State of Play 2020/wk14

Where to start.

Suppose I should mention coronavirus, as everyone else is: so there you go, I’ve mentioned it.

Protecting Identity

Government seems to have lost the plot. Single touch payroll (STP) requires more than a single touch, and is a time-wasting exercise. Now AUSkey is being replaced by myGovID. So people need to get new phones, to make use of a more secure operating system. But then people need to be irresponsible and stupid enough to upload digital copies of their information as a substitute for anyone having seen the original. The ATO isn’t the only organisation doing this; PayPal also does it. I rejected PayPal’s request around 2 years ago.

In the traditional approach, original documents were viewed (witnessed) by an officer of an organisation. They took black and white copies, stamped with the word “COPY” in red ink, then signed and dated. The copy could not be used as a substitute. For a start, original documents are not standard paper sizes; they are in colour, and are embossed or have watermarks. More modern documents are on plastic or have plastic or metal security devices embedded into them. The photocopies were likely spread across two sheets.

Then photocopiers improved: colour copying, roll feed and digital memory were introduced, along with wired and wireless networking. It thus became feasible for a copy to be mistaken for an original unless the document was closely scrutinised. It thus became advisable not to allow such documents out of your sight.

No organisation requires a copy of identity documents; all they require is token evidence that they have witnessed the originals. The PayPal and ATO systems, however, seem to be based on accepting the token evidence as an original.

To clarify, we have one or more organisations collecting digital copies of documents on their servers. These servers are declared as secure, just like the computer operating system and phone you had last year were supposedly secure. All is secure until the suppliers come to marketing this year’s piece of electronic junk.

So we have all these organisations with digital copies of identity documents. Copies which they use to identify you. Copies which can be taken from one organisation and presented to another organisation. No, can’t do that, because it comes from the phone over a secure network?

Where does it come from on the phone? The camera or scanner technology takes a scan of an original and creates a data block in memory or a file on permanent storage. The technology which transmits to the server then grabs this data block from memory or storage and transmits it. This data block or transmitted data stream can come from anywhere; it can be injected from anywhere. It does not require the original document and a camera; it only requires the digital copy, and knowledge of where the copy needs to reside in memory so that it can be transmitted. It is not a secure system: who cares about the encryption of the data stream in transit, who cares about how secure they contend their servers are? No one should have any kind of substitute document for your identity documents.

For a population which opposed the introduction of a national identity number and a national photographic identity card, the population sure has not shown any sense in running out and buying mobile phones (id: number), with cameras and GPS tracking, then plastering photos of themselves all over social networks, followed by complaining about loss of privacy and theft of identity.

STP and myGovID seem to have been imposed without thought or consideration, and this does pose questions of competence with regard to bookkeepers and tax accountants who have blindly jumped on the bandwagon. They argue that getting new phones for security is not an issue, but they miss the point: the system itself is defective, and the expense of a new phone is irrelevant. This mob for example: ‘Reasonable expectation’: ATO explains myGovID change

I don’t have an issue with proof of identity. I just have an issue with the proof being real proof, that cannot be replicated by anyone else. If digital copies are being accumulated by every idiot organisation, then there is a plentiful supply of documents to use elsewhere. A driver’s license is not meant to be used as an identification document except for managing traffic.

Sure, only driver’s licenses and Medicare cards may be considered, and maybe they are not easy to replicate. However, when these documents are used in their normal sense, no copy is produced; only the data on the cards is used. The Medicare card has a magnetic strip, for example. Bank accounts, meanwhile, are opened in person, and identity documents are witnessed in person. Thus ATM and credit cards are somewhat better identity documents. Not least because PayPal, for example, carries out a transaction with the bank, which is used to confirm that the person using the credit card has more access to the account than just knowing the number. How does the ATO confirm that the person using a driving license is the owner of the license?

interrupted for tea …