government access cards: a key to fraud and identity theft reduction?

2008 RMAA Conference

Government Access Cards Paper Summary

GOVERNMENT ACCESS CARDS

A KEY TO FRAUD AND IDENTITY THEFT REDUCTION?

Paper Outline

Purpose:

1. To evaluate the potential for cost savings associated with the introduction of access cards across social services in Australia;

2. To evaluate the potential for cost savings associated with the introduction of access cards across all governmental services in Australia;

3. Potential for reduction (or elimination) of identity fraud and theft against governmental services; and

4. Compare and contrast the proposed Australian system with comparable systems overseas (particularly the United Kingdom and United States of America).

Methodology:

A review of literature on subject from governmental, non-governmental, private, academic, and other sources.

Abstract

During 2006, the Australian Commonwealth government introduced

legislation to establish a social services access card, requiring that possession

of the card to access certain government benefits and concessions. The

claimed benefits ranged from fraud reduction to improved access to benefits

and refunds associated with certain medical expenditure. Despite claims of

substantive savings over a long timeframe, no independent verification of the

savings claims have been produced.

The purpose of this paper is to compare and contrast Australia’s Access Card

system against the United States’ REAL-ID system and the United

Kingdom’s identity card system – and asks the question “Are identity card

systems worthwhile?”

2008 RMAA Conference

Government Access Cards Table of Contents

TABLE OF CONTENTS

Introduction.............................................................................................................1 Australian System Overview ...................................................................................4 United Kingdom System Overview .........................................................................9 United States System Overview.............................................................................11 Interplay Of Identity Theft And Fraud Overview ...................................................15 Interplay Of Identity Theft And Access Card Regimes ..........................................19 Conclusion – Is It Worthwhile? .............................................................................25 Biblographry .........................................................................................................28 Acronym List ........................................................................................................36 Appendix One – Timeline......................................................................................37

2008 RMAA National Conference Adopting and Adapting

Government Access Cards - A Key To Fraud And Identity Theft Reduction? Introduction

Page 1

INTRODUCTION

The underlying definition of identity theft is the appropriation of an

individual’s personal information with the aim of impersonating that

individual in a legal context (Vacca 2003, p. 4). The motivation to

perpetrate identity theft varies by individual case – it ranges from

vindictiveness to financial troubles. Possible sources of identity thieves

come from the most unlikely of sources including family, friends and, work

colleagues to more “traditional” category of total strangers.

A 2005 study by Javelin Research (Johnson 2006, p. 52) identified 11 areas

where information breaches occur that form the basis for identity theft:

Information Breach Source

Breach Percentage

Lost/Stolen wallet 30.0 Corrupt employee 15.0 Paper mail 8.0 Misuse of data 7.0 Other way 7.0 Finance company 6.0 Computer infiltration – General 5.0 Computer infiltration – Phishing 3.0 Garbage (Dumpster Diving) 1.0 Computer infiltration – Online transactions 0.3 Table 1-1 Information source types for identity theft (Johnson 2006: 52)

The growth and spread of technology over recent decades (particularly since

the 1980’s) have the potential to negatively influence the victim’s reputation

more quickly than before (Vacca 2003: 5). The speed of technology change

has facilitated the transformation of access to information by governmental

agencies, corporations and individuals – often at the expense of security and

verification.



Page 2

With personal information becoming increasingly accessible online through

registers and databases (connected directly to the internet or through private

networks) and personal disclosure all stakeholders and the government

require a clear understanding of the new paradigm operating –ensuring

critical information is accurately and securely retained and only accessible to

verifiable, authorised recipients – is paramount.

The costs associated with identity theft are startlingly. A Federal Trade

Commission (FTC) study (Aratia Jnr 2006) highlighted some of the costs

relating to identity theft affecting America from 1999 to 2004:

27.3 million Americans were victims of identity theft in the preceding five years;

The direct cost to American financial institutions was US$33 billion and US$5 billion to consumers;

Average consumer cost was approximately $500; Identity theft was the fastest growing crime; 50% of victims were unaware that personal information was stolen; The fraudster was known to victims in 25% of reported cases; and The fraudster was a direct family relative in 35% of reported cases.

A 2005 study conducted by Javelin Research (Johnson 2006) contended that

identity theft in America was stable, even declining in certain respects. The

study did highlight the following:

8.9 million people (4 percent of the adult population) suffered identity theft in 2006 – a 11.9 percent decline from their2003 survey;

Losses amounted to $6,383 per person – a 21.6 percent increase from 2003; and

Total amount defrauded through identity theft was $56.6 billion – a 6.4 percent increase from 2003.



Page 3

David Shenk outlined 13 laws of Data Smog (1997, p. 11) that can easily

underpin the implementation of the access card regimes:

1. Information, once rare and cherished like caviar, is now plentiful and taken for granted like potatoes;

2. Silicon chips evolve much more quickly than human genes; 3. Computers are neither human or humane; 4. Putting a computer in every classroom is like putting a power

plant in every home; 5. What they sell as information technology but information

anxiety; 6. Too many experts spoil the clarity; 7. All high-stim roads lead to Times Square; 8. Birds of a feather flock virtually together; 9. The electronic Town Hall allows for speedy communication and

bad decision-making; 10. Equifax is watching; 11. Beware stories that dissolve all complexity; 12. On the information superhighway, most roads bypass journalists;

and 13. Cyberspace breeds libertarianism.

For the three governmental card access systems subject of this paper, all of

these laws apply in various guises – some in how information is gathered,

digested and processed for stakeholders; others by effectively excluding

people from society by denying them elements that society has deemed

“essential”.

The purpose of this paper is to examine and contrast three governmental

identity management systems – United States Real-ID framework; United

Kingdom’s National Identity Card; and Australia’s Welfare Access Card1 -

with their stated role in minimising fraud against the public purse and

identity theft. The core question after this analysis is “is it worthwhile?” in

preventing such theft and fraud.

1 For the purposes of this paper, the Australian system refers to the Welfare Access Card proposed by the Howard Liberal/National coalition government on April 26 2006. The coalition was defeated at a general election on November 24 2007.


Government Access Cards – A Key To Fraud And Identity Theft Reduction? Australian Welfare Access Card

Page 4

AUSTRALIAN SYSTEM OVERVIEW2

The Australian system has had a chequered and laboured journey. The

genesis started in 1985 with the Hawke Labor government proposed The

Australia Card system that bears remarkable similarities to the 2006 Welfare

Access Card system proposal of the Howard coalition government.

The Australia Card proposal was abandoned after the 1987 double

dissolution election that saw the Hawke government returned with a reduced

majority, but enough to pass the proposal under a double sitting of

parliament if it chose.

A consequence of the failure of the Australia Card proposal, the introduction

of an alternative system called the Tax File Number (TFN). This system

initially was restricted to taxation-related payments but has since gradually

expanded to include Centrelink payments, interest earned on bank accounts,

investment transactions, and the higher education loans scheme (previously

HECS).

A major issue identified with the TFN system was the underlying

information framework that formed the backbone of its operation. A

parliamentary report found that in 1999 there were 3.2 million more Tax File

Numbers and 185,000 possible duplicate numbers compared with the total

population of Australia at the 1996 census (Numbers on the Run 2000, pp.

vii & 2).

The same report suggested that the modernisation project the Taxation

Office was conducting at the time (operating for 10 years at that point) “has

not delivered improvements commensurate with expectations and investment

in the project” (Numbers on the Run 2000, pp. vii & 7).

2 This section refers to the Welfare Access Card proposed by the Howard coalition government on 26 April 2006. Since the election of the Rudd government on 24 November 2007, this proposal has been scrapped.



Page 5

The committee made 26 recommendations for improvement to the TFN

system, covering areas from data security and integrity to cooperation with

AUSTRAC on certain matters (Numbers on the Run 2000, pp. xv-xx). To

date, the government is yet to respond to the report making an informed

review on any progress against the committee’s recommendations difficult.

The above history provides a backdrop of political developments since the

1980s – in essence the major political parties shifted positions completely

(ALP from support to opposition; Coalition from opposition to support)

whilst utilising the arguments their opponents used during The Australia

Card debate.

On 26 April 2006, the then-Prime Minister announced the launch of the

Health and Social Services Access Card (HASSAC) program with the

following project aims:

1. Reduce the complexity of access to Commonwealth benefits; 2. Facilitate a more convenient, user-friendly and reliable method of

accessing participating Commonwealth services; 3. Reduce fraud on the Commonwealth in relation to the provision of

Commonwealth benefits; 4. Improve access to federal government relief in emergency situations;

and 5. Permit card-holders to use their cards for such lawful purpose as they

so choose.

The card would serve as an identifier for a range of programs offered by:

Centrelink (unemployment, disability, veterans, study allowances); Health and Aging (Health Care Cards for seniors and general

population); Medicare Australia Pharmaceutical Benefits Scheme; CRS Australia Vocational Rehabilitation; and Child Support Agency;

Additional provisions of the enabling bill (section 7) included specifically

excluding the Access Card from being utilised as an identity card and

limiting interference with the privacy of individuals.



Page 6

The framework was to be underpinned by two software platforms:

1. Card Management System (CMS): aimed at tracking individual cards throughout the card life cycle (seven years); and

2. Key Management system (KMS): aimed towards providing security for data collected as part of the framework.

To complement the software platforms, the information architecture

comprised four major registries – customer, photo, biometric and Client

Management (Dept of Human Services Feb 2007, p. 57).

In February 2007, the coalition government formally introduced the Human

Services (Enhanced Service Delivery) Bill 2007 with the purpose of

establishing an “access card” to services offered by Centrelink, Medicare

Australia, CRS Australia, the Child Support Agency Australia and the

Department of Veterans Affairs. A consequence of the bill was the

consolidation of 17 separate concession cards across the above agencies

under a single agency.

Information on the Welfare Access Card covered 18 different categories

including:

The full legal and preferred name of the individual (including military ranks and awards bestowed under the Australian and United Kingdom honours systems);

Date of birth; Indigenous, citizenship and residency status; Contact details; Registration status; Proof of identity; Access card numbers of the individual; Access card currency (including exemptions under sections 15 and

16 plus information gained under sections 45, 54, 60 and 68); Digitised photo and signature; DVA information Information permitted under statute law including the Privacy Act

and the Freedom of Information Act; Benefit cards issued by participating agencies; Emergency payment number (if issued); and Death information (information concerning the death of the card-

holder).



Page 7

Registrations for the card were slated to commence during April 2008. All

persons wishing to access the designated government services were, in

effect, required to have the card within two years of the scheduled

commencement of the Act. The Department of Human Services anticipated

registering and issuing cards 16.1 million adult persons averaging 32,000 per

day at Commonwealth agencies (Department of Human Services 2007(3)),

assuming an average of 12 minutes per interview. Renewals of Access

Cards would be conducted at Australia Post outlets.

Ascendant programs including the Document Verification Service trialled by

Centrelink and the aborted HealthConnect trial conducted by the Department

of Health and Aging may be included as part of the Access Card program,

although no confirmation had been issued by these agencies when the

Access Card framework was scrapped.

A 2007 inquiry conducted by the Senate Standing Committee on Finance

and Public Administration found major flaws regarding establishment of the

Welfare Access Card system, access by government agencies (at all levels)

and privacy to participants. Yet the majority report recommended that the

proposal proceed without amendment.

The system, if enacted, ultimately would not have been limited to the

proposed range of services. The broader Governmental Authentication

Framework (AGAF), coupled with the prospect of function creep inherent

with any major system rollout, other federal governmental agencies not

included in the initial rollout were likely to insist on system access including

(but not limited to):



Page 8

Agency Purpose(s) Australian Taxation Office Taxation and Superannuation Australian Electoral Commission Integrity of electoral roll Department of Science Education and Training

Higher Education Loans Schemes (HECS-HELP & FEE-HELP)

Department of Transport and Regional Services

Airline Identity Cards

APRA Banking and superannuation, money transfer under AUSTRAC protocols

ASIC Company registrations Table 2.1 Incomplete listing of federal government ageincies potentially wanting access to Welfare Access Card if implemented

Coupled with function creep at the federal agency level, state government

agencies were likely to insist on access on issues ranging from licensing

(including transportation and gaming) to land transfers and payroll

deductions. In May 2006, the Queensland Transport Minister (now Deputy

Premier) Paul Lucas attempted to link the state’s driver and 18 plus licensing

administration into the access card regime citing cost pressures (Courier

Mail 2006, p. 7).

November 24 2007 saw the Howard coalition government defeated at a

general election, replaced by the ALP promising to scrap the scheme.

Consequent to the election result, the system as proposed by the former

coalition government was terminated during Christmas 2007.


Government Access Cards - A Key To Fraud And Identity Theft Reduction? United Kingdom Identity Card

Page 9

UNITED KINGDOM SYSTEM OVERVIEW

The enabling statute for the United Kingdom’s card program is the Identity

Card Act 2006. The program commenced during the early years of the

decade as something similar to the current Australian government’s Access

Card proposal (called an “Entitlement Card”). After the September 2001

terror attacks and the July 2005 London bombings, the system was

incrementally expanded to a fully-fledged identity card system.

A Home Office discussion paper on the 2002 proposal was issued with

public consultations closing in January 2003. The foundation for the 2006

Identity Card proposal occurred with the 2003 redesignation of the project as

an identity card by the former Home Office Minister David Blunkett, with

the aim of having 80% of the adult population holding the card by 2017.

According to publicly available documentation, the aims of the 2003

program as outlined by Mr Blunkett included:

1. Boost the fight against illegal working; 2. Tackle immigration abuse; 3. Disrupt the use of fake and multiple identities by terrorist

organisations and crime groups; 4. Ensure the delivery of free public services by those who are entitled

to use them; 5. Assist in the prevention of identity theft.

The 2006 proposal contains two core elements – a National Identity Register

(NIR) comprising information of all United Kingdom residents (both native

born and foreigners) and a card linked to the register. The NIR specifies 49

data categories including:

Fingerprints (all 10 if mandated); Digitised Facial Scan; Digitised Iris Scan; Current and previous places of residence – both in the

Kingdom and overseas; and Passport information (progressively integrated when applying

or renewing this document).


Government Access Cards - A Key To Fraud And Identity Theft Reduction? United Kingdom Identity Card

Page 10

The Act permits the government, through the Secretary of State for Home

Affairs, to establish additional information categories at the complete

discretion of the Secretary.

Initially, the data collected was to be stored on a single registry costing an

estimated £5.4 billion over a ten-year period. A decision in late 2006 by the

Home Office minister revoked this directive and data held under this system

will be held on three separate registries (British Broadcasting Corporation

(5) 2006) currently in operation. In addition, direct costs associated with the

program are now anticipated to rise above £5 billion (British Broadcasting

Corporation (1) 2007).

Media reports during November 2007 speculated that the incoming Gordon

Brown government would abandon the project due to cost and technical

issues – reports that proved unfounded. Further media speculation between

November 2007 and March 2008 (BBC Online 2007 and Castle 2008)

documented the following implementation timeline:

December 2008: Registration commencement of non-UK nationals and those UK citizens working in sensitive roles (e.g. airport and 2012 Olympic employees);

December 2009: Incentives for certain categories of UK citizens (e.g. students and public sector staff) to voluntary register;

June 2010: Deadline for formal parliamentary vote on whether program is compulsory for UK citizens;

December 2010: Commencement of incentive registration program for youth;

Calendar Year 2011: Mass registration commencement in conjunction with passport renewals with options for card only, passport only or both card and passport;

December 2017: Universal (i.e. 80% plus) coverage of resident population.


Government Access Cards - A Key To Fraud And Identity Theft Reduction? USA REAL ID

Page 11

UNITED STATES SYSTEM OVERVIEW

The REAL ID program was established under Division B of the Emergency

Supplemental Appropriations Act for Defence, the Global War on Terror and

Tsunami Relief Act 2005 (Public Law Number 109-3, 199 Statute 231).

Promulgation of the Act occurred on 21 May 2005, with DMV compliance

established for 11 May 2008. Registrations would commence by 2010 with

two deadlines:

1. Persons born after 1 December 1964 were required to have compliant cards by December 2014.

2. Persons born before 1 December 1964 were required to have compliant cards by December 2017.

The stated aims of the act were to deter terrorism and reduce identity theft

by:

o Establishing national standards for state-issued driver’s licences and non-driver’s identity documents;

o Updating and tightening laws on the application of asylum and the deportation of aliens for terrorist activity;

o Introducing rules covering delivery bonds; o Funding some reports and pilot projects related to border security;

and o Changing visa limits for temporary workers, nurses and Australians.

From 1 January 2010, the practical consequences of the statute include:

o Federal agencies may not accept for identification purposes identity cards or drivers licences unless the state is meeting the requirements of the Act;

o The Social Security Administration (42 USC s. 666(28)) requires that States maintain a new hire directory. Bearers of non-compliant documentation will be unable to secure employment.

o Bearers of non-compliant documentation will be unable to establish banking accounts with financial institutions.

The key data requirements for the program include:

o Full legal name; o Digitised signature; o Date of Birth; o Gender; o Driver Licence/Identity Card Number; and o Principal Place of Residence.



Page 12

To register for the card, persons are required to furnish identity documents

including:

1. A photographic identity card or a non-photographic identity document that includes legal name and birth-date of the cardholder;

2. Birth date; 3. Legal status and Social Security Number; and 4. Name and principal place of residence.

Access to the card will be by via common machine-readable technology of

defined data elements. The federal Secretaries of Homeland Security and

Transportation, in conjunction with participating states will oversee the

coordination and the oversight of the classification and regulation of data

elements, in addition to the integration of participating state’s registry into

the national scheme to provide a comprehensive record of individual driver’s

histories.

Provisions in the initial draft allowed participation by Canadian and Mexican

provincial authorities in the program, but were removed from the final

statute due to legal concerns. The broader issue of the involvement of

foreign sovereign governments and supranational entities – like the

European Union – is currently still unresolved.

A 2006 study conducted by the NGA, NCSL and the AAMVA highlighted

the cost blowouts of implementing such a substantive program. The study

stated that the costs of implementing REAL-ID would be in excess of US$11

billion over the initial five years of operations – with the majority of the

costs (US$10 billion) on recurrent expenditure items including support

mechanisms, re-enrolment of 245 million card-holders, design requirements

and document verification processes. This figure excludes additional

expenditures by state agencies and private citizens in compiling with State

DMV requirements (Swartz 2007 (1), p. 12).



Page 13

A separate study conducted on the District of Columbia’s OPLD highlighted

that the District’s business records were kept in “such disarray” that the

Inspector General could not review them for integrity or accuracy. The

disarray was so great that no indexing arrangements were available and the

digitisation project was significantly behind schedule. The consequence was

that was that the system was identified as a security breach as all employees

of the DCRA had access to the files, regardless of their access rights (Swartz

2007 (2), p. 12).

March 2007 saw two major developments – the Department of Homeland

Security (DHS) releasing its draft regulations under the REAL-ID Act for

comment (with the receipt of some 12,000 submissions) and the first major

delay to the program when the initial compliance delayed until December

2009.

In addition, Congress during May 2007 undertook debate on immigration

bills that significantly expand the utilisation of REAL-ID including the

creation of a National Employment Eligibility Verification Scheme. There

were differences between the House and Senate versions of the initial bill –

the Senate version excludes non-REAL-ID identification from 2013. The

major commonality of these programs is the authority of the DHS Secretary

to mandate the use of a national identity card as the sole acceptable

document to verify employment eligibility.

January 2008 saw the release of the departmental final rule and Privacy

Impact Assessment (PIA) on how REAL ID implementation, along with the

ability for states to apply for a second extension to March 2011 for

compliance (subject to these states receiving an extension to December

2009). States that have sought both extensions and are not ready to

participate by May 2011 will be deemed “not in full compliance” – the

consequence will be residents will not be able to enter federal buildings,

board aircraft and other activity covered by the act.



Page 14

During 2007, 44 states considered 145 legislative instruments on the REAL-

ID program, of which 25 states endorsed some form of instrument – 21 of

those passing some measure outlawing participation or urging repeal

(Sudeen & Meadows 2008, p. 26). As of May 2008, 17 states currently are

refusing to implement of REAL-ID (either through statute or parliamentary

resolution), casting doubt on the overall success of the program.

As at May 2008, a blanket extension was granted to all 50 states and the

District of Columbia in an attempt to placate opposition coupled with an

attempt to resolve underlying issues surrounding the program.


Government Access Cards - A Key To Fraud And Identity Theft Reduction? Identity Theft and Fraud Interplay

Page 15

INTERPLAY OF IDENTITY THEFT AND FRAUD OVERVIEW

Broadly defined, identity theft is the process of one person fraudulently

utilising another person’s identifiers to obtain financial or other benefit in the

other person’s name (Arata Jnr 2004, p. 5). The Identity Theft Resource

Centre has categorised identity theft into four principal themes:

1. Financial: The use of a person’s identifiers to improperly obtain goods or services;

2. Criminal: Posing as another person when apprehended for an alleged crime;

3. Cloning: Using another person’s identity for daily living; and 4. Business/Commercial: The use of corporate identifiers to defraud a

specific organisation.

In addition, New South Wales’ ICAC (2006, p. 15) further defined identity

fraud as being:

Dishonest misrepresentation of any major aspect of identity whether backed by documentation or not;

Fraudulent use of business or corporate identities; Misuse or theft of an individual’s username or password to assume

the individual’s identity on a computer system to procure information or benefits;

Public officials misusing position to: o Steal, alter or otherwise misuse electronic or paper records

pertaining to a third person held by the agency; o Fraudulently create identity documents; or o Create or assume false identities.

Acknowledgement of identity theft as the quickest growing crime in the

United States (Abagnale Jnr 2002; Arata Jnr 2004) and Australia (ICAC

2006) has occurred in the popular press and some governmental agencies

with a range of publications available on the subject. An estimate of the

worldwide cost of identity crime is at US$2 trillion (Department of Human

Services 2007(2)).



Page 16

Governmental agencies and private organisations actions have generally

been at best imprecise and at worst reckless in securing and storing critical

personal data, often resulting in media sensations when particular instances

of data loss occur. Since 2005, there has been a literally thousands of data

breaches across Australia, the United States and the United Kingdom

(amongst others) involving many millions of records containing personal

information. Some have been inadvertent (loss of laptops or external data

drives) to theft by insiders and external intrusions obtaining personal

information.

The impact of these breaches involve many untold millions of records

profiling thousands of persons across Australia, the United States and the

United Kingdom, allowing those with the contacts and opportunity to obtain

data via nefarious means to do so without significant difficulty.

In the United States, the Transport Security Administration (TSA) reported

during May 2007 about a loss of a computer hard drive containing personal

identifiers on 100,000 persons. Other governmental agencies – including the

Social Security Administration, Veterans Affairs and Defence Departments –

have suffered similar or greater losses over recent years. Private sector

organisations and educational institutions are just as careless – Choicepoint

had 160,000 plus records improperly accessed during 2004 and several

universities and schools have suffered data breaches since 2004.

The most high profile example of data loss was in October 2007 by the UK

Revenue and Customs. Two archive compact discs containing identifiers of

25 million persons (comprising 7.25 million family units) – about half of the

United Kingdom’s total population and families respectively was misplaced

as a consequence of this incident. The minister concerned, Alastair Darling,

attempted to assure the broader population of the supposed integrity of the

system without much success. Revelations during January 2008 documented

that the relevant security manual was restricted only to senior staffers with

junior staff only receiving a summary of the manual.



Page 17

The month prior to this incident – and in response to findings that 171,488

cases of identity theft costing £1.7 billion during 2006 – the United Kingdom

all party parliamentary group on identity fraud called for the establishment

of an ID Theft Tsar to coordinate corporate, governmental and police efforts

on identity theft (BBC 2007).

An Australian parliamentary inquiry (conducted during 1999 and 2000)

noted in the report Numbers on the Run that, as at 2000, an estimated 3.2

million additional Tax File Numbers (in addition to a total population of

16.1 million based on the 1996 census) with little effort by the Australian

Taxation Office to correct the imbalance.

The lackadaisical approach to data security occurs even on a personal level.

Identity thieves utilise a practice known as “dumpster diving” to obtain bills,

ATM receipts or other information that people throw away intact. With even

the most elementary information, it is possible for identity thieves to “ghost”

someone and milk unsuspecting victims for years.

Individuals need to be more proactive when dealing with their personal

information. Governmental agencies and corporations – even when utilising

the best information protection strategies – are liable to data corruption,

mismanagement, manipulation or other forms of information loss. Such pro-

activity requires vigilance



Page 18

Various publications promoting individual awareness and strategies to

combat identity theft are in the public domain. A 20-step plan developed by

Frank Abagnale Jr (2007, pp. 106-132) 3 provides a comprehensive guide for

individuals being proactive in protecting themselves from identity theft. A

7-step plan advocated by John Vacca (2003, pp. 19-21) covers broadly the

same ground:

1. Check credit reports regularly; 2. Do not issue social security number needlessly; 3. Protect computer; 4. Keep track of billing cycles; 5. Examine financial statements like an obsessed accountant; 6. Guard mail from theft; 7. Invest in a shredder; 8. Practice safe shopping; 9. Avoid sketchy Automatic Tellers; 10. Be suspicious of unexpected calls or letters; 11. Put real passwords on accounts; 12. Keep credit card close when shopping or eating out; 13. Use Safe Checks and use them sparingly; 14. Secure Home and Office fronts; 15. Carry only what you need; 16. Spring clean credit cards; 17. Opt Out; 18. Read privacy policies; 19. Protect a deceased relative; and 20. Place fraud alerts on credit reports.

3 This guide is designed primarily for a United States audience, but all points apply regardless of location.


Government Access Cards - A Key To Fraud And Identity Theft Reduction? Interplay of Identity Theft & Access Card Regimes

Page 19

INTERPLAY OF IDENTITY THEFT AND ACCESS CARD

REGIMES

A common aim of the three highlighted programs is the reduction of identity

theft generally and against government payments and services specifically.

While laudable, the challenges confronting the three national governments

are immense in achieving the stated aim. The major challenge relates to

three major integrity concerns:

Content: Ensuring that information held on individuals is accurate, timely and associated with the correct person;

Infrastructure: Ensuring that access points are secure; effective data security measures are in place; ensuring access controls are secure and relevant; and

Personnel: Ensuring effective background checks are relevant; maintaining timely review and rotation frameworks.

From a definitional perspective, the Australian Privacy Commissioner’s

Office classifies the occurrence of an information security breach (2008)

when “personal information held by an organisation (including governmental

agencies) is lost, misused, mistakenly disclosed or stolen”. Typical

examples of such breaches include:

1. The loss of laptops, removable storage devices or files (whether physical or electronic) containing personal identifier information;

2. The organisation mistakenly providing personal information to a person not entitled to said information;

3. A third party deceiving an organisation into improperly releasing personal information of others;

4. Databases containing personal information being illegally accessed by persons external to the organisation; and

5. Staff accessing personal information outside the scope of their employment.

The effectiveness of any identity card framework is dependent upon many

factors and issues ranging from information security (hardware and content);

personnel access and control infrastructure; information retention and

disposal to facilities and function management. Events over the past decade

in all three countries have highlighted the potential for major information

breaches by internal and external sources.



Page 20

Recent years have seen repeated incidences of public and private sector

organisations mislaying or misdirecting devices storing personal identifiers,

physical infrastructure not being as secure as required, staff corruption and

external interference amongst other catalysts.

An example of these threats was highlighted by a 2007 United States

Congress subcommittee investigation into the cyber-security efforts of the

Department of Homeland Security. During fiscal years 2005 and 2006, 844

cyber-security incidents were documented against the department (The

Australian IT Online 2007). The object of these incidents ranged from

unauthorised computer access, firewall mis-configurations, virus and Trojan

infestations, plus classified data “spillages”. Concerns were raised that a

digital Pearl Harbour attack could occur if serious efforts were not

undertaken to promote effective cyber-security within government agencies

and private organisations.

From an Australian perspective, the House of Representatives Standing

Committee on Economics, Finance and Public Administration during 1999

conducted a review on the administration of the Tax File Number (TFN)

system culminating in a report titled Numbers on the Run. As of this

writing, the previous coalition or the current ALP government has yet to

respond to the report, despite several members of the committee rising to

relatively senior parliamentary or executive roles.

The report is damning of the administration of the TFN system at the time.

Of a total population of 16.1 million4, there were 20.3 million TFN in

1999/2000 financial year and approximately 195,000 possible duplicate TFN

in circulation.

4 As at 1996 Census Night



Page 21

Despite a decade of modernisation by the Tax Office prior to and during the

committee inquiry process, there was major work still pending in

overhauling the framework that underpinned the TFN’s administration. The

lack of a response by the previous coalition government indicates that

despite the rhetoric of clampdown, there was little political will to undertake

serious remedial work to rectify identified program deficiencies.

Notwithstanding claims by proponents about possible legislated limitations

of any program, function creep is a near certainty. Even to register (and

verify the identifying documentation) the adult population would require

systems and policy integration of multiple state and federal agencies to

ensure effective document verification. The ACCI (2005: 2) has highlighted

this potential particularly in relation to increased costs for business in

complying with any program expansion. As highlighted by the Australian

TFN system, function creep beyond the initial scope of the enabling statute

will occur, as agencies demand access to the system for verification of

individual’s claims for specific services.

The ability of Australian federal governmental agencies to deal with the

underlying issues of recordkeeping is also an issue to the success of any

program. One driver for the adoption of some form of national standard is

the interdependence of state and commonwealth agencies during the Proof of

Identity (POI) process (ICAC 2006: 18). The potential for a fraudulent

document being accepted by an agency resulting in the issuance of a genuine

POI document resulting in a ghost identity is real.

A 2003 ANAO audit of selected Australian federal agencies5 found, despite

the agencies generally meeting various national standards, that there was

“significant risk of non-capture and unauthorised disposal of records”

(ANAO 2004) due to:

5 Agencies audited were Centrelink; Department of Agriculture Fisheries and Forestry; Department of Families and Community Services; Department of Health and Aging.



Page 22

Lack of attention on risks associated with recordkeeping, particularly relating to outsourced functions;

Formal records systems not being fully utilised; Limited controls over electronic records, particularly relating to

network drives and personal workspaces; and Formal long-term sentencing programs for records disposal were not

in place.

In addition, the audit identified instances of non-compliance with Disposal

Authorities including (ANAO 2004):

Contracts with outsourced providers failed to include all elements recommended by National Archive Australia (NAA) with minimal monitoring and review conducted to ensure compliance;

Physical records not in compliance with NAA standards; and Business Continuity Plans did not identify critical records.

An example of how the current Proof of Identity (POI) framework operates

was illustrated by a recent survey conducted by ICAC. As part of the

survey, ICAC utilised four categories under the Proof of Identity Framework

(POIF) adopted by the Standing Committee of Attorneys-General (ICAC

2006, p.41):

Category One: Evidence of right to be in Australia; Category Two: Linkage between identity and person; Category Three: Evidence of identity operating in community; and Category Four: Evidence of residential address.

Of one hundred public sector agencies6 invited to participate, 82 did so.

Table 6.1 illustrates what identity documents tendered by the public to the

responding agencies:

6 Excluding local government authorities and public schools



Page 23

Identity document Number of agencies (82 maximum)

Agency Percentage (100%=82)

Document verifying employment

56 68.29

Rates notice 0 0.00 Public utility notice 3 3.65 Education cards 11 13.41 Membership of trade or professional association

11 13.41

Birth Certificate 1 1.21 Public employee ID Card 56 68.29 State benefit card 1 1.21 Student ID card 8 9.75 Child: letter from school 1 1.21 Table 6-1 Results from ICAC survey on types of identity documents produced to NSW public service agencies7

In the United States, current iterations of state-issued documents (e.g. birth

certificates, driver licences) incorporate minimal, if any, security features

and the supporting information infrastructure is incomplete and aging

(Abagnale Jnr 2004). Recent efforts have started to correct these flaws –

time is needed to completely correct these deficiencies.

The biggest data breach of recent times was the inadvertent loss of two CD-

ROMs containing critical data elements of 25 million United Kingdom

residents receiving child benefits by Internal Revenue.

The resulting furore resulted in highlighting the sheer quantity of

information currently collected and collated from citizens by governments

for service delivery. Without the central index identifier of an identity card

regime, the ability to link disparate data elements is somewhat impaired.

The interplay of reducing identity theft with an overarching access card

regime would be illusionary. The examples highlighted in recent pages

reveal the challenges of maintaining information and system integrity across

current frameworks.

7 See note 3



Page 24

The costs associated with establishing any regime, coupled with ongoing

compliance and regulatory issues, would serve to outweigh any claimed

savings against the public purse. The ACCI has pointed out in 2005 that the

costs associated with the Australian system could rise to $5 billion – just

during the establishment phase.

Coupled with the infrastructure issues during the establishment and

operational phases, having one centralised repository has the potential to

encourage a “honey-pot tree” scenario, where staff (or external participants)

could be induced – by whatever means – to create false records, to delete (or

alter) genuine records or to access records in an unauthorised manner.

Identity theft, in part, feeds off a lack of systems integrity – the deployment

of an identity card regime will be of minimal consequence in negating, and

quite possibly aggravate, systemic integrity flaws.


Government Access Cards - A Key To Fraud And Identity Theft Reduction? Conclusion – Is it Worthwhile?

Page 25

CONCLUSION – IS IT WORTHWHILE?

The purpose of this paper has been twofold in providing:

1. An overview of identity card systems in the United States, Australia and the United Kingdom; and

2. An introduction on the interplay of identity theft with fraud generally and the specific programs.

David Shenk’s 1997 book Data Smog outlined 13 Laws of Data Smog as they

applied to technology developments, particularly of an online nature. The

following list has been adapted from that list as it applies to the identity

programs:

1. Personal information, once rare and cherished like diamonds, is now plentiful and taken for granted like sand;

2. Silicon chips evolve and adapt much more quickly than public service guidelines;

3. Computers are neither human or humane; 4. Putting a ID card in every wallet is like putting a tracking device on

every person; 5. What politicians sell as information security but information anxiety; 6. Too many experts spoil the clarity; 7. All high-stim roads lead to a public servant’s office; 8. Birds of a feather flock virtually together; 9. The electronic Town Hall allows for speedy communication and a wealth

of falsehoods; 10. The Prime Minister’s (or President’s) office is watching; 11. Beware stories that dissolve all complexity; 12. On the identity information superhighway, most roads pass through

public servants’ offices; 13. Cyberspace breeds scared politicians and nervous bureaucrats.

(Adapted from Shenk 1997, p.11).

The development of online technologies over the past decade has facilitated

enhanced opportunities for thieves and fraudsters – whether operating alone

or in groups – to appropriate innocent people’s identities with comparative

anonymity and uses them for criminal benefit quicker than in previous times.

Perversely, the consequences are also harder to detect and more challenging

to correct – even with the person being highly proactive on identity

management issues.



Page 26

Linking an individual citizen’s identity through a single identifier can

facilitate what can be termed a “honey-pot tree” scenario where previously

separate identifiers (TFN/SSN, Medicare number, drivers licence

information, Social Security number) are linked to the “master” number,

allowing much quicker access to a citizen’s identity and the misuse of

personal information and making recovery from identity theft more difficult.

From a strictly technical and technological perspective, the programs

outlined in the preceding pages – if properly resourced – may be feasible.

The challenges come from the following perspectives:

Policy and regulatory (oversight, accountability, ensuring only authorised access to information);

Accuracy (creation of false entries, deletion or unauthorised changes of “correct” entries);

Personnel (ensuring those with access do not abuse system or not open to blackmail);

Privacy (allowing persons to access only authorised information); Cost (all three programs have had major upward cost revisions as the

proposed scale of implementation becomes apparent).

Another aspect that supporters overlook or ignore is that, in effect, the

programs would serve as a backbone to identity management of citizens.

Examples of this include:

Access to US federal buildings would only be available to those carrying a REAL-ID compliant documentation;

Persons wishing to access Australian social services would, in effect, require the HASSAC as part of the identification process;

No replacement for the 17 concession cards that form a key element of Australia’s 100-point identity check framework;

Persons wishing to renew their UK passport or wishing to work in a “sensitive role” would be required to obtain a UK Identity Card.



Page 27

From a broader societal perspective, the core question of this paper – is it

worthwhile – is paradoxically complex and simple. Simple in the context of

allowing Big Brother to peep into every aspect of the lives of the citizenry.

Complex in the context by hinting at the benefits the alluring technological

solutions that the programs permit.

On balance, the proposed systems outlined in this paper do not meet the

stated program objectives on technological and outcome perspectives,

particularly for the following:

1. The programs reverse the onus of the core relationship between the democratic society (particularly its public institutions) and its citizens from one where the public institutions are accountable to the citizenry to one where the citizenry is held hostage by the public institutions;

2. The technological framework underpinning the program establishment and implementation are flawed, relying on information that can be manipulated or fraudulently obtained;

3. Overstating the promise of the solutions (reduced identity theft, fraud against government payments) against the cost of implementing and maintaining such programs;

4. Providing a “honey tree pot” for identity thieves to access details of innocent people or to generate false identities through one identifier.


Government Access Cards - A Key To Fraud And Identity Theft Reduction? Bibliography

Page 28

BIBLOGRAPHRY

Articles Anonymous (1) 2001. “Congress plants a time bomb in motor-vehicle offices”. Privacy Journal. vol. 27 no. 4 p. 3 February. Anonymous (2). “ID Card could cost Australia $15b: ACCI”. Sydney Morning Herald Online. 21-Dec-2005. Accessed March 5 2007. Apuzzo, Matt 2007. “TSA loses hard drive with personal information”. Huffington Post. Published 7-May-2007. Accessed 7-May-2007. URL: http://www.huffingtonpost.com/huffnews/20070507/tsa_missing_data.html Australian IT Online 2007. “US Homeland Security admits hacks”. Published 21/Jun/2007. Accessed 23/Jun/2007. URL: http://australianit.news.com.au/story/0,24897,21942911-5013040,00.html BBC Online 2008 (1). “Revised ID plans unveiled”. Published 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/7280495.stm BBC Online 2008 (2). “ID Cards ‘may not be compulsory’”. Published 08-Jan-2008. Accessed 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/7176901.stm BBC Online 2008 (3). “Brown ‘still supports ID Cards’”. Published 09-Jan-2008. Accessed 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/7179238.stm BBC Online 2008 (4). “Britons’ ID Cards ‘to be delayed’”. Published 23-Jan-2008. Accessed 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/7203740.stm BBC Online (8) 2008. “Is Brown cooling on ID Cards?” Published 23-Jan-2008. Accessed 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/7204229.stm BBC Online 2007 (5). “Cameron calls for ID cards halt”. Published 22-Nov-2007. Accessed 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/7105999.stm BBC Online 2007 (6). “ID Cards ‘not being scrapped’”. Published 04-Nov-2007. Accessed 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/7077550.stm BBC Online 2007 (7). “ID cards to be great UK instutition”. Published 19-Jun-2007. Accessed 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/6767083.stm



Page 29

British Broadcasting Corporation (1), 2007. “ID Card cost rises above £5Bn”. Accessed 11-May-2007. URL: http://newsvote.bbc.co.uk/2/hi/uk_news/politics/6642339.stm British Broadcasting Corporation (2), 2007. “ID fingerprints plan under fire”. Accessed 11-May-2007. URL: http://newsvote.bbc.co.uk/2/hi/uk_news/politics/6378999.stm British Broadcasting Corporation (3), 2006. “Blair goes on ID card offensive”. Accessed 11-May-2007. URL: http://newsvote.bbc.co.uk/2/hi/uk_news/politics/6120220.stm British Broadcasting Corporation (4), 2006. “ID cards to ‘safeguard liberties’”. Accessed 11-May-2007. URL: http://newsvote.bbc.co.uk/2/hi/uk_news/politics/6147806.stm British Broadcasting Corporation (5), 2006. “What will the ID card store?” Accessed 11-May-2007. URL: http://newsvote.bbc.co.uk/2/hi/uk_news/politics/4630045.stm British Broadcasting Corporation 2006. “MPs call for identity fraud tsar”. Published 06-Oct-2007. Accessed 03-Feb-2008. URL: http://news.bbc.co.uk/1/hi/business/7031137.stm British Broadcasting Corporation (6), 2005. “Talking Point – Do you support ID Cards?” Accessed 11-May-2007. URL: http://newsvote.bbc.co.uk/2/hi/talking_point/4625971.stm British Broadcasting Corporation (7), 2004. “ID cards in other countries”. Accessed 11-May-2007. URL: http://newsvote.bbc.co.uk/2/hi/uk_news/politics/3527612.stm Birch, David; Elliott, John and McEvoy, Neil 2005. “This is information retrieval: The UK can lead the way with a twenty-first century ID card”. European Business Review. vol. 17 no. 4. pp. 372-378. Castle, Tim 2008. “Britain to begin ID Card roll-out”. The Age Online. Published 08-Mar-2008. Accessed 08-Mar-2008. URL: http://www.theage.com.au/news/world/britain-to-begin-id-card-rollout/2008/03/07/1204780065785.html Clarke, Richard A 2006. “Real ID’s, Real Dangers”. New York Times Magazine. March 6. Clonnell, Andrew 2007. “$64 million Tcard fiasco over”. The Sydney Morning Herald Online. Posted 9 November 2007. URL: http://www.timesonline.co.uk/tol/news/uk/crime/article2983759.ece Published 09/Nov/2007, Accessed 10 November 2007.



Page 30

Derbyshire, John 2001. “Your papers please”. National Review. vol. 53 no 21. pp. 29-30. November 5. Fears, Darryl 2006. “ID Program will cost States $11 billion”. Washington Post. September 22. p. A04. Greenleaf, Graham 1987. “The Australia Card: Towards a national surveillance system”. Accessed 25-Jul-2005. URL: http://www2.austlii.edu.au/itlaw/articles/GGozcard.html Harris, Shane. “Identity Crisis”. Government Executive. vol. 37 no. 8. May 15. pp. 74-80. Hsu, Spencer S 2006. “Transit Worker ID Program Stalled”. Washington Post. September 17 p A03. Huleatt, Richard S 2002. “National Security ID Card and Database needed”. Information Intelligence Online Newsletter. Vol. 23 no. 1 pp. 1-4. January Jameson, Angela 2006. “ID fraudsters plunge tax system into chaos”. The Times Online (UK). Published 18/Jan/2006. Accessed 03/Feb/2008. URL: http://www.timesonline.co.uk/article/0,,2-1991229,00.html Johnson, Marv 2005. “Uniform Drivers Licence to be Federal ID”. Privacy Journal vol. 31 no. 3 January pp. 1-3. Johnson, Tripp 2006. “The state of ID Fraud”. Credit Union Management. July. pp 52-53. Kelderman, Eric “Too little time, too much cost for Real-ID”. Stateline.org 21-Sep-2006. Accessed 20-Mar-2007. Lewis, Paul 2007. “Thousands at risk after data loss”. British Broadcasting Corporation. Published 03-Nov-2007. Accessed 03-Feb-2008. URL: http://news.bbc.co.uk/2/hi/programmes/moneybox/7076106.stm Lloyd, Graham 2006. “Driver’s Licence links ID powers”. The Courier Mail (Brisbane). May 1 2006. Accessed 12/May/2007. Mandelblit, Bruce 2004. “Fake IDs, Genuine Risks”. Security. vol. 41 no 3. March p. 47. Matthews, William 2002. “Identity Crisis”. Federal Computer Week. vol. 16 no 17. pp.16-20. 27-May-2002 Ohr, Stephan “Cards conjure up fears of 1984”. Electronic Engineering Times Iss 1277 9 July 2003. pp. 18-21.



Page 31

Orr, Bill 2004. “Who are you – really?” ABA Banking Journal. vol 96. no 2. February p 86. Privacy Rights Clearing House, 2007. “A Chronology of Data Breaches” Accessed 26-Mar-2007. URL: http://www.privacyrights.org/ar/ChronDataBreaches.htm Privacy Rights Clearing House, 2000. “Identity Theft Victim Stories: Written Testimony of Michelle Brown”. Accessed 26-Mar-2007 URL: http://www.privacyrights.org/cases/victim8.htm Pulley, John 2006. “A real hard act to follow”. Federal Computer Week. vol. 20 no. 21 June 26. pp. 20-22. Radick, J 2001. “What’s required on a Driver’s Licence?” Privacy Journal. vol. 27 no 9. July pp. 3-4. Rodger, Will 2001. “This time, a national ID card?” Privacy Journal. vol. 27 no 12. October. pp. 6-7. Rotenberg, Marc 2006. “Real ID, Real Trouble?” Communications of the ACM. vol. 49 no 3. March p. 128. Swartz, N 2007 (1). “Real ID to cost $11 billion plus”. Information Management Journal. vol. 41 no 1. January/February p. 12. Swartz, N 2007 (2). “D.C. Business Records a mess”. Information Management Journal. vol. 41 no 1. January/February p. 12. Ungoed-Thomas, J 2007. “More financial discs lost”. The Times (UK) Online. URL: http://www.timesonline.co.uk/tol/news/uk/crime/article2983759.ece Published 03/Dec/2007, Accessed 04/Dec/2007.



Page 32

Books Abagnale, FW 2001. The Art of the Steal. Transworld Publishing, Milsons Point Australia. Abagnale, FW 2007. Stealing your life: The ultimate identity theft prevention plan. Random House USA. Arata Jnr, MJ 2004. Preventing Identity Theft for Dummies. Wiley Publishing New Jersey USA. Hamadi, R Identity Theft: What it is, How to prevent it and What to do if it happens to you. Vision USA. Hasting, G & Marcus, R 2006. Identity Theft Inc: A Wild Ride with the world’s number one identity thief. Disinformation Company USA. Shenk, D 1997. Data Smog: Surviving the Information Glut. HarperCollins Publishing New York USA. Sullivan, B 2004. Your Evil Twin: Behind the identity theft epidemic. Wiley USA. Vacca, JR 2003. Identity Theft. Prentice Hall PTR USA. Media Releases – Governmental Blunkett, D 2003. “National ID Card to be introduced” Issued 11/Nov/2003. Accessed 14/Jan/2008 URL: http://press.homeoffice.gov.uk/press-releases/David_Blunkett__National_Id_Card?version=1



Page 33

Papers and Submissions Department of Human Services Feb 2007 (1). Australian Government submission to the Senate Inquiry on the Human Services (Enhanced Service Delivery) Bill 2007. Canberra ACT Australia. Department of Human Services Feb 2007 (2). Supplementary submission to the Senate Inquiry on the Human Services (Enhanced Service Delivery) Bill 2007. Canberra ACT Australia. Department of Human Services 2006 (3). Access Card program Industry Briefing. Canberra ACT Australia. Presented 13/Dec/2006. Department of Human Services 2006 (4). Access Card program Consumer and Privacy Briefing. Canberra ACT Australia. Presented 13/Dec/2006. Dhamija, Racha; Tyger, J.D. and Hearst, Marti 2006. Why Phishing Works. Presented at 2006 CHI Conference April 22-27. Independent Commission against Corruption 2006. Protecting Identity Information and Documents: Guidelines for public service managers. Sydney New South Wales Australia. London School of Economics and Political Science 2005. The Identity Project: An Assessment of the UK Identity Cards Bill and its implications. Version 1.09 June 27. United Kingdom Home Office 2002. Entitlement Cards and Identity Fraud: A Consultation Paper. URL: http://www.homeoffice.gov.uk/documents/entitlement-cards?version=1 Published July 2002. Accessed 14/Jan/2008. Reports Australian Chamber of Commerce and Industry 2005. ACCI Review. Number 130 December. Government Accountability Office 2006. Electronic Government: Agencies face challenges in implementing federal employee identification standard. Washington DC USA. House of Representatives Standing Committee on Economics, Finance and Public Administration, 2000. Numbers on the Run: Review of the ANAO Report No. 37 1998-99 on the management of Tax File Numbers. Parliament House Canberra Australia. Office of Privacy Commissioner 2008. Draft Voluntary Information Security Breach Notification Guide Consultation Paper. April.



Page 34

Internet Sites Advocacy Groups Australian Privacy Foundation http://www.privacy.org.au/ Electronic Privacy Information Centre (USA) http://www.epic.org/ Identity Theft Resource Centre http://www.idtheftcenter.org/ Privacy (resource centre) http://www.privacy.org/ Privacy International http://www.privacyinternational.org/ Transparency International http://www.transparency.org/ Governmental – Australia. Department of Human Services URL: http://www.humanservices.gov.au/ Office of Access Card URL: http://www.accesscard.gov.au/ Governmental – United States. Department of Homeland Security URL: http://www.dhs.gov/index.shtm Department of Transportation URL: http://www.dot.gov/



Page 35

Parliamentary – Australia. House of Representatives Standing Committee on Economics, Finance and Public Administration Inquiry into the Tax File Number System URL: http://www.aph.gov.au/house/committee/efpa/tfnaudit/report.htm Senate Finance and Public Administration Committee Inquiry into Human Services (Enhanced Delivery) Bill 2007. URL: http://www.aph.gov.au/Senate/committee/fapa_ctte/access_card/index.htm Wikipedia (all accessed 29 April 2007 unless indicated). British Identity Card. URL: http://en.wikipedia.org/wiki/Identity_Card_Act Health and social services access card (Australia). URL: http://en.wikipedia.org/wiki/Health_and_social_services_access_card_%28Australia%29 Identity Theft URL: http://en.wikipedia.org/wiki/Identity_theft Real ID Act. URL: http://en.wikipedia.org/wiki/Real_id_act



Page 36

ACRONYM LIST

Note: The nationality of individual entities, if needed, is in parenthesises

Acronym Full Title AAMVA American Association of Motor Vehicle Administrators ANAO Australian National Audit Office DCRA Department of Consumer and Regulatory Affairs

(District of Columbia USA) DHS (Australian) Department of Human Services

(United States) Department of Homeland Security DMV Department of Motor Vehicles IG Inspector General NAA National Archives Australia NCSL (United States) National Conference of State Legislators NGA (United States) National Governors Association OAC (Australian) Office of the Access Card OPLD Occupational and Professional Licensing Department

(District of Columbia USA) SSA (United States) Social Security Administration TSA (United States) Transport Security Administration

2008 RMAA National Conference Adapting and Adoping

Government Access Cards - A Key To Fraud And Identity Theft Reduction? Appendix One - Timeline

Page 37

APPENDIX ONE - TIMELINE

The purpose of this appendix is to provide a timeline on the program

development of the systems outlined part of this paper. The timeline is not

intended as a comprehensive listing of all items associated with the

individual programs (including any ascendant programs) but as a overview

of major events of milestones.

The timeline is divided into two distinct groups – events to June 2008 and

those occurring from July 2008. Events that form part of the initial program

rollout are highlighted in bold typeface.



Page 38

Date Australian Access Card UK Identity Card USA Real ID

`3 July 2002 Consultation Paper release “Entitlement Cards and Identity Theft” by Home Office

24 June 2004 Program Launch – Medicare Smartcard

November 2004 – February 2005 Program announcement in Queens Speech

Bill Introduced into House of Commons (bill placed in abeyance due to 2005 general election)

Presidential/Congressional Election – George W Bush returned as President, Republicans retain control of Congress.

05 May 2005 General Election – UK Labour

returned to government

11 May 2005 Real ID statute formally enacted 25 May 2005 Identity Cards Bill introduced February 2006 Delivery of KPMG Business Case 30 March 2006 Identity Cards Act 2006

proclaimed.

26 April 2006 Program Launch May 2006 Launch – Consumer and Privacy

Taskforce (CPTF) chaired by Prof Alan Fels

June 2006 CPTF Taskforce releases Issues Paper

Nov 2006 CPTF Taskforce report delivered to government

13 December 2006 Draft bill released for comment



Date Australian Access Card UK Identity Card 28 February 2007 Bill passes House of

Representatives

2 March 2007

15 March 2007 Senate Committee report presented

4 & 5 June 2007 Minister and Dept of Human Services indicate bill will be delayed until after federal election

24 November 2007 Federal Election – change of government

December 2007 Welfare Access Card program abandoned

11 January 2008

April 2008 Registrations Commence

11 May 2008



Future Events

Date Australian Access Card UK Identity Card December 2008 Registration of non-UK citizens

and UK citizens involved in sensitive roles

December 2009 Incentive program for specific categories to register commencement

January 2010 Program commencement

June 2010 Formal parliamentary vote on compulsory nature of program

December 2010 Incentive program for youth to register commencement

January 2011 Mass registration program commencement in conjunction with passport renewals

11 May 2011 December 2014

December 2017 80% population registered

government access cards: a key to fraud and identity theft reduction?

Technology

introduction of access

identity theft reduction

interplay of identity

access card regimes

social services access

elimination of identity

united states system

united kingdom system