft and identity fraud.

4.1(f) Views of KPMG

DHS also seek to support their advocacy for a visible photograph by frequent reference to the views of KPMG, who undertook a 'business case' analysis for DHS dated February 2006, for example:

Ms Scott—A Medicare card can be used by anybody and we know that it is. The access card has a clear photograph on the front. I know that KPMG in their business case went to some length to discuss why the photograph needed to be on the card. ... That photograph is a significant deterrent for fraud against the Commonwealth, because there it is, there is the photograph. It is also a significant safeguard for someone pretending to be you, because it has your photograph on it.
This matter was considered carefully by government and the subject of a public report, which indicated that the photo on the card is essential to the business case. I would refer you to pages 16 and 17, because KPMG is of a view that this is a major deterrent to fraud. (Senate Committee Hansard Transcript Tue 6th Mar 2007)

However, the KPMG business case[42] was based on an assumption that no providers of DHS and DVA services, other than DHS and DVA agency offices, would have card readers capable of displaying a photograph. The reason for that assumption is not known because the KPMG report was heavily censored before being made public. The KPMG business case document states, in section 6.1.3:

"In deciding the appropriate types of readers for pharmacies and medical practices, KPMG considered the costs and benefits of a number of options outlined in Attachment E (Attachment E deleted for commercial reasons)."

In addition, while the KPMG business case discusses various options in relation to photographs, their reasons for rejecting options that would give consumers choice about a photo on the surface are extremely weak at best. Other options listed in the KPMG business case document included:

(a) "Option 2 - no photo required on the chip or the face of the card but the consumer being asked to present other photo identification"

We note that KPMG's rejection of the above option is based on an assumption that everyone would be compelled to present other photo identification. Their assumption is anti-choice. KPMG failed to consider the option of allowing individuals to decide whether they would prefer to have a photograph on their Access Card, or not have a photograph and present other photo identification that they already have, such as a drivers licence, passport or State/Territory proof of age photo card.

(b) "Option 3 - photo on the chip only"

We also note that KPMG's rejection of the above option was based on their belief/understanding that "card readers capable of reading a photographic image will not be uniform in the HSS service system" and on the question of whether or not a photo on the chip would be protected by a PIN. KPMG's arguments in the latter regard are anti-choice and consumer hostile. KPMG argued:

"* If the photo was in the chip only, it would need to be in the 'public zone' to enable access without a Personal Identification Number (PIN). Anything stored in the 'public zone' is potentially vulnerable to being captured electronically without the permission of cardholders.

* If it is in the 'closed zone', consumers would need to access it with a PIN

* Given that people will not use this card as frequently as they use banking cards, people will forget their PIN and cause delays at the chemist or at the doctors and will be forced to get a new PIN from a call centre. It is simply not a practical solution."

The above is an argument against allowing people to choose to have PIN protection at all. The possible delays referred to by KPMG would also occur in Medicare and Centrelink offices where photo capable readers will, according to DHS, be used. Moreover, they could occur whether or not a photo is on the surface. Even if a photo is on the surface, other information in the Commonwealth area of the chip will need to be accessed when rebate/benefit claims are made in medical practices, pharmacies, etc. and DHS has stated that people will be able to choose to have the information in the Commonwealth area of the chip protected by a PIN.

Furthermore, there appears to be a question of whether it will in fact be possible for people to have an Access Card that does not have a PIN, due to DHS's intention that Access Cards be used in conjunction with ATM and EFTPOS terminals for the purpose of receiving emergency payments and claiming Medicare rebates, etc.

4.2 Lack of necessary equipment/technology

4.2(a) Photograph capable readers not included in business case/budget

The DHS wish for a visible photograph on the Access Card arises at core from their business case/budget decisions:

  • not to provide doctors, pharmacists and other DHS and DVA service providers with photograph capable card readers; and
  • to expect doctors, pharmacists and other DHS and DVA service providers to become the identity fraud police.

"The present business case is not based on photographic card readers in doctors, pharmacists and allied health professionals. Our analysis and consultations conclude that this is impractical. Virtually no existing readers in Australia have the capacity to view photographs. While the Human Services' agencies will have this capability, doctors, pharmacists, allied health professionals, specialists, hospitals and third party concession providers will not. ...

The option of rolling out a huge infrastructure of photo readers is questionable when there is a simpler, cheaper and more secure alternative available, i.e. the photo on the card." (DHS Supplementary Submission to Senate Committee)

The claim that a photo on the surface of the card is "more secure" than on the chip is astounding, given the prevalence of criminal mis-use and forgery of drivers licences (as detailed earlier herein), and DHS has not provided any evidence or information to support their claim.

Without the photograph on the card, a person seeking to establish the cardholder's identity would be forced to either access the person's photograph on the card chip or on the Register or seek other forms of photographic identification. (DHS Supplementary Submission to Senate Committee)

It should be noted that the only reason a person would be "forced" to do any of the above is because DHS wants doctors, pharmacists and other DHS and DVA service providers to become the identity fraud police.

Furthermore, the KPMG business case document (p.20) argues against the photograph being on the surface but not on the chip because:

"* The card face may be damaged or defaced and the photo not visually recognisable. ...
* The face of the card is the most vulnerable for interference, e.g. changing the photo on the face of the card."

KPMG's statements above raise the question of how service providers are expected to prevent identity fraud, without a photograph capable reader, when the photograph on the surface is damaged and not visually recognisable.

4.2(b) Unavailability of technology necessary to support the proposed system

The DHS Supplementary Submission contains a number of claimed reasons for a photograph on the surface that are based on unavailability of, or unwillingness to use, the technology necessary to support the system:

Not all participating offices will have reliable access to technology
Having a photograph on the surface of the card will support safe, reliable and efficient customer authentication where technology is not available or is not reliable, including:
* Medicare benefits delivered in rural and remote areas where there is no internet or telecommunications reception, or where connectivity is so slow that reading a card is an impractical interruption to the normal work flow patterns in the business. (DHS Supplementary Submission to Senate Committee)

The above indicates a total lack of understanding about how smart cards operate. Reading a photograph or any other data from the chip of a smart card does not require "the internet or telecommunications reception", hence whether or not such connectivity is slow has nothing to do with the ability and/or time taken to view a photograph on a chip.

Without a photo on the face of the card to authenticate the user, a number of unacceptable risks are introduced into the access card system. These include ... lack of appropriate terminal infrastructure ... and schedule delays (given lead times to upgrade the terminal infrastructure). (DHS Supplementary Submission to Senate Committee)

If supplying appropriate terminal infrastructure would result in schedule delays due to lead times to upgrade terminal infrastructure, this indicates that DHS's schedule for rolling out the proposed system is impractical and inappropriate. It remains entirely unclear why DHS is in such a rush to implement the proposed system, especially in view of the fact that new Medicare eClaiming[43] and PBS Online[44] systems, which operate with the existing Medicare Card (and we understand are intended to reduce Medicare related concession fraud), will be operational by 1 July 2007.

[I]f alternative card reading devices are supplied to medical practitioners and pharmacists, they are unlikely to be compatible with devices being rolled out by financial institutions for the Electronic Medicare claiming initiative.
This would result in doctors having two card reader devices in operation simultaneously. Doctors will likely see this as introducing inefficiencies into the administration of their practices. (DHS Supplementary Submission to Senate Committee)

The above suggests failure within DHS to properly plan and integrate proposed new systems. We note that former DHS Minister Hockey informed the AMA National Conference[45] in May 2006 that:

"I am anxious to ensure that your front desk has only one keypad and one computer for all Government interactions. It is feasible that if we get this wrong you could end up with three terminals including an Eftpos facility, HIC Online and electronic claiming terminals and a separate Access Card device. Then if an ehealth record system eventuates you could be required to have a fourth device. This scenario is plainly absurd.

As a former Small Business Minister I will be the first to argue that we need to integrate the systems into a single easy to use device. That's why we are reluctant to rush to early decisions on technology for the access card - we want to get this right!!!"

However, DHS's recent arguments that "alternative card reading devices" would introduce inefficiencies and/or inconvenience for medical practices, due to the roll out of the new Medicare eClaiming system this year, show that DHS have not got their new/proposed systems right. This indicates that technology decisions have been rushed and/or that various divisions within DHS have been failing to communicate about proposed systems in order to plan integration of same.

Not all providers will elect to use new technology
Even if the Australian Government was to roll out photo capable readers to all pharmacists and general practitioners (at considerable cost and delay to the project), there is still no reasonable way of ensuring that these are actually used by the providers.
This has been demonstrated by recent experiences with trying to encourage health professionals to upgrade information technology systems. (DHS Supplementary Submission to Senate Committee)

The above is an argument against rolling out smart cards at all. Obviously there is no way of ensuring that all providers will use smart card readers whether or not they are photo capable readers.

4.3 Doctors/pharmacists etc required to prevent identity fraud

It is not apparent how DHS intends to force service providers to check photographs, or to undertake any other role in preventing identity fraud or any other type of fraud, nor is it apparent that they are willing to do so voluntarily. According to the DHS Supplementary Submission:

"The Australian General Practice Network (AGPN) has advised that removal of the photograph from the surface of the card would be logistically difficult for general practitioners. This is particularly the case if communications lines were down." (DHS Supplementary Submission to Senate Committee)

However, "communication lines" have nothing to do with reading the information/photograph in a smart card chip.

Moreover, any support by the AGPN for GPs becoming involved in fraud prevention is apparently based on a requirement of government funding for the extra time and training of staff, which is not included in the government budget/KPMG business case:

"AGPN is supportive of ensuring that only eligible patients are able to access the government rebate; however the quantum of any fraud and the extent of disputes/conflict that arise on eligibility grounds will now be more prevalent in the practice. This increased scrutiny is not something that practices are currently funded for or trained to cope with, particularly as GPs do not ration care on the basis of eligible/non eligible Medicare guidelines; rather they seek to improve the health outcomes of any person that requires treatment or advice. The proposed approach passes the responsibility of managing the physical processes for checking a patient’s eligibility to access an Australian Government rebate to the practice without acknowledging this in the legislation.
AGPN recommends: that general practices be adequately funded for the extra time and to allow practices to provide training in the verification and billing reforms to all staff. ..."
(AGPN submission to Senate Committee)

The Royal Australian College of General Practitioners also raised a number of concerns in relation to fraud prevention requirements, in testimony before the Senate Committee, and made clear that they do not support fraud prevention becoming the responsibility of general practitioners:

"There are four issues that I would like to draw to the committee’s attention. The first is around access and the relationship of trust. ...
The college is concerned that the introduction of an access card may restrict provision of health services to those Australians who hold and present an access card at the time of service. This will adversely affect the health care of some Australians, notably those who can least afford to privately fund their own health care. In the words of the inverse care law, the more disadvantaged a patient, the less likely they are to receive care.

Requiring general practitioners to undertake eligibility checking for Medicare changes the nature of the relationship between the doctor and the patient. In fact, the relationship in relation to a Medicare benefit is between the government and the consumer, not the GP. The decision to require use of an access card in order to claim healthcare benefits, such as rebates from the Medicare scheme, creates the risk that general practitioners and their practice staff will be seen not as the providers of care in time of need but part of the government machinery of fraud compliance. The college strongly recommends that consideration be given to the potential that this has in undermining the trust between patients and their general practitioner, and believes that this trust, once lost, is not likely to be regained. The college is concerned that social trust in the profession of general practice could be adversely affected if it were perceived that fraud compliance has become an integral part of the task of the general practitioner.

I turn now to compliance and risk management. ...
Under current arrangements, a patient may fraudulently use a Medicare card to obtain a service provided in good faith by the GP. The general practitioner is paid for the service provided, and Medicare Australia seeks repayment from the patient when the fraud is discovered. Under the new scheme, the general practitioner could be faced with the conundrum of refusing service to someone without a card, perhaps in the face of a demonstrable need of that person or in circumstances where the GP may have ethical or medico-legal responsibilities to provide a service, or to provide the service and run the risk of non-payment. I remind you that the most disadvantaged of our community are the ones who will be most affected. The RACGP recommends that this matter is further investigated and supports the premise that fraud compliance should remain an Australian government, not an individual general practice, responsibility.
" [emphasis added]
(Royal Australian College of General Practitioners, Senate Committee Hansard, Friday 2 March 2007)

Furthermore, if doctors, pharmacists and other service providers are required to become the identity fraud police, individuals who cannot afford to pay the cost of the service without DHS payment will be at risk of being denied medical and health services due to the low accuracy level in human ability to accurately match unknown faces (see Section 4.3(a) below). In addition, people may be unjustifiably accused of attempted fraud.

EFA questions the extent of current fraud of this nature and whether prevention is worth the cost. We note that despite numerous questions from Senate Committee members etc, DHS has declined to provide a breakdown of the claimed fraud costs in terms of types of fraud. It is likely that the majority of fraud relates to Centrelink from where actual cash can be obtained, rather than a discounted medical/pharmaceutical service. There is significant tension here between health service access and welfare benefits access via one card.

4.3(a) Risks of human inability to accurately match unknown faces

"33. If there is going to be a photograph on the chip why is it necessary to have the photo displaying on the card too?

The inclusion of the photograph on the face of the card will maximise the integrity of the system. It provides a quick and simple way of verifying who a person is when accessing Australian Government Health benefits, veterans' and social services." (DHS Answer to Questions on Notice)

A belief that a photograph on the face of a card is "a quick and simple way of verifying who a person is" indicates a lack of knowledge that people are generally bad at correctly matching unfamiliar faces via photographs:

"...Research by forensic psychologist Richard Kemp suggests people are bad at identifying unfamiliar faces.

The University of NSW academic[46] is undertaking a three-year study to pinpoint those with good face recognition skills and isolate what makes them different.

The $150,000 project, funded by the Australian Research Council as part of a focus on national security issues, will have implications for the training and hiring of immigration officers, with spin-offs for the banking and retail sectors.
...Dr Kemp said his research showed people were bad at correctly identifying unfamiliar faces via photographs.

A UK study he undertook for the banking sector showed the use of photographs on credit cards was no deterrent to fraud.

In more than 50 per cent of cases, shop assistants and retailers incorrectly ... accepted cards with phony photographs.

'All faces are fundamentally very, very similar,' he said. 'On top of that we use faces to express emotion -- we smile, we frown -- and we age.'
It was hoped his research would lead to advice or training for immigration staff on how better to match faces and photographs.

'The first step is to understand better the process between recognising familiar and unfamiliar faces,' he said.

'There is a tendency when matching unfamiliar faces to look for certain characteristics -- such as hair or an odd facial feature such as a mole.'

'Maybe we can change from using external clues to more internal aspects of the face structure such as the nose [and] mouth.' "
(Researcher faced with identity crisis, Dani Cooper, The Australian, 17 March 2004.)

Details and findings of the above mentioned study are reported in When Seeing should not be Believing: Photographs, Credit Cards and Fraud[47], Richard Kemp, Nicola Towell and Graham Pike, Division of Psychology, University of Westminster, London, UK, published in Applied Cognitive Psychology, Vol. 11, 211-222 (1997).

The study found:

  • over 50% incorrect acceptance of fraudulent cards, i.e. cards showing a photo of a person who was not the card presenter; and
  • approx 14% incorrect rejection of legitimate cards showing a photo of the card presenter that had been taken in the previous 6 weeks, where the photo depicted the card presenter with minor paraphernalia changes such as a change of hair style, the removal of facial hair, or the addition or removal of eye-glasses or jewellery; and
  • approx 7% incorrect rejection of legitimate cards showing a photo of the card presenter that had been taken in the previous 6 weeks, where no paraphernalia changes had been made.

The cashiers who voluntarily participated in the trial, outside of normal business hours, knew that some of the cards that would be presented to them would show a photo of a person who was not the shopper presenting the card, and that the objective was to find out how accurately they could match photographs with the card presenter.

4.3(b) Risk/probability of improper denial of medical, health and pharmaceutical services

The research findings give rise to the question of what doctors, pharmacists, etc. will be expected to do if they think the photo on an Access Card is not that of the person presenting the card. Unless service providers are required to deny service in such circumstances, a photograph on the surface will not prevent identity fraud.

Hence, if identity fraud is to be prevented, there is a significant risk that suspect people, who cannot afford to pay the full cost of a medical consultation, health service, or prescription themselves, will be denied service. This is likely to result in people who are not engaged in fraud being denied services, given the study findings suggest that over 14% of people who present a card showing their own photograph will be suspected of fraud, while 50% of people presenting a fraudulent card will not be suspected.

4.4 Transaction Times / Customer Convenience

Transaction Times
Use of a digital image stored in the chip rather than a photo printed on the card will increase transaction time. Reading the digital photo from the chip may take from three to ten seconds plus the time to enter the optional PIN. While this does not seem like a great deal of time, in busy service provider locations such delays can add to congestion and wait times. Pharmacists have advised that transaction speed is an important issue especially at lunch time when many customers queue for prescriptions. (DHS Supplementary Submission to Senate Committee)

If the above times are factual and would cause increased congestion and wait times, then this would also apply to queues in Medicare and Centrelink offices, which DHS states will all use photograph capable card readers. Hence it appears people visiting Medicare and Centrelink offices will be subjected to more inconvenience as a result of the Access Card.

4.5 DHS Anti-Customer-Choice Arguments

4.5(a) Voluntary use as an ID Card

While the access card is not an identity card, a key feature of the card design is enabling card owners to use the advantages of a high integrity card for other purposes if they choose. ...
Removal of the cardholder's photograph from the face of the card would make the access card unusable as a primary identification document, thereby limiting the ability of consumers to choose to use the card for other identification purposes and diminishing consumer benefits. ...
It is the government's position that it be up to the individual cardholder to decide if they want to show the access card. (DHS Supplementary Submission to Senate Committee)

The above is an anti-choice, consumer-hostile argument. There is no reason why DHS cannot allow individuals to decide whether or not they want a visible photograph in order to use their card as a photo ID card.

Making a photograph on the surface of the access card optional would also create two classes of cards, only one of which could be used as a primary identification document. (DHS Supplementary Submission to Senate Committee)

The above fails to recognise that consumers could choose to have whichever "class" of card they want. DHS's "class" argument is also quite ridiculous given they already intend to issue more than one "class" of card (five different coloured cards), which they state will make some card holders a target for criminals:

4.5(b) Special colour Access Cards will put concession card holders at risk

If the coloured access cards that are offered for stable concession groups, such as aged pensioners, eligible self-funded retirees and veterans, do not display a photo they will be an attractive target for people committing fraud, providing almost endless opportunities for significant concession abuse. (DHS Supplementary Submission to Senate Committee)

Circumstances that make 2.5 million concession cardholders targets for criminals, because DHS has chosen to provide them with specially coloured cards, cannot be used by DHS or the government to justify compelling over 14 million other people to have a visible photograph on their Access Card. All card holders, whether or not they are provided with a specially coloured Access Card, should be allowed to choose whether or not they want a visible photograph.

4.5(c) Current Availability of Photo ID cards

What the market research says
Qualitative research on the access card has found that most participants wanted the access card to show their name and their photograph.
The research found that the second most commonly identified key benefit of the card (nominated by 80% of people who were aware of the card) was the option to use it to prove identity – especially for people without drivers' licences and passports. (DHS Supplementary Submission to Senate Committee)

As DHS has not made details of the research methodology etc publicly available, people who are aware of how easy it is to produce desired results, by asking biased questions etc, are unlikely to regard the above claim as necessarily factual.

In any case, while some people will no doubt wish to use an Access Card as an ID card, that does not justify compelling those who do not to have a photograph on their card. Furthermore, photo ID cards (generally called "Photo Card" or "Proof of Age Card" or "18+ Card") are already available in every State and Territory for any person aged 18 and above (there is no upper age limit) who wishes to have one:

The above cards range in cost to the applicant from $5 to $41 (mostly approx. $20) as at March 2007.

4.5(d) 90% of adults already have a photo ID document

Community acceptance of photo identification
Our market research suggests around 90 per cent of adults have a card displaying a photograph. Photo ID is also common place in many work places, clubs and associations. KPMG has made the point that 'it is not evident why the inclusion of a photo on the face of the (access) card would present additional privacy concerns given the already extensive use of photos in passports, drivers licences and other settings, compared with the enormous benefits that can be gained in terms of service entitlements and anti-fraud benefits.' (DHS Supplementary Submission to Senate Committee)

To date, DHS has not provided any justification, let alone good reason, for why the 90% of people who already have photo ID should be compelled to have another card showing their photo.

Although DHS proclaims that smart cards are security and privacy enhancing, DHS nevertheless plans to compel people to have a photo printed on the surface of yet another card, instead of actually making use of the security and privacy enhancing feature of smart cards that would enable people to choose to have a photo on the chip instead of on the surface. The fact that many other insecure cards with photos printed on them are already in use does not justify introduction of another insecure card, nor spending over a billion dollars rolling out a smart card that fails to use the security and privacy features of smart cards properly.

4.6 Access to State and Territory Government and other third party concessions

Access to state and territory and third party concessions
Customers value these concessions highly.
The Australian Government through Centrelink and the DVA issue concession entitlement cards to a range of customers. There are around 2.5 million concession cardholders (including 1.9 million Age Pensioners, 0.3 million eligible self funded retirees and 0.3 million Veterans) who will be eligible for coloured access cards. These people are the major users of an estimated $4 billion worth of state/territory and third party concessions provided each year.
A key benefit of the photo on the face of the card to third party providers is the ability to ensure that the person presenting the card is the card owner. Removing the photo from the face of the card will limit the validation options available to these providers to either the chip or online. Accessing the photo via the chip will require a more sophisticated reader than would be needed to just confirm concession entitlement. In the absence of a photo on the surface of the card, customers may be required to provide other evidence of identity. Providers choosing to confirm online will not have access to the photo stored on the register. (DHS Supplementary Submission to Senate Committee)

Circumstances applicable to 2.5 million concession cardholders cannot be used to justify compelling over 14 million other people to have a visible photograph on their Access Card.

State and Territory Government and other third party concession providers have been providing discounts/concessions without Commonwealth photo ID for many years and if they are concerned about the identity of cardholders they have the option of requesting photo ID. Every State/Territory in Australia makes available a photo ID card to any person aged 18 and above, generally called "Proof of Age" or "18+" cards. If some persons entitled to concessions cannot afford to obtain one of these low cost cards, the State/Territory Governments are at liberty to provide them at no cost to such people. It is not a Commonwealth Government responsibility and hence does not provide any justification for a mandatory photograph on an Access Card.

Furthermore, arguments contending that photographs on the surface are necessary to reduce third-party concession abuse should be disregarded until DHS publicly explains how concession status can work at all. Apparently DHS still only has "design ideas" which appear to be entirely unworkable and, if implemented, likely to cause major inconvenience to many concession card holders and concession providers, and not likely to significantly reduce concession abuse.

4.7 Special needs of DVA customers

Special needs of DVA customers
Most of DVA’s business is between the client and medical and allied health service providers. A photo on the surface of the card provides certainty to these service providers about who they are dealing with.
Veterans and war widows have very frequent personal face-to-face contact with a wide range of over 50,000 contracted providers of health and community services. While these are government benefits they are delivered by third parties. There was no expectation that they would require readers with photo capability. The business case was based on them simply having to show their card or have low cost no photographic readers. A large number of these occur in the home or community setting. A photo on the card is added assurance for both the provider and the veteran that the right services are being provided to the right individual (e.g. medication administration). It goes without saying that there are major mutual benefits to all clients who are frail, confused or have dementia. (DHS Supplementary Submission to Senate Committee)

Circumstances that may be applicable to 300,000 DVA clients do not justify compelling over 16 million other people to have a visible photograph on their Access Card.

We question whether there is any evidence of identity fraud in relation to veterans' entitlements. Further, given DHS states a large number of these services "occur in the home or community setting", opportunities for identity fraud would be limited.

4.8 Fraud against the Commonwealth/taxpayers

4.8(a) Estimated Savings

While DHS insists that a photograph on the surface is necessary to prevent fraud against taxpayers, and that KPMG's estimated fraud savings will not be achievable without a visible photo, these claims have no credibility while the government continues to refuse to provide the Parliament and public with details of how the claimed savings were estimated and what percentage is attributable to identity fraud.

The major section in KPMG's business case document about claimed savings was censored before public release, leaving only a summary of the basis for claimed savings (p.6-7 and p.11-12). Nevertheless this summary indicates that very little of the estimated savings relate to identity fraud of the type that might be prevented to some extent by a photo on the surface of the card. KPMG stated:

"The biggest gains are likely to be in the following areas:
  • Substantial reduction in the opportunity to set up false identities
  • Preventing the use of someone else's card to claim that you are that person for obtaining an entitlement
  • Reductions of claims for MBS and PBS concessions and safety nets based on inaccurate concession information
  • An immediate reduction in the number of people claiming Centrelink benefits
  • Reduction of fraudulent claims for benefits from Centrelink through non-disclosure of changed personal circumstances."

None of the above have anything to do with a photo on the surface of the card, except the second item. In relation to the second item, as discussed earlier herein, a photo on the surface will not necessarily prevent use of someone else's card, but is likely to result in people who are not engaged in fraud being denied services, given study findings suggest that over 14% of people who present a card showing their own photograph will be suspected of fraud, while 50% of people presenting a fraudulent card will not be suspected.

To justify such potential inconvenience and detriment to honest people, the government must provide public information about the dollar amount of fraud, per year, that is said to be attributable to the second item above. We consider it likely to be a vanishingly small amount in comparison to the overall claimed savings. Furthermore, while savings figures in the billions of dollars are constantly quoted by DHS and the government, these are estimates over a 10 year period from 2010. KPMG estimated annual savings, after registration is complete, to be between $125 million and $250 million (relating to the identity related fraud and abuse of concessions, according to KPMG's testimony to the Senate Committee). This is a very small amount of estimated savings given DHS agencies will pay out approx. 100 billion per year (DHS has stated 1 trillion is expected to be paid out over 10 years).

EFA considers a core question that the government must answer, if people are to be forced to have a visible photo on their card for the purpose of doctors and pharmacists being expected to prevent identity fraud, is what percentage of the $125 million - $250 million estimated savings per year is attributable to use of other people's cards to receive taxpayer funded benefits and what percentages are attributable to each of the other items. The subsequent question, once the foregoing is known, is whether estimated savings related to item 2 are worth the social cost - that is, the significant risk of people being unjustly denied access to medical and pharmaceutical services and accused of fraud because staff in private enterprise consider they do not look like the person in a photo. EFA considers it unlikely that the amount of estimated savings could justify the social cost and risks.

We would expect that if instances of such identity fraud are common or otherwise significant, such an example would be provided in Medicare's National Compliance Program 2006-07 document[56].

However, the example Medicare provides under the heading "Identity Fraud" is:

"Identity fraud – a case study
Acting on a tip-off from a medical practitioner, Medicare Australia identified a member of the public who was using the practitioner’s provider number and creating false computer generated accounts to obtain Medicare benefits. Medicare Australia referred the matter for further investigation and consequently to the Commonwealth Director of Public Prosecution.
Mr D appeared in the Melbourne County Court in July 2006. He was charged with offences under the Health Insurance Act and pleaded guilty to one charge.
He was sentenced to 10 months imprisonment wholly suspended. He was released on a $1,000 bond to be of good behaviour for 3 years. As part of the bond he was ordered to repay $11,063."

Obviously a photograph on an Access Card will not prevent members of the public engaging in the above type of "identity fraud".

The above also makes apparent that when Medicare refers to "identity fraud" they do not necessarily mean of a type that would be prevented by photos on the surface of a Medicare or Access Card. This has implications in relation to the estimated savings attributable to "identity fraud", given KPMG worked with Medicare and Centrelink to obtain estimates, because a significant proportion of that subset of the estimated savings may have nothing to do with the lack of a photograph on a Medicare card. Whether or not Medicare explained to KPMG what they mean by "identity fraud" is an open question.

Overall, the information in Medicare's National Compliance Program 2006-07 document provides significant grounds for the view that a vastly greater amount of taxpayer fund savings may be achieved if the over $1 billion to be spent on an Access Card system and new national ID database was instead spent on funding Medicare and Centrelink compliance programs, related additional investigation staff and staff involved in practitioner and public education programs, and, if they have not yet fully done so, addressing recommendations in ANAO audit reports concerning system inadequacies and/or failures and errors, discrepancies and missing information in existing customer record databases.

We observe that Medicare's 2006-07 Compliance Program includes:

"Patients with a concession card, such as those provided by Centrelink and Veterans’ Affairs, pay less for PBS medicine. Medicare Australia must rely on doctors and pharmacists to check the concessional entitlement of a consumer. Entitlement is often not checked because it is an extra administrative process in a very busy environment. This year we will be working with Centrelink to ensure that consumers know when they are no longer entitled to PBS medicine at a concessional rate."

The above appears to indicate that prior to the current financial year, people were not being notified that they were no longer entitled. The ANAO Audit Report titled "Administration of Health Care Cards"[57], issued in June 2005, stated:

"The ANAO recommends that Centrelink, in consultation with relevant policy departments, review the advice provided to customers relating to cancelled Health Care Cards, with the objective of reducing the likelihood that cancelled cards will continue to be used after the customer has been advised to destroy the card." (Recommendation No.3, Para 4.16)

We address several DHS claims in relation to prevention of fraud below.

Reduction of Australian Government concession leakage and fraud is premised on the concession or benefit going to the right person and that the benefit is not transferable. Not having the photo on the card basically turns it back into a Medicare Card with a chip. (DHS Supplementary Submission to Senate Committee)

The above is not necessarily true. A Medicare smart card with a PIN would not be able to be used to obtain government funded services by anyone who did not know the PIN (provided it was rolled out in conjunction with authorised readers able to verify that the chip was issued by DHS and had not been tampered with). This would be considerably more likely to prevent criminal misuse of other people's cards than merely adding a photograph to the surface of the card. Also, it appears doubtful that a PIN will be optional due to the intended use of cards with the ATM/EFTPOS network.

Further, in late 2004/2005 when the trials of a new Medicare smart card were underway in Tasmania, a photograph on that card was optional. The government has not provided any indication of what has changed since 2004/2005 to justify such radical change from the then proposed Medicare smart card, to a card and related system that not only has all the hallmarks of a national ID card/system, but appears very likely to result in increased inconvenience and unjustifiable denial of service to some members of the public.

4.8(b) Lack of business case for Medicare safety net checking

According to DHS:

The use of Medicare cards to obtain these benefits has been exploited in the past and the incentives for such exploitation have increased considerably with the introduction of the government’s new Medicare safety net arrangements. There is an opportunity for people to manipulate and game the system by lending their Medicare card to others in order to reach the safety net sooner, or once they have reached the safety net, to lend their cards to other people who are then able to receive substantial concessions where their entitlements don't exist. (DHS Supplementary Submission to Senate Committee)

If Medicare safety net information is to be on the Access Card (as indicated above), the government should provide the public and Parliament with details of the business case for this, given the KPMG business case specifically excluded Medicare safety net checking:

"Medicare safety net checking has been excluded from the scope of this business case on Medicare Australia advice that its inclusion may create opportunities for over-servicing. The chip will contain a field for Medicare safety net checking which will allow easy inclusion of MBS should such an extension of use of the card be supported by a future business case." (KPMG p.42)

In view of the above, obviously the estimated fraud savings claimed by KPMG, which the government continues to quote, would not have factored in the estimated cost of over-servicing arising from inclusion of Medicare safety net checking.

Given the DHS submission indicates a decision has since been made to include Medicare safety net checking, the government should publicly issue details of the business case for this together with revised (reduced) fraud savings estimates.

4.8(c) Probability of unjustifiable denial of service/benefits in pharmacies

At present legislation requires a pharmacist to request a Medicare number for all PBS subscriptions. Most pharmacists meet this obligation by asking the customer to present their card unless they already know them and have their Medicare number.

If the photo was not included on the surface of the card, and noting that there will not be comprehensive coverage of readers capable of accessing photos, the system would not achieve the fraud benefits anticipated and the business case for the card would be compromised. (DHS Supplementary Submission to Senate Committee)

A requirement that pharmacy staff check a photo on an Access Card indicates the system will be considerably less, not more, convenient for members of the public. For example, how will the system deal with scenarios such as the following:

Jane's mother becomes unexpectedly ill and bed-ridden (therefore Jane is not listed as a carer on her mother's Access Card). A doctor visits her at home and writes a prescription. Jane wants to go to a chemist and obtain the prescribed medication for her mother. Will Jane be able to obtain the medication by showing her mother's Access Card, which matches the name on the prescription? If yes, then obviously the photo is not being matched with the person collecting the medication, which means that anyone could claim to be collecting a prescription for a relative or friend when they were in fact engaged in fraud.

If it is planned that Jane would also have to show her own Access Card, then:

  • what if Jane does not have an Access Card herself, after all it will not be compulsory to obtain one!
  • even if Jane does have an Access Card herself, that would not prove that Jane is not fraudulently obtaining a prescription/benefit made out in someone else's name. A fraudster could, for example, show their own Access Card together with a stolen Access Card showing the same name as the name on the prescription.

The above is just one example of the tension between requiring health and medical service providers to prevent identity fraud and ensuring members of public will not be unjustifiably denied access to services/benefits to which they are entitled, nor experience greater inconvenience and difficulty in obtaining such services.

4.8(d) DHS Fraud Examples

Although DHS and former DHS Minister Hockey have referred to a small number of fraud case examples, which they have claimed the Access Card will prevent, generally too little detail about the examples has been provided to enable checking of the veracity of such claims. However, in several instances where sufficient detail was provided, it seems apparent that the Access Card will not, or is most unlikely to, prevent such fraud. DHS's Jodie Harris case example has been addressed earlier herein. Two others are discussed below.

The DHS Supplementary Submission stated:

Of the $100 billion in services and benefits delivered, $20 billion relates to the Medical Benefits and Pharmaceutical Benefits Schemes. It is very difficult to detect cases of fraud in these instances but fraud does occur. For example, recently a person was charged after allegedly using another person's Medicare card to obtain medical services for a relative. The person provided the card to the relative who accessed $10,000 worth of medical care at a Sydney hospital. (DHS Supplementary Submission to Senate Committee)

We note that the Australian Federal Police media release concerning the above case stated that:

"It will be alleged in court that the woman provided a Medicare card to a relative, who subsequently used it to fraudulently access medical care at a Sydney hospital. ...
Commander of the New South Wales Police Fraud Squad Detective Superintendent Col Dyson said yesterday's arrest was connected to the recent arrest of an alleged organised crime syndicate member who was charged with identity crime offences."
(Charges over alleged Medicare card fraud[58], AFP Media Release, 22 November 2006)

It is highly doubtful that a photograph on the surface of an Access Card will prevent people involved with organised crime syndicates from continuing such fraud, given numerous police media releases and media reports about fake drivers licences and replacement of photos on drivers licences. A significantly more effective means of preventing such fraud would be to have the photograph on the chip, and data including the photograph on the chip signed with a government signing key, together with photograph capable readers that would also be able to verify that the chip was issued by DHS and that data on it had not been tampered with. However, no DHS documents issued to date provide any indication that such smart card security capabilities will be implemented on Access Cards.
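The reader-side check described above (and in the earlier passage on authorised readers verifying that a chip was issued by DHS and had not been tampered with), sketched as an added example; it is not code from DHS or from this submission. The record layout, field names, the choice of Ed25519 as the signature scheme and all sample values are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ChipRecord is a constructed stand-in for data held on a card's chip.
// The fields are assumptions for this example, not the Access Card layout.
type ChipRecord struct {
	CardNumber string
	Name       string
	Photo      []byte // digital image stored on the chip
	Signature  []byte // issuer's signature over the fields above
}

// ErrBadSignature covers both failure modes: data altered after issue, and
// data signed by a key other than the issuer's. The reader cannot tell them apart.
var ErrBadSignature = errors.New("chip data not signed by trusted issuer or altered since issue")

// canonical returns the exact bytes that are signed. Every field is
// length-prefixed so bytes cannot be shifted between fields unnoticed,
// and the photo is bound in through its SHA-256 digest.
func (r ChipRecord) canonical() []byte {
	digest := sha256.Sum256(r.Photo)
	var buf bytes.Buffer
	for _, field := range [][]byte{[]byte(r.CardNumber), []byte(r.Name), digest[:]} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		buf.Write(n[:])
		buf.Write(field)
	}
	return buf.Bytes()
}

// Issue signs a record with the issuer's private key at card personalisation.
func Issue(issuerKey ed25519.PrivateKey, r ChipRecord) ChipRecord {
	r.Signature = ed25519.Sign(issuerKey, r.canonical())
	return r
}

// Verify is the check a reader runs before displaying the photo. The reader
// holds only the issuer's public key, so it can verify but cannot issue.
func Verify(trusted ed25519.PublicKey, r ChipRecord) error {
	if len(r.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(trusted, r.canonical(), r.Signature) {
		return ErrBadSignature
	}
	return nil
}

// RunDemo checks three constructed cards against one trusted issuer key:
// an untouched card, a card whose stored photo was replaced after issue,
// and a card signed by a different key. Keys come from fixed seeds so the
// run is repeatable; a real issuer would generate and guard its key.
func RunDemo() (genuine, swapped, foreign error) {
	issuer := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	other := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	trusted := issuer.Public().(ed25519.PublicKey)

	sample := ChipRecord{
		CardNumber: "0000-CONSTRUCTED",
		Name:       "Sample Holder",
		Photo:      []byte("constructed image bytes A"),
	}

	card := Issue(issuer, sample)
	genuine = Verify(trusted, card)

	tampered := card
	tampered.Photo = []byte("constructed image bytes B") // photo replaced, old signature kept
	swapped = Verify(trusted, tampered)

	foreign = Verify(trusted, Issue(other, sample)) // well-formed, but wrong issuer
	return genuine, swapped, foreign
}

func main() {
	g, s, f := RunDemo()
	fmt.Println("genuine card:      ", g)
	fmt.Println("photo replaced:    ", s)
	fmt.Println("different issuer:  ", f)
}
```

A valid signature shows only that the data came from the issuer unaltered; it does not by itself show that the chip presenting the data is the one it was issued to.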

During a speech to the National Press Club[59] on 8 November 2006, then DHS Minister Hockey said:

"As a Government it is our responsibility to stop the proliferation of these fraudulent cards and the misuse of genuine cards.

I would like to give you just a couple of examples to illustrate what is a growing problem.

In a recent case, a Centrelink customer had meticulously created false identities for 18 non-existent children. The customer had used fraudulent birth verification forms and forged letters to falsely claim benefits for nine sets of twins! A tip-off from a suspicious Centrelink employee and a subsequent investigation exposed that fraudulent activity occurred between 1999 and 2005. Over that time, the individual had stolen $623,000 from the taxpayer."

However, the Access Card will not prevent such people from claiming/receiving benefits for non-existent children. As reported in the Courier Mail:

"[Prosecutor Shane] Hunter said Anderson used her position as a nurse at the Princess Alexandra Hospital to obtain Certificates of Birth and had a stamp featuring a local obstetrician's name to authenticate the documents. She also forged driver's licences, passports and death certificates."
(Mum rips off Centrelink - Nine sets of fictitious twins - $622,000 in benefits, Courier Mail, 17 December 2005)

Obviously the fraudulent claims were successful because counterfeit birth certificates were produced and used, and this will continue to be able to occur unless Centrelink check the validity of birth certificates of children with the relevant State/Territory Registrar's office, which does not have anything to do with the proposed introduction of Access Cards.

In relation to the large amount stolen, according to the Courier Mail report:

"Judge Ian Wylie, QC, sentenced Anderson to seven years' jail for what was described as the largest Centrelink fraud of the past decade, and the third largest overall.

Former Centrelink regional manager Christopher Bracken was jailed by the NSW Criminal Appeal Court in 1994 for stealing $708,000 over 12 years. Also in 1994, Queensland Centrelink senior staffer Jennifer Ritchie was jailed by the Supreme Court in Toowoomba for stealing $630,000 over six years."

5. References

1. Department of Human Services, Exposure Draft (21 Jun 2007) of the Human Services (Enhanced Service Delivery) Bill 2007

2. Senate Finance and Public Administration Committee, Report of Inquiry Into Human Services (Enhanced Service Delivery) Bill 2007, March 2007

3. AGIMO, Australian Government Smartcard Framework - Section 2 - guidance at the project management level in important areas such as privacy, security and technology selection

4. DSD submission to Senate Committee

5. The Access Card System (13-Dec-2006)

6. Access Card Consumer and Privacy Presentation (13-Dec-2006)

7. Overview of the second access card procurement process (31-Jan-2007)

8. www.accesscard.gov.au/technology.html

9. The Access Card System (13-Dec-2006)

10. Biometrics and Government

11. FVRT2002

12. FVRT2006

13. Biometrics at the Frontiers: Assessing the Impact on Society

14. An Introduction to Biometric Recognition

15. Feasibility Study on the Use of Biometrics in an Entitlement Scheme

16. LSE Identity Project 2005, The Identity Project

17. UK Biometrics Enrolment Trial Report

18. DHS written answer to Questions on Notice during the March 2007 Senate Committee Inquiry

19. Tampa drops face-recognition system

20. Developing a police perspective and exploring the use of biometrics and other emerging technologies as an investigative tool in identity crimes

21. Access Card Technology page

22. Regione Lombardia smartcard

23. DHS submissions to Senate Committee Inquiry:
Supplementary Submission

24. DHS testimony to Senate Committee Inquiry

25. Where your ID is at risk

26. Woman wanted over series of deceptions

27. Most-wanted woman taunts police

28. Australian Passport requirements - identity documents

29. Queensland proof of age card

30. Raids crack counterfeit identity ring, say police

31. ID fraud gang broken up

32. Police smash massive identity fraud syndicate

33. Police smash huge identity fraud ring

34. ID Crime Taskforce charges Sydney man

35. Bangladeshi arrested in Malaysia for selling fake work permit

36. One of Australia’s largest identity crime syndicates dismantled

37. Vigilant teller unmasks major identity theft ring

38. Where your ID is at risk

39. Duo nabbed for Mykad forgery

40. AUSTRAC Rules made pursuant to s229 of AML/CTF Act 2006

41. AUSTRAC media release, Rules assist industry with compliance under anti-money laundering laws, 30 March 2007

42. KPMG business case

43. Medicare eClaiming

44. PBS Online

45. Address to the AMA National Conference 2006, Minister Joe Hockey, 27 May 2006

46. Richard Kemp, University of NSW

47. When Seeing should not be Believing: Photographs, Credit Cards and Fraud, Richard Kemp, Nicola Towell and Graham Pike, Division of Psychology, University of Westminster, London, UK, published in Applied Cognitive Psychology, Vol. 11, 211-222 (1997).

48. Australian Capital Territory: Proof of Age Card

49. New South Wales: Photo Card

50. Northern Territory: 18 Plus Card

51. Queensland: 18 Plus Card

52. South Australia: Proof of Age Card

53. Tasmania: Proof of Age Card

54. Victoria: Proof of Age Card

55. Western Australia: Proof of Age Card

56. Medicare's National Compliance Program 2006-07 document

57. ANAO Audit Report: Administration of Health Care Cards, 2005
<http://www.anao.gov.au/download.cfm?item_id=1EB2A925E3A1D6C5B016A021E18DB54B&binary_id=46ED4DE91560A6E8AAF53B454645BB55>

58. Charges over alleged Medicare card fraud

59. Address to the National Press Club on Future Directions for the Access Card, Minister Joe Hockey, 8 Nov 2006

About EFA

Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation representing Internet users concerned with on-line rights and freedoms. EFA was established in January 1994 and incorporated under the Associations Incorporation Act (S.A.) in May 1994.

EFA is independent of government and commerce, and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting online civil liberties. EFA members and supporters come from all parts of Australia and from diverse backgrounds.

Our major objectives are to protect and promote the civil liberties of users of computer based communications systems (such as the Internet) and of those affected by their use and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems.

EFA policy formulation, decision making and oversight of organisational activities are the responsibility of the EFA Board of Management. The elected Board Members act in a voluntary capacity; they are not remunerated for time spent on EFA activities. The role of Executive Director was established in 1999 and reports to the Board.

EFA has long been an advocate for the privacy rights of users of the Internet and other telecommunications and computer based communication systems. EFA's Executive Director was an invited member of the Federal Privacy Commissioner's National Privacy Principles Guidelines Reference Group and the Research Reference Committee (2001) and the Privacy Consultative Group (2004-2005). EFA participated in NOIE's Privacy Impact Assessment Consultative Group relating to the development of a Commonwealth Government Authentication Framework (2003), Centrelink's Voice Authentication Initiative Privacy Impact Assessment Consultative Group (2004-2007), the ENUM Discussion Group and Privacy & Security Working Group convened by the Australian Communications and Media Authority ("ACMA" formerly ACA) (2003-2007), and the ACA's Consumer Consultative Forum meeting (April 2005). EFA has presented written and oral testimony to Federal Parliamentary Committee and government agency inquiries into privacy related matters, including amendments to the Privacy Act 1988 to cover the private sector, telecommunications interception laws, cybercrime, spam, etc. EFA has previously made submissions on earlier drafts of the Access Card legislation, to the Senate Committee which inquired into the February 2007 Bill, and to the Access Card Consumer and Privacy Taskforce.