Over the coming months Australia will gamble all on a rollout of the biggest foray into biometrics to date. In the wake of the 2005 federal Budget, the government is banking on an integrated border security solution that will stretch across passports issued to Australian citizens, airport entry systems and immigration authorities.
Set to affect nearly all Australians, the new system is intended to drag passport control and border processing into the 21st century while securing the identity of millions of Australian citizens.
Known as ePassport, the new system, according to Foreign Minister Alexander Downer, will allow a person's passport photo to be used to create a "detailed electronic portrait of their face".
"The portrait will be stored on a tamper-proof microchip inside the passport. A computer will then compare this electronic portrait to the face of the person presenting a passport at an airport," Downer adds.
At the same time, the Australian Customs Service is pushing ahead with its SmartGate facial recognition scanner which aims to shake hands with the portrait of the newly Web-enabled travelling Australian.
So far the initial rollout for the government's big biometric push is slated to cost $67.53 million over four years for biometric passports, while SmartGate will receive $74.6 million to "automate border processing using ePassports", according to budget papers.
The Attorney General's department will also spend $5.9 million over two years to develop what it calls "a national identity security framework that is strong, consistent and interoperable" to help tie in what are known as breeder documents for passports from both vehicle licences and births, deaths and marriage registries across each of the states.
Add this to social welfare agencies such as Centrelink introducing fingerprint scanning for thousands of staff and it's not difficult to see why many groups' advocates are becoming increasingly concerned.
Global standards on the fly
One biometric authority who is not buying into paranoia is the former IT manager for Passports Australia, Terry Hartmann. Having chaired the United Nations accredited International Civil Aviation Organization's ePassport Task Force, and authored its Biometrics Deployment Technical Report (a biometric interoperability standard for 188 nations), Hartmann remains confident passport biometrics are, viable, cost-effective and a move forward.
Currently employed by Unisys as its Asia-Pacific director of homeland security, secure identification and biometrics, Hartmann said from where he sits, both biometric passports and SmartGate will realistically work and scale to the mass markets they are envisioned to serve.
"SmartGate is doing one-to-one verification. If you are talking about scaling with biometrics you are talking one-to-one. It doesn't matter how many people are enrolled, it's still [a single] comparison. It's not the be-all and end-all though and there are many other techniques customs officers follow in terms of making a decision," Hartmann says, adding it has already been working for two to three years.
Hartmann nominates July 2006 as the date by which wholesale biometrics will become a reality, by virtue of mandated biometric passport deadlines in the European Community. However, he concedes it may also take a decade for older passports to be updated with biometric versions.
"By the end of next year you will have quite a number of people with chips in passports. People will get used to it."
But Hartmann is also cautious about the appropriate use of biometrics, arguing its application to more domestic solutions such as the mooted Human Services card, or indeed the taxation system may not be warmly embraced by the general public.
Rather, he says integrity of so called "breeder documents" - such as registry certificates or drivers licences - needs to be improved. As for whether the $5.9 million budget allocation to tidy up identity frameworks and interoperability across state registries, federal agencies and the Tax Office will be enough, Hartmann is philosophical.
"If [breeder documents are] a mess, your identity documents will be a mess too," he says, adding the $5.9 million should suffice to identify the scale of current problems and devise a framework. Cleaning it up may cost more.
How soon is now?
If Hartmann is optimistic that biometrics will be kept in check from Orwellian tendencies, former Australian Federal Police computer forensics investigator Neil Campbell is more wary about potential abuses.
Similar to Hartmann, Campbell finds himself speaking frankly on such thorny topics only after leaving the government to join systems integrators, Dimension Data as national security practice manager.
Having seen the darker side of humanity firsthand, Campbell worries that biometrics may be another silver-plated bullet rather than a real solution, and also open to abuses.
"If you give up your fingerprint and a government doesn't have the best of intentions, it could use that fingerprint to mimic you...to validate that someone [else] is you," Campbell warns.
Openly sceptical about how such technology can be reverse-engineered, he warns people should not take promises of unique identifiers at face value.
"The issue with biometrics is that people tend to give it a greater level of credence than any other form of identification. So many biometrics systems have been shown to be fallible. If we are using facial recognition to recognize people walking in the street you're not as likely to be able to implement a second factor of identification. That might be enough for some bad things to happen," he says.
Moreover, Campbell feels misguided faith may lead to reliance on what he calls a flawed technology.
"If a fingerprint becomes compromised, how do you revoke it? You only have 10 fingers. I'd much rather see certificates or alternatives. We already use [biometrics] in the form of photographs in the context of a drivers licence or a passport.
"I don't then see why we have to extend [biometric identifiers] into as many fields as possible just because the technology lets us. At least with certificates you can revoke it, nobody can use it again and you can have a fresh certificate and start to re-authenticate," he argues.
While conceding large-scale PKI rollouts have largely failed, Campbell feels a valuable lesson could be to use digital certificates only for specific uses rather than as a single-size-fits-all solution.
In terms of protection, Campbell is particularly sceptical about the use of cryptography to protect biometric identities, saying the value encryption has been misinterpreted as a form of bulletproofing.
"The cryptography world accepts cryptography's job is to slow people down so by the time they get to the information, it is not worth anything. There's an acceptance that given enough grunt, you can crack anything. A combination of computing power and new attacks means we have to accept that cryptography is not a foolproof, long-term protection.
"If you are going to lock up my identity, make it safe ... don't just make it safe for now," he says.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.