“Digital Identity is having the ability for the government to trust that you are who you say you are,” is the explanation the Federal Government’s Digital Transformation Office (DTO) gives for the establishment of a singular digital profile that will allow you to access various government services.
But trust has to go both ways, and the Australian Privacy Foundation (APF) has expressed “serious concern” about federated identity, stating the process has been “seriously deficient” and conducted “in a context of increasing distrust of government” (Census, anyone?).
The DTO says the global trend of services moving online, and the economic benefits that produces, necessitates an online identity verification process — particularly in cases of sensitive data.
“Currently users have to identify themselves again and again when they interact with different government departments, and we want to find a solution that fixes this problem,” the DTO states.
The DTO uses the example of a Facebook identity as a form of digital identity, but is quick to say it’s not suggesting the government wants to start linking to your social media profiles, giving the reason that “some online identities are trusted more than others”.
The DTO is building both a verification model and a method for logins.
“Our project also involves developing a Trusted Digital Identity Framework (TDIF),” the DTO revealed at the commencement of the project, stating there would be consultation with “a wide range” of public and private sector stakeholders.
The APF’s concerns surround the fact that the Digital Identity project has now been running for over a year, has reached the beta stage, and statements are being made about deployment.
“Yet civil society has yet to be engaged,” APF says. “A single meeting has now been held, but materials were withheld until the last moment, and the very few advocates present had limited opportunity to gain clarifications, and virtually none to provide feedback”.
The APF says that by its nature the project “harbours enormous threats to individuals, and to society as a whole”, warning the whole thing has “a very high” risk of failure.
“This is the latest of many proposals that have come and gone over the last 30 years relating to citizen identifiers, accounts, authenticators and credentials,” the APF says.
“Apart from express ‘national identification schemes’, most notably the Australia Card, Medicare Card expansion and Access Card proposals, there has been a series of PKI-based schemes, commencing in 1998, and re-surfacing in varying forms form time to time. These proposals have often been associated with entry-point schemes, most recently MyGov”.
The APF goes on to say that the nature of the various proposals, and the processes adopted to developing them, have varied from authoritarian (Australia Card, AML-CTF, Access Card, the DVS expansion) to modestly but unsatisfactorily consultative (GPKA, NTIF).
During the last few years, public trust in corporations and government agencies has been seriously harmed.
Examples given by the APF include the substantial downgrading of the Privacy Act in 2012 in order to advantage the interests of corporations, and the eHealth record — nominally “personally-controlled” and “my” — but in fact designed to advantage public health, public servants and researchers, and “not at all oriented towards the needs of individuals.”
“Some projects have sought to ride roughshod over the interests of individuals and society as a whole,” it says, “whereas others have at least acknowledged the impacts on privacy, and on freedoms more generally.”
The APF says overall, there is a “lack of clarity” surrounding the scheme.
“Apart from a brief remark to the effect that the scheme could be implemented administratively, i.e. without parliamentary approval or even oversight, no information has been provided about applicable laws, and the impact of laws in such areas as data retention, data breach notification, cybersecurity, disestablishment of the OAIC, and a privacy right of action”.