Smart HKID

Personal Opinion by Allan Dyer

I would like to congratulate the organizers of the Smart HKID Forum, held on 6 January 2001, for arranging an excellent event. I was particularly struck by the quality of the questions from the floor. The audience obviously included people with practical experience and even expertise in many of the key technologies for the project: smartcards, encryption, biometrics and security planning.

It is because of this observed knowledge that I would like to repeat a request I made at the forum: that the Government should publish the security details throughout the project. The smooth response was that openness and transparency were good, but had to be balanced against the greater chance of “hackers” attacking if details were revealed.

However, I think that full publication will increase public confidence in the project and, ultimately, make it more secure. Security through obscurity is often flawed and fails; the DVD CSS protection scheme and the GSM encryption are just two examples of this. Not publishing the information does not prevent criminals from trying to obtain it by illegal methods, or from reverse-engineering the systems. If a criminal discovers a flaw, s/he will silently exploit it for his/her own gain.

Conversely, if the details are published, there are two benefits. More knowledgeable people will look at them, giving a greater chance of finding flaws at an early stage when they can be fixed more cheaply. Secondly, those knowledgeable people will be able to assure their friends, “this is a good project, and it will work securely”. Without the published details, those knowledgeable people can only say, “I don’t know, there are so many things that could be done wrong”. This works for the privacy concerns too: if enough details are known, we can see the privacy protections are working correctly.