Queensland Smartlicence, Part 3

Following up from the last response I received, I’ve asked for some more clarifications. Here they are:

From: Phil
To: newlicence@transport.qld.gov.au
CC: TTEIR@ministerial.qld.gov.au, email@efa.org.au
Date: 23 February 2009 09:20
Subject: Re: Details of measures to protect privacy, security and confidentiality of data contained in smart card drivers licences

Thank you for your reply. Please see below for comments, clarifications required and additional questions.

> Please be aware, at this point in time, the Department is not able to
> provide detailed answers to all your queries although it is anticipated
> this information will be available publicly in the future once procurement
> is completed and all the technical aspects of the project are finalised.
> Specifically with regard to the detailed technical specification you are
> seeking for the Public Key Infrastructure (PKI) to be used, the Department
> is still undertaking procurement for this and the relevant Certificate
> Policies are yet to be finalised.

Once this information is available, will there be a public review period? Will methodologies used in the evaluation process, with regards to the above issues be made available for scrutiny?

If it is found that the procured technologies are not satisfactory, what actions can be taken by the public?

While IS42 Principle 4 may have been applied, this does not specify (nor should it) actual methods or technologies to be used. In applying IS42 Principle 4, adequate review of used technologies should be undertaken to ensure that the chosen solution satisfies the principle.

> The use of PKI on the smartchip enables functions such as:
> · authentication of the card to make it easier to identify
> fraudulent licences
> · control of access to information stored on the smartchip and
> · authentication of the cardholder to Queensland Transport systems.

How will the failure of a smartchip be handled? It is unreasonable to assume 100% reliability, and anecdotal evidence (use of smartchips in credit cards) suggests that failure rates can be quite high, due to the harsh “wallet” environment that cards are subject to. Add to this a 5 year lifespan, and the failure of a smartchip becomes a significant factor.

Will the failure of a smartchip mean a licence will be deemed invalid, or worse, a forgery? If the smartchip is relied upon to prove the authenticity of the card, then a failed chip will either be taken to indicate a fraudulent licence, or be common enough that it is not relied upon. Either way, this does not add to the security, and could potentially lead to large inconvenience due to false assertions that licences are not valid.

> Queensland Police and Transport Inspectors will be able to insert the
> licence into a smartcard reader that will interact with the smartchip in
> the licence to confirm it is genuine. The reader will also enable them to
> view licensing information and the cardholder’s address stored on the
> smartchip. Queensland Police will also have access to emergency contact
> details in emergency situations if the licence holder chooses to include
> this information on their smartchip.

Again, what are the policies and procedures that apply if the smartchip is not functional? If this capability is used to verify the authenticity of a licence, then a failure of the smartchip may lead to the assumption that the licence is fraudulent. Alternatively, a fraudulent licence could be made with a non-functioning smartchip, greatly reducing the “anti-fraud” advantages that the smartchip is supposed to grant.

> It is planned that licence holders will also have the option to insert the
> smartcard into a smartcard reader to allow third parties, such as
> businesses, to verify the authenticity of their licence. One of the most
> important security features of the smartcard driver licence will be the
> PIN, which will enable cardholders to control who they want to share their
> information with. If they are authorised by the cardholder, it is planned
> third parties, such as businesses, will only be able to ‘read’ specific
> stored information on the smartchip, namely the same information which is
> shown on the face of the smartcard plus address details. PKI will also be
> used in this instance to ensure data is transmitted securely between the
> smartcard and the third party application. There will also be an offence
> introduced to protect the cardholder’s secure information. A fine of up to
> $2000 will apply if information that is electronically stored on the
> smartcards has been unlawfully accessed.

What policies are in place to ensure that businesses who do have access to licence information (through the use of smartcard reader/pin) are obliged to apply appropriate measures to ensure the privacy and security of data? Are they subject to IS42? If so, how is compliance managed?

Are there separate fines applicable to individuals and businesses who mis-use or unlawfully access information on the smartchip?

> Although it is technically feasible to store other information or
> Government authorisations on the smartchip, the Department has no current
> plans for the expansion of the smartcard to take on new applications. If
> this did occur in the future any additional or future functionality for
> the smartcard would have to undergo a rigorous individual assessment
> process consisting of a:
> · business case analysis;
> · individual privacy impact assessment;
> · analysis of impact on the consumer; and
> · review of current legislation and, if appropriate, legislative
> change.

A public consultation should be included in this assessment process.

Thank you.

Queensland Smartlicence, part 2 – first reply

Here’s the response I received to my first email regarding the new smartlicence. There are a number of points I’m not happy about, and I will post my reply when I’ve sent it.

From: newlicence@transport.qld.gov.au
To: Phil
CC: TTEIR@ministerial.qld.gov.au, email@efa.org.au
Date: 9 February 2009 15:27
Subject: Re: Details of measures to protect privacy, security and confidentiality of data contained in smart card drivers licences

Dear Mr Cole

Thank you for your correspondence on 30 July 2008 and 23 January 2009 on the Queensland smartcard driver licence and apologies for this delayed response. The concerns you have raised have been noted by Queensland Transport and these are addressed individually below.

Please be aware, at this point in time, the Department is not able to provide detailed answers to all your queries although it is anticipated this information will be available publicly in the future once procurement is completed and all the technical aspects of the project are finalised. Specifically with regard to the detailed technical specification you are seeking for the Public Key Infrastructure (PKI) to be used, the Department is still undertaking procurement for this and the relevant Certificate Policies are yet to be finalised.

When the smartcard licence is introduced, standard licensing information and conditions will appear on the face of the licence, along with the cardholder’s personal details. The cardholder’s address will be removed from the face of the card and stored on the smartchip. Licence holders, particularly women, have indicated they would feel safer if their address was not on the face of their card, giving them greater control over who they share this information with.

It is planned that the smartchip in the driver licence will contain:
· standard licensing information (which is also displayed on the card face) including the licence number, classes held, expiry date (or dates relating to various licence types and classes) and conditions
· the cardholder’s personal details, including their name, date of birth, sex, height and address
· digital certificates (allowing authentication of the card and cardholder and authorisation of access to information stored on the smartchip)
· the licence holder’s PIN
· the licence holder’s ‘shared secret’ to reset the PIN and
· an optional feature to include emergency contact details.

The use of PKI on the smartchip enables functions such as:
· authentication of the card to make it easier to identify fraudulent licences
· control of access to information stored on the smartchip and
· authentication of the cardholder to Queensland Transport systems.

As well as looking at the smartcard to verify its authenticity, Queensland Police and Queensland Transport Inspectors will have specially configured handheld smartcard readers to access the information stored on the smartchip. Only Queensland Police and Queensland Transport Inspectors will have the specially configured smartcard readers and there will be strict procedures for their use and storage. The readers will have a Secure Access Module (SAM) card, like the smartchip in the licence, requiring PIN authentication and will also use PKI to allow access to information stored on the chip. The SAM card will be issued and administered by the Department and its effectiveness will have a finite lifespan to protect the integrity of the security arrangements governing its issue and use.

Queensland Police and Transport Inspectors will be able to insert the licence into a smartcard reader that will interact with the smartchip in the licence to confirm it is genuine. The reader will also enable them to view licensing information and the cardholder’s address stored on the smartchip. Queensland Police will also have access to emergency contact details in emergency situations if the licence holder chooses to include this information on their smartchip.

Police in other states will use their current processes to authenticate the new Queensland driver licence and will also have access to the National Exchange of Vehicle Data Information System (NEVDIS) if they need to verify the address of a licence holder.

It is planned that licence holders will also have the option to insert the smartcard into a smartcard reader to allow third parties, such as businesses, to verify the authenticity of their licence. One of the most important security features of the smartcard driver licence will be the PIN, which will enable cardholders to control who they want to share their information with. If they are authorised by the cardholder, it is planned third parties, such as businesses, will only be able to ‘read’ specific stored information on the smartchip, namely the same information which is shown on the face of the smartcard plus address details. PKI will also be used in this instance to ensure data is transmitted securely between the smartcard and the third party application. There will also be an offence introduced to protect the cardholder’s secure information. A fine of up to $2000 will apply if information that is electronically stored on the smartcards has been unlawfully accessed.

Advanced PKI technology will be used to keep all information stored on the smartchip safe and secure. Any attempt to crack the smartchip will be extremely expensive and would most likely only crack an individual card, not the whole card system. Each smartcard uses different keys to ensure that a breach of one card does not result in breaching the whole system. PKI arrangements will be in strict adherence to relevant legislation. Any authorisations issued will only be valid for a limited period before renewal is required.

Although it is technically feasible to store other information or Government authorisations on the smartchip, the Department has no current plans for the expansion of the smartcard to take on new applications. If this did occur in the future any additional or future functionality for the smartcard would have to undergo a rigorous individual assessment process consisting of a:
· business case analysis;
· individual privacy impact assessment;
· analysis of impact on the consumer; and
· review of current legislation and, if appropriate, legislative change.

When the new smartcards are introduced, comprehensive information will be produced by Queensland Transport and made available to all cardholders. This will clearly describe how the smartcard works, the nature of any information stored on the smartchip, procedures to update the information and Queensland Transport’s Privacy Policy.

In addition, the Department has a Complaints Management Policy in place that will address any grievances. If, after contacting Queensland Transport, the complaint has not been resolved, members of the public will be able to contact the Queensland Ombudsman.

Further information is also available on this initiative at www.transport.qld.gov.au/smartcardlicence

Yours sincerely,
The Queensland smartcard driver licence project team
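The Department's claim above that each card uses different keys, together with the question raised in the follow-up email about what a reader should conclude when the chip has failed, can be shown with a small simulation. This is an added example, not code from the correspondence or from the project; since the PKI design is unspecified, it substitutes HMAC-based key diversification (a reader-side SAM holding a master key) as a stand-in, and the master key and card identifiers are constructed placeholders.

```python
import hmac
import hashlib
import os

# Constructed placeholder: the master key would live only inside the reader's SAM.
SAM_MASTER_KEY = b"constructed-placeholder-master-key-not-a-real-value"


def diversify(master: bytes, card_id: str) -> bytes:
    """Derive a per-card key from the master key and the card's identifier.
    HMAC is one-way, so a key extracted from one card reveals nothing about
    any other card's key, let alone the master key."""
    return hmac.new(master, b"card-auth|" + card_id.encode(), hashlib.sha256).digest()


class SmartChip:
    """Toy chip: holds its identifier and its own diversified key."""

    def __init__(self, card_id: str, key: bytes, functional: bool = True):
        self.card_id = card_id
        self.key = key
        self.functional = functional

    def respond(self, challenge: bytes):
        # A physically failed chip returns nothing at all.
        if not self.functional:
            return None
        return hmac.new(self.key, self.card_id.encode() + challenge, hashlib.sha256).digest()


def issue_card(card_id: str, functional: bool = True) -> SmartChip:
    """Personalisation at issue time: load the card's own key (constructed ids)."""
    return SmartChip(card_id, diversify(SAM_MASTER_KEY, card_id), functional)


def reader_check(chip: SmartChip, master: bytes = SAM_MASTER_KEY) -> str:
    """Reader-side verdict. A silent chip is reported as UNVERIFIED, a
    separate outcome from FORGED, so chip failure alone is never treated
    as evidence of fraud; the reader falls back to visual checks or NEVDIS."""
    challenge = os.urandom(16)
    answer = chip.respond(challenge)
    if answer is None:
        return "UNVERIFIED"
    expected = hmac.new(diversify(master, chip.card_id),
                        chip.card_id.encode() + challenge, hashlib.sha256).digest()
    return "GENUINE" if hmac.compare_digest(answer, expected) else "FORGED"
```

A card carrying another card's key (the "breach of one card" case) fails for any other identifier, while a card whose chip has died is neither accepted nor flagged as a forgery.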

Queensland Smart licence enquiries – part 1

Queensland Transport is introducing a new “Smart Licence” for Queensland. I think this is a BAD idea. Here’s the first (well, first that was responded to) email. I’ll post more as I get replies.

From: Phil
To: newlicence@transport.qld.gov.au
CC: TTEIR@ministerial.qld.gov.au, email@efa.org.au
Date: 23 January 2009 10:38
Subject: Details of measures to protect privacy, security and confidentiality of data contained in smart card drivers licences

To whom it may concern,

I have previously enquired about privacy, security and confidentiality of the proposed new Queensland Drivers Licence (30 July 2008). I have not yet received any response to this, hence the second contact, including the Minister for Transport, Trade, Employment and Industrial Relations. I have also included the Electronic Frontiers Australia group, as they are an important organisation representing on-line freedoms and rights for internet users. Due to the nature of electronic data storage, this is particularly relevant.

I would like to have the following questions answered. As I will be a consumer of this technology when it is released, I, and the public of Queensland, have a right to know the details of the technology, to fully understand the implications that it will have for me. Given that a Queensland Drivers licence is a de-facto state identification document, the ability to “opt-out” is not realistic for the vast majority of the population.

It should be noted that the release of detailed technical specifications of encryption, data protection and access control measures does not compromise the security of such measures. Relying on the secrecy of security schemes, known as “security through obscurity”, contrasts with “security by design”, which relies on well designed algorithms and systems, in conjunction with strong cryptographic keys, to provide security. “Security through obscurity” requires systems and algorithms to be kept secret, which prevents peer-review of the system to ensure it is robust. See http://en.wikipedia.org/wiki/Security_through_obscurity and http://en.wikipedia.org/wiki/Security_by_design

1) Please provide details of access to personal information by police and other authorised parties. Detail the audit processes used to detect potential mis-use of access. Also detail the penalties that apply to such mis-use.

2) Provide detailed technical specifications of the scheme used to restrict access to data by the use of a PIN. If different protection mechanisms are used for different segments of memory, provide details here.

3) Provide detailed technical specifications of the public key infrastructure which allows authorised officers (such as police) access to information stored on the smartcard without the use of the PIN. Include the process for key revocation in the case a unit used for these purposes is lost or stolen, or keys are otherwise compromised.

4) Provide details of any intended future uses, as mentioned as “Future applications”, of potential expansion of use.

Please do not hesitate to contact me via mail, email or phone, as detailed below. I look forward to your response.

Phil Cole