16 April 2007

Access Card - Registration

Below is a copy of EFA's submission to the DHS Access Card Consumer and Privacy Taskforce in response to Discussion Paper No. 3: Registration.


  1. Executive Summary
  2. Introduction
  3. Access Card Biometrics
    1. Claims made about the technology
    2. Performance of Face-matching technology
    3. Large-scale face recognition in practice
    4. Tried and Tested Technology?
  4. Photograph on surface of Access Card
    1. Protecting/securing your identity
    2. Lack of necessary equipment/technology
    3. Doctors/pharmacists etc required to prevent identity fraud
    4. Transaction Times / Customer Convenience
    5. DHS Anti-Customer-Choice Arguments
    6. Access to State and Territory Government and other third party concessions
    7. Special needs of DVA customers
    8. Fraud against the Commonwealth/taxpayers
  5. Signature and unique DHS ID number on surface of Access Card
  6. Purpose of personal data on chip
  7. PIN numbers
    1. Issuing a PIN during registration - lack of PIN security
    2. Will a PIN in fact be optional?
  8. Optional DOB on surface / DHS claims re use of Access Card to establish bank account
  9. Matching registrants to existing clients
  10. Pre-Registration online may facilitate phishing
  11. Concessional Status
  12. Additional Datasets / 'Customer Controlled part of the chip'
  13. References
  14. About EFA

1. Executive Summary

  1. The Department of Human Services ("DHS") claims that one-to-many biometric face-matching against a very large database is sufficiently accurate to detect fraudulent registrations, but this is not borne out by recently published evaluations of the technology, nor by DHS figures for the error rate with current technology.

  2. The other half of the fraud-detection mechanism, the Documentation Verification Service (DVS), appears unlikely to be available until the end of the registration process (2010).

  3. There is no evidence to substantiate claims that face-matching technology is sufficiently accurate to identify unknown persons, as in the Cornelia Rau case.

  4. A database containing photographs of virtually the entire adult population is vulnerable to misuse by future governments, or to use for purposes for which it was not intended. Strong protections need to be incorporated into the legislation so that access to the database by other agencies of government is not permitted without very strict controls.

  5. Contradictory and puzzling statements have been made by DHS about the use of one-to-one biometric matching to verify the identify of clients once cards have been issued. These contradictions need to be resolved.

  6. The performance of face-recognition technology has improved in recent years but the published error rates are still very high, particularly when it is considered that the photo database will eventually reach over 16 million images.

  7. Several recent overseas studies have dismissed facial recognition as being not feasible for large scale databases.

  8. There are no known working examples anywhere in the world, on the scale proposed for the Australian system, of the use of facial biometrics for fraud prevention.

  9. Examples provided by the Department on the Access Card website of existing overseas implementations of the same technology are in fact substantially different from the Australian proposal in vital respects, e.g. they either do not use photographs or they do not use facial biometrics.

  10. A mandatory photograph on the card surface is likely to ensure that the card becomes a compulsory ID card. Individuals should be therefore be given the option of choosing whether or not their photograph on the Access Card.

  11. Since the Access Card is likely to be seen in the business community as an authoritative ID card, the use of a photo on the card may actually increase the likelihood that forgeries will occur.

  12. Examples quoted by the Department of situations where mandatory photographs are privacy-enhancing are shown to be invalid on closer examination.

  13. The existence of a photograph on the card could give consumers a false sense of security about the susceptibility of the card to identity theft.

  14. Claims that the existing Medicare Card is flawed as a proof-of-identity document cannot be substantiated beyond December 2007, since banks will no longer regard Medicare Cards as acceptable identity documents after that date.
  15. The possibility of making the photograph on the surface of the card optional has not been fully explored by the Department or by KPMG.

  16. It is not clear how the proposed Access Card rollout will integrate with the new eClaiming facility planned for the existing Medicare system from July 2007.

  17. Non agency personnel, e.g. doctors and pharmacists, will be required to take on a new role of fraud police, a role for which they are not well equipped.

  18. Research demonstrates that people perform very poorly when attempting to compare unfamiliar faces with photographs, and some patients may therefore be incorrectly denied services.

  19. DHS has been unable to provide a breakdown of current estimated fraud costs, so it is not clear how much fraud arises from Medicare as distinct from Centrelink, or indeed how much Medicare fraud is committed by patients. Detailed information on likely savings from fraud-prevention need to be provided so that the benefits of the Access Card can be properly assessed.

  20. DHS claims that photographs will enhance the utility of the card as a general ID document, yet approximately 90% of the adult population already have photographic ID of one kind or another.

  21. The security-enhancing features of a smartcard appear to have been disregarded in favour of placing an identifying photograph on the card surface.

  22. The particular needs of certain DVA clients have been used as a reason to compel all other card users to have photographs.

  23. The government should publicly issue details of the business case for including Medicare Safety Net checking together with revised (presumably reduced) fraud savings estimates.

  24. Some examples of the card's expected role in reducing fraud do not stand up to close scrutiny.

  25. It is not clear why any data apart from card number and perhaps name needs to be stored on the chip, since this data can be obtained online from the registry database. Storing the data in both places increases the possibility of anomalies, e.g. when address is changed online or by phone.

  26. The proposed method for issuing (optional) PINs is insecure and at variance with standard industry practice.

  27. It is not clear how PINs can be optional when the card will be capable of being used in ATM terminals for welfare withdrawals in emergencies.

  28. It is unclear how DHS proposes to link cards with "known customer" data in the relevant agencies.

  29. There are a number of serious problems for consumers using the card to prove eligibility to obtain government and business concessions, for which no robust solutions are in sight.

  30. The inclusion of a customer-controlled space on the chip is an unnecessary frill that is likely to add complexity to the design and introduce security risks.

  31. The Access Card project is complex and potentially risky, with a number of still-unresolved problems to be solved. AGIMO recommends pilot implementations for large projects to forestall potential IT disasters, although this advice is seemingly being ignored by the Department.

  32. Time necessary to obtain security evaluation from DSD does not seem to be included in project plan.

2. Introduction

This submission is made in response to the DHS Access Card Consumer and Privacy Taskforce's Discussion Paper No. 3: Registration[1].

EFA has previously stated our opposition to the Access Card system in its current form. Since then more information has come to light about the proposed system (e.g. during the recent Senate Committee inquiry[2]). However, it continues to appear that the proposed system is not fit for purpose; will cause greater inconvenience for the majority of members of the public; is likely to result in unjustifiable denial of medical and pharmaceutical services and false allegations of identity fraud, and involves a high risk of being a massive IT disaster and hence waste of over one billion dollars of taxpayer funding. The latter is especially likely if it is in fact rolled out just 12 months from now - given it is apparent that DHS does not even know yet how various aspects of the system could or will work.

With regard to the timeframe, while DHS has stated that "An important element of the security framework is evaluation, testing and certification of the end-to-end access card system by the Defence Signals Directorate (DSD) - Australia's national authority for information security and signals intelligence" (DHS submission to Senate Committee), it appears doubtful that such certification will be achievable by the scheduled roll out date of April 2008. AGIMO states in its its recently released Smartcard Framework- Section 2 - guidance at the project management level in important areas such as privacy, security and technology selection[3] that "EAL4 certifications may take between 9 to 12 months to complete under ideal conditions", ideal being "In cases where the product and design documentation is correct the first time". Some aspects of the Access Card system seem likely to require higher than EAL4 level certification.

As DSD advised in their submission[4] to the Senate Committee "DSD cannot provide detailed information on the security of the system as it is still in the early stages of design".

We consider the public consultation process being undertaken by the Taskforce is of dubious value given the Taskforce papers make clear that even the government-appointed Taskforce does not know what the government is proposing to do in relation to various aspects. This results in members of the public having to respond to speculative ideas and assumptions and remarks about technology that make no sense and/or appear to be non-factual, rather than having the opportunity to raise any issues they may be aware of about actual government plans/proposals with a view to assisting towards producing a result of a system that people will want and be genuinely voluntarily willing to use.

Nevertheless, we address various matters and issues related to the Registration process below.

3. Access Card Biometrics

The Department of Human Services ("DHS") has made a number of claims about expectations of performance and accuracy of one-to-many matching of facial biometric technology as part of the registration process. These claims go to the ability of the system to detect fraudulent registrations, i.e. attempts by applicants to register twice under different names, and therefore appear to form part of the cost justification for the system.

The proposed biometric database will possibly be the world's largest rollout of a system designed for one-to-many matching. As such, the expected performance of the system needs to be demonstrated. The claims made for the technology do not appear to be supported by available information about the current state of the technology.

3.1 Claims made about the technology

3.1(a) One-to-many matching

Two kinds of claims have been made by the Department about the capabilities of the biometric technology in a one-to-many matching situation:

  1. That potential registrants can be screened against the database to ensure that duplicate registrations cannot be made.
  2. That in a situation such as that of Cornelia Rau, if the person was registered with the system, they could be readily identified from a current photograph, i.e. "unknown person" searching.

3.1(b) Registrant matching

The government has stated on a number of occasions that the registration process will include facial matching of new enrolments against the existing biometric photo database, e.g.:

Biometric Photo
The use of a biometric photo in the access card system is required to reduce health and social service fraud and to help protect customers from identity theft.
Two types of biometric photo comparisons can be made by authorised agency staff to verify a customer's identity:
- One-to-many matching to determine if an individual matches someone already on file under a different name. One-to-many matching will be conducted before an access card is issued to protect the integrity of the registration process.
- One-to-one matching after the card has been issued to confirm an individual's identity, for example where a person's appearance has altered from the photo on the card.

Post Registration Checks
There will be a number of system checks before the access card is ready to be issued to the customer. These quality assurance checks provide a high level of assurance for the system and include:

  • A one-to-many facial recognition template check
  • Proof of identity verification using the Document Verification Service

Once the checks are completed the information will be stored in the secure Customer System.

The Access Card System (13-Dec-2006)[5]

This dual check of the Proof of Identity (POI) documentation and the attempted matching of the photo against existing photographs in the database is illustrated below (Source: Access Card Consumer and Privacy Presentation (13-Dec-2006)[6]

Registration Process

This plan is confirmed in the Overview of the second access card procurement process (31-Jan-2007)[7]:

"For the access card, biometric technology measures characteristics of your photograph to prevent people from trying to register twice to defraud the system."

Given that face-matching checks during the registration period will need to be made at an average rate of 32,000 per day (as estimated in the DHS submission to the Senate Committee inquiry), the demands placed on the database system and on the personnel responsible for manually checking the ranked matches will be substantial. Each search of the database will return a number of possible matches, ranked in probability order. Registration staff will then be required to make a visual determination of whether any of the computer-matched photos is the same person as is currently being registered. Given the known unreliability of human matching of unfamiliar faces (see Section 4.3(a) under Photograph on Surface later herein), this process is likely to be extremely error-prone and therefore likely to miss duplicate registrations or make unfounded accusations of fraud against innocent citizens.

The government's explanation of the technology here suggests that the process is relatively quick and easy:[8]
Unfortunately the demonstration example uses an identical photograph for matching purposes, which is hardly a real-life scenario. Granted, this is obviously a vendor demonstration, but the use of such an example does not inspire confidence.

It is understood that the Document Verification Service, the other major component in verifying identity, is unlikely to be available until 2010. With both parts of the POI process under something of a cloud, the foundation on which the system is being built looks very shaky indeed.

3.1(c) Unknown Person searching

... it is our expectation that, if we ever had a Cornelia Rau situation again and the person was registered, we would be able to quickly identify her for authorities. Whether that approach would be made through the Federal Police, whether or not they would have a search warrant, we have not got to that level of specificity. We have only looked at whether a technical capacity exists. But, as I said, we would not be making that generally available. It has to be a serious case. (Patricia Scott, Senate Estimates Hearing, 16-Feb-2007)

This claim requires closer examination. Given that the Access Card proposal will produce a photographic database of the entire population, its potential use for purposes other than access to government services, e.g. by law enforcement agencies, needs to be clearly spelt out. Evidence given during the Senate Committee hearings into the legislation indicated that guidelines for access to current DHS databases by law enforcement agencies are not well defined and are left to the decision of the Secretary. The availability of a photographic database of all Australians will undoubtedly give rise to novel and unforseen applications, quite apart from the obvious one of searching for crime suspects.

Whether the proposed system could be of assistance in a future Cornelia Rau situation remains open to speculation. It is well established that this technology becomes more unreliable as the time elapsed since the original photograph increases, and the ravages of time may well make it very difficult to visually identify an unfamiliar face from a list of possible matches, particularly if the person involved has been retrieved from a hostile physical environment as was the case with Cornelia Rau. Glib responses suggesting that such persons could be "quickly identified" need to be backed up with case studies demonstrating that the technology is actually capable of such a feat.

3.1(d) One-to-one matching

Two types of biometric photo comparisons can be made by authorised agency staff to verify a customer's identity:
- One-to-one matching after the card has been issued to confirm an individual's identity, for example where a person's appearance has altered from the photo on the card.

The Access Card System (13-Dec-2006)[9]

Although not concerned with registration, this aspect of the system severely impacts on consumer acceptance of the proposed system. This particular functionality of the system does not appear to have been widely discussed in briefing papers or hearings, and therefore the scenarios in which it might operate are not clear. A verbatim understanding of this proposal would suggest that biometric booths, similar to the Smartgate system to be installed at airports, would necessarily be installed at agency offices, but the circumstances in which clients would be asked to submit to being re-photographed "to confirm an individual's identity" are by no means clear.

Since this process is likely to be a rather confronting situation for clients, some questions arise:

  • is it expected that agency staff will be unable to visually match some clients with their photograph, and if so, with what frequency will clients be asked to be photographed again?
  • if agency staff are expected to have problems matching clients with their presented photograph, how can doctors' surgery and pharmacy staff be expected to perform this task?
  • how many agencies will have this photo-matching equipment installed?

It would seem that the equipment required would be somewhat different from that required for initial registration, in that it would need to be linked to biometric software installed in agency offices, rather than being operated as a specialised back-office function as in the registration task.

However, answers given by Mr Graham Bashford, Acting Head, Office of Access Card to a Senate Estimates Committee hearing in May 2006, indicate that there is no plan to deploy facial recognition booths at agency offices:

"Senator CAROL BROWN—Senator Stott Despoja just mentioned the biometric photograph: can you explain what it is?

Mr Bashford—It is a photograph that is taken under controlled conditions which measures distances across your face.

Senator CAROL BROWN—And that is going to be part of the access card?

Mr Bashford—It will be on the card, in the chip, and on the database.

Senator CAROL BROWN—So the government plans to introduce some sort of facial recognition scanners at the service points?

Mr Bashford—No, it plans to have a registration process—and again, this is preliminary and could change. The thinking is that we would take a photograph under controlled conditions at the registration process. That photograph would be on the card, in the chip, and on the database. When the customer presented that card into a reader at the desk that photograph would be checked against the database. If there were a mismatch then that would raise an alarm."

Not only is this statement contradicted by the December 2006 statement about the intention to perform one-to-one matching, but it also suggests a very unusual design approach to card validation. How secure is the proposed smartcard system if there are doubts about the integrity of the biometric photo on the card?

EFA therefore believes that the use of biometric one-to-one matching needs to be far better explained so that the condradictions and conumdrums about the implementation can be resolved.

3.2 Performance of Face-matching technology

A number of studies have been made in recent years about the accuracy of face-matching technology, both in the one-to-one (authentication or verification) scenario and in the one-to-many (identification) scenario.

A Report on Biometrics and Government[10] by the Parliamentary Library, Canada summarises the trade-off between false rejection and false acceptance errors:

"The accuracy of a biometric recognition system is characterized by two error statistics:
the false rejection rate, where the system identifies two biometric measurements from the same person as being from two different persons; and the false acceptance rate, where biometric measurements from two different persons are identified as being from the same person.

These two error statistics are related, and there is a trade-off between the two rates in every biometric system. Both rates are functions of the system’s "decision threshold" – a value determined by the system’s designer or operator that defines when a match is declared. Scores above the threshold value are designated as a "match" and scores below the threshold are designated as "non-match." If the threshold is decreased to make the system more tolerant to input variations and noise, then the false acceptance rate increases. On the other hand, if the threshold is raised to make the system more secure, then the false rejection rate increases. The point at which a system’s false rejection rate is equal to the false acceptance rate is known as the equal error rate. The smaller this rate, the more accurate the system as it indicates a good balance in sensitivity. Besides the above error rates, the failure-to-capture rate and the failure-to-enrol rate are also used to summarize the accuracy of a biometric system.(7)

Accuracy claims provided by equipment vendors must be carefully scrutinized since only one of the statistics described above may be cited by vendors to support their claims; accuracy rates provided by vendors generally have been determined from tests or operations with small-scale recognition systems under controlled conditions; and the accuracy requirements of a biometric system are dependent on whether the system is being used for verification or for identification."

The Face Recognition Vendor Test (FRVT) conducted by the National Institute of Standards and Technology (NIST) in the USA is recognised as the main independent test of facial biometrics. The 2002 version of this test (FVRT2002[11]) concluded that one-to-many testing against watchlists was subject to severe performance degradation with increase in database size:

"One open question in face recognition is: How does database and watch list size effect performance? Because of the large number of people and images in the FRVT 2002 data set, we were able to report the first large-scale results on this question. For the best system, the top-rank identification rate was 85% on a database of 800 people, 83% on a database of 1,600, and 73% on a database of 37,437. For every doubling of database size, performance decreases by two to three overall percentage points. In mathematical terms, identification performance decreases linearly with respect to the logarithm of the database size."

The 2006 tests (FVRT2006[12]) of controlled illumination images showed a significant (order of magnitude) improvement in performance compared with the 2002 tests, but strangely no one-to-many tests were conducted in 2006. The tests demonstrated an average benchmark of a False Rejection Rate of less than 2% (absolute rate 0.02) for a threshold False Acceptance Rate (FRR) of 0.1% (absolute rate 0.001).

The following diagram illustrates the error rates (these are absolute rates, not percentages) in FRVT2006 obtained with various algorithms compared with human performance with small datasets (80 face pairs of varying difficulty):

FRVT 2006 test results

While these results show that the technology is now capable of performing better than humans, and that the technology has improved significantly since 2002, the results still show a significant error rate, especially when it is considered that these tests were conducted in a strictly controlled experimental test on relatively small sets of data in a one-to-one matching scenario. The results certainly do not give confidence that the technology is capable of accurate performance in a one-to-many scenario with a very large database of several million images as is proposed by DHS.

Recent evaluations of one-to-many face recognition have suggested that the technology performs poorly in real-world scenarios. A 2005 report Biometrics at the Frontiers: Assessing the Impact on Society[13] (Feb 2005) prepared by the European Commission’s Joint Research Centre for the European Parliament’s Committee on Citizens' Freedoms and Rights, Justice and Home Affairs, came to the following conclusion:

"It [face recognition] is unsuitable for large databases and large watchlists, and even for moderately-sized lists it has a mediocre performance. Accuracy drops when the acquisition and test occur further apart in time, suggesting faces may need regular re-enrolment."

A highly cited paper on the technology, An Introduction to Biometric Recognition[14], Anil K. Jain, Arun Ross, and Salil Prabhakar, IEEE Transactions on Circuits and Systems for Video Technology, Vol. 14, No. 1, January 2004, found:

"It is questionable whether the face itself, without any contextual information, is a sufficient basis for recognizing a person from a large number of identities with an extremely high level of confidence."

In 2003, a feasibility report was commissioned by the UK Home Office, to assess the status of various biometric technologies. The Feasibility Study on the Use of Biometrics in an Entitlement Scheme[15] by Tony Mansfield and Marek Rejman-Greene (Feb 2003) made a number of recommendations, including:

"Recommendation 7. Face recognition is not strong enough to uniquely identify one person in a population of 50 million.
  Recommendation 9. Performance of face recognition is satisfactory for watch-lists of size up to approximately 1000."

The report concluded that fingerprints (of four fingers) and iris recognition (using both irises) were the only technologies with error rates low enough to uniquely identify persons in a large population. Obviously these biometrics are more intrusive from a collection standpoint than photographs, but they were initially adopted by the UK government for its ID Card proposal. This project has subsequently been severely curtailed because of the political fallout arising from the proposal.

The Mansfield Report also found:

Excessive number of false alarms
A false alarm occurs when the system mistakenly indicates an attempted duplicate enrolment. Such cases must be resolved manually using other slower and more costly checks. Excessive numbers of such alarms could result in a backlog of unprocessed applications. In some cases, these checks will involve face-to-face interviews at which an innocent applicant may face a false accusation of fraud. If this happens too often, public confidence in the system will be compromised. Because the false alarm rate depends on the size of the database, this problem may become apparent only once a sizable proportion of the population is enrolled, at which point it will not be possible to change many aspects of the system.

3.1.1 Accuracy of a "one-to-many" identity search
In the case of a database search to determine whether an individual already has been enrolled we are concerned with two types of error:
a. False alarms, where an unenrolled person is false matched against one of the existing biometric templates, thereby denying that person their entitlement card, passport or driving licence; and
b. False non-matches, where an enrolled person does not match their enrolment template thereby allowing an application for a second entitlement card, passport or driving licence.

As the person's biometric is compared against every template in the database, the false alarm rate is very dependent on the number of people in the database. As the numbers of subjects in the database increases, the probability of a false alarm increases correspondingly. The false alarm rate depends on the number N of people in the database according to the formula:
          FalseAlarmRate = 1 - (1 - FalseMatchRate)^N
In our case the database size will eventually be approximately 50 million, and yet the false alarm rate must remain very low as each case will require manual (and expensive) checking. With a daily throughput of several thousand applications, a target of less than 1 in 1000 for the false alarm rate offers a reasonable compromise, while a false alarm rate of much above 1% would probably make the system unworkable. This implies that the false match rate for every single comparison must be at most 1 in 10^10 or better. With the known performance of fingerprint, iris and face biometric systems, this requirement mandates the use of multiple fingers, or irises, and confirms that facial recognition is not a feasible option.

A June 2005 report by the London School of Economics LSE Identity Project 2005, The Identity Project[16] assessed the proposal for the UK Identity Cards Bill and concluded:

"Facial recognition is not currently sufficiently reliable for the identification of each member of the population and recent trials have shown relatively poor identification performance."

In 2004, the UK Passport Service, in partnership with the Home Office Identity Cards Programme and the Driver and Vehicle Licensing Agency, commissioned trials involving 10,000 voluntary participants to examine various biometrics for identity authentication (i.e. one-to-one matching). Persons enrolling in the trial were required to undertake a verification check immediately after the initial biometric was taken. In the case of the facial biometric this involved taking a second photograph. The results were published in May 2005 as the UK Biometrics Enrolment Trial Report[17].

The report found a very high error rate for the verification process:

"Facial verification success
• Of the three biometrics, the lowest verification success rate occurred with the face. The success rates were 69% for Quota participants, and 48% for Disabled participants, however disability was not a factor. The majority of Disabled participant verifications took place in the mobile enrolment centre where lighting conditions adversely affected all facial verifications.
• Changes in the participant’s appearance also caused verification to fail.
• The facial verification success rate was higher for participants aged under 60 than it was for those aged over 60."

DHS has admitted that the error rate is likely to be substantial. In a written answer to Questions on Notice during the 2007 Senate Committee Inquiry[18] the Department responded:

"32. What is the estimated error rate (both false positives/matches and false negatives/rejects) from the automatic facial recognition technology to be adopted in DHS / DVA offices?

[Answer:] Booz Allen Hamilton advises that on present technology in use error rates are less than 5%. As with the Australian passport a manual checking will also occur for seemingly similar identities. This and future technology improvement is likely to bring the error rate down to a very low number."

It is not clear from that response whether "5%" refers to false negatives or false positives, but in any case it does not give great cause for comfort given the number of applications that are planned to be processed daily.

3.3 Large-scale face recognition in practice

There appear to be very few examples where face recognition is used as a sole identifier on a large scale. It is well known that ePassports conforming to ICAO standards have been issued by a number of countries, including Australia, commencing in 2005. These passports are designed to enable machine verification of identity for border control purposes. However, this application involves one-to-one matching, i.e. a comparison of a real-time photo of the passport holder with the biometric photo stored in the passport chip. This is the basis of the Smartgate system being rolled out in Australian airports in 2007. The automated system is backed up by a manual fallback in case of error or system failure.

However, one-to-many applications are quite rare. The US city of Tampa in Florida introduced a system to scan faces in crowds and compare them against a watchlist of known criminals, but this was withdrawn in late 2003 when it failed to produce any useful results. (Tampa drops face-recognition system[19])

The proposed DHS facial biometrics database is certainly on a scale that does not exist anywhere in the world for one-to-many matching. The nearest in scale would be the Australian Passport Office (APO) database which is used to vet passport applications in a one-to-many scenario. (This is distinct from Smartgate which is owned by Customs and is a one-to-one matching system.)

The APO database has approximately 1.7 million images (information obtained by personal communication) and it is understood that the system is well regarded by the APO, yet this experience would seem to be at odds with experiences elsewhere. The APO uses Cognitec software, which also forms the basis for systems used by Customs (Smartgate).

A 2004 report by the Australasian Centre for Policing Research, Developing a police perspective and exploring the use of biometrics and other emerging technologies as an investigative tool in identity crimes[20] indicates that the NSW Police PhotoTrac system is being used with a database of 350,000 images. The reports states that "PhotoTrac is used more as an investigative and time-saving tool rather than as a 'go or no-go' remote ID verification system."

The report also reveals that "The Identity Crime Task Force of the Australian Federal Police is currently using the In-Vestigate(TM) facial recognition system to conduct one-to-many searches to identify potential matches within a photo database returning a series of photos in order of closeness to the match." The In-Vestigate system is also based on Cognitec technology.

However, none of these systems come close in scale to the database of 16.5 million images that the DHS proposes to create, and there appears to be no other system anywhere in the world that deploys this technology for real-time identity checking on such a scale. The claims made by DHS for the capability of the proposed system to reduce fraud need to be verified through a pilot implementation to provide confidence that this proposal is not an example of the triumph of salesmanship over strategy.

3.4 Tried and Tested Technology?

The Access Card Technology page[21] makes the following claims:

"Based on Tried and Tested Technology
This technology is increasingly being used around the world by banks and other private sector industries and by governments to provide more secure access to a range of services. For example:
  * During 2002-03 Taiwan rolled out more than 20 million cards for the entire population with a focus on health services
  * In 2002, the Lombardia region of Italy rolled out a multi-purpose government and health services smart card which has now been issued to about 9 million people
  * Austria has rolled out the e-Card smartcard to eight million citizens for access to government services in 2005-2006."

While we agree that smartcards themselves are based on well-established technology, the system proposed by DHS differs from the above examples in a number of important respects that may make implementation more risky than suggested.

  1. No country has previously performed a rollout on this scale using facial biometrics as a primary fraud prevention method.
  2. The combination of health, welfare and veterans entitlements in one card presents unique challenges and compromises. It is certainly not clear that such an ambitious system has been tried elsewhere.
  3. Photographs are used in only one of the three examples above.
  4. The confusing proposal to allow clients to place private information on a separate section of the card adds further complexity and raises privacy and security issues.
  5. The optional PIN proposal seems at variance with standard industry practice, particularly as the card may be used in some situations to obtain welfare benefits directly from ATM machines.
  6. There are questions about the accuracy of face-matching technology with large-scale databases, yet this is a key component of the fraud-prevention strategy.
  7. It appears unlikely that the government's Document Verification Service will be available before 2010, yet this is also hailed as an important part of the registration process to validate identity.

Information we have obtained about the systems implemented in these 3 countries is as follows:

3.4(a) Taiwan

Taiwan introduced a smartcard for access to Health Insurance from 2002, after abandoning a prior proposal for a combined ID Card. The Taiwanese card has a printed photograph on the surface of the card, but this is scanned from a printed photo supplied by the client. There is no evidence that biometrics are used, and in any case the uncontrolled conditions under which the photos are obtained would mitigate against use for face matching.

3.4(b) Italy

The Regione Lombardia[22] smartcard, which is primarily used for healthcare, does not incorporate photographs or biometrics.

3.4(c) Austria

The Austrian eCard does not use photographs or biometrics. The Australian Financial Review reported on 23rd March 2007:

"Pressure has intensified for the federal government to dump the biometric photograph planned for its troubled welfare smartcard project after the head of a similar scheme in Austria warned a photograph was unnecessary and could result in delays of up to five years. The managing director of the Austrian government's welfare smartcard agency, SVC, Ursula Weismann, said yesterday the exclusion of an identifying photograph had been necessary to retain public support for a welfare smartcard scheme largely similar to the one proposed for Australia."
      (Julian Bajkowski, Photo could delay smartcard by five years, AFR 23-Mar-2007)

It is clear that, notwithstanding the claims on the DHS website, the proposed system has features that make for a more complex implementation than the examples quoted.

4. Photograph on surface of Access Card

EFA submits that prior to/during registration individuals should be given the option of choosing whether or not their photograph will be printed on the surface of their Access Card.

We observe that the Task Force's registration discussion paper was written before the recent Senate Committee inquiry commenced and that, following the Committee's recommendations, it has been reported that the issue of whether a photograph on the surface will be mandatory or a matter of individual choice is to be re-considered.

Very late in the Senate Committee inquiry process, the Department of Human Services lodged a supplementary submission containing numerous arguments for a mandatory photograph on the surface of the card. However, on close analysis, the DHS arguments do not stack up. The DHS arguments include non-factual claims concerning identity protection and security and/or are distinctly anti-choice and consumer hostile.

In addition, DHS arguments demonstrate the tension between preventing identity fraud and ensuring that individuals are provided with services to which they entitled. We contend that if a photograph on the surface is used in the way that DHS apparently plans, i.e. that doctors, pharmacists, etc, become responsible for preventing identity fraud, it is very likely that some individuals will be incorrectly denied services due to human inability to accurately match photographs with unknown faces, while the majority of fraudulent cards are likely to be accepted. Research findings in the foregoing regard are provided in Section 4.3(a) later herein.

In the remainder of this section, we address the DHS arguments for a mandatory photo on the surfaces. Text in boxes below contain extracts from DHS submissions[23] and DHS testimony[24] to the Senate Finance and Public Administration Committee Inquiry in early March 2007.

4.1 Protecting/securing your identity

4.1(a) Loss of identity security

"Loss of identity security
Identity crime is one of the fastest growing crimes in Australia. ...
The inclusion of a photograph on the card will protect the card owner's identity and significantly enhance the identity security elements of the card." (DHS Supp Subm)

If it was true that "a photograph on the card will protect the card owner's identity", the Australian Federal Police would not need to issue warnings to the public about safeguarding their drivers licences (all of which have a visible photograph), such as the warning issued in December 2006:

"Federal Police issued a strong warning to consumers against allowing any business to take a copy of their licence without good reason, saying identity theft was 'one of the fastest growing crime types around the world'.

'Every time you give up your identity to someone else you place yourself at risk,' an AFP spokeswoman said. 'The AFP's Identity Crime Task Force recommends that consumers treat any requests to provide your identity details with caution.'

A number of people are facing charges after Federal Police launched three major investigations into the manufacture of NSW drivers' licences.

Some of the licences bore the details of genuine licence-holders – the only difference being the photograph of the identity thief."
(Where your ID is at risk[25], Daily Telegraph, 29 December 2006)

The Department of Human Services (DHS) should not compel people to have yet another photo ID card, which criminals will be able to use to perpetrate identity crime, the same as they use drivers licences with photographs on them.

4.1(b) Protecting your identity

"Protecting your identity

Contrary to the view that the photograph on the card undermines privacy, having the photograph on the card is a privacy and security enhancing feature. A visible photograph provides a link between a person's name and their identity, thereby reducing opportunities for fraud.

One high profile identity fraud case is that of Jodie Harris, the ‘Catch me if you can' thief. Jodie Harris pleaded guilty to about 40 charges relating to identity fraud and theft. She used up to 25 aliases and stole tens of thousands of dollars from scores of victims. The fraud charges she faces relate to Medicare Cards, drivers’ licences, passports and credit cards. In at least one case, Harris was accused of obtaining an Australian passport in the name of a victim after stealing that woman’s Medicare Card, Qld birth certificate and proof of age card." (DHS Supp Subm)

Although DHS presents the Jodie Harris case in support of their contention that a visible photograph is "privacy and security enhancing" and will "reduc[e] opportunities for fraud", in fact the Harris case is a good example of why people should not be compelled to have a visible photograph printed on their Access Card. Such a card would be yet another insecure photo ID card that criminals could steal and use in the same way that Jodie Harris used stolen Australian-issued drivers licences and allegedly a Queensland proof of age card, all of which already have a visible photograph:

Woman wanted over series of deceptions[26], Victorian Police, Media Release, 21 May 2006
"Police are seeking a rampant con artist who, since January this year, has obtained about $50,000 in deceptions committed predominantly in Victoria.

The deceptions were carried out using other people’s credit cards and identification documents such as driver’s licences.
She then attends more obscure branches of these financial institutions, or those without camera surveillance, pretending to be the victim and withdrawing large amounts of money.

Most-wanted woman taunts police[27], 7.30 Report, ABC TV, 7 June 2006
"Her exploits have already been likened to a movie, but Australia's most wanted woman has no fans among her victims. The woman who sometimes calls herself Jodie Harris, steals the identities of others and plunders their bank accounts taking more than $100,000 in two swindles alone. She befriends unsuspecting women, steals their drivers' licences and that, apparently, is enough for the banks to open up the unsuspecting victims' accounts. There's a police alert for Jodie Harris across three states, but despite widely published images of her, she's managed to escape her hunters. Now she's even begun taunting police. Mary Gearin reports."
Con artist offers to spill beans on police, The Age, 8 July 2006
"...Harris is accused of befriending her victims and stealing their drivers' licences and other IDs that she later used to withdraw cash from their accounts.
She is accused of walking into various Sydney banks and withdrawing up to $4000 at a time, including $2800 from [AC], by providing personal details of her victims. ...

With regard to the DHS claim that "Harris was accused of obtaining an Australian passport in the name of a victim after stealing that woman's Medicare Card, Qld birth certificate and proof of age card", if Harris was able to obtain a passport with those documents, then replacing the Medicare Card with an Access Card showing a photo would not prevent the problem. The Queensland proof of age card (18+ Card) has a visible photo (as does the proof of age cards issued by all States/Territories). Criminals who look like, or are able to disguise themself to look like, a person pictured on an 18+ Card (or drivers licence) would just as easily be able to pretend to be the person shown in a photo on a stolen Access Card. In addition, if a passport was in fact obtained with only the three stated documents, this would indicate a failure of process within the passports office. Applications for an Australian passport require at least one document[28] that shows the applicant's address. The Queensland proof of age card does not include an address[29], and nor does a Medicare card.

Of the five most recent investigations by the ICTF [Identity Crimes Task Force] involving the seizure of false identity manufacturing equipment, all have included templates for manufacturing Medicare cards on computer equipment along with thousands of blank plastic cards capable of being converted into Medicare or credit cards. (DHS Supp Subm)

While the above is most probably factual, it is most likely that they all included templates for manufacturing drivers licences and passports as well. The DHS submission does not provide dates or details of the "five most recent investigations", however media releases and media articles about ICTF investigations in recent years show that all involved templates for manufacturing drivers licences. There have also been reports about criminals manufacturing fake Mykads, i.e. Malaysian Government issued photo ID smart cards.

November 2004:
Officers from the Identity Crime Task Force raided several Sydney properties and seized thousands of forged documents used to create fake identities and document templates which allowed the user to create fake Australian visas, Medicare cards, NSW driver's licences and concession cards.

"Federal Agent Craig Mann said the documents were of high quality documents, complete with watermarks, holograms and other duplicated security features. 'They certainly have the capability to produce documents that would be extremely difficult to detect, to the point where we would be relying on database verification to check them,' Mr Mann said."
(Raids crack counterfeit identity ring, say police[30], SMH, 4 November 2004; ID fraud gang broken up[31], The Age, 5 November 2004)

March 2005:
Federal agents from the Identity Crime Task Force said they had smashed "a very major and sophisticated fraud ring - one of the biggest" after raiding houses in Greenacre, Homebush West and Lidcombe. Items seized included thousands of fake credit cards, passports and NSW driver's licences, a Datacard plastic card printer, a card laminator, a large number of bank key cards in various names, a large number of blank plastic cards, 14 false Medicare cards in various names, 126 blank Australian Tax Office cheques, and a large number of blank bank cheques from various banks.
(Police smash massive identity fraud syndicate[32], Minister for Justice, Media Release, 11 March 2005)

" 'Access to false identities is vital to the activities of criminal groups including drug smuggling, people trafficking and terrorism." Most of the equipment could be bought commercially, [Federal agent Craig Mann] said. 'But the holograms would have been made overseas and imported, you'd have to have criminal contacts in hologram-manufacturing plants who are prepared to steal the designs and duplicate them.'
Criminals would have little trouble acquiring forged documents with false identities from operations like that run by the alleged crime boss, police said.

'For you and me, you can't just walk into one of these places and ask for a fake driver's licence, but if you're tapped into this world, if you have contacts, it's really simple and it takes very little time,' Mr Mann said. 'You just put a name into the laptop, hit a button and the card comes out within minutes.' "
(Police smash huge identity fraud ring[33], SMH, 12 March 2005)

August 2005:
"Dozens of forged identification documents - with links to an overseas criminal syndicate - were seized by authorities during raids in Sydney today.

The Australian Federal Police (AFP) and NSW Police raided properties in Waterloo and Kingsford this morning, seizing ten forged Australian and foreign passports, a quantity of forged Australian visas and migration arrival stamps, Medicare cards, NSW driver licenses, and blank NSW birth certificates.

Computer disks containing high quality templates that could have been used to reproduce the fraudulent documents and more than fifty stolen cheque books were also seized.
Police allege the man possessed stolen genuine passports and fraudulently obtained Australian visa and citizenship documents, opened bank accounts in false names and fraudulently operated those accounts. It is also alleged the man stole authentic identification and assumed the stolen identities in addition to fabricating new identities which were compiled in 'identity kits'.
(ID Crime Taskforce charges Sydney man[34], AFP Media Release, 26 August 2005)

April 2006:
Malaysian officers arrested two people alleged to be part of "a 'gang' responsible for producing and selling fake MyKad and work permits to illegal immigrants". MyKad is the photo ID smart card issued by the Malaysian Government.

"The immigration enforcement chief, Datuk Ishak Mohamad, said the raid followed months of surveillance. The mastermind was a computer graduate from a university in Bangladesh, Malaysian newspapers News Straits Time and The Malay reported on Saturday.
'The MyKad produced by this gang is 90 per cent perfect. They were sold at RM500 each and the permits at RM50 each. The equipment seized is worth RM15, 000.'
(Bangladeshi arrested in Malaysia for selling fake work permit[35], New Age, Bangladesh, 23 April 2006)

July 2006:
The Identity Crime Task Force announced it had dismantled one of the country’s largest identity crime syndicates following a six-month operation in NSW.
(One of Australia’s largest identity crime syndicates dismantled[36], AFP Media Release, 11 July 2006)

"The fake identifications included stolen Australian passports with photos of the true owners replaced with pictures of those adopting their identities, complete with duplicate Australian Government holograms. The alleged fraudsters even produced NSW drivers licences, complete with waratah holograms and manufactured in Indonesia and Bangladesh, along with Medicare cards and bogus electricity or water-rate bills to create fake accounts, or shadow accounts of real companies, according to facts produced in the NSW Supreme and Central Local Court.
Thirteen members of two of the alleged gangs ... were arrested in a series of raids in the past month. Among them were two bank tellers who allegedly facilitated transactions or provided the gang with details of accounts and personal information of the holders.
Those arrested face a total of 230 Commonwealth and state charges for forgery and fraud, including the theft of mail from business and residential letterboxes, allegedly used to obtain details to create new identities to raid bank accounts.
Police alleged that the syndicate recruited and trained predominantly young adults in specialists teams. Some were to steal mail. Others were to assume identities of real or fictitious people to open new accounts or apply for loans or credit cards. The largest individual withdrawal detected so far amounted to $80,000.

Hundreds of fake plastic NSW drivers licences, Medicare cards and even fake manufactured Indonesian, Indian and Bangladesh passports were also seized, it was alleged."
(Vigilant teller unmasks major identity theft ring[37], SMH, 12 July 2006)

December 2006:
"A number of people are facing charges after Federal Police launched three major investigations into the manufacture of NSW drivers' licences.

Some of the licences bore the details of genuine licence-holders – the only difference being the photograph of the identity thief."
(Where your ID is at risk[38], Daily Telegraph, 29 December 2006)

March 2007:
"Fake Mykads [Malaysian photo ID smart cards], complete with embedded chips, have been recovered from an Indonesian couple who sold them to illegals for RM500 each.

The cards have been described as very good forgeries.

Police found 28 fake Mykads, 21 unprocessed ones, 18 multiple entry visas, pieces of pages from Malaysian passports, 12 driving licences and processing equipment at an apartment in Bayu Puteri 2 in Permas Jaya last Thursday.

Johor Baru (South) OCPD Asst Comm Shafie Ismail said the couple from Batam, Indonesia, were believed to have sold about five to 10 Mykads daily.

He said the couple, who have been remanded, had also been producing fake passports, visas and driving licences."
(Duo nabbed for Mykad forgery[39], Malaysian Star, 7 March 2007)

4.1(c) Giving cardholders a false sense of security / peace of mind

Ms Scott-An access card with a photograph on it provides the card owner, the customer, with much more confidence about protection of their privacy, their identity, because it has got a photograph on it. (Hansard Transcript Tuesday)

Senator FIERRAVANTI-WELLS—...In the end the person—the individual—has the feeling that if it has got their photo on it, it cannot be used by somebody else.
Ms Scott—That is right.
Senator FIERRAVANTI-WELLS—In the end there is that peace of mind for the user.
Ms Scott—That is right. ... (Hansard Transcript Tuesday)

The only people likely to have more confidence about the protection of their identity, or peace of mind, due to a photograph being on the surface of a card are those who do not know the facts about identity crime and that drivers licences with photographs on them feature in such crime. Unfortunately, such people could be a fairly large proportion of the population due to government agency staff and politicians making non-factual statements such as the above which give people a false sense of security. As the recent Jodie Harris case shows, it is not true that a card with a person's photo on it "cannot be used by somebody else".

4.1(d) Use of Medicare Cards to establish bank accounts etc

"At present, if you lose your Medicare card, it is very easy for someone to take that and use it to claim benefits in your name. They can even use it as proof of identity to establish such things as bank accounts in order to perpetrate identity theft." (DHS Supp Subm)

The Medicare Card is what the AFP call a 'breeder document' since it can be used to produce higher forms of identity documentation. (DHS Supp Subm)

Drivers licences and birth certificates are also breeder documents and that is why the Attorney-General's Department is developing the Document Verification Service, to enable breeder documents to be verified with the document issuer.

Moreover, it appears that the existing Medicare card will not be able to be used as a breeder document, nor as an EOI document, after December 2007, at least not in the banking/financial services industry. As a result of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), the existing 100 Point ID check system (under which Medicare cards are worth 25 points) will cease to exist.

New Rules made pursuant to s229 of AML/CTF Act[40] were issued by AUSTRAC[41] on 30 March 2007 and will come into effect from December 2007. The Rules include safe harbour provisions detailing the types of evidence of ID documents which financial institutions may use in order to be covered by the safe harbour protection. Medicare cards are not included in list of acceptable identification documents (see Clause 4.2.11) and also do not meet the definitions of the various types of acceptable ID documents.

Hence, the ability to use a forged or stolen/lost Medicare card to open bank accounts etc will apparently cease from December 2007, whether or not it is replaced by an Access Card. In addition, use as a breeder document is likely to be significantly reduced if other sector organisations continue the practice of referring to financial sector rules in deciding which types of identification documents they will accept.

4.1(e) Statements by the Australian Federal Police

DHS seek to support their advocacy for a visible photograph by reference to statements made by representatives of the Australian Federal Police (AFP). For example, the DHS Supplementary Submission states:

"In their testimony to the Senate Inquiry, the Australian Federal Police reported that they anticipated that the access card would result in a reduction in the use of existing welfare cards in the facilitation of crime:
'For example, the current Medicare card is easy to counterfeit and reproduce owing to the absence of rudimentary security features such as a photograph and signature, and the lack of other technological protections to ensure the integrity of the card's information and security.'
While the access card system will employ a range of technological protections, the photograph and the signature are considered rudimentary security features by Australia's premier agency for the investigation of identity theft, the Australian Federal Police." (DHS Supp Subm)

However, a photograph on the surface of a card is only a rudimentary security feature, and is deemed necessary only because DHS does not intend to take full advantage of the chip in smart cards. Failure to do so will mean that criminals will be able to use an Access Card with a visible photograph in the same way as they have long been using drivers licences with photographs.

The DHS submission selectively quoted the AFP testimony, omitting to note that the AFP's statement above was in the context of there being no means of viewing a photograph if it was not on the surface of the card:

"CHAIR—As I understand it, there will be no benefits paid unless the smart card is accessed into a reader. In other words, that will facilitate, in a sense, social welfare. It is not supposed to be used as an ID card—or at least that is an absolutely secondary or ancillary purpose. I still do not understand why there has to be a photograph on the front. There will be a photograph on the chip. That is different, and you and I would agree on that. When you put the card in, up will come a photograph of the holder. We have even heard some evidence that having a photograph on the front allows you to facilitate identity theft.
I have not heard any good evidence as yet as to why the photograph should be on the card. If we are just talking about facilitating access to welfare and cutting identity fraud, why do we need the photograph? And I am waiting for the evidence, but it has not hit me like a bombshell as yet, I can tell you.

Federal Agent Drennan—I take your point that when it is inserted into the reader the photograph comes up. People will use that card for the purpose of getting their services and maybe for other reasons—and as much as we can say that people will not use it for other reasons, there is all likelihood that people will; it is their card. What we are saying is that the purpose is for the delivery of their benefits and services. But we need to ensure that there is a readily recognisable link between the holder of the card and their entitlement, and photograph is that link in the absence of the reader.

CHAIR—But there is going to be a reader; no welfare will be paid without access to a reader. That is the problem with that argument. I will hear from DHS later on. Perhaps they have some stirring arguments.

Senator FORSHAW—That is the reason we had the microchip.
Senator FORSHAW—Let me put this to you. ... I understand it is not a policy position—and it is not your decision as to why this policy has been implemented—but you could achieve the same objective without limiting and perhaps enhancing the ability of ASIO or the AFP to investigate these things by rolling out a streamlined modern-day technologically suitable Medicare Card without a photo.

Federal Agent Drennan—We would rely upon our experience, and very much from the law enforcement perspective. Identity crime manifests itself where there is the ability to obtain documents and use documents that do not have a direct link to the actual holder of the document or they have an absence of technological features, which makes it difficult for people to manufacture or misuse that card. ... From the perspective of trying to ensure that government services are delivered to the right person and opportunities for people to exploit a card permitting access to services are minimised, the more robust its security features can be, the better." [emphasis added] (Hansard Transcript Tuesday)

The proposed Access Card could, and should, have much more robust security features than merely a photograph on the surface, which will enable it to be used for identity crime purposes in the same way as drivers licences. Placing a photograph only on the chip, and using the technological security features of smart cards and associated card readers to a greater extent than DHS currently intends, would make it much more difficult for criminals to manufacture and use fake Access Cards or use other people's cards to perpetrate identity theft and identity fraud.

4.1(f) Views of KPMG

DHS also seek to support their advocacy for a visible photograph by frequent reference to the views of KPMG, who undertook a 'business case' analysis for DHS dated February 2006, for example:

Ms Scott—A Medicare card can be used by anybody and we know that it is. The access card has a clear photograph on the front. I know that KPMG in their business case went to some length to discuss why the photograph needed to be on the card. ... That photograph is a significant deterrent for fraud against the Commonwealth, because there it is, there is the photograph. It is also a significant safeguard for someone pretending to be you, because it has your photograph on it.
This matter was considered carefully by government and the subject of a public report, which indicated that the photo on the card is essential to the business case. I would refer you to pages 16 and 17, because KPMG is of a view that this is a major deterrent to fraud. (Hansard Transcript Tuesday)

However, the KPMG business case[42] was based on an assumption that no providers of DHS and DVA services, other than DHS and DVA agency offices, would have card readers capable of displaying a photograph. The reason for that assumption is not known because the KPMG report was heavily censored before being made public. The KPMG business case document states, in section 6.1.3:

"In deciding the appropriate types of readers for pharmacies and medical practices, KPMG considered the costs and benefits of a number of options outlined in Attachment E (Attachment E deleted for commercial reasons)."

In addition, while the KPMG business case discusses various options in relation to photographs, their reasons for rejecting options that would give consumers choice about a photo on the surface are extremely weak at best. Other options listed in the KPMG business case document included:

(a) "Option 2 - no photo required on the chip or the face of the card but the consumer being asked to present other photo identification"

We note that KPMG's rejection of the above option is based on an assumption that everyone would be compelled to present other photo identification. Their assumption is anti-choice. KPMG failed to consider the option of allowing individuals to decide whether they would prefer to have a photograph on their Access Card, or not have a photograph and present other photo identification that they already have, such as a drivers licence, passport or State/Territory proof of age photo card.

(b) "Option 3 - photo on the chip only"

We also note that KPMG's rejection of the above option was based on their belief/understanding that "card readers capable of reading a photographic image will not be uniform in the HSS service system" and whether or not a photo on the chip would be protected by a PIN. KPMG's arguments in the latter regard are anti-choice and consumer hostile. KPMG argued:

"* If the photo was in the chip only, it would need to be in the 'public zone' to enable access without a Personal Identification Number (PIN). Anything stored in the 'public zone' is potentially vulnerable to being captured electronically without the permission of cardholders.

* If it is in the 'closed zone', consumers would need to access it with a PIN

* Given that people will not use this card as frequently as they use banking cards, people will forget their PIN and cause delays at the chemist or at the doctors and will be forced to get a new PIN from a call centre. It is simply not a practical solution."

The above is an argument against allowing people to choose to have PIN protection at all. The possible delays referred to by KPMG would also occur in Medicare and Centrelink offices where photo capable readers will, according to DHS, be used. Moreover, they could occur whether or not a photo is on the surface. Even if a photo is on the surface, other information in the Commonwealth area of the chip will need to be accessed when rebate/benefit claims are made in medical practices, pharmacies, etc. and DHS has stated that people will be able to choose to have the information in the Commonwealth area of the chip protected by a PIN.

Furthermore, there appears to be question of whether it will in fact be possible for people to have an Access Card that does not have a PIN, due to DHS's intention that Access Cards be used in conjunction with ATM and EFTPOS terminals for the purpose of receiving emergency payments and claiming Medicare rebates, etc. This matter is discussed in Section 7.2 later herein.

4.2 Lack of necessary equipment/technology

4.2(a) Photograph capable readers not included in business case/budget

The DHS wish for a visible photograph on the Access Card arises at core from their business card/budget decisions:

  • not to provide doctors, pharmacists and other DHS and DVA service providers with photograph capable card readers; and
  • to expect doctors, pharmacists and other DHS and DVA service providers to become the identity fraud police.

"The present business case is not based on photographic card readers in doctors, pharmacists and allied health professionals. Our analysis and consultations conclude that this is impractical. Virtually no existing readers in Australia have the capacity to view photographs. While the Human Services' agencies will have this capability, doctors, pharmacists, allied health professionals, specialists, hospitals and third party concession providers will not. ...

The option of rolling out a huge infrastructure of photo readers is questionable when there is a simpler, cheaper and more secure alternative available, i.e. the photo on the card." (DHS Supp Subm)

The claim that a photo on the surface of the card is "more secure" than on the chip is astounding, given the prevalence of criminal mis-use and forgery of drivers licences (as detailed earlier herein), and DHS has not provided any evidence or information to support their claim.

Without the photograph on the card, a person seeking to establish the cardholder's identity would be forced to either access the person's photograph on the card chip or on the Register or seek other forms of photographic identification. (DHS Supp Subm)

It should be noted that the only reason a person would be "forced" to do any of the above is because DHS wants doctors, pharmacists and other DHS and DVA service providers to become the identity fraud police.

Furthermore, the KPMG business cases document (p.20) argues against the photograph being on the surface but not on the chip because:

"* The card face may be damaged or defaced and the photo not visually recognisable. ...
* The face of the card is the most vulnerable for interference, e.g. changing the photo on the face of the card.

KPMG's statements above raise the question of how service providers are expected to prevent identity fraud, without a photograph capable reader, when the photograph on the surface is damaged and not visually recognisable.

4.2(b) Unavailability of technology necessary to support the proposed system

The DHS Supplementary Submission contains a number of claimed reasons for a photograph on the surface that are based on unavailability of, or unwillingness to use, the technology necessary to support the system:

Not all participating offices will have reliable access to technology
Having a photograph on the surface of the card will support safe, reliable and efficient customer authentication where technology is not available or is not reliable, including:
* Medicare benefits delivered in rural and remote areas where there is no internet or telecommunications reception, or where connectivity is so slow that reading a card is an impractical interruption to the normal work flow patterns in the business. (DHS Supp Subm)

The above indicates a total lack of understanding about how smart cards operate. Reading a photograph or any other data from the chip of a smart card does not require "the internet or telecommunications reception", hence whether or not such connectivity is slow has nothing to do with the ability and/or time taken to view a photograph on a chip.

Without a photo on the face of the card to authenticate the user, a number of unacceptable risks are introduced into the access card system. These include ... lack of appropriate terminal infrastructure ... and schedule delays (given lead times to upgrade the terminal infrastructure). (DHS Supp Subm)

If supplying appropriate terminal infrastructure would result in schedule delays due to lead times to upgrade terminal infrastructure, this indicates that DHS's schedule for rolling out the proposed system is impractical and inappropriate. It remains entirely unclear why DHS is in such a rush to implement the proposed system, especially in view of the fact that new Medicare eClaiming[43] and PBS Online[44] systems, which operate with the existing Medicare Card (and we understand are intended to reduce Medicare related concession fraud), will be operational by 1 July 2007.

[I]f alternative card reading devices are supplied to medical practitioners and pharmacists, they are unlikely to be compatible with devices being rolled out by financial institutions for the Electronic Medicare claiming initiative.
This would result in doctors having two card reader devices in operation simultaneously. Doctors will likely see this as introducing inefficiencies into the administration of their practices. (DHS Supp Subm)

The above suggests failure within DHS to properly plan and integrate proposed new systems. We note that former DHS Minister Hockey informed the AMA National Conference[45] in May 2006 that:

"I am anxious to ensure that your front desk has only one keypad and one computer for all Government interactions. It is feasible that if we get this wrong you could end up with three terminals including an Eftpos facility, HIC Online and electronic claiming terminals and a separate Access Card device. Then if an ehealth record system eventuates you could be required to have a fourth device. This scenario is plainly absurd.

As a former Small Business Minister I will be the first to argue that we need to integrate the systems into a single easy to use device. That's why we are reluctant to rush to early decisions on technology for the access card-we want to get this right!!!"

However, DHS's recent arguments that "alternative card reading devices" would introduce inefficiencies and/or inconvenience for medical practices, due to the roll out of the new Medicare eClaiming system this year, shows that DHS have not got their new/proposed systems right. It indicates that technology decisions have been rushed and/or that various divisions within DHS have been failing to communicate about proposed systems in order to plan integration of same.

Not all providers will elect to use new technology
Even if the Australian Government was to roll out photo capable readers to all pharmacists and general practitioners (at considerable cost and delay to the project), there is still no reasonable way of ensuring that these are actually used by the providers.
This has been demonstrated by recent experiences with trying to encourage health professionals to upgrade information technology systems. (DHS Supp Subm)

The above is an argument against rolling out smart cards at all. Obviously there is no way of ensuring that all providers will use smart card readers whether or not they are photo capable readers.

4.3 Doctors/pharmacists etc required to prevent identity fraud

It is not apparent how DHS intends to force service providers to check photographs, nor undertake any other role in preventing identity, or any other type of, fraud, nor that they are willing to voluntarily do so. According to the DHS Supplementary Submission:

"The Australian General Practice Network (AGPN) has advised that removal of the photograph from the surface of the card would be logistically difficult for general practitioners. This is particularly the case if communications lines were down." (DHS Supp Subm)

However, "communication lines" have nothing to do with reading the information/photograph in a smart card chip.

Moreover, any support by the AGPN for GPs becoming involved in fraud prevention is apparently based on a requirement of government funding for the extra time and training of staff, which is not included in the government budget/KPMG business case:

"AGPN is supportive of ensuring that only eligible patients are able to access the government rebate; however the quantum of any fraud and the extent of disputes/conflict that arise on eligibility grounds will now be more prevalent in the practice. This increased scrutiny is not something that practices are currently funded for or trained to cope with, particularly as GPs do not ration care on the basis of eligible/non eligible Medicare guidelines; rather they seek to improve the health outcomes of any person that requires treatment or advice. The proposed approach passes the responsibility of managing the physical processes for checking a patient’s eligibility to access an Australian Government rebate to the practice without acknowledging this in the legislation.
AGPN recommends: that general practices be adequately funded for the extra time and to allow practices to provide training in the verification and billing reforms to all staff. ...
(AGPN submission to Senate Committee)

The Royal Australian College of General Practitioners also raised a number of concerns in relation to fraud prevention requirements, in testimony before the Senate Committee, and made clear that they do not support fraud prevention becoming the responsibility of general practitioners:

"There are four issues that I would like to draw to the committee’s attention. The first is around access and the relationship of trust. ...
The college is concerned that the introduction of an access card may restrict provision of health services to those Australians who hold and present an access card at the time of service. This will adversely affect the health care of some Australians, notably those who can least afford to privately fund their own health care. In the words of the inverse care law, the more disadvantaged a patient, the less likely they are to receive care.

Requiring general practitioners to undertake eligibility checking for Medicare changes the nature of the relationship between the doctor and the patient. In fact, the relationship in relation to a Medicare benefit is between the government and the consumer, not the GP. The decision to require use of an access card in order to claim healthcare benefits, such as rebates from the Medicare scheme, creates the risk that general practitioners and their practice staff will be seen not as the providers of care in time of need but part of the government machinery of fraud compliance. The college strongly recommends that consideration be given to the potential that this has in undermining the trust between patients and their general practitioner, and believes that this trust, once lost, is not likely to be regained. The college is concerned that social trust in the profession of general practice could be adversely affected if it were perceived that fraud compliance has become an integral part of the task of the general practitioner.

I turn now to compliance and risk management. ...
Under current arrangements, a patient may fraudulently use a Medicare card to obtain a service provided in good faith by the GP. The general practitioner is paid for the service provided, and Medicare Australia seeks repayment from the patient when the fraud is discovered. Under the new scheme, the general practitioner could be faced with the conundrum of refusing service to someone without a card, perhaps in the face of a demonstrable need of that person or in circumstances where the GP may have ethical or medico-legal responsibilities to provide a service, or to provide the service and run the risk of non-payment. I remind you that the most disadvantaged of our community are the ones who will be most affected. The RACGP recommends that this matter is further investigated and supports the premise that fraud compliance should remain an Australian government, not an individual general practice, responsibility.
" [emphasis added]
(Royal Australian College of General Practitioners, Senate Committee Hansard, Friday 2 March 2007)

Furthermore, if doctors, pharmacists and other service providers are required to become the identity fraud police, individuals who cannot afford to pay the cost of the service without DHS payment will be at risk of being denied medical and health services due to the low accuracy level in human ability to accurately match unknown faces (see Section 4.3(a) below). In addition, people may be unjustifiably accused of attempted fraud.

EFA questions the extent of current fraud of this nature and whether prevention is worth the cost. We note that despite numerous questions from Senate Committee members etc, DHS has declined to provide a breakdown of the claimed fraud costs in terms of types of fraud. It is likely that the majority of fraud relates to Centrelink from where actual cash can be obtained, rather than a discounted medical/pharmaceutical service. There is significant tension here between health service access and welfare benefits access via one card.

4.3(a) Risks of human inability to accurately match unknown faces

"33. If there is going to be a photograph on the chip why is it necessary to have the photo displaying on the card too?

The inclusion of the photograph on the face of the card will maximise the integrity of the system. It provides a quick and simple way of verifying who a person is when accessing Australian Government Health benefits, veterans' and social services." (DHS Answer to Questions on Notice)

A belief that a photograph on the face of a card is "a quick and simple way of verifying who a person is" indicates a lack of knowledge that people are generally bad at correctly matching unfamiliar faces via photographs:

"...Research by forensic psychologist Richard Kemp suggests people are bad at identifying unfamiliar faces.

The University of NSW academic[46] is undertaking a three-year study to pinpoint those with good face recognition skills and isolate what makes them different.

The $150,000 project, funded by the Australian Research Council as part of a focus on national security issues, will have implications for the training and hiring of immigration officers, with spin-offs for the banking and retail sectors.
...Dr Kemp said his research showed people were bad at correctly identifying unfamiliar faces via photographs.

A UK study he undertook for the banking sector showed the use of photographs on credit cards was no deterrent to fraud.

In more than 50 per cent of cases, shop assistants and retailers incorrectly ... accepted cards with phony photographs.

'All faces are fundamentally very, very similar,' he said. 'On top of that we use faces to express emotion -- we smile, we frown -- and we age.'
It was hoped his research would lead to advice or training for immigration staff on how better to match faces and photographs.

'The first step is to understand better the process between recognising familiar and unfamiliar faces,' he said.

'There is a tendency when matching unfamiliar faces to look for certain characteristics -- such as hair or an odd facial feature such as a mole.'

'Maybe we can change from using external clues to more internal aspects of the face structure such as the nose [and] mouth.' "
(Researcher faced with identity crisis, Dani Cooper, The Australian, 17 March 2004.)

Details and findings of the above mentioned study are reported in When Seeing should not be Believing: Photographs, Credit Cards and Fraud[47], Richard Kemp, Nicola Towell and Graham Pike, Division of Psychology, University of Westminster, London, UK, published in Applied Cognitive Psychology, Vol. 11, 211-222 (1997).

The study found:

  • over 50% incorrect acceptance of fraudulent cards, i.e. cards showing a photo of a person who was not the card presenter; and
  • approx 14% incorrect rejection of legitimate cards showing a photo of the card presenter that had been taken in the previous 6 weeks, where the photo depicted the card presenter with minor paraphernalia changes such as a change of hair style, the removal of facial hair, or the addition or removal of eye-glasses or jewellery; and
  • approx 7% incorrect rejection of legitimate cards showing a photo of the card presenter that had been taken in the previous 6 weeks, where no paraphernalia changes had been made.

The cashiers who voluntarily participated in the trial, outside of normal business hours, knew that some of the cards that would be presented to them would show a photo of a person who was not the shopper presenting the card, and that the objective was to find out how accurately they could match photographs with the card presenter.

4.3(b) Risk/probability of improper denial of medical, health and pharmaceutical services

The research findings give rise to the question of what doctors, pharmacists, etc. will be expected to do if they think the photo on an Access Card is not that of the person presenting the card. Unless services providers are required to deny service in such circumstances, a photograph on the surface will not prevent identity fraud.

Hence, if identity fraud is to be prevented, there significant risk that suspect people, who cannot afford to pay the full cost of a medical consultation, health service, or prescription themselves, will be denied service. This is likely to result in people who are not engaged in fraud being denied services, given the study findings suggest that over 14% of people who present a card showing their own photograph will be suspected of fraud, while 50% of people presenting a fraudulent card will not be suspected.

4.4 Transaction Times / Customer Convenience

Transaction Times
Use of a digital image stored in the chip rather than a photo printed on the card will increase transaction time. Reading the digital photo from the chip may take from three to ten seconds plus the time to enter the optional PIN. While this does not seem like a great deal of time, in busy service provider locations such delays can add to congestion and wait times. Pharmacists have advised that transaction speed is an important issue especially at lunch time when many customers queue for prescriptions. (DHS Supp Subm)

If the above times are factual and would cause increased congestion and wait times, then this would also apply to queues in Medicare and Centrelink offices, which DHS states will all use photograph capable card readers. Hence it appears people visiting Medicare and Centrelink offices will be subjected to more inconvenience as a result of the Access Card.

4.5 DHS Anti-Customer-Choice Arguments

4.5(a) Voluntary use as an ID Card

While the access card is not an identity card, a key feature of the card design is enabling card owners to use the advantages of a high integrity card for other purposes if they choose. ...
Removal of the cardholder's photograph from the face of the card would make the access card unusable as a primary identification document, thereby limiting the ability of consumers to choose to use the card for other identification purposes and diminishing consumer benefits. ...
It is the government's position that it be up to the individual cardholder to decide if they want to show the access card. (DHS Supp Subm)

The above is an anti-choice, consumer hostile, argument. There is no reason why DHS cannot allow individuals to decide whether or not they want a visible photograph in order to use their card as a photo ID card.

Making a photograph on the surface of the access card optional would also create two classes of cards, only one of which could be used as a primary identification document. (DHS Supp Subm)

The above fails to recognise that consumers could choose to have whichever "class" of card they want. DHS's "class" argument is also quite ridiculous given they already intend to issue more than one "class" of card (five different coloured cards), which they state will make some card holders a target for criminals:

4.5(b) Special colour Access Cards will put concession card holders at risk

If the coloured access cards that are offered for stable concession groups, such as aged pensioners, eligible self-funded retirees and veterans, do not display a photo they will be an attractive target for people committing fraud, providing almost endless opportunities for significant concession abuse. (DHS Supp Subm)

Circumstances that make 2.5 million concession cardholders targets for criminals, because DHS has chosen to provide them with specially coloured cards, cannot be used by DHS or the government to justify compelling over 14 million other people to have a visible photograph on their Access Card. All card holders, whether or not they are provided with a specially coloured Access Card, should be allowed to choose whether or not they want a visible photograph.

4.5(c) Current Availability of Photo ID cards

What the market research says
Qualitative research on the access card has found that most participants wanted the access card to show their name and their photograph.
The research found that the second most commonly identified key benefit of the card (nominated by 80% of people who were aware of the card) was the option to use it to prove identity – especially for people without drivers' licences and passports. (DHS Supp Subm)

As DHS has not made details of the research methodology etc publicly available, people who are aware of how easy it is to produce desired results, by asking biased questions etc, are unlikely to regard the above claim as necessarily factual.

In any case, while some people will no doubt wish to use an Access Card as an ID card, that does not justify compelling those who do not to have a photograph on their card. Furthermore, photo ID cards (generally called "Photo Card" or "Proof of Age Card" or "18+ Card") are already available in every State and Territory for any person aged 18 and above (there is no upper age limit) who wishes to have one:

The above cards range in cost to the applicant from $5 to $41 (mostly approx. $20) as at March 2007.

4.5(d) 90% of adults already have a photo ID document

Community acceptance of photo identification
Our market research suggests around 90 per cent of adults have a card displaying a photograph. Photo ID is also common place in many work places, clubs and associations. KPMG has made the point that 'it is not evident why the inclusion of a photo on the face of the (access) card would present additional privacy concerns given the already extensive use of photos in passports, drivers licences and other settings, compared with the enormous benefits that can be gained in terms of service entitlements and anti-fraud benefits.' (DHS Supp Subm)

To date, DHS has not provide any justification, let alone good reason, for why the 90% of people who already have photo ID should be compelled to have another card showing their photo.

Although DHS proclaims that smart cards are security and privacy enhancing, DHS nevertheless plans to compel people to have a photo printed on the surface of yet another card, instead of actually making use of the security and privacy enhancing feature of smart cards that would enable people to choose to have a photo on the chip instead of on the surface. The fact that many other insecure cards with photos printed on them are already in use does not justify introduction of another insecure card, nor spending over a billion dollars rolling out a smart card that fails to use the security and privacy features of smart cards properly.

4.6 Access to State and Territory Government and other third party concessions

Access to state and territory and third party concessions
Customers value these concessions highly.
The Australian Government through Centrelink and the DVA issue concession entitlement cards to a range of customers. There are around 2.5 million concession cardholders (including 1.9 million Age Pensioners, 0.3 million eligible self funded retirees and 0.3 million Veterans) who will be eligible for coloured access cards. These people are the major users of an estimated $4 billion worth of state/territory and third party concessions provided each year.
A key benefit of the photo on the face of the card to third party providers is the ability to ensure that the person presenting the card is the card owner. Removing the photo from the face of the card will limit the validation options available to these providers to either the chip or online. Accessing the photo via the chip will require a more sophisticated reader than would be needed to just confirm concession entitlement. In the absence of a photo on the surface of the card, customers may be required to provide other evidence of identity. Providers choosing to confirm online will not have access to the photo stored on the register. (DHS Supp Subm)

Circumstances applicable to 2.5 million concession cardholders cannot be used to justify compelling over 14 million other people to have a visible photograph on their Access Card.

State and Territory Government and other third party concession providers have been providing discounts/concessions without Commonwealth photo ID for many years and if they are concerned about the identity of cardholders they have the option of requesting photo ID. Every State/Territory in Australia makes available a photo ID card to any person aged 18 and above, generally called "Proof of Age" or "18+" cards. If some persons entitled to concessions cannot afford to obtain one of these low cost cards, the State/Territory Governments are at liberty to provide them at no cost to such people. It is not a Commonwealth Government responsibility and hence does not provide any justification for a mandatory photograph on an Access Card.

Furthermore, arguments contending photographs on surface are necessary to reduce third-party concession abuse should be disregarded until DHS publicly explains how concession status can work at all. Apparently DHS still only has "design ideas" which appear to be entirely unworkable and, if implemented, likely to cause major inconvenience to many concession card holders and concession providers, and not likely to significantly reduce concession abuse. For further information see Section 11-Concessional Status later herein.

4.7 Special needs of DVA customers

Special needs of DVA customers
Most of DVA’s business is between the client and medical and allied health service providers. A photo on the surface of the card provides certainty to these service providers about who they are dealing with.
Veterans and war widows have very frequent personal face-to-face contact with a wide range of over 50,000 contracted providers of health and community services. While these are government benefits they are delivered by third parties. There was no expectation that they would require readers with photo capability. The business case was based on them simply having to show their card or have low cost no photographic readers. A large number of these occur in the home or community setting. A photo on the card is added assurance for both the provider and the veteran that the right services are being provided to the right individual (e.g. medication administration). It goes without saying that there are major mutual benefits to all clients who are frail, confused or have dementia. (DHS Supp Subm)

Circumstances that may be applicable to 300,000 DVA clients do not justify compelling over 16 million other people to have a visible photograph on their Access Card.

We question whether there is any evidence of identity fraud in relation to veterans' entitlements. Further, given DHS states a large number of these services "occur in the home or community setting", opportunities for identity fraud would be limited.

4.8 Fraud against the Commonwealth/taxpayers

4.8(a) Estimated Savings

While DHS insist that a photograph on the surface is necessary to prevent fraud against taxapayers, and that KPMG's estimated fraud savings will not be achievable without a visible photo, these claims have no credibility while the government continues to refuses to provide the Parliament and public with details of how the claimed savings were estimated and what percentage is attributable to identity fraud.

The major section in KPMG's business case document about claimed savings was censored before public release, leaving only a summary of the basis for claimed savings (p.6-7 and p.11-12). Nevertheless this summary indicates that very little of the estimated savings relate to identity fraud of the type that might be prevented to some extent by a photo on the surface of the card. KPMG stated:

"The biggest gains are likely to be in the following areas:
  • Substantial reduction in the opportunity to set up false identities
  • Preventing the use of someone else's card to claim that you are that person for obtaining an entitlement
  • Reductions of claims for MBS and PBS concessions and safety nets based on inaccurate concession information
  • An immediate reduction in the number of people claiming Centrelink benefits
  • Reduction of fraudulent claims for benefits from Centrelink through non-disclosure of changed personal circumstances."

None of the above have anything to do with a photo on the surface of the card, except the second item. In relation to the second item, as discussed earlier herein, a photo on the surface will not necessarily prevent use of someone else's card, but is likely to result in people who are not engaged in fraud being denied services, given study findings suggest that over 14% of people who present a card showing their own photograph will be suspected of fraud, while 50% of people presenting a fraudulent card will not be suspected.

To justify such potential inconvenience and detriment to honest people, the government must provide public information about the dollar amount of fraud, per year, that is said to be attributable to the second item above. We consider it likely to be a vanishingly small amount in comparison to the overall claimed savings. Furthermore, while billions of dollar savings figures are constantly quoted by DHS and the government, these are estimates over a 10 year period from 2010. KPMG estimated annual savings, after registration is complete, to be between $125 million and $250 million (relating to the identity related fraud and abuse of concessions, according to KPMG's testimony to the Senate Committee). This is very small amount of estimated savings given DHS agencies will pay out approx. 100 billion per year (DHS has stated 1 trillion is expected to be paid out over 10 years).

EFA considers a core question that the government must answer, if people are to be forced to have a visible photo on the their card for the purpose of doctors and pharmacists being expected to prevent identity fraud, is what percentage of the $125 million - $250 million estimated savings per year is attributable to use of other people's cards to receive taxpayer funded benefits and what percentages are attributable to each of the other items. The subsequent question, once the foregoing is known, is whether estimated savings related to item 2 are worth the social cost - that is the significant risk of people being unjustly denied access to medical and pharmaceutical services and accused of fraud because staff in private enterprise consider they do not look like the person in a photo. EFA considers it unlikely that the amount of estimated savings could justify the social cost and risks.

We would expect that if instances of such identity fraud are common or otherwise significant, such an example would be provided in Medicare's National Compliance Program 2006-07 document[56].

However, the example Medicare provides under the heading "Identity Fraud" is:

"Identity fraud – a case study
Acting on a tip-off from a medical practitioner, Medicare Australia identified a member of the public who was using the practitioner’s provider number and creating false computer generated accounts to obtain Medicare benefits. Medicare Australia referred the matter for further investigation and consequently to the Commonwealth Director of Public Prosecution.
Mr D appeared in the Melbourne County Court in July 2006. He was charged with offences under the Health Insurance Act and pleaded guilty to one charge.
He was sentenced to 10 months imprisonment wholly suspended. He was released on a $1,000 bond to be of good behaviour for 3 years. As part of the bond he was ordered to repay $11,063.

Obviously a photograph on an Access Card will not prevent members of the public engaging in the above type of "identity fraud".

The above also makes apparent that when Medicare refers to "identity fraud" they do not necessarily mean of a type that would be prevented by photos on the surface of a Medicare or Access Card. This has implications in relation to the estimated savings attributable to "identity fraud", given KPMG worked with Medicare and Centrelink to obtain estimates, because a significant proportion of that subset of the estimated savings may have nothing to do with the lack of a photograph on a Medicare card. Whether or not Medicare explained to KPMG what they mean by "identity fraud" is an open question.

Overall, the information in Medicare's National Compliance Program 2006-07 document provides significant grounds for the view that a vastly greater amount of taxpayer fund savings may be achieved if the over $1 billion to be spent on an Access Card system and new national ID database was instead spent on funding Medicare and Centrelink compliance programs, related additional investigation staff and staff involved in practitioner and public education programs, and, if they have not yet fully done so, addressing recommendations in ANAO audit reports concerning system inadequacies and/or failures and errors, discrepancies and missing information in existing customer record databases.

We observe that Medicare's 2006-07 Compliance Program includes:

"Patients with a concession card, such as those provided by Centrelink and Veterans’ Affairs, pay less for PBS medicine. Medicare Australia must rely on doctors and pharmacists to check the concessional entitlement of a consumer. Entitlement is often not checked because it is an extra administrative process in a very busy environment. This year we will be working with Centrelink to ensure that consumers know when they are no longer entitled to PBS medicine at a concessional rate."

The above appears to indicate that prior to the current financial year, people were not being notified that they were no longer entitled. The ANAO Audit Report titled "Administration of Health Care Cards"[57], issued in June 2005, stated:

"The ANAO recommends that Centrelink, in consultation with relevant policy departments, review the advice provided to customers relating to cancelled Health Care Cards, with the objective of reducing the likelihood that cancelled cards will continue to be used after the customer has been advised to destroy the card." (Recommendation No.3, Para 4.16)

We address several DHS claims in relation to prevention of fraud below.

Reduction of Australian Government concession leakage and fraud is premised on the concession or benefit going to the right person and that the benefit is not transferable. Not having the photo on the card basically turns it back into a Medicare Card with a chip. (DHS Supp Subm)

The above is not necessarily true. A Medicare smart card with a PIN would not be able to be used to obtain government funded services by anyone who did not know the PIN (provided it was rolled out in conjunction with authorised readers able to verify that the chip was issued by DHS and had not been tampered with). This would be considerably more likely to prevent criminal mis-use of other people's cards than merely adding a photograph to the surface of the card. Also, it appears doubtful that a PIN will be optional due to the intended use of cards with the ATM/EFPTOS network (see Section 7.2 later herein).

Further, in late 2004/2005 when the trials of a new Medicare smart card were underway in Tasmania, a photograph on that card was optional. The government has not provided any indication of what has changed since 2004/2005 to justify such radical change from the then proposed Medicare smart card, to a card and related system that not only has all the hallmarks of a national ID card/system, but appears very likely to result in increased inconvenience and unjustifiable denial of service to some members of the public.

4.8(b) Lack of business case for Medicare safety net checking

According to DHS:

The use of Medicare cards to obtain these benefits has been exploited in the past and the incentives for such exploitation have increased considerably with the introduction of the government’s new Medicare safety net arrangements. There is an opportunity for people to manipulate and game the system by lending their Medicare card to others in order to reach the safety net sooner, or once they have reached the safety net, to lend their cards to other people who are then able to receive substantial concessions where their entitlements don't exist. (DHS Supp Subm)

If Medicare safety net information is to be on the Access Card (as indicated above), the government should provide the public and Parliament with details of the business case for this, given the KPMG business case specifically excluded Medicare safety net checking:

"Medicare safety net checking has been excluded from the scope of this business case on Medicare Australia advice that its inclusion may create opportunities for over-servicing. The chip will contain a field for Medicare safety net checking which will allow easy inclusion of MBS should such an extension of use of the card be supported by a future business case." (KPMG p.42)

In view of the above, obviously the estimated fraud savings claimed by KPMG, which the government continues to quote, would not have factored in the estimated cost of over-servicing arising from inclusion of Medicare safety net checking.

Given the DHS submission indicates a decision has since been made to include Medicare safety net checking, the government should publicly issue details of the business case for this together with revised (reduced) fraud savings estimates.

4.8(c) Probability of unjustifiable denial of service/benefits in pharmacies

At present legislation requires a pharmacist to request a Medicare number for all PBS subscriptions. Most pharmacists meet this obligation by asking the customer to present their card unless they already know them and have their Medicare number.

If the photo was not included on the surface of the card, and noting that there will not be comprehensive coverage of readers capable of accessing photos, the system would not achieve the fraud benefits anticipated and the business case for the card would be compromised. (DHS Supp Subm)

A requirement that pharmacy staff check a photo on an Access Card indicates the system will be considerably less, not more, convenient for members of the public. For example, how will the system deal with scenarios such as the following:

Jane's mother becomes unexpectedly ill and bed-ridden (therefore Jane is not listed as a carer on her mother's Access Card). A doctor visits her at home and writes a prescription. Jane wants to go to a chemist and obtain the prescribed medication for her mother. Will Jane be able to obtain the medication by showing her mother's Access Card, which matches the name on the prescription? If yes, then obviously the photo is not being matched with the person collecting the medication, which means that anyone could claim to be collecting a prescription for a relative or friend when they were in fact engaged in fraud.

If it is planned that Jane would also have to show her own Access Card, then:

  • what if Jane does not have an Access Card herself, after all it will not compulsory to obtain one!
  • even if Jane does have an Access Card herself, that would not prove that Jane is not fraudulently obtaining a prescription/benefit made out in someone else's name. A fraudster could, for example, show their own Access Card together with a stolen Access Card showing the same name as the name on the prescription.

The above is just one example of the tension between requiring health and medical service providers to prevent identity fraud and ensuring members of public will not be unjustifiably denied access to services/benefits to which they are entitled, nor experience greater inconvenience and difficulty in obtaining such services.

4.8(d) DHS Fraud Examples

Although DHS and former DHS Minister Hockey have referred to a small number of fraud case examples, which they have claimed the Access Card will prevent, generally too little detail about the examples has been provided to enable checking of the veracity of such claims. However, in several instances where sufficient detail was provided, it seems apparent that the Access Card will not, or is most unlikely to, prevent such fraud. DHS's Jodie Harris case example has been addressed earlier herein. Two others are discussed below.

The DHS Supplementary Submission stated:

Of the $100 billion in services and benefits delivered, $20 billion relates to the Medical Benefits and Pharmaceutical Benefits Schemes. It is very difficult to detect cases of fraud in these instances but fraud does occur. For example, recently a person was charged after allegedly using another person's Medicare card to obtain medical services for a relative. The person provided the card to the relative who accessed $10,000 worth of medical care at a Sydney hospital. (DHS Supp Subm)

We note that the Australian Federal Police media release concerning the above case stated that:

"It will be alleged in court that the woman provided a Medicare card to a relative, who subsequently used it to fraudulently access medical care at a Sydney hospital. ...
Commander of the New South Wales Police Fraud Squad Detective Superintendent Col Dyson said yesterday's arrest was connected to the recent arrest of an alleged organised crime syndicate member who was charged with identity crime offences.
(Charges over alleged Medicare card fraud[58], AFP Media Release, 22 November 2006)

It is highly doubtful that a photograph on the surface of an Access Card will prevent people involved with organised crime syndicates from continuing such fraud, given numerous police media releases and media reports about fake drivers licences and replacement of photos on drivers licences. A significantly more effective means of preventing such fraud would be to have the photograph on the chip, and data including the photograph on the chip signed with a government signing key, together with photograph capable readers that would also be able to verify that the chip was issued by DHS and that data on it had not been tampered with. However, no DHS documents issued to date provide any indication that such smart card security capabilities will be implemented on Access Cards.

During a speech to National Press Club[59] on 8 November 2006, then DHS Minister Hockey said:

"As a Government it is our responsibility to stop the proliferation of these fraudulent cards and the misuse of genuine cards.

I would like to give you a just a couple of examples to illustrate what is a growing problem.

In a recent case, a Centrelink customer had meticulously created false identities for 18 non-existent children. The customer had used fraudulent birth verification forms and forged letters to falsely claim benefits for nine sets of twins! A tip-off from a suspicious Centrelink employee and a subsequent investigation exposed that fraudulent activity occurred between 1999 and 2005. Over that time, the individual had stolen $623,000 from the taxpayer."

However, the Access Card will not prevent such people from claiming/receiving benefits for non-existent children. As reported in the Courier Mail:

"[Prosecutor Shane] Hunter said Anderson used her position as a nurse at the Princess Alexandra Hospital to obtain Certificates of Birth and had a stamp featuring a local obstetrician's name to authenticate the documents. She also forged driver's licences, passports and death certificates."
(Mum rips off Centrelink - Nine sets of fictitious twins - $622,000 in benefits, Courier Mail, 17 December 2005)

Obviously the fraudulent claims were successful because counterfeit birth certificates were produced and used, and this will continue to be able to occur unless Centrelink check the validity of birth certificates of children with the relevant State/Territory Registrar's office, which does not have anything to do with the proposed introduction of Access Cards.

In relation to the large amount stolen, according to the Courier Mail report:

"Judge Ian Wylie, QC, sentenced Anderson to seven years' jail for what was described as the largest Centrelink fraud of the past decade, and the third largest overall.

Former Centrelink regional manager Christopher Bracken was jailed by the NSW Criminal Appeal Court in 1994 for stealing $708,000 over 12 years. Also in 1994, Queensland Centrelink senior staffer Jennifer Ritchie was jailed by the Supreme Court in Toowoomba for stealing $630,000 over six years."

5. Signature and unique DHS ID number on surface of Access Card

EFA submits that prior to/during registration individuals should be given the option of choosing whether or not their signature and new unique DHS ID number will be printed on the surface of their Access Card. We do not repeat here our previously stated reasons for being of the view that the foregoing should be optional because the Task Force has previously recommended against these items being mandatorily printed on the surface. However, we do provide further information and comments in relation to the signature.

The Discussion paper states:

"Similarly there needs to be greater information provided about the encryption of signatures so as to minimise the security risks associated with copying of signatures from lost or stolen cards.

This is especially relevant to lost or stolen Medicare cards (some 500,000 each year); especially as such cards figure in something like one-half of all cases of identity fraud. Current Medicare cards, of course, do not carry either a photograph or a signature."

We find the reference to encryption of signatures above puzzling because whether or not the electronic copy of a handwritten signature on the chip is encrypted, signatures on lost on stolen cards will be easily able to be copied from the surface of the card (unless the government changes its mind about forcing people to have their signature printed on the card).

Common flat-bed scanners connected to personal computers can be used to copy graphics and text on the surface of a card and produce an electronic copy. Many scan at high resolution such that the resulting electronic copy would likely be as good quality as the copy DHS intends to store on the chip. It makes no difference if the signature is printed on a coloured background because commonly available (including free) graphics software can be used to make the background white or transparent.

Furthermore, purpose-made photo ID card scanning systems are available. These systems comprise a very small size scanner (operating at high optical resolution) and related software made specifically for the purpose of extracting graphics and text from the surface of photo cards. Such systems extract the full card image, face image, signature image and full text data, arranged in appropriate text fields, and can place those items in a database, or in the clipboard, or into third party software. Most copy both sides of the card in one swipe. The intended purpose is to enable car rental companies, hotels, and any other businesses, to easily and quickly copy all information from the surface of an ID card into their database. See for example:[60]
Other examples can be found by web search for terms such as "ID card scanner".

In addition, as stated by Professor William J Caelli AO in his July 2006 submission[61] to the Taskforce:

"Current smart card acceptor units require full insertion of the card into the unit and at that time both sides of the card can be copied simultaneously if desired. The attacker would, naturally, have to have modified an acceptor or built a specific unit for the purpose. If a card is lost, then even more time can be spent doing this."

It should be noted that when an individual voluntarily places their Access Card in a smart card reader in the private sector, they will have no means of knowing whether or not the card acceptor unit is copying signature, photo and text from the surface of the card.

Historically the above has not been readily able to occur in Australia because magnetic stripe cards have not been inserted fully into a reader.

The fact that smartcards are fully inserted into a reader requires attention to be paid to the capabilities of, and risks arising from, modern technology in general. It is quite ridiculous for Ministers etc to say that there is no problem with having signatures etc on the surface because they are already on the surface of drivers licences, etc. Cards that are not, of necessity, required to be fully inserted into a reader present considerably less security risk to the cardholder because information on the surface cannot be copied without the card holder being aware that it is being e.g. photocopied, or may be being copied because the saleperson, etc, has taken the card to another room out of the sight of the cardholder.

6. Purpose of personal data on chip

Given DHS's claims that the photograph needs to be printed on the surface, the question arises as to why any personal data at all needs to be mandatorily stored on the chip. Personal information that will not be mandatorily on the surface, such as address, date of birth, etc., is already stored in DHS agencies' databases and these agencies' staff will presumably continue to have access to those databases for necessary purposes as they do now. Therefore, why does this same information have to be on the chip?

Currently given the amount of personal information that DHS claims needs to be printed on the surface, it appears that the only real purpose for the chip is as a replacement for the magnetic stripe on a Medicare card and therefore only needs to store the same information as the magnetic stripe (e.g. Medicare number and probably name) in order to facilitate Medicare eClaiming.

Storage of other personal information on the chip appears to have a sole purpose of enabling it to be accessed in conjunction with voluntary usage of the card, that is, for purposes unrelated to DHS/DVA agency services.

If a photograph, signature and new unique ID number continues to be mandatorily required on the surface (which we oppose) then it appears that individuals should be given the option of not having any personal information on the chip other than that necessary for automated Medicare eClaiming (e.g. Medicare number and name if that is necessary).

Unless DHS can and does publicly provide a credible explanation for personal data on the chip, or decides that photo, signature and number will not be mandatory on the surface, this DHS smart card project will continue to appear to be a technology solution looking for a problem. It increasingly looks like the result of someone's vision of how government can force business (e.g. banking infrastructure providers) to roll out new technology.

7. PIN numbers

7.1 Issuing a PIN during registration - lack of PIN security

We observe that the Discussion Paper:

  • contains a diagram stating that "Collect PIN and optional online password" will take place during the registration interview; and
  • states that during the interview "PIN or secret passwords will be recorded if the individual chooses to use these to protect any part of their own controlled data";

and that Section 17(9)(d) of the first Bill states that "if there if there is a personal identification number for your access card" that PIN will/must be stored in the DHS database (Register).

The above PIN allocation process and storage in a database is completely inappropriate and unacceptable. It indicates a government policy decision (unrelated to smart card technology capabilities) has been made that would result in entirely unnecessary security risks for which no reason, let alone legitimate reason, has been given.

The system must be designed and implemented in a way that ensures no-one other than the cardholder and the chip application knows, or can find out, the PIN number. This is technologically possible and practical - the PIN can be allocated to the chip during a secure card manufacture/personalisation process which also issues a secure envelope containing the PIN which is sent to the cardholder separately from the card, as is usually the case with, for example, production of ATM and credit cards (smart cards and magnetic stripe cards) with PINs. People involved in card personalisation and bank staff do not know, and are not able to find out, the PIN number of a person's card. Access Cards must be produced by the same method, so that no person other than the cardholder knows, or can find out (e.g. by looking in a database), the PIN number.

7.2 Will a PIN in fact be optional?

While DHS statements and the Discussion Paper claim that a PIN will be optional, government intended purposes of the Access Card indicate that a PIN may not, in fact, be optional.

For example, we question whether an Access Card will be able to be used, as intended, to obtain emergency payments via the ATM/EFTPOS network if a card does not have a PIN. In this regard, we note that the DHS (first) submission to the Senate Committee stated:

"A PIN will be included on the card at the option of the card owner. A PIN will provide additional security. A person’s PIN is recorded in the chip of the card to enable them to control access to information secured by the PIN. Additionally, the PIN may be used to authenticate the card holder in electronic transactions." (emphasis added)

and DHS Case Study No. 3 (issued May 2006 with Budget documents) stated:

By using the access card in conjunction with an ATM or an EFTPOS facility at a retail outlet—once the system is built— people would be able to access government emergency relief cash payments almost immediately.

and in response to a question during the Senate Committee inquiry, the DHS Secretary stated that:

"The [emergency payment] money does not go into your account; it goes into—let us call it DHS’s account. The card you have, and we know you have that card and we are confident you have got that card, we can, through back-end systems at the bank, activate that. If that card is inserted in a machine, that card will be able to draw say $200 from our account. That would mean, in an emergency situation, if people lost their money or the government was going to make a one-off payment to them, they would be able to access that." (Hansard Transcript Tuesday)

Relevant to whether or not a PIN will be optional is the questions: Do any ATM/EFTPOS terminals in Australia allow withdrawal of cash without the card holder entering a PIN? Are any such terminals capable of identifying whether a card has a PIN or not, or do they expect a PIN to be entered?

It seems unlikely such banking system terminals issue cash without PIN entry, and particularly given the means by which Centrelink currently issues benefits electronically. Among the 17 cards that DHS state will be replaced by the Access Card is the Centrelink Electronic Benefit Transfer Card ("EBT Card") which has a PIN. According to the Centrelink brochure about the EBT Card[62], it is ATM Cashcard that Centrelink issues along with a separate envelope containing a PIN. The person goes to an ATM, inserts the card, enters the PIN and the ATM issues cash withdrawn from a Centrelink/Government bank account.

Whether or not any ATM/EFTPOS terminals do issue cash without a PIN being entered, we doubt the wisdom of a government decision to allow money to be withdrawn from a government bank account without the cardholder/authorised recipient of government funds being required to enter a PIN. Unless a PIN is entered, DHS cannot be reasonably sure that the machine is providing money to the authorised recipient - this would be particularly so when an ATM machine is used, as there will be no human present to check the photograph (and even in the case of EFTPOS terminal withdrawals, as detailed earlier herein, human ability to accurately match unknown faces with photographs is not reliable).

We submit that all Access Cards that will be capable of being used in ATM/EFTPOS terminals should be required to have a PIN. This PIN should be automatically allocated during a secure card personalisation process and therefore not be known to, or accessible to, anyone other than the cardholder. If DHS wants cardholders to be able to choose or change their PIN, this should be implemented by facilitating cardholder access to authorised card reader/writers (e.g. in DHS agency offices) that enable them to change the PIN on the chip themself after the card has been issued to them.

8. Optional DOB on surface

DHS claims re use of Access Card to establish bank account

DHS has claimed that a photograph is necessary on the surface so that people can choose to use their Access Card to open a bank account:

To take a practical example, [an access] card including the holder's photograph could be used as primary proof of identity in opening a bank account, ie. 70 points of value under the '100 point test'.

A card without photograph could not be used as primary proof of identity. It would be similar to the existing Medicare card which is worth only 25 points of identity. (DHS Supp Subm)

It appears DHS may not be aware that the 100 point test will cease to exist before the roll out of Access Cards commences. AUSTRAC issued the final version of new Rules made pursuant to s229 of AML/CTF Act[63] on 30 March 2007. These rules will come into effect from December 2007.

The new Rules indicate that an Access Card with a visible photograph may not be able to be used to open a bank account, etc, unless either the card holder has voluntarily chosen to have their date of birth printed on the surface, or the organisation intending to rely on the card as EOI has an "authorised reader" able to read necessary information from the chip.

Given DHS has publicly stated that people will be able to use an Access Card with a visible photograph to open a bank account, whether or not that is factual should be investigated (for example via communication with AUSTRAC) prior to the commencement of the registration process for an Access Card. As DHS apparently do not intend to provide banks with "authorised readers", it may be necessary to inform persons registering for an Access Card that they would need to choose, during registration, to have their date of birth printed on the surface of the card if they wish to use the card as a primary photo identification document for opening a bank account.

It should be noted that the AUSTRAC safe harbour rules also provide for opening of bank accounts without provision of a photo identification document.

9. Matching registrants to existing clients

Will people registering be required to bring along a list of their Medicare, Centrelink, Child Support Agency, DVA, etc. numbers? If not, how does DHS intend to match registrants to existing agency records and client numbers (numbers which according to the first Bill are to be loaded onto the chip), given DHS has claimed that some people do not update their address regularly and/or may be using an abbreviated version of their name with one agency but not another, etc.

Such collection of numbers during registration will make abundantly clear the potential for data matching/sharing across agencies. The reason for/purpose of such collection should be made available to registrants. Currently it is unclear what the purpose of the agency-related numbers on the chip is given there will also be a new unique DHS ID number, or alternatively, what the purpose of the mandatory new unique ID number is given agency-related numbers will also be on the chip.

10. Pre-Registration online may facilitate phishing

The proposed online pre-registration referred to in the Discussion Paper may facilitate phishing. The Paper appears to contemplate that individuals would enter personal information including name, date and possibly location of birth, address, drivers licence and/or passport numbers, etc. into a form on a web site. At the least, significant public education efforts, throughout the two year registration period, would need to be made to minimise the potential for people to provide personal information to phishing sites.

11. Concessional Status

The Discussion Paper states:

"At this stage the Taskforce has not attempted to explore the issues related to the identification of concessional status for cardholders. We understand that detailed discussions will need to take place between the Commonwealth and the State and Territory Governments who are the principal providers of concessions, especially those related to public transport. In addition some concessions are granted by Local Government (e.g. rate rebates) and by the private sector. Until these discussions have been undertaken and some agreement reached at a government-to-government level, the Taskforce does not think it can make a useful contribution to the wider debate, although it does intend to offer its opinions at an appropriate time."

EFA considers the identification of concessional status is likely to be a show-stopper for the project, and if not, the Access Card system is highly likely to cause great inconvenience and difficulty for many concession card holders and third-party providers of concessions.

Evidently DHS acknowledge the Access Card technology will cause inconvenience for many concession card holders and providers of concessions, therefore to reduce the number inconvenienced they have decided to issue some concession card holders with specially coloured Access Cards:

For concession groups whose entitlements do not tend to vary over time, such as veterans, aged pensioners and eligible self-funded retirees, optional coloured cards will be available to provide an easy verification of concession status. (DHS Supp Subm)

Ms Scott—Stable groups such as self-funded retirees, age pensioners and veterans. They tend to come into that category, their circumstances hardly ever change and they stay in that category.
Senator FORSHAW—Not the unemployed, for example?
Ms Scott—No. We discussed that previously at length. We will find the section.
Senator FORSHAW—... As I understood where you were heading, you were going on to explain that we can expect that there are identifiable groups that will have their own style of an access card?
Ms Scott—If they wish. I expect the great bulk of that group will want it because they will find it extremely convenience to access third-party concessions. (Hansard Transcript Tuesday)

Apparently there will be at least 5 different coloured Access cards. One colour for the vast majority of people including "non-stable" concession card holders, a different colour for "stable" concession card holders, and three colours for veterans (white, orange and gold, according to the DHS Access Card marketing video on the Office of Access Card web site).

Hence, "non-stable" concession card holders will not have a convenient means of accessing third-party concessions. Their ability to prove their concession entitlement will depend on whether the third-party concession provider has a card reader capable of reading concession status information from the chip.

Hence it is of major concern that DHS apparently still only has a "design idea" about how access to concesssion status information on the chip could perhaps work, although it is over 9 months since the Access Card was announced, and the DHS chaired Smart Technologies and Services IDC had been developing a DHS smart card proposal since at least June 2005.

At the March 2007 Senate Committee inquiry hearings, in response to questions identification of concession status, the DHS Secretary referred the Committee to previous DHS testimony "at about page 20" of the February Estimates hearing. Page 21 includes the following:

Ms Scott—...[I]f they want to go, for example, to the movies and there are concessions because they are on Newstart, unemployed, then our design idea is that they would dock the card in a reader and the card would simply indicate on a very small screen, which you tend to have in commercial centres, that they are concessional. That would be it. They would not be able to see the other parts of the card.

Ms Hartland—It might be as simple as just the letter 'C' for 'concessional', and that would be all that they would see. (Estimates Hansard, p21, 16 February 2007)

However, DHS's design idea appears to be unworkable. If it is not entirely unworkable, it will be highly inconvenient and impractical for many concession card holders and providers of concessions, and be most unlikely to prevent concession abuse.

The display of 'C' for 'concessional' will not give concession providers information about the type of concession entitlement, for example:

  • Pensioner Concession Card (which is available to people receiving various types of social security income support payments, not only Age Pension)
  • Commonwealth Seniors Health Card
  • Health Care Card
  • Foster Child Health Care Card
  • Low Income Health Care Card
  • Mobility Allowance Health Care Card

As the "Guide to Centrelink Concession Cards" brochure about the above listed cards states:

"Not all card types will attract the same type of concessions and the concession on offer to cardholders may also vary between different states and territories."

Hence State/Territory governments and businesses that provide concessions will need more information than just 'C'.

In addition, if concession abuse is to be prevented or at least reduced then, at the least, relevant dates will also need to be displayed.

It appears that the need for display of more information has come to DHS's attention since the Committee hearings, as the DHS Supplementary Submission prepared after the hearings states:

The information contained in the chip, such as card and payment type and the start and expiry dates of those [concession] entitlements, will be of use to providers when confirming those entitlements in a non-online environment. On docking the access card into an authorised reader, the card reader will enable limited status indicator information to be displayed to the service provider from the chip. (Further investigations about the information required to be made available on the card reader display are still underway.) (DHS Subm 1)

However the above also shows that DHS still does not know how or what concessional status information will be made available.

DHS's realisation that more information would need to be visible has significant implications in relation to the practicality and convenience of the type of card readers that DHS had envisaged concession providers could use, and hence cost implications for concession providers (as the DHS budget does not include provision of card readers to them).

In addition, regardless of the amount of information to be displayed, the "non-online" card readers that DHS has said concession providers could use will not prevent concession abuse of the type frequently referred to in the context of justification for the Access Card by the former Minister and the DHS Secretary, for example:

Ms Scott—I return to our earlier discussion about concessions when we talked about stable groups and concessions. There are some groups where people come on and off concessions very frequently—Newstart and so on. People might have a casual job picking strawberries and then become unemployed three months later and be on benefits. There is no point in giving them a coloured card because their concessional status changes all the time. This is the particular group that may end up with a card at the moment that is issued for 13 weeks or whatever—some are issued for longer—and they are accessing benefits when maybe they should not be. The advantage with having a card that has a chip in it is that it can be updated and then, as people seek to get different benefits, you will be able to establish that in fact they are no longer concessional. (Hansard Transcript Tuesday)

However, it is not apparent how, or even if, DHS could ensure that the chip in a card is in fact updated. As stated during the Senate Estimates hearing on 25 May 2006:

"Mr Leeper [Acting Secretary, DHS] —...In addition, I would anticipate that there would be savings arising from application of the currency of concession status, particularly for Centrelink payments. As you would be aware, under current arrangements Centrelink issues cardboard concession cards. When a person moves from being eligible for that concession to being ineligible, Centrelink contacts them and indicates that change of status and requests that the card be destroyed, but that is not something that can be enforced. You cannot summons someone in to cut up their cardboard card in front of you."

Given DHS acknowledge they "cannot summons someone in to cut up their cardboard card in front of you", it appears they also cannot summons someone in to dock their Access Card in a reader connected to a DHS database in order to update the chip.

Hence, the low cost off-line handheld devices, that DHS has said could be purchased by concession providers to view concessional status, will display out of date eligibility, the same as cardboard cards, unless the cardholder visits a DHS agency office or other premises where the chip can be updated.

The above situation raises the question of whether cardholders may be subjected to some penalty for failure or delay in visiting an office to have the chip updated. It is obviously much easier and convenient for honest people to destroy a cardboard card than to have to promptly visit a DHS office in order to avoid suspicision that they are continuing to claim concessions to which they are no longer entitled.

In addition, we observe that the low cost handheld "basic readers" that DHS claims in its Supplementary Submission can be used to show concessional status do not appear to be particularly practical for concession providers because they have a very short single line display. It appears concession providers would need to use buttons or a thumbwheel to scroll through the necessary information, i.e. card and payment type and the start and expiry dates.

A further issue in relation to convenience, and also the Access Card system design, is that these "basic readers" do not include PIN entry pads. It therefore appears that DHS does not intend that concessional status information will be able to protected by a PIN from disclosure without consent (notwithstanding that DHS has consistently said that individuals will have the option of a PIN applicable to the Commonwealth area of the chip). To date, DHS has not provided any credible information explaining what, if anything, will prevent disclosure of concessional information every time a cardholder's card is placed in a reader, including when for example voluntary use of the card has nothing to do with concessions. Obviously this is a privacy issue.

Furthermore, even if the concessional status information is not able to be PIN protected and therefore is readily accessible with "basic readers", there is a further issue in relation to these readers without PIN entry pads. For example, a cardholder who had chosen to protect their personal information with a PIN but needed to allow a concession provider to view their address, would not be able to do so because the reader does not have a PIN entry pad. According to the "Guide to Centrelink Concession Cards" brochure, in relation to existing cards:

"Customers can request that no address appear on their card, although this may cause the cardholders problems when attempting to claim concessions."

We question whether DHS has undertaken any investigation into the number of concession providers who may require address information. EFA does not have information on such requirements although we assume it might apply in the case of, for example, pensioner discounts on rates and electricity.

Hence, it appears DHS would need to make available low cost off-line "authorised readers", that include PIN entry pads and the relevant DHS approved software/module to enable access to PIN protected information when the cardholder consents to such access by a concession holder.

We also question whether the pictured "basic reader" devices, in the DHS Supplementary Submission (p.25-26), could in fact be used to view concessional status information on an Access Card given:

  • The first one appears to be a "balance reader" or "value checker" for an e-purse card, (normally used to display the monetary balance left on an e-purse card).
  • The second one is a Todos Value Checker[64] which is "used for displaying the balance on your electronic purse card (e.g. Proton, Mondex, Geldkarte, Visa Cash, Danmønt, Klink, Avant etc)". According to the Todos Technical Specifications[65] it can read and write to a card chip and there is no indication that it includes any security modules.

    If DHS maintain that this device is to be used for viewing concessional information, DHS should explain what will stop a person using such a device from writing to the chip, especially if the chip is to contain a so-called "customer controlled portion of the chip". If the card holder will be able to write voluntary information into that part of the chip, it appears likely that any person using a device capable of writing to a chip also could.

  • The third one is a Todos eCode Signature device[66], that is, a one time PIN generator device (such as provided by some banks to their customers for on-line banking log-in etc purposes).

It is quite concerning that DHS have evidently been unable to provide information or pictures of any low cost handheld smart card readers, other than e-purse value checkers, and a one time PIN generator device. Have they not been capable of finding any devices that are clearly designed/intended for the required purpose?

Whether or not suitable low cost card readers are readily available for purchase in Australia now, or DHS assumes they will be by April 2008, there is obviously no means of forcing third party concession providers to purchase and use same, which gives rise to the serious question of whether the Access Card will result in a reduced number of concessions being available, at least until smart card equipment becomes vastly more common for other purposes in Australia. To date discussions about third-party concessions have included mention of a very few concessions such as movie tickets and public transport. However, the "Guide to Centrelink Concession Cards" brochure lists an extensive number of concessions that may be available to Commonwealth Concession Card holders in the areas of "state, territory and private services" including household (council rates, electricity/gas, telephone line rental, housing), education (school fees, TAFE, state government education allowances, training progammes), transport (taxi fares, road transport registration fees, drivers licence fees, public transport fares), general (entertainment, shopping), etc.

Access to public transport provider concessions appears likely to be problematic in States intending to roll out smart card fare systems because these normally involve a contactless chip, not a contact chip as the Access Card will have. Whether or not States currently rolling out transport systems have budgetted for and/or are implementing card readers capable of reading both contactless chips and contact chips is unknown.

EFA recommends that advertising etc about the Access Card registration process discourage "non-stable" concession card holders from registering early in two year registration period due the high probability that many third-party concession providers will not have purchased equipment capable of reading the chip.

12. Additional Datasets / 'Customer Controlled part of the chip'

The Discussion Paper states:

"To date a number of additional datasets have been identified as ones which might potentially be included in some part of the card architecture, specifically in what the then Minister has described as the 'Customer Controlled part of the chip'. ...
In this Discussion Paper we wish to raise consideration of a number of potential datasets which might be suitable for inclusion in the Access Card."

EFA submits that the proposal to have space on the chip that could be written to by the card holder (if they have the necessary smart card reader/writer equipment) should be entirely scrapped.

It is most unfortunate that former DHS Minister Hockey has encouraged the general public to incorrectly believe that a smart card chip is like a mini-iPod.

The inclusion of voluntary use space will introduce design complexities, including potential security risks within the system architecture, and associated additional but unknown costs that are entirely unnecessary, and likely to put the success of whole project at greater risk, especially in view of the short, rushed timeframe for deployment of the cards and overall system (by April 2008).

We consider that the AGIMO Smartcard Framework[67] document: Section 2 - guidance at the project management level in important areas such as privacy, security and technology selection[68] (released on 30 March 2007) should be mandatory reading for every government-related person involved with the Access Card system, not only those actually attempting to design/implement the system but also any government people who intend to speak about the proposed system. Among other things they would be likely to learn why, as AGIMO states in the final section among other things, it is necessary to:

"set[ting] meaningful timelines for system development and deployment, taking note of the fact that large systems have been, almost without exception, years in planning and development prior to pilot and full deployment57

57 Projects that adopt unrealistic timeframes are at risk form impacts from 'design on the fly' and 'adopt without checking' decisions".

To date, numerous statements and claims made by government representatives about the proposed Access Card system, together with the very rushed timeframe, strongly suggest that it is at major risk from 'design on the fly' and 'adopt without checking' decisions.

However, it remains to be seen whether such decisions have been 'built in' yet, or whether flights of technological fantasy etc. can be reigned in, to minimise the potential for the Commonwealth Government's first attempt to roll out smart card technology to some 16.5 million citizens does not turn out to be a massive IT disaster.

Further, while the AGIMO document above warns that successful projects normally involve pilot deployment, there has been no indication that DHS intends to conduct pilot deployment of the proposed Access Card systems. It is of significant concern that DHS may not be planning to conduct a pilot due, perhaps, to former DHS Minister Hockey's view:

"...[W]hen I became Minister for Human Services and inherited Centrelink and Medicare and the Child Support Agency and a number of other agencies, even though we had a Medicare smart card trial in Tasmania, the overwhelming view was that we could not afford to proceed with more pilots. The pilots were for planes, not for technology in my view ..."
(Speech by Joe Hockey, The Government's Vision for a Single Health and Social Services Smartcard[69], at the Australian Smart Cards Summit 2006, 28 June 2006)

14. References

1. DHS Access Card Consumer and Privacy Taskforce, Discussion Paper No. 3: Registration

2. Senate Finance and Public Administration Committee, Inquiry Into Human Services (Enhanced Service Delivery) Bill 2007

3. AGIMO, Australian Governemnt Smartcard Framework - Section 2 - guidance at the project management level in important areas such as privacy, security and technology selection

4. DSD submission to Senate Committee

5. The Access Card System (13-Dec-2006)

6. Access Card Consumer and Privacy Presentation (13-Dec-2006)

7. Overview of the second access card procurement process (31-Jan-2007)


9. The Access Card System (13-Dec-2006)

10. Biometrics and Government

11. FVRT2002

12. FVRT2006

13. Biometrics at the Frontiers: Assessing the Impact on Society

14. An Introduction to Biometric Recognition

15. Feasibility Study on the Use of Biometrics in an Entitlement Scheme

16. LSE Identity Project 2005, The Identity Project

17. UK Biometrics Enrolment Trial Report

18. DHS written answer to Questions on Notice during the March 2007 Senate Committee Inquiry

19. Tampa drops face-recognition system

20. Developing a police perspective and exploring the use of biometrics and other emerging technologies as an investigative tool in identity crimes

21. Access Card Technology page

22. Regione Lombardia smartcard

23. DHS submissions to Senate Committee Inquiry:
Supplementary Submission

24. DHS testimony to Senate Committee Inquiry

25. Where your ID is at risk

26. Woman wanted over series of deceptions

27. Most-wanted woman taunts police

28. Australian Passport requirements - identity documents

29. Queensland proof of age card

30. Raids crack counterfeit identity ring, say police

31. ID fraud gang broken up

32. Police smash massive identity fraud syndicate

33. Police smash huge identity fraud ring

34. ID Crime Taskforce charges Sydney man

35. Bangladeshi arrested in Malaysia for selling fake work permit

36. One of Australia’s largest identity crime syndicates dismantled

37. Vigilant teller unmasks major identity theft ring

38. Where your ID is at risk

39. Duo nabbed for Mykad forgery

40. AUSTRAC Rules made pursuant to s229 of AML/CTF Act 2006

41. AUSTRAC media release, Rules assist industry with compliance under anti-money laundering laws, 30 March 2007

42. KPMG business case

43. Medicare eClaiming

44. PBS Online

45. Address to the AMA National Conference 2006, Minister Joe Hockey, 27 May 2006

46. Richard Kemp, University of NSW

47. When Seeing should not be Believing: Photographs, Credit Cards and Fraud, Richard Kemp, Nicola Towell and Graham Pike, Division of Psychology, University of Westminster, London, UK, published in Applied Cognitive Psychology, Vol. 11, 211-222 (1997).

48. Australian Capital Territory: Proof of Age Card

49. New South Wales: Photo Card

50. Northern Territory: 18 Plus Card

51. Queensland: 18 Plus Card

52. South Australia: Proof of Age Card

53. Tasmania: Proof of Age Card

54. Victoria: Proof of Age Card

55. Western Australia: Proof of Age Card

56. Medicare's National Compliance Program 2006-07 document

57. ANAO Audit Report: Administration of Health Care Cards, 2005
< binary_id=46ED4DE91560A6E8AAF53B454645BB55>

58. Charges over alleged Medicare card fraud

59. Address to the National Press Club on Future Directions for the Access Card, Minister Joe Hockey, 8 Nov 2006


61. Professor William J Caelli AO, Submission to Taskforce, July 2006

62. Centrelink brochure about the EBT Card

63. AUSTRAC Rules made pursuant to s229 of AML/CTF Act

64. Todos Value Checker

65. Todos Value Checker Technical Specifications

66. Todos eCode Signature

67. AGIMO, Australian Government Smartcard Framework

68. AGIMO, Australian Government Smartcard Framework, Section 2 - guidance at the project management level in important areas such as privacy, security and technology selection

69. The Government's Vision for a Single Health and Social Services Smartcard, Minister Joe Hockey, Australian Smart Cards Summit 2006, 28 June 2006

15. About EFA

Electronic Frontiers Australia Inc. ("EFA") is a non-profit national organisation representing Internet users concerned with on-line rights and freedoms. EFA was established in January 1994 and incorporated under the Associations Incorporation Act (S.A.) in May 1994.

EFA is independent of government and commerce, and is funded by membership subscriptions and donations from individuals and organisations with an altruistic interest in promoting online civil liberties. EFA members and supporters come from all parts of Australia and from diverse backgrounds.

Our major objectives are to protect and promote the civil liberties of users of computer based communications systems (such as the Internet) and of those affected by their use and to educate the community at large about the social, political and civil liberties issues involved in the use of computer based communications systems.

EFA policy formulation, decision making and oversight of organisational activities are the responsibility of the EFA Board of Management. The elected Board Members act in a voluntary capacity; they are not remunerated for time spent on EFA activities. The role of Executive Director was established in 1999 and reports to the Board.

EFA has long been an advocate for the privacy rights of users of the Internet and other telecommunications and computer based communication systems. EFA's Executive Director was an invited member of the Federal Privacy Commissioner's National Privacy Principles Guidelines Reference Group and the Research Reference Committee (2001) and the Privacy Consultative Group (2004-2005). EFA participated in NOIE's Privacy Impact Assessment Consultative Group relating to the development of a Commonwealth Government Authentication Framework (2003), Centrelink's Voice Authentication Initiative Privacy Impact Assessment Consultative Group (2004-2007), the ENUM Discussion Group and Privacy & Security Working Group convened by the Australian Communications and Media Authority ("ACMA" formerly ACA) (2003-2007), and the ACA's Consumer Consultative Forum meeting (April 2005). EFA has presented written and oral testimony to Federal Parliamentary Committee and government agency inquiries into privacy related matters, including amendments to the Privacy Act 1988 to cover the private sector, telecommunications interception laws, cybercrime, spam, etc.