Version of 27 May 2017


For the last two decades, governments have been trying to establish online mechanisms whereby a person can affirm to a government agency that they are who they say they are, or that they have a particular characteristic(over 18, over 65, recipient of a disability pension, etc.).

Many of the proposed schemes have been extraordinarily privacy-invasive, because they would expose a vast amount more personal data than is justified, and to far more than just the relevant government agency.

The APF has made submissions in relation to many of the projects that have been initiated and later withdrawn. Those submissions are indexed here, including the most recent specific submission. They have been drawn onin order to express this short statement about how any such project shouldbe approached.


The APF proposes the following as necessary minimum principles for anyOnline Authentication Framework:

PROCESS

1. An Open, Participative Design Process

Any such scheme must not be conceived behind closed doors, and must not seek ‘security through obscurity’. It must involve and engage all relevant parties, including and especially representatives of and advocates for people, and information flows about the project must be open to all parties. Greater detail on the characteristics of an appropriate process are in the APF’s Policy Statement on Meta-Principles for Privacy Protection.

2. Comprehensive and Inclusive PIA

A Privacy Impact Assessment process must be intrinsic to the project, must be well-informed, must engage closely with advocacy organisations, and must result in not only a public report but also in a register of the privacy issues identified, and the specific features of the design that address those issues. Greater detail on the characteristics of a PIA process are in the APF Policy Statement on PIAs.

DESIGN

3. Minimisation of Exposure of Personal Data

Where all that is functionally necessary is confirmation that the person has a particular characteristic, attribute authentication should be performed, and the person’s identity should not be declared.

This can be achieved by the individual using a pseudonym, but signing the assertion that they are making (e.g. ‘I am a citizen or permanent resident’) in a manner that can be recognised by the authentication service provider that the individual nominates, and only by that provider. The organisation that seeks assurance provides the assertion details to an authentication services provider, and receives no data back other than a yes or no (or a ‘badly formatted request’ response).

4. Subject to the Individual’s Consent

The act of disclosure to the enquirer must not be based on the assumption that the enquirer is behaving appropriately. The individual must control thewhat and when of disclosure, in relation to each requested data-item.

5. Many Alternative Providers of Authentication Services

A centralised scheme is under no circumstances acceptable, because it concentrates power and will be abused, whether the operator is a government agency, a corporation or a ‘public-private partnership’.

A scheme must feature a sufficient number of providers of authentication services, such that people have a choice, and can use multiple of them.

Financial institutions are in a strong position to provide such services, because they already conduct sufficiently strong registration processes to pre-authenticate their clients.

6. Two-Sided Authentication

Trust-building is a two-way street. People must also be able to assure themselves that they are dealing with the government agency that they think they are communicating with.

7. Secure Transmission of Personal Data

Contemporary good practices must be applied, and specified minimum, baseline standards must be mandated.

8. Secure Storage of Personal Data

Contemporary good practices must be applied, and specified minimum, baseline standardsmust be mandated. See APF’s Policy Statement on InformationSecurity

9. Safeguards, Controls and Sanctions

The scheme must be designed to detect errors and abuse, with criminal offences and substantial sanctions enacted and applied to persons or organisations that fail to comply and that perform acts that breach security or privacy.

10. Tight Controls over All Access Other Than by Consent

All forms of data access other than with the individual’s consent, by any organisation, including and especially by law enforcement and national security agencies, must be subject to a properly-managed judicial warrant scheme, including online application by appropriate agencies to judges, but without exceptions for any agency or circumstance.

11. Certification

The security and privacy aspects of the scheme must be subject to review and public reporting by suitably-qualified third parties that have not been involved in the scheme’s design. This must include point-by-point evaluation of the extent to which the privacy issues identified by the PIA have been actually addressed.

REVIEW

12. Audit

The operation of the scheme must be subject to ongoing audit and public reporting, and periodic review, in order to ensure the identification and management of issues that arise, and the adaptation of the scheme to new needs and challenges.