The Minister for Justice and Customs, Senator Chris Ellison, announced this week a feasibility study into linking the databases of government agencies together to create a single large database accessible to each government body. A spokesperson for the Minister told ZDNet Australia part of the feasibility study was to see whether it was appropriate to allow non-government organisations -- such as financial institutions -- to view the database.
"In combating fraud we need to ensure the privacy cure is not worse than the privacy disease," the Federal Privacy Commissioner, Malcolm Crompton, told ZDNet Australia. "Any proposals that come out of this feasibility work must include strong legal and technological protections from the very start. This includes possibly much stronger protections than currently in the Privacy Act and other legislation."
Roger Clarke, ebusiness consultant and board member of the Australian Privacy Federation -- which is formulating a policy position on the matter -- was less reserved, claiming the issue was being blown out of proportion.
"We're in the midst of a huge beat-up by the US and Australian governments," Clarke told ZDNet Australia. "Identity fraud is much as it's always been. It's there; it sometimes costs people money, inconvenience and embarrassment; and it's part of the economic system."
"The vast majority of what the two governments are talking about is once-off abuse of credit-card details to buy something on someone else's account. That's part of the design of Visa and MasterCard," said Clarke. To be fair, both Visa and Mastercard have recently attempted to combat misuse of the credit card system.
Clarke disagreed with Crompton that identity fraud was a 'gross' invasion of privacy, drawing a distinction between Identity Fraud, which encompasses several fraudulent credit card transactions over a short period of time, and Identity Theft, which is a long series of transactions over an extended period compromising a person's ability to continue using their identity. Clarke reserves the epithet for the second event.
However, Clarke said it was a reasonable idea to conduct a study of identity documents, so long as the study recognises the difference between authenticating a document and authenticating someone's identity.
Clarke listed the sorts of things that could be checked about documents:
- check that the document was actually issued by the appropriate organisation (e.g. a citizenship certificate by the Dept of Immigration) -- to address the risk of forged documents used by a fraudster;
- check that the content of the document is the same as that recorded in the relevant organisation's database -- to address the risks of a genuine document being adapted, and of a document being created by a fraudster using a combination of legitimate and modified data;
- check whether the document has been previously used as evidence in support of an application (e.g. has this birth certificate been previously used as a basis for getting a passport?) -- to address the risk of multiple people carrying documents derived from the same 'breeder' documents.
He warned care was needed in the process, citing the example of a criminal obtaining a passport using someone else's birth certificate, and the real person being treated like a criminal when they tried to obtain one themselves.
"This all comes back to the critical point that, contrary to the Minister's assertion, birth certificates are not 'primary identification documents'," said Clarke. "There's absolutely nothing to tie a birth certificate to a person."
Clarke said that a Births Registrar did not have responsibility for an identification document. "Births Registrars simply record the facts of birth advised to them by an informant. They have a responsibility to provide copies of information in the Register to anyone who requests them unless they have grounds for suspicion," he said. "They are not part of Ellison's rampant national security apparatus."
Both Crompton and Clarke said there is not enough published detail about the feasibility study to determine whether it raises any privacy concerns in itself.

The ability to authenticate identity documents should have been made available long ago.
Counterfeit driver's licences, Citizenship documents, Medicare cards, birth certificates, & any other 'official' government documents are readily available.
Go to any casino, any day of the week & you'll get anything you want.
I think if someone was to falsely use Roger Clarke's identity to obtain credit he might change his views. The fall-out for the individual whose identity has been 'stolen' can last for years.
Quite apart from the difficulties for an individual, there is also the hidden cost of fraud carried by the community. Every purchase we make & each credit card transaction includes a cost element to cover the cost of fraud.
The purchase because retailers accept what they believe to be authentic documents (such as driver's licences & Medicare cards to confirm identity), and credit cards because the applicant has used counterfeit documents when they applied for their credit card to support their application.