Finding The Delicate Balance In Security And Privacy

For some, the efficiency of authentication via identity has become a convenient necessity of day-to-day life. Others value their privacy even if it means forgoing that convenience. While eID card solutions have become indubitably instrumental to the further development of countries, there are still countries that are willing to opt out in the name of absolute confidentiality of each person’s personal information. CardsNow! hears from Identive and its take on the relevance of eID cards for the future, as well as the possibility of co-existence between security through authentication and privacy. Jokim Woo, its Regional Sales Manager, talks about having the cake and eating it.

CN: While eID card solutions have come a long way, in terms of complexity & advancement in diversified methods of authentication & data storage, do you believe that eID technology is nearing the pinnacle of its evolution or that it still has more to offer?

Jokim: I still remember the world’s very first eID card which incorporated both photo ID and biometrics, the Malaysia MyKAD, and I was also involved in the Hong Kong ID card tendering in 2001. eID cards have continued to grow in sophistication, adding more and more security features from advanced chip and printing technologies. I believe they will keep evolving through time and new technologies will continue to be utilized to enhance the security of the eID document, as well as to preserve the document holder’s privacy and authenticity. After all, an eID is necessary for citizens to exercise their rights and responsibilities and such rights need to be protected securely in order to preserve trust; this builds confidence at the issuing and receiving ends in it as a trusted medium to exchange sensitive information and to guarantee the identification of the document holders and the e-service providers.

The coming challenges I see are how chip and printing technologies will evolve to accommodate more information and storage, faster exchange and processing, with newer security algorithms and features, on a limited space – basically the size of a bank card or passport. In particular, I am expecting to see more powerful, higher memory chips with thinner layers of various security and storage features yet to come.

It may sound like science fiction, but ultimately, I believe each eID might even store our DNA one day, as our unique genetic information cannot be falsified or discarded, at least not with today’s technology. The challenge I see is not in storing it, but the reasonable time to extract DNA information from the identifier, and each country’s privacy.

CN: We’ve seen a wide variety of ID applications in the card industry. Share with us what you see as the upcoming trends & demands of eID card solutions. What is going to be the next big idea?

Jokim: There are three functions of importance for ID applications that link back to the computer security industry. They are Authentication, Authorisation and Auditing (AAA). I believe eID applications will revolve around these three pillars in order to provide us with needed security even as they enhance our personal and business lives by making electronic transactions more efficient and simpler. Furthermore, as e-government services evolve, there could be some interesting trends that develop in e-Service as a whole.

By combining the observations above, it is not difficult to predict that cloud-based eID AAA services may become an important trend. This would allow our identification to be replicated securely (often in the form of the stored certificates). Depending on the level of accessibility and authentication required, one could access various e-services offered by different entities covering both private and business use without the card holder’s physical presence.

Having said that, it also depends on a country’s political climate. Take the EU as an example: the next big idea or urgent need may be the interoperability of eID cards across all EU countries to facilitate citizens of the various member states to share, use and harmonize their national identities across virtual borders.

CN: While the importance of having a form of authentication of each individual is undeniable, there are still countries that believe having an ID system in place would be an intrusion of their citizens’ privacy. How would you address this fear/issue of the importance of verification versus the importance of privacy?

Jokim: Yes, you are absolutely right. Authentication sometimes can be a double-edged sword. Excessive disclosure of an identifier’s information can lead to serious privacy issues despite the initiative to protect access to that data through authentication. This is especially true when an individual’s information can be aggregated from distributed applications for both personal and business whereabouts. There are even some technology providers suggesting the use of GPS coordinates as one of the inputs to the authentication formula, which creates additional issues and concerns for privacy.

There is a saying: “We fear what we don’t know, to overcome fear is to face it.” Government or other eID issuers need to take up the role to implement and discuss openly with their citizens how they are addressing critical privacy issues. They must address the importance of authenticating an individual through the use of eID documents and systems, and how privacy can be protected at the same time. One possible way is to follow the German eID approach by supporting special functions on eID that allow unique identifiers and data disclosure to a certain extent, and at the same time restrict identification by using pseudonyms generated with a revocation feature. This prevents the service provider from being able to cross match the data and identify specific citizens. I believe there are many different ways to achieve a good balance, but the principle must be to address both authentication and privacy needs at the same time, at the same level of importance without compromising – and that’s the challenge.

CN: Can there be a balance between the importance of having an ID system and freedom of privacy? What would be the tipping point (like the 9/11 terror attacks in the USA)?

Jokim: It is an interesting question. However the US, Australia and New Zealand are the few countries (out of 42 countries excluding the EU 25) that are not planning to issue nationwide eIDs in the near future. The UK also chose to remove the ID card since 2010 and to use ePassports solely.

There are many factors and I do not see a common tipping point impacting the launching or not of an eID system for each country. Privacy concerns have caused Canada and Australia to drop their eID projects. Budget and financial issues were the stumbling blocks for Korea and the UK. In the US, the unregulated environment for data protection as well as privacy concerns hinder eID initiatives. On the other end of the spectrum, for countries that have already implemented eID systems, eID can be a strong platform for both business and government as citizens become familiar with the system and new services are offered over time. This is true for example in China, Taiwan, Japan, Malaysia, Singapore and Hong Kong, where eID has successfully been in operation for more than a decade and services keep evolving around the eID card and system.

This is the challenge for companies like Identive, to identify which approach should be used in particular scenarios as we address eID projects globally.

CN: Applications are making their way into personal handheld devices such as mobile phones, ID mobile solutions included. How would the physical smart cards remain an imperative if not undeniable as more users shift their preference into consolidating data into one device for convenience?

Jokim: We are in a multiple-dimensional ID world. We are facing identity diversification – with more and more applications and websites requiring a new registration and identity; and at the same time, many applications and websites are converging – by using some commonly used identity such as a Facebook, Google, Apple or MSN account as the means of identification. And yes, accessing the same information through one’s mobile or tablet makes the problem exponentially more complicated.

As mentioned earlier, I see a trend for eID in the cloud around AAA services. One’s ID or its derivatives can and will appear in different forms with different strengths for different application needs. It might not consolidate into one device but it would be more like a replication, in a distributed form on the cloud in various systems. This may sound terrifying as one would think that one’s identity could spread everywhere. However, the application and infrastructure will be properly implemented so that such distribution and replication is seamlessly managed without the awareness of the identifier, while the right for revoking one’s identity (or its derivatives) still remains in the hands of the identifier. I believe this is where the future of identity will be: a distributed but centrally controlled identification scheme, where user convenience and application-user identification demands meet.

Source: CardsNow2U