government access cards: a key to fraud and identity theft reduction?
TRANSCRIPT
2008 RMAA Conference
Government Access Cards Paper Summary
GOVERNMENT ACCESS CARDS
A KEY TO FRAUD AND IDENTITY THEFT REDUCTION?
Paper Outline
Purpose:
1. To evaluate the potential for cost savings associated with the introduction of access cards across social services in Australia;
2. To evaluate the potential for cost savings associated with the introduction of access cards across all governmental services in Australia;
3. Potential for reduction (or elimination) of identity fraud and theft against governmental services; and
4. Compare and contrast the proposed Australian system with comparable systems overseas (particularly the United Kingdom and United States of America).
Methodology:
A review of literature on subject from governmental, non-governmental, private, academic, and other sources.
Abstract
During 2006, the Australian Commonwealth government introduced
legislation to establish a social services access card, requiring that possession
of the card to access certain government benefits and concessions. The
claimed benefits ranged from fraud reduction to improved access to benefits
and refunds associated with certain medical expenditure. Despite claims of
substantive savings over a long timeframe, no independent verification of the
savings claims have been produced.
The purpose of this paper is to compare and contrast Australia’s Access Card
system against the United States’ REAL-ID system and the United
Kingdom’s identity card system – and asks the question “Are identity card
systems worthwhile?”
2008 RMAA Conference
Government Access Cards Table of Contents
TABLE OF CONTENTS
Introduction.............................................................................................................1 Australian System Overview ...................................................................................4 United Kingdom System Overview .........................................................................9 United States System Overview.............................................................................11 Interplay Of Identity Theft And Fraud Overview ...................................................15 Interplay Of Identity Theft And Access Card Regimes ..........................................19 Conclusion – Is It Worthwhile? .............................................................................25 Biblographry .........................................................................................................28 Acronym List ........................................................................................................36 Appendix One – Timeline......................................................................................37
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Introduction
Page 1
INTRODUCTION
The underlying definition of identity theft is the appropriation of an
individual’s personal information with the aim of impersonating that
individual in a legal context (Vacca 2003, p. 4). The motivation to
perpetrate identity theft varies by individual case – it ranges from
vindictiveness to financial troubles. Possible sources of identity thieves
come from the most unlikely of sources including family, friends and, work
colleagues to more “traditional” category of total strangers.
A 2005 study by Javelin Research (Johnson 2006, p. 52) identified 11 areas
where information breaches occur that form the basis for identity theft:
Information Breach Source
Breach Percentage
Lost/Stolen wallet 30.0 Corrupt employee 15.0 Paper mail 8.0 Misuse of data 7.0 Other way 7.0 Finance company 6.0 Computer infiltration – General 5.0 Computer infiltration – Phishing 3.0 Garbage (Dumpster Diving) 1.0 Computer infiltration – Online transactions 0.3 Table 1-1 Information source types for identity theft (Johnson 2006: 52)
The growth and spread of technology over recent decades (particularly since
the 1980’s) have the potential to negatively influence the victim’s reputation
more quickly than before (Vacca 2003: 5). The speed of technology change
has facilitated the transformation of access to information by governmental
agencies, corporations and individuals – often at the expense of security and
verification.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Introduction
Page 2
With personal information becoming increasingly accessible online through
registers and databases (connected directly to the internet or through private
networks) and personal disclosure all stakeholders and the government
require a clear understanding of the new paradigm operating –ensuring
critical information is accurately and securely retained and only accessible to
verifiable, authorised recipients – is paramount.
The costs associated with identity theft are startlingly. A Federal Trade
Commission (FTC) study (Aratia Jnr 2006) highlighted some of the costs
relating to identity theft affecting America from 1999 to 2004:
27.3 million Americans were victims of identity theft in the preceding five years;
The direct cost to American financial institutions was US$33 billion and US$5 billion to consumers;
Average consumer cost was approximately $500; Identity theft was the fastest growing crime; 50% of victims were unaware that personal information was stolen; The fraudster was known to victims in 25% of reported cases; and The fraudster was a direct family relative in 35% of reported cases.
A 2005 study conducted by Javelin Research (Johnson 2006) contended that
identity theft in America was stable, even declining in certain respects. The
study did highlight the following:
8.9 million people (4 percent of the adult population) suffered identity theft in 2006 – a 11.9 percent decline from their2003 survey;
Losses amounted to $6,383 per person – a 21.6 percent increase from 2003; and
Total amount defrauded through identity theft was $56.6 billion – a 6.4 percent increase from 2003.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Introduction
Page 3
David Shenk outlined 13 laws of Data Smog (1997, p. 11) that can easily
underpin the implementation of the access card regimes:
1. Information, once rare and cherished like caviar, is now plentiful and taken for granted like potatoes;
2. Silicon chips evolve much more quickly than human genes; 3. Computers are neither human or humane; 4. Putting a computer in every classroom is like putting a power
plant in every home; 5. What they sell as information technology but information
anxiety; 6. Too many experts spoil the clarity; 7. All high-stim roads lead to Times Square; 8. Birds of a feather flock virtually together; 9. The electronic Town Hall allows for speedy communication and
bad decision-making; 10. Equifax is watching; 11. Beware stories that dissolve all complexity; 12. On the information superhighway, most roads bypass journalists;
and 13. Cyberspace breeds libertarianism.
For the three governmental card access systems subject of this paper, all of
these laws apply in various guises – some in how information is gathered,
digested and processed for stakeholders; others by effectively excluding
people from society by denying them elements that society has deemed
“essential”.
The purpose of this paper is to examine and contrast three governmental
identity management systems – United States Real-ID framework; United
Kingdom’s National Identity Card; and Australia’s Welfare Access Card1 -
with their stated role in minimising fraud against the public purse and
identity theft. The core question after this analysis is “is it worthwhile?” in
preventing such theft and fraud.
1 For the purposes of this paper, the Australian system refers to the Welfare Access Card proposed by the Howard Liberal/National coalition government on April 26 2006. The coalition was defeated at a general election on November 24 2007.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards – A Key To Fraud And Identity Theft Reduction? Australian Welfare Access Card
Page 4
AUSTRALIAN SYSTEM OVERVIEW2
The Australian system has had a chequered and laboured journey. The
genesis started in 1985 with the Hawke Labor government proposed The
Australia Card system that bears remarkable similarities to the 2006 Welfare
Access Card system proposal of the Howard coalition government.
The Australia Card proposal was abandoned after the 1987 double
dissolution election that saw the Hawke government returned with a reduced
majority, but enough to pass the proposal under a double sitting of
parliament if it chose.
A consequence of the failure of the Australia Card proposal, the introduction
of an alternative system called the Tax File Number (TFN). This system
initially was restricted to taxation-related payments but has since gradually
expanded to include Centrelink payments, interest earned on bank accounts,
investment transactions, and the higher education loans scheme (previously
HECS).
A major issue identified with the TFN system was the underlying
information framework that formed the backbone of its operation. A
parliamentary report found that in 1999 there were 3.2 million more Tax File
Numbers and 185,000 possible duplicate numbers compared with the total
population of Australia at the 1996 census (Numbers on the Run 2000, pp.
vii & 2).
The same report suggested that the modernisation project the Taxation
Office was conducting at the time (operating for 10 years at that point) “has
not delivered improvements commensurate with expectations and investment
in the project” (Numbers on the Run 2000, pp. vii & 7).
2 This section refers to the Welfare Access Card proposed by the Howard coalition government on 26 April 2006. Since the election of the Rudd government on 24 November 2007, this proposal has been scrapped.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards – A Key To Fraud And Identity Theft Reduction? Australian Welfare Access Card
Page 5
The committee made 26 recommendations for improvement to the TFN
system, covering areas from data security and integrity to cooperation with
AUSTRAC on certain matters (Numbers on the Run 2000, pp. xv-xx). To
date, the government is yet to respond to the report making an informed
review on any progress against the committee’s recommendations difficult.
The above history provides a backdrop of political developments since the
1980s – in essence the major political parties shifted positions completely
(ALP from support to opposition; Coalition from opposition to support)
whilst utilising the arguments their opponents used during The Australia
Card debate.
On 26 April 2006, the then-Prime Minister announced the launch of the
Health and Social Services Access Card (HASSAC) program with the
following project aims:
1. Reduce the complexity of access to Commonwealth benefits; 2. Facilitate a more convenient, user-friendly and reliable method of
accessing participating Commonwealth services; 3. Reduce fraud on the Commonwealth in relation to the provision of
Commonwealth benefits; 4. Improve access to federal government relief in emergency situations;
and 5. Permit card-holders to use their cards for such lawful purpose as they
so choose.
The card would serve as an identifier for a range of programs offered by:
Centrelink (unemployment, disability, veterans, study allowances); Health and Aging (Health Care Cards for seniors and general
population); Medicare Australia Pharmaceutical Benefits Scheme; CRS Australia Vocational Rehabilitation; and Child Support Agency;
Additional provisions of the enabling bill (section 7) included specifically
excluding the Access Card from being utilised as an identity card and
limiting interference with the privacy of individuals.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards – A Key To Fraud And Identity Theft Reduction? Australian Welfare Access Card
Page 6
The framework was to be underpinned by two software platforms:
1. Card Management System (CMS): aimed at tracking individual cards throughout the card life cycle (seven years); and
2. Key Management system (KMS): aimed towards providing security for data collected as part of the framework.
To complement the software platforms, the information architecture
comprised four major registries – customer, photo, biometric and Client
Management (Dept of Human Services Feb 2007, p. 57).
In February 2007, the coalition government formally introduced the Human
Services (Enhanced Service Delivery) Bill 2007 with the purpose of
establishing an “access card” to services offered by Centrelink, Medicare
Australia, CRS Australia, the Child Support Agency Australia and the
Department of Veterans Affairs. A consequence of the bill was the
consolidation of 17 separate concession cards across the above agencies
under a single agency.
Information on the Welfare Access Card covered 18 different categories
including:
The full legal and preferred name of the individual (including military ranks and awards bestowed under the Australian and United Kingdom honours systems);
Date of birth; Indigenous, citizenship and residency status; Contact details; Registration status; Proof of identity; Access card numbers of the individual; Access card currency (including exemptions under sections 15 and
16 plus information gained under sections 45, 54, 60 and 68); Digitised photo and signature; DVA information Information permitted under statute law including the Privacy Act
and the Freedom of Information Act; Benefit cards issued by participating agencies; Emergency payment number (if issued); and Death information (information concerning the death of the card-
holder).
2008 RMAA National Conference Adopting and Adapting
Government Access Cards – A Key To Fraud And Identity Theft Reduction? Australian Welfare Access Card
Page 7
Registrations for the card were slated to commence during April 2008. All
persons wishing to access the designated government services were, in
effect, required to have the card within two years of the scheduled
commencement of the Act. The Department of Human Services anticipated
registering and issuing cards 16.1 million adult persons averaging 32,000 per
day at Commonwealth agencies (Department of Human Services 2007(3)),
assuming an average of 12 minutes per interview. Renewals of Access
Cards would be conducted at Australia Post outlets.
Ascendant programs including the Document Verification Service trialled by
Centrelink and the aborted HealthConnect trial conducted by the Department
of Health and Aging may be included as part of the Access Card program,
although no confirmation had been issued by these agencies when the
Access Card framework was scrapped.
A 2007 inquiry conducted by the Senate Standing Committee on Finance
and Public Administration found major flaws regarding establishment of the
Welfare Access Card system, access by government agencies (at all levels)
and privacy to participants. Yet the majority report recommended that the
proposal proceed without amendment.
The system, if enacted, ultimately would not have been limited to the
proposed range of services. The broader Governmental Authentication
Framework (AGAF), coupled with the prospect of function creep inherent
with any major system rollout, other federal governmental agencies not
included in the initial rollout were likely to insist on system access including
(but not limited to):
2008 RMAA National Conference Adopting and Adapting
Government Access Cards – A Key To Fraud And Identity Theft Reduction? Australian Welfare Access Card
Page 8
Agency Purpose(s) Australian Taxation Office Taxation and Superannuation Australian Electoral Commission Integrity of electoral roll Department of Science Education and Training
Higher Education Loans Schemes (HECS-HELP & FEE-HELP)
Department of Transport and Regional Services
Airline Identity Cards
APRA Banking and superannuation, money transfer under AUSTRAC protocols
ASIC Company registrations Table 2.1 Incomplete listing of federal government ageincies potentially wanting access to Welfare Access Card if implemented
Coupled with function creep at the federal agency level, state government
agencies were likely to insist on access on issues ranging from licensing
(including transportation and gaming) to land transfers and payroll
deductions. In May 2006, the Queensland Transport Minister (now Deputy
Premier) Paul Lucas attempted to link the state’s driver and 18 plus licensing
administration into the access card regime citing cost pressures (Courier
Mail 2006, p. 7).
November 24 2007 saw the Howard coalition government defeated at a
general election, replaced by the ALP promising to scrap the scheme.
Consequent to the election result, the system as proposed by the former
coalition government was terminated during Christmas 2007.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? United Kingdom Identity Card
Page 9
UNITED KINGDOM SYSTEM OVERVIEW
The enabling statute for the United Kingdom’s card program is the Identity
Card Act 2006. The program commenced during the early years of the
decade as something similar to the current Australian government’s Access
Card proposal (called an “Entitlement Card”). After the September 2001
terror attacks and the July 2005 London bombings, the system was
incrementally expanded to a fully-fledged identity card system.
A Home Office discussion paper on the 2002 proposal was issued with
public consultations closing in January 2003. The foundation for the 2006
Identity Card proposal occurred with the 2003 redesignation of the project as
an identity card by the former Home Office Minister David Blunkett, with
the aim of having 80% of the adult population holding the card by 2017.
According to publicly available documentation, the aims of the 2003
program as outlined by Mr Blunkett included:
1. Boost the fight against illegal working; 2. Tackle immigration abuse; 3. Disrupt the use of fake and multiple identities by terrorist
organisations and crime groups; 4. Ensure the delivery of free public services by those who are entitled
to use them; 5. Assist in the prevention of identity theft.
The 2006 proposal contains two core elements – a National Identity Register
(NIR) comprising information of all United Kingdom residents (both native
born and foreigners) and a card linked to the register. The NIR specifies 49
data categories including:
Fingerprints (all 10 if mandated); Digitised Facial Scan; Digitised Iris Scan; Current and previous places of residence – both in the
Kingdom and overseas; and Passport information (progressively integrated when applying
or renewing this document).
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? United Kingdom Identity Card
Page 10
The Act permits the government, through the Secretary of State for Home
Affairs, to establish additional information categories at the complete
discretion of the Secretary.
Initially, the data collected was to be stored on a single registry costing an
estimated £5.4 billion over a ten-year period. A decision in late 2006 by the
Home Office minister revoked this directive and data held under this system
will be held on three separate registries (British Broadcasting Corporation
(5) 2006) currently in operation. In addition, direct costs associated with the
program are now anticipated to rise above £5 billion (British Broadcasting
Corporation (1) 2007).
Media reports during November 2007 speculated that the incoming Gordon
Brown government would abandon the project due to cost and technical
issues – reports that proved unfounded. Further media speculation between
November 2007 and March 2008 (BBC Online 2007 and Castle 2008)
documented the following implementation timeline:
December 2008: Registration commencement of non-UK nationals and those UK citizens working in sensitive roles (e.g. airport and 2012 Olympic employees);
December 2009: Incentives for certain categories of UK citizens (e.g. students and public sector staff) to voluntary register;
June 2010: Deadline for formal parliamentary vote on whether program is compulsory for UK citizens;
December 2010: Commencement of incentive registration program for youth;
Calendar Year 2011: Mass registration commencement in conjunction with passport renewals with options for card only, passport only or both card and passport;
December 2017: Universal (i.e. 80% plus) coverage of resident population.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? USA REAL ID
Page 11
UNITED STATES SYSTEM OVERVIEW
The REAL ID program was established under Division B of the Emergency
Supplemental Appropriations Act for Defence, the Global War on Terror and
Tsunami Relief Act 2005 (Public Law Number 109-3, 199 Statute 231).
Promulgation of the Act occurred on 21 May 2005, with DMV compliance
established for 11 May 2008. Registrations would commence by 2010 with
two deadlines:
1. Persons born after 1 December 1964 were required to have compliant cards by December 2014.
2. Persons born before 1 December 1964 were required to have compliant cards by December 2017.
The stated aims of the act were to deter terrorism and reduce identity theft
by:
o Establishing national standards for state-issued driver’s licences and non-driver’s identity documents;
o Updating and tightening laws on the application of asylum and the deportation of aliens for terrorist activity;
o Introducing rules covering delivery bonds; o Funding some reports and pilot projects related to border security;
and o Changing visa limits for temporary workers, nurses and Australians.
From 1 January 2010, the practical consequences of the statute include:
o Federal agencies may not accept for identification purposes identity cards or drivers licences unless the state is meeting the requirements of the Act;
o The Social Security Administration (42 USC s. 666(28)) requires that States maintain a new hire directory. Bearers of non-compliant documentation will be unable to secure employment.
o Bearers of non-compliant documentation will be unable to establish banking accounts with financial institutions.
The key data requirements for the program include:
o Full legal name; o Digitised signature; o Date of Birth; o Gender; o Driver Licence/Identity Card Number; and o Principal Place of Residence.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? USA REAL ID
Page 12
To register for the card, persons are required to furnish identity documents
including:
1. A photographic identity card or a non-photographic identity document that includes legal name and birth-date of the cardholder;
2. Birth date; 3. Legal status and Social Security Number; and 4. Name and principal place of residence.
Access to the card will be by via common machine-readable technology of
defined data elements. The federal Secretaries of Homeland Security and
Transportation, in conjunction with participating states will oversee the
coordination and the oversight of the classification and regulation of data
elements, in addition to the integration of participating state’s registry into
the national scheme to provide a comprehensive record of individual driver’s
histories.
Provisions in the initial draft allowed participation by Canadian and Mexican
provincial authorities in the program, but were removed from the final
statute due to legal concerns. The broader issue of the involvement of
foreign sovereign governments and supranational entities – like the
European Union – is currently still unresolved.
A 2006 study conducted by the NGA, NCSL and the AAMVA highlighted
the cost blowouts of implementing such a substantive program. The study
stated that the costs of implementing REAL-ID would be in excess of US$11
billion over the initial five years of operations – with the majority of the
costs (US$10 billion) on recurrent expenditure items including support
mechanisms, re-enrolment of 245 million card-holders, design requirements
and document verification processes. This figure excludes additional
expenditures by state agencies and private citizens in compiling with State
DMV requirements (Swartz 2007 (1), p. 12).
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? USA REAL ID
Page 13
A separate study conducted on the District of Columbia’s OPLD highlighted
that the District’s business records were kept in “such disarray” that the
Inspector General could not review them for integrity or accuracy. The
disarray was so great that no indexing arrangements were available and the
digitisation project was significantly behind schedule. The consequence was
that was that the system was identified as a security breach as all employees
of the DCRA had access to the files, regardless of their access rights (Swartz
2007 (2), p. 12).
March 2007 saw two major developments – the Department of Homeland
Security (DHS) releasing its draft regulations under the REAL-ID Act for
comment (with the receipt of some 12,000 submissions) and the first major
delay to the program when the initial compliance delayed until December
2009.
In addition, Congress during May 2007 undertook debate on immigration
bills that significantly expand the utilisation of REAL-ID including the
creation of a National Employment Eligibility Verification Scheme. There
were differences between the House and Senate versions of the initial bill –
the Senate version excludes non-REAL-ID identification from 2013. The
major commonality of these programs is the authority of the DHS Secretary
to mandate the use of a national identity card as the sole acceptable
document to verify employment eligibility.
January 2008 saw the release of the departmental final rule and Privacy
Impact Assessment (PIA) on how REAL ID implementation, along with the
ability for states to apply for a second extension to March 2011 for
compliance (subject to these states receiving an extension to December
2009). States that have sought both extensions and are not ready to
participate by May 2011 will be deemed “not in full compliance” – the
consequence will be residents will not be able to enter federal buildings,
board aircraft and other activity covered by the act.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? USA REAL ID
Page 14
During 2007, 44 states considered 145 legislative instruments on the REAL-
ID program, of which 25 states endorsed some form of instrument – 21 of
those passing some measure outlawing participation or urging repeal
(Sudeen & Meadows 2008, p. 26). As of May 2008, 17 states currently are
refusing to implement of REAL-ID (either through statute or parliamentary
resolution), casting doubt on the overall success of the program.
As at May 2008, a blanket extension was granted to all 50 states and the
District of Columbia in an attempt to placate opposition coupled with an
attempt to resolve underlying issues surrounding the program.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Identity Theft and Fraud Interplay
Page 15
INTERPLAY OF IDENTITY THEFT AND FRAUD OVERVIEW
Broadly defined, identity theft is the process of one person fraudulently
utilising another person’s identifiers to obtain financial or other benefit in the
other person’s name (Arata Jnr 2004, p. 5). The Identity Theft Resource
Centre has categorised identity theft into four principal themes:
1. Financial: The use of a person’s identifiers to improperly obtain goods or services;
2. Criminal: Posing as another person when apprehended for an alleged crime;
3. Cloning: Using another person’s identity for daily living; and 4. Business/Commercial: The use of corporate identifiers to defraud a
specific organisation.
In addition, New South Wales’ ICAC (2006, p. 15) further defined identity
fraud as being:
Dishonest misrepresentation of any major aspect of identity whether backed by documentation or not;
Fraudulent use of business or corporate identities; Misuse or theft of an individual’s username or password to assume
the individual’s identity on a computer system to procure information or benefits;
Public officials misusing position to: o Steal, alter or otherwise misuse electronic or paper records
pertaining to a third person held by the agency; o Fraudulently create identity documents; or o Create or assume false identities.
Acknowledgement of identity theft as the quickest growing crime in the
United States (Abagnale Jnr 2002; Arata Jnr 2004) and Australia (ICAC
2006) has occurred in the popular press and some governmental agencies
with a range of publications available on the subject. An estimate of the
worldwide cost of identity crime is at US$2 trillion (Department of Human
Services 2007(2)).
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Identity Theft and Fraud Interplay
Page 16
Governmental agencies and private organisations actions have generally
been at best imprecise and at worst reckless in securing and storing critical
personal data, often resulting in media sensations when particular instances
of data loss occur. Since 2005, there has been a literally thousands of data
breaches across Australia, the United States and the United Kingdom
(amongst others) involving many millions of records containing personal
information. Some have been inadvertent (loss of laptops or external data
drives) to theft by insiders and external intrusions obtaining personal
information.
The impact of these breaches involve many untold millions of records
profiling thousands of persons across Australia, the United States and the
United Kingdom, allowing those with the contacts and opportunity to obtain
data via nefarious means to do so without significant difficulty.
In the United States, the Transport Security Administration (TSA) reported
during May 2007 about a loss of a computer hard drive containing personal
identifiers on 100,000 persons. Other governmental agencies – including the
Social Security Administration, Veterans Affairs and Defence Departments –
have suffered similar or greater losses over recent years. Private sector
organisations and educational institutions are just as careless – Choicepoint
had 160,000 plus records improperly accessed during 2004 and several
universities and schools have suffered data breaches since 2004.
The most high profile example of data loss was in October 2007 by the UK
Revenue and Customs. Two archive compact discs containing identifiers of
25 million persons (comprising 7.25 million family units) – about half of the
United Kingdom’s total population and families respectively was misplaced
as a consequence of this incident. The minister concerned, Alastair Darling,
attempted to assure the broader population of the supposed integrity of the
system without much success. Revelations during January 2008 documented
that the relevant security manual was restricted only to senior staffers with
junior staff only receiving a summary of the manual.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Identity Theft and Fraud Interplay
Page 17
The month prior to this incident – and in response to findings that 171,488
cases of identity theft costing £1.7 billion during 2006 – the United Kingdom
all party parliamentary group on identity fraud called for the establishment
of an ID Theft Tsar to coordinate corporate, governmental and police efforts
on identity theft (BBC 2007).
An Australian parliamentary inquiry (conducted during 1999 and 2000)
noted in the report Numbers on the Run that, as at 2000, an estimated 3.2
million additional Tax File Numbers (in addition to a total population of
16.1 million based on the 1996 census) with little effort by the Australian
Taxation Office to correct the imbalance.
The lackadaisical approach to data security occurs even on a personal level.
Identity thieves utilise a practice known as “dumpster diving” to obtain bills,
ATM receipts or other information that people throw away intact. With even
the most elementary information, it is possible for identity thieves to “ghost”
someone and milk unsuspecting victims for years.
Individuals need to be more proactive when dealing with their personal
information. Governmental agencies and corporations – even when utilising
the best information protection strategies – are liable to data corruption,
mismanagement, manipulation or other forms of information loss. Such pro-
activity requires vigilance
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Identity Theft and Fraud Interplay
Page 18
Various publications promoting individual awareness and strategies to
combat identity theft are in the public domain. A 20-step plan developed by
Frank Abagnale Jr (2007, pp. 106-132) 3 provides a comprehensive guide for
individuals being proactive in protecting themselves from identity theft. A
7-step plan advocated by John Vacca (2003, pp. 19-21) covers broadly the
same ground:
1. Check credit reports regularly; 2. Do not issue social security number needlessly; 3. Protect computer; 4. Keep track of billing cycles; 5. Examine financial statements like an obsessed accountant; 6. Guard mail from theft; 7. Invest in a shredder; 8. Practice safe shopping; 9. Avoid sketchy Automatic Tellers; 10. Be suspicious of unexpected calls or letters; 11. Put real passwords on accounts; 12. Keep credit card close when shopping or eating out; 13. Use Safe Checks and use them sparingly; 14. Secure Home and Office fronts; 15. Carry only what you need; 16. Spring clean credit cards; 17. Opt Out; 18. Read privacy policies; 19. Protect a deceased relative; and 20. Place fraud alerts on credit reports.
3 This guide is designed primarily for a United States audience, but all points apply regardless of location.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Interplay of Identity Theft & Access Card Regimes
Page 19
INTERPLAY OF IDENTITY THEFT AND ACCESS CARD
REGIMES
A common aim of the three highlighted programs is the reduction of identity
theft generally and against government payments and services specifically.
While laudable, the challenges confronting the three national governments
are immense in achieving the stated aim. The major challenge relates to
three major integrity concerns:
Content: Ensuring that information held on individuals is accurate, timely and associated with the correct person;
Infrastructure: Ensuring that access points are secure; effective data security measures are in place; ensuring access controls are secure and relevant; and
Personnel: Ensuring effective background checks are relevant; maintaining timely review and rotation frameworks.
From a definitional perspective, the Australian Privacy Commissioner’s
Office classifies the occurrence of an information security breach (2008)
when “personal information held by an organisation (including governmental
agencies) is lost, misused, mistakenly disclosed or stolen”. Typical
examples of such breaches include:
1. The loss of laptops, removable storage devices or files (whether physical or electronic) containing personal identifier information;
2. The organisation mistakenly providing personal information to a person not entitled to said information;
3. A third party deceiving an organisation into improperly releasing personal information of others;
4. Databases containing personal information being illegally accessed by persons external to the organisation; and
5. Staff accessing personal information outside the scope of their employment.
The effectiveness of any identity card framework is dependent upon many
factors and issues ranging from information security (hardware and content);
personnel access and control infrastructure; information retention and
disposal to facilities and function management. Events over the past decade
in all three countries have highlighted the potential for major information
breaches by internal and external sources.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Interplay of Identity Theft & Access Card Regimes
Page 20
Recent years have seen repeated incidences of public and private sector
organisations mislaying or misdirecting devices storing personal identifiers,
physical infrastructure not being as secure as required, staff corruption and
external interference amongst other catalysts.
An example of these threats was highlighted by a 2007 United States
Congress subcommittee investigation into the cyber-security efforts of the
Department of Homeland Security. During fiscal years 2005 and 2006, 844
cyber-security incidents were documented against the department (The
Australian IT Online 2007). The object of these incidents ranged from
unauthorised computer access, firewall mis-configurations, virus and Trojan
infestations, plus classified data “spillages”. Concerns were raised that a
digital Pearl Harbour attack could occur if serious efforts were not
undertaken to promote effective cyber-security within government agencies
and private organisations.
From an Australian perspective, the House of Representatives Standing
Committee on Economics, Finance and Public Administration during 1999
conducted a review on the administration of the Tax File Number (TFN)
system culminating in a report titled Numbers on the Run. As of this
writing, the previous coalition or the current ALP government has yet to
respond to the report, despite several members of the committee rising to
relatively senior parliamentary or executive roles.
The report is damning of the administration of the TFN system at the time.
Of a total population of 16.1 million4, there were 20.3 million TFN in
1999/2000 financial year and approximately 195,000 possible duplicate TFN
in circulation.
4 As at 1996 Census Night
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Interplay of Identity Theft & Access Card Regimes
Page 21
Despite a decade of modernisation by the Tax Office prior to and during the
committee inquiry process, there was major work still pending in
overhauling the framework that underpinned the TFN’s administration. The
lack of a response by the previous coalition government indicates that
despite the rhetoric of clampdown, there was little political will to undertake
serious remedial work to rectify identified program deficiencies.
Notwithstanding claims by proponents about possible legislated limitations
of any program, function creep is a near certainty. Even to register (and
verify the identifying documentation) the adult population would require
systems and policy integration of multiple state and federal agencies to
ensure effective document verification. The ACCI (2005: 2) has highlighted
this potential particularly in relation to increased costs for business in
complying with any program expansion. As highlighted by the Australian
TFN system, function creep beyond the initial scope of the enabling statute
will occur, as agencies demand access to the system for verification of
individual’s claims for specific services.
The ability of Australian federal governmental agencies to deal with the
underlying issues of recordkeeping is also an issue to the success of any
program. One driver for the adoption of some form of national standard is
the interdependence of state and commonwealth agencies during the Proof of
Identity (POI) process (ICAC 2006: 18). The potential for a fraudulent
document being accepted by an agency resulting in the issuance of a genuine
POI document resulting in a ghost identity is real.
A 2003 ANAO audit of selected Australian federal agencies5 found, despite
the agencies generally meeting various national standards, that there was
“significant risk of non-capture and unauthorised disposal of records”
(ANAO 2004) due to:
5 Agencies audited were Centrelink; Department of Agriculture Fisheries and Forestry; Department of Families and Community Services; Department of Health and Aging.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Interplay of Identity Theft & Access Card Regimes
Page 22
Lack of attention on risks associated with recordkeeping, particularly relating to outsourced functions;
Formal records systems not being fully utilised; Limited controls over electronic records, particularly relating to
network drives and personal workspaces; and Formal long-term sentencing programs for records disposal were not
in place.
In addition, the audit identified instances of non-compliance with Disposal
Authorities including (ANAO 2004):
Contracts with outsourced providers failed to include all elements recommended by National Archive Australia (NAA) with minimal monitoring and review conducted to ensure compliance;
Physical records not in compliance with NAA standards; and Business Continuity Plans did not identify critical records.
An example of how the current Proof of Identity (POI) framework operates
was illustrated by a recent survey conducted by ICAC. As part of the
survey, ICAC utilised four categories under the Proof of Identity Framework
(POIF) adopted by the Standing Committee of Attorneys-General (ICAC
2006, p.41):
Category One: Evidence of right to be in Australia; Category Two: Linkage between identity and person; Category Three: Evidence of identity operating in community; and Category Four: Evidence of residential address.
Of one hundred public sector agencies6 invited to participate, 82 did so.
Table 6.1 illustrates what identity documents tendered by the public to the
responding agencies:
6 Excluding local government authorities and public schools
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Interplay of Identity Theft & Access Card Regimes
Page 23
Identity document Number of agencies (82 maximum)
Agency Percentage (100%=82)
Document verifying employment
56 68.29
Rates notice 0 0.00 Public utility notice 3 3.65 Education cards 11 13.41 Membership of trade or professional association
11 13.41
Birth Certificate 1 1.21 Public employee ID Card 56 68.29 State benefit card 1 1.21 Student ID card 8 9.75 Child: letter from school 1 1.21 Table 6-1 Results from ICAC survey on types of identity documents produced to NSW public service agencies7
In the United States, current iterations of state-issued documents (e.g. birth
certificates, driver licences) incorporate minimal, if any, security features
and the supporting information infrastructure is incomplete and aging
(Abagnale Jnr 2004). Recent efforts have started to correct these flaws –
time is needed to completely correct these deficiencies.
The biggest data breach of recent times was the inadvertent loss of two CD-
ROMs containing critical data elements of 25 million United Kingdom
residents receiving child benefits by Internal Revenue.
The resulting furore resulted in highlighting the sheer quantity of
information currently collected and collated from citizens by governments
for service delivery. Without the central index identifier of an identity card
regime, the ability to link disparate data elements is somewhat impaired.
The interplay of reducing identity theft with an overarching access card
regime would be illusionary. The examples highlighted in recent pages
reveal the challenges of maintaining information and system integrity across
current frameworks.
7 See note 3
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Interplay of Identity Theft & Access Card Regimes
Page 24
The costs associated with establishing any regime, coupled with ongoing
compliance and regulatory issues, would serve to outweigh any claimed
savings against the public purse. The ACCI has pointed out in 2005 that the
costs associated with the Australian system could rise to $5 billion – just
during the establishment phase.
Coupled with the infrastructure issues during the establishment and
operational phases, having one centralised repository has the potential to
encourage a “honey-pot tree” scenario, where staff (or external participants)
could be induced – by whatever means – to create false records, to delete (or
alter) genuine records or to access records in an unauthorised manner.
Identity theft, in part, feeds off a lack of systems integrity – the deployment
of an identity card regime will be of minimal consequence in negating, and
quite possibly aggravate, systemic integrity flaws.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Conclusion – Is it Worthwhile?
Page 25
CONCLUSION – IS IT WORTHWHILE?
The purpose of this paper has been twofold in providing:
1. An overview of identity card systems in the United States, Australia and the United Kingdom; and
2. An introduction on the interplay of identity theft with fraud generally and the specific programs.
David Shenk’s 1997 book Data Smog outlined 13 Laws of Data Smog as they
applied to technology developments, particularly of an online nature. The
following list has been adapted from that list as it applies to the identity
programs:
1. Personal information, once rare and cherished like diamonds, is now plentiful and taken for granted like sand;
2. Silicon chips evolve and adapt much more quickly than public service guidelines;
3. Computers are neither human or humane; 4. Putting a ID card in every wallet is like putting a tracking device on
every person; 5. What politicians sell as information security but information anxiety; 6. Too many experts spoil the clarity; 7. All high-stim roads lead to a public servant’s office; 8. Birds of a feather flock virtually together; 9. The electronic Town Hall allows for speedy communication and a wealth
of falsehoods; 10. The Prime Minister’s (or President’s) office is watching; 11. Beware stories that dissolve all complexity; 12. On the identity information superhighway, most roads pass through
public servants’ offices; 13. Cyberspace breeds scared politicians and nervous bureaucrats.
(Adapted from Shenk 1997, p.11).
The development of online technologies over the past decade has facilitated
enhanced opportunities for thieves and fraudsters – whether operating alone
or in groups – to appropriate innocent people’s identities with comparative
anonymity and uses them for criminal benefit quicker than in previous times.
Perversely, the consequences are also harder to detect and more challenging
to correct – even with the person being highly proactive on identity
management issues.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Conclusion – Is it Worthwhile?
Page 26
Linking an individual citizen’s identity through a single identifier can
facilitate what can be termed a “honey-pot tree” scenario where previously
separate identifiers (TFN/SSN, Medicare number, drivers licence
information, Social Security number) are linked to the “master” number,
allowing much quicker access to a citizen’s identity and the misuse of
personal information and making recovery from identity theft more difficult.
From a strictly technical and technological perspective, the programs
outlined in the preceding pages – if properly resourced – may be feasible.
The challenges come from the following perspectives:
Policy and regulatory (oversight, accountability, ensuring only authorised access to information);
Accuracy (creation of false entries, deletion or unauthorised changes of “correct” entries);
Personnel (ensuring those with access do not abuse system or not open to blackmail);
Privacy (allowing persons to access only authorised information); Cost (all three programs have had major upward cost revisions as the
proposed scale of implementation becomes apparent).
Another aspect that supporters overlook or ignore is that, in effect, the
programs would serve as a backbone to identity management of citizens.
Examples of this include:
Access to US federal buildings would only be available to those carrying a REAL-ID compliant documentation;
Persons wishing to access Australian social services would, in effect, require the HASSAC as part of the identification process;
No replacement for the 17 concession cards that form a key element of Australia’s 100-point identity check framework;
Persons wishing to renew their UK passport or wishing to work in a “sensitive role” would be required to obtain a UK Identity Card.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Conclusion – Is it Worthwhile?
Page 27
From a broader societal perspective, the core question of this paper – is it
worthwhile – is paradoxically complex and simple. Simple in the context of
allowing Big Brother to peep into every aspect of the lives of the citizenry.
Complex in the context by hinting at the benefits the alluring technological
solutions that the programs permit.
On balance, the proposed systems outlined in this paper do not meet the
stated program objectives on technological and outcome perspectives,
particularly for the following:
1. The programs reverse the onus of the core relationship between the democratic society (particularly its public institutions) and its citizens from one where the public institutions are accountable to the citizenry to one where the citizenry is held hostage by the public institutions;
2. The technological framework underpinning the program establishment and implementation are flawed, relying on information that can be manipulated or fraudulently obtained;
3. Overstating the promise of the solutions (reduced identity theft, fraud against government payments) against the cost of implementing and maintaining such programs;
4. Providing a “honey tree pot” for identity thieves to access details of innocent people or to generate false identities through one identifier.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Bibliography
Page 28
BIBLOGRAPHRY
Articles Anonymous (1) 2001. “Congress plants a time bomb in motor-vehicle offices”. Privacy Journal. vol. 27 no. 4 p. 3 February. Anonymous (2). “ID Card could cost Australia $15b: ACCI”. Sydney Morning Herald Online. 21-Dec-2005. Accessed March 5 2007. Apuzzo, Matt 2007. “TSA loses hard drive with personal information”. Huffington Post. Published 7-May-2007. Accessed 7-May-2007. URL: http://www.huffingtonpost.com/huffnews/20070507/tsa_missing_data.html Australian IT Online 2007. “US Homeland Security admits hacks”. Published 21/Jun/2007. Accessed 23/Jun/2007. URL: http://australianit.news.com.au/story/0,24897,21942911-5013040,00.html BBC Online 2008 (1). “Revised ID plans unveiled”. Published 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/7280495.stm BBC Online 2008 (2). “ID Cards ‘may not be compulsory’”. Published 08-Jan-2008. Accessed 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/7176901.stm BBC Online 2008 (3). “Brown ‘still supports ID Cards’”. Published 09-Jan-2008. Accessed 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/7179238.stm BBC Online 2008 (4). “Britons’ ID Cards ‘to be delayed’”. Published 23-Jan-2008. Accessed 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/7203740.stm BBC Online (8) 2008. “Is Brown cooling on ID Cards?” Published 23-Jan-2008. Accessed 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/7204229.stm BBC Online 2007 (5). “Cameron calls for ID cards halt”. Published 22-Nov-2007. Accessed 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/7105999.stm BBC Online 2007 (6). “ID Cards ‘not being scrapped’”. Published 04-Nov-2007. Accessed 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/7077550.stm BBC Online 2007 (7). “ID cards to be great UK instutition”. Published 19-Jun-2007. Accessed 06-Mar-2008. URL: http://news.bbc.co.uk/2/hi/uk_news/politics/6767083.stm
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Bibliography
Page 29
British Broadcasting Corporation (1), 2007. “ID Card cost rises above £5Bn”. Accessed 11-May-2007. URL: http://newsvote.bbc.co.uk/2/hi/uk_news/politics/6642339.stm British Broadcasting Corporation (2), 2007. “ID fingerprints plan under fire”. Accessed 11-May-2007. URL: http://newsvote.bbc.co.uk/2/hi/uk_news/politics/6378999.stm British Broadcasting Corporation (3), 2006. “Blair goes on ID card offensive”. Accessed 11-May-2007. URL: http://newsvote.bbc.co.uk/2/hi/uk_news/politics/6120220.stm British Broadcasting Corporation (4), 2006. “ID cards to ‘safeguard liberties’”. Accessed 11-May-2007. URL: http://newsvote.bbc.co.uk/2/hi/uk_news/politics/6147806.stm British Broadcasting Corporation (5), 2006. “What will the ID card store?” Accessed 11-May-2007. URL: http://newsvote.bbc.co.uk/2/hi/uk_news/politics/4630045.stm British Broadcasting Corporation 2006. “MPs call for identity fraud tsar”. Published 06-Oct-2007. Accessed 03-Feb-2008. URL: http://news.bbc.co.uk/1/hi/business/7031137.stm British Broadcasting Corporation (6), 2005. “Talking Point – Do you support ID Cards?” Accessed 11-May-2007. URL: http://newsvote.bbc.co.uk/2/hi/talking_point/4625971.stm British Broadcasting Corporation (7), 2004. “ID cards in other countries”. Accessed 11-May-2007. URL: http://newsvote.bbc.co.uk/2/hi/uk_news/politics/3527612.stm Birch, David; Elliott, John and McEvoy, Neil 2005. “This is information retrieval: The UK can lead the way with a twenty-first century ID card”. European Business Review. vol. 17 no. 4. pp. 372-378. Castle, Tim 2008. “Britain to begin ID Card roll-out”. The Age Online. Published 08-Mar-2008. Accessed 08-Mar-2008. URL: http://www.theage.com.au/news/world/britain-to-begin-id-card-rollout/2008/03/07/1204780065785.html Clarke, Richard A 2006. “Real ID’s, Real Dangers”. New York Times Magazine. March 6. Clonnell, Andrew 2007. “$64 million Tcard fiasco over”. The Sydney Morning Herald Online. Posted 9 November 2007. URL: http://www.timesonline.co.uk/tol/news/uk/crime/article2983759.ece Published 09/Nov/2007, Accessed 10 November 2007.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Bibliography
Page 30
Derbyshire, John 2001. “Your papers please”. National Review. vol. 53 no 21. pp. 29-30. November 5. Fears, Darryl 2006. “ID Program will cost States $11 billion”. Washington Post. September 22. p. A04. Greenleaf, Graham 1987. “The Australia Card: Towards a national surveillance system”. Accessed 25-Jul-2005. URL: http://www2.austlii.edu.au/itlaw/articles/GGozcard.html Harris, Shane. “Identity Crisis”. Government Executive. vol. 37 no. 8. May 15. pp. 74-80. Hsu, Spencer S 2006. “Transit Worker ID Program Stalled”. Washington Post. September 17 p A03. Huleatt, Richard S 2002. “National Security ID Card and Database needed”. Information Intelligence Online Newsletter. Vol. 23 no. 1 pp. 1-4. January Jameson, Angela 2006. “ID fraudsters plunge tax system into chaos”. The Times Online (UK). Published 18/Jan/2006. Accessed 03/Feb/2008. URL: http://www.timesonline.co.uk/article/0,,2-1991229,00.html Johnson, Marv 2005. “Uniform Drivers Licence to be Federal ID”. Privacy Journal vol. 31 no. 3 January pp. 1-3. Johnson, Tripp 2006. “The state of ID Fraud”. Credit Union Management. July. pp 52-53. Kelderman, Eric “Too little time, too much cost for Real-ID”. Stateline.org 21-Sep-2006. Accessed 20-Mar-2007. Lewis, Paul 2007. “Thousands at risk after data loss”. British Broadcasting Corporation. Published 03-Nov-2007. Accessed 03-Feb-2008. URL: http://news.bbc.co.uk/2/hi/programmes/moneybox/7076106.stm Lloyd, Graham 2006. “Driver’s Licence links ID powers”. The Courier Mail (Brisbane). May 1 2006. Accessed 12/May/2007. Mandelblit, Bruce 2004. “Fake IDs, Genuine Risks”. Security. vol. 41 no 3. March p. 47. Matthews, William 2002. “Identity Crisis”. Federal Computer Week. vol. 16 no 17. pp.16-20. 27-May-2002 Ohr, Stephan “Cards conjure up fears of 1984”. Electronic Engineering Times Iss 1277 9 July 2003. pp. 18-21.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Bibliography
Page 31
Orr, Bill 2004. “Who are you – really?” ABA Banking Journal. vol 96. no 2. February p 86. Privacy Rights Clearing House, 2007. “A Chronology of Data Breaches” Accessed 26-Mar-2007. URL: http://www.privacyrights.org/ar/ChronDataBreaches.htm Privacy Rights Clearing House, 2000. “Identity Theft Victim Stories: Written Testimony of Michelle Brown”. Accessed 26-Mar-2007 URL: http://www.privacyrights.org/cases/victim8.htm Pulley, John 2006. “A real hard act to follow”. Federal Computer Week. vol. 20 no. 21 June 26. pp. 20-22. Radick, J 2001. “What’s required on a Driver’s Licence?” Privacy Journal. vol. 27 no 9. July pp. 3-4. Rodger, Will 2001. “This time, a national ID card?” Privacy Journal. vol. 27 no 12. October. pp. 6-7. Rotenberg, Marc 2006. “Real ID, Real Trouble?” Communications of the ACM. vol. 49 no 3. March p. 128. Swartz, N 2007 (1). “Real ID to cost $11 billion plus”. Information Management Journal. vol. 41 no 1. January/February p. 12. Swartz, N 2007 (2). “D.C. Business Records a mess”. Information Management Journal. vol. 41 no 1. January/February p. 12. Ungoed-Thomas, J 2007. “More financial discs lost”. The Times (UK) Online. URL: http://www.timesonline.co.uk/tol/news/uk/crime/article2983759.ece Published 03/Dec/2007, Accessed 04/Dec/2007.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Bibliography
Page 32
Books Abagnale, FW 2001. The Art of the Steal. Transworld Publishing, Milsons Point Australia. Abagnale, FW 2007. Stealing your life: The ultimate identity theft prevention plan. Random House USA. Arata Jnr, MJ 2004. Preventing Identity Theft for Dummies. Wiley Publishing New Jersey USA. Hamadi, R Identity Theft: What it is, How to prevent it and What to do if it happens to you. Vision USA. Hasting, G & Marcus, R 2006. Identity Theft Inc: A Wild Ride with the world’s number one identity thief. Disinformation Company USA. Shenk, D 1997. Data Smog: Surviving the Information Glut. HarperCollins Publishing New York USA. Sullivan, B 2004. Your Evil Twin: Behind the identity theft epidemic. Wiley USA. Vacca, JR 2003. Identity Theft. Prentice Hall PTR USA. Media Releases – Governmental Blunkett, D 2003. “National ID Card to be introduced” Issued 11/Nov/2003. Accessed 14/Jan/2008 URL: http://press.homeoffice.gov.uk/press-releases/David_Blunkett__National_Id_Card?version=1
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Bibliography
Page 33
Papers and Submissions Department of Human Services Feb 2007 (1). Australian Government submission to the Senate Inquiry on the Human Services (Enhanced Service Delivery) Bill 2007. Canberra ACT Australia. Department of Human Services Feb 2007 (2). Supplementary submission to the Senate Inquiry on the Human Services (Enhanced Service Delivery) Bill 2007. Canberra ACT Australia. Department of Human Services 2006 (3). Access Card program Industry Briefing. Canberra ACT Australia. Presented 13/Dec/2006. Department of Human Services 2006 (4). Access Card program Consumer and Privacy Briefing. Canberra ACT Australia. Presented 13/Dec/2006. Dhamija, Racha; Tyger, J.D. and Hearst, Marti 2006. Why Phishing Works. Presented at 2006 CHI Conference April 22-27. Independent Commission against Corruption 2006. Protecting Identity Information and Documents: Guidelines for public service managers. Sydney New South Wales Australia. London School of Economics and Political Science 2005. The Identity Project: An Assessment of the UK Identity Cards Bill and its implications. Version 1.09 June 27. United Kingdom Home Office 2002. Entitlement Cards and Identity Fraud: A Consultation Paper. URL: http://www.homeoffice.gov.uk/documents/entitlement-cards?version=1 Published July 2002. Accessed 14/Jan/2008. Reports Australian Chamber of Commerce and Industry 2005. ACCI Review. Number 130 December. Government Accountability Office 2006. Electronic Government: Agencies face challenges in implementing federal employee identification standard. Washington DC USA. House of Representatives Standing Committee on Economics, Finance and Public Administration, 2000. Numbers on the Run: Review of the ANAO Report No. 37 1998-99 on the management of Tax File Numbers. Parliament House Canberra Australia. Office of Privacy Commissioner 2008. Draft Voluntary Information Security Breach Notification Guide Consultation Paper. April.
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Bibliography
Page 34
Internet Sites Advocacy Groups Australian Privacy Foundation http://www.privacy.org.au/ Electronic Privacy Information Centre (USA) http://www.epic.org/ Identity Theft Resource Centre http://www.idtheftcenter.org/ Privacy (resource centre) http://www.privacy.org/ Privacy International http://www.privacyinternational.org/ Transparency International http://www.transparency.org/ Governmental – Australia. Department of Human Services URL: http://www.humanservices.gov.au/ Office of Access Card URL: http://www.accesscard.gov.au/ Governmental – United States. Department of Homeland Security URL: http://www.dhs.gov/index.shtm Department of Transportation URL: http://www.dot.gov/
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Bibliography
Page 35
Parliamentary – Australia. House of Representatives Standing Committee on Economics, Finance and Public Administration Inquiry into the Tax File Number System URL: http://www.aph.gov.au/house/committee/efpa/tfnaudit/report.htm Senate Finance and Public Administration Committee Inquiry into Human Services (Enhanced Delivery) Bill 2007. URL: http://www.aph.gov.au/Senate/committee/fapa_ctte/access_card/index.htm Wikipedia (all accessed 29 April 2007 unless indicated). British Identity Card. URL: http://en.wikipedia.org/wiki/Identity_Card_Act Health and social services access card (Australia). URL: http://en.wikipedia.org/wiki/Health_and_social_services_access_card_%28Australia%29 Identity Theft URL: http://en.wikipedia.org/wiki/Identity_theft Real ID Act. URL: http://en.wikipedia.org/wiki/Real_id_act
2008 RMAA National Conference Adopting and Adapting
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Bibliography
Page 36
ACRONYM LIST
Note: The nationality of individual entities, if needed, is in parenthesises
Acronym Full Title AAMVA American Association of Motor Vehicle Administrators ANAO Australian National Audit Office DCRA Department of Consumer and Regulatory Affairs
(District of Columbia USA) DHS (Australian) Department of Human Services
(United States) Department of Homeland Security DMV Department of Motor Vehicles IG Inspector General NAA National Archives Australia NCSL (United States) National Conference of State Legislators NGA (United States) National Governors Association OAC (Australian) Office of the Access Card OPLD Occupational and Professional Licensing Department
(District of Columbia USA) SSA (United States) Social Security Administration TSA (United States) Transport Security Administration
2008 RMAA National Conference Adapting and Adoping
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Appendix One - Timeline
Page 37
APPENDIX ONE - TIMELINE
The purpose of this appendix is to provide a timeline on the program
development of the systems outlined part of this paper. The timeline is not
intended as a comprehensive listing of all items associated with the
individual programs (including any ascendant programs) but as a overview
of major events of milestones.
The timeline is divided into two distinct groups – events to June 2008 and
those occurring from July 2008. Events that form part of the initial program
rollout are highlighted in bold typeface.
2008 RMAA National Conference Adapting and Adoping
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Appendix One - Timeline
Page 38
Date Australian Access Card UK Identity Card USA Real ID
`3 July 2002 Consultation Paper release “Entitlement Cards and Identity Theft” by Home Office
24 June 2004 Program Launch – Medicare Smartcard
November 2004 – February 2005 Program announcement in Queens Speech
Bill Introduced into House of Commons (bill placed in abeyance due to 2005 general election)
Presidential/Congressional Election – George W Bush returned as President, Republicans retain control of Congress.
05 May 2005 General Election – UK Labour
returned to government
11 May 2005 Real ID statute formally enacted 25 May 2005 Identity Cards Bill introduced February 2006 Delivery of KPMG Business Case 30 March 2006 Identity Cards Act 2006
proclaimed.
26 April 2006 Program Launch May 2006 Launch – Consumer and Privacy
Taskforce (CPTF) chaired by Prof Alan Fels
June 2006 CPTF Taskforce releases Issues Paper
Nov 2006 CPTF Taskforce report delivered to government
13 December 2006 Draft bill released for comment
2008 RMAA National Conference Adapting and Adoping
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Appendix One - Timeline
Date Australian Access Card UK Identity Card 28 February 2007 Bill passes House of
Representatives
2 March 2007
15 March 2007 Senate Committee report presented
4 & 5 June 2007 Minister and Dept of Human Services indicate bill will be delayed until after federal election
24 November 2007 Federal Election – change of government
December 2007 Welfare Access Card program abandoned
11 January 2008
April 2008 Registrations Commence
11 May 2008
2008 RMAA National Conference Adapting and Adoping
Government Access Cards - A Key To Fraud And Identity Theft Reduction? Appendix One - Timeline
Future Events
Date Australian Access Card UK Identity Card December 2008 Registration of non-UK citizens
and UK citizens involved in sensitive roles
December 2009 Incentive program for specific categories to register commencement
January 2010 Program commencement
June 2010 Formal parliamentary vote on compulsory nature of program
December 2010 Incentive program for youth to register commencement
January 2011 Mass registration program commencement in conjunction with passport renewals
11 May 2011 December 2014
December 2017 80% population registered