The Australian Government’s Digital Identity Bill, which paves the way for a ‘whole-of-economy’ digital identity system, is expected to be tabled in Federal Parliament later this year.
After two rounds of public consultation, experts have, however, raised concerns around governance, cybersecurity, ethics and privacy blackspots within the Trusted Digital Identity Framework (TDIF) – the digital ID accreditation guidelines that underpin this legislation.
As the Government looks to expand the digital identity scheme, identity experts fear the entry of private businesses will open up more security and privacy fault lines. Some argue that the entire concept of identity-based authentication needs to be revisited, while others, including Australia Post, have questioned whether businesses that do implement Digital Identity will be able to get a return on their investment.
Who’s the system really for?
Since 2015, the Government has reportedly invested upwards of $500 million in developing its digital identity system.
However, technology experts, including the Australian Information Industry Association, have raised concerns over the scheme, with uncertainties around how both the digital identity system and TDIF accreditation system will be regulated.
Among the critics is Dr Greg Adamson, chair of the Digital Inclusion Identity Trust and Agency (part of IEEE Standards Association) a global body tasked with “identifying low-risk approaches to digital identity” and addressing current and future governance challenges for the technology.
Adamson argues that the Position Paper for the second phase of the public consultation on the Bill confirms that the Government’s focus remains squarely on transactions and industry development of digital ID as opposed to wider community benefit.
He is also concerned about the lack of clarity for retaining biometric data. While the latest position paper states that data will not be retained except for fraud detection activities, such data could conceivably be kept “forever”.
The need for greater protections was highlighted during the Data, and Digital Ministers’ Meeting held on 23 July. Attendees noted that the Digital Identity Bill needs to “enshrine into law a range of privacy and consumer protections, governance, and oversight arrangements” that could support the safe expansion of digital identity.
Adamson notes: “The Government is trying to create a structure to underpin the widely accepted digital identity without a solid, stable core of who will oversee, who will provide, and without a clear view of who needs a digital identity.
“Even if half a dozen service giants decide to really make a go of this, it’s unclear if they’ll be successful.”
Working within the guardrails
In July this year, Sydney-based digital ID developer OCR Labs became the first private business to gain accreditation under the TDIF to offer digital identity services to its clients, joining Federal Government agencies Services Australia (myGovID), the Australian Tax Office and Commonwealth entity Australia Post as accredited digital identity providers.
The company worked closely with the DTA to meet the agency’s 262 privacy, security, and resilience accreditation requirements. OCR, which has clients across the banking, finance, telecommunications, and government sectors, uses proprietary ID scanning and facial recognition technology on its automated, contactless identity verification platform.
OCR Lab’s head of risk and compliance, Paul Warren-Tape, says he understands community concerns around the use of a digital identity system. He hastens to add, however, that the Government has put guardrails in place.
“The TDI framework itself is very much principles-based – the same as the Privacy Act. So it gives us the ability to implement it as we deem fit. We prefer that and to overlay our tech with international standards around privacy and security.
NAB, Westpac, 86 400 and the ATO use OCR Lab’s platform so their customers can be digitally identified remotely, such as when applying for a mortgage or a phone plan.
OCR Labs provides a fully automated remote identity verification and fraud detection service by capturing images of physical identity documents, extracting the data, and matching the person through a live selfie video. It means consumers no longer need to visit branches or produce multiple forms of ID to complete an interaction with the bank, such as opening an account or making an application.
Keeping above board
The jury is out on whether private entities, such as OCR Labs, can do a better job than governments of offering a privacy- and security-conscious as well as transparent digital ID solution, says Professor Vanessa Teague, a cryptography expert at the Australian National University and chief executive of Thinking Cybersecurity.
There is a risk, however, that the introduction of private businesses into the DTA-led digital identity system could expose security and privacy fault lines within the scheme.
“Because of the way the TDIF is designed, the participation of a private organisation (depending on exactly what their role is) may give that entity complete access to a person’s government accounts.”
“This needs to be clearly communicated to users, and there needs to be serious penalties for the abuse of that power or negligence in the care of that data,” Teague says.
She adds that the “same strong incentives” should also be in place for government providers.
Perhaps most damningly, Teague fears that the Australian Government may lack the expertise to steer a digital identity system with the necessary privacy and security protocols in place.
“There is no chance that an unqualified group of people who have not even specified their protocol in sufficient detail for it to be examined thoroughly, have invented something secure,” Teague says.
Instead, she believes the Government should adopt a simple, existing standard for its digital ID system, such as the public-key infrastructure (PKI)-based system in use within many European countries. PKI offers a number of security and privacy benefits that the TDIF aims to have; however, as no central authority is involved in authentication, no entity can meaningfully track user activity.
Questions of viability
Cybersecurity expert Stephen Wilson also has concerns. Currently managing director of Sydney-based Lockstep Consulting, Wilson co-authored and wrote individual submissions to the public consultation on the Digital Identity Bill.
Wilson says it is “deeply significant” that UK and US free markets have no commercially sustainable ongoing identity provider businesses, despite substantial public-private investment.
“The DTA has overlooked international trends in identity, where the focus since 2013 has moved from authentication of identity to authentication of attributes.
‘Identity’ is too subjective, Wilson notes. We therefore need to focus on verifying objective pieces of information specific to each relationship, transaction, or context.
“If you ask ‘Who are you?’ online, it’s not the right question. The question should be, ‘What do I need to know about you? What are your credentials and attributes?’”
He says the Government has also failed to embed effective cryptographic methods, such as Verifiable Credentials and FIDO protocol, into the model. That is despite many big-name companies embracing these security standards. Wilson surmises the Australian public service has become “allergic to public key technology” even though it was a world leader.
“The TDIF is a nice big document with a lot of rules, and accreditation is a good place to start. But the framework is still a hypothetical model.
“It’s not going to lead us to a viable digital identity ecosystem or marketplace of identity services.”