More Wasp photos (and a spider)

Posted in Photography by Will on December 10, 2006.

Side-On shot, as requested.

Wasp - Side-on view

Others, without the de-colouring

Wasp - Nectar
Wasp - Hold on Tight

 Spider, Spider.  Spider, Spider

The Australia Card Debate, Mark 2

Posted in IT, Rant, The Law by Will on December 10, 2006.

Before I get started, a quick rundown: the federal government’s “Access Card” plan is to have an all-purpose card, used for accessing government services. This card would contain a smart-card chip, which would store certain information, as required by each government agency you use. There is also discussion that there will be a certain amount of capacity left on the card, which businesses and users could use for other functions.

I’ve been listening to Background Briefing from today titled “Getting smart: The Access Card”.

In it, Joe Hockey, MP (Minister for Human Services, Federal Minister for North Sydney) gives some comments in support of The Australia card.
“The only information we’re going to hold [in the government database connected to the card] is what’s already on the face of your drivers licence”, Mr Hockey then goes on to say “So, if someone tries to break into that database, [...] if they try to break into this, the only thing they’re going to find out is what already they can find out by stealing your wallet”.

Great, Joe - I’m glad you’re an IT security expert. Oh, wait, you’re not. In fact, on his “Meet Joe” page on his site, I can’t find any sort of information to indicate that he has any sort of IT knowledge. Joe repeatedly describes the card as a “mini ipod”, which demonstrates a stunning lack of understanding as to how the technology works.

There are two parts to this “Access card”:

Part 1: The back-end / central database - This will apparently only contain some basic information about you - at first.  It’ll be controlled by the government, with access to only government agencies.

Part 2: The actual card, or rather, the smartcard chip - This will store all sorts of information. Initially, it’s slated to replace Medicare, Veterans Affairs, and Centrelink Benefits cards. Mr Hockey says however that people will be able to connect it to their home PC, and place information on the card - such as medical history, etc., as desired. Joe even says that you may choose to store other data: Bank account information, shopping lists, Australia Post, etc.

What relationship the card will have to the backend is unclear as yet. Mr Hockey says that they don’t want to store anything beyond the basics (so, your basic stats - as per your drivers licence).

OK, so let’s go from here -

Someone breaking into the central database will “simply” steal information on nearly 21 million people. Sure, it’s “only” drivers licence info, but hey - it’s a great start.
With this information, I could call up Telstra, and connect or disconnect services. Yeah, I’ll probably need an account password - but, since I’ve got this huge database, I can probably quite easily dig up the names of family members. “Oh, sorry, was the password ‘Jimmy’, or maybe ‘Mary’? I’m so forgetful”.
OK, so it’ll be significantly better protected, but I doubt it can be secured quite like the ATO databases (which are, presumably, isolated from the public networks).

The main issues I have are to do with the card itself. To allow confidential data to be stored on the card itself is to encourage its wholesale misuse. I’m not talking about the card being used as an all-purpose identity card - that’s pretty much a given (just like a drivers licence is now).

There are promises that the data embedded by government agencies will be secured from duplication - it’ll need a PIN code to be validated by the card itself, and will only be able to be decrypted by authorised users.

Regardless, I still don’t trust it - there will be (unsecured) space for others to store data on (video rental companies, supermarkets, whomever else asks for you to load your card on). Just having companies ask you for this card, which contains so much data (even if it is secure by today’s standards) is risky. 
You’re trusting that a business won’t look at any of the other data on the “public access” section of the card - either intentionally (spying on what other services you use, and grabbing all that other data), or unintentionally (say, by poor software design).

Implementing a card like this is one thing - updating the cards in a timely fashion when security issues arise is entirely another. I’m certain that it’s a when, not an if - if we have learnt anything about IT security, it’s that nothing is secure for any appreciable amount of time.

Already, someone has demonstrated that they can copy the content from the e-passports. They can’t modify the data, but they can load it onto another smartcard. Combined with some other functions, that person can then pass through the automated immigration control gate at places like Sydney Airport. 
What makes it worse, is that someone could quite easily do this without you ever knowing it. Since the e-passport is contactless (meaning there’s no electrical path from the chip to the reader), someone can walk past you with a specialised receiver, and duplicate the content of every e-passport within range (50 feet or more, if the right type of antenna was used).

What’s the solution? I’m not certain as yet.
Yeah, I criticise politicians who bag something out, without giving an alternative solution - but this is a major, wide reaching scheme. 
Do we need some sort of reform with regards to Identification to government agencies? I’m not sure - quite possibly. 

I am certain that we don’t need a central identity card which has such potential for misuse. We already have relatively secure means for identification - a Drivers Licence or Passport will suffice for all of those, that I can see.