Digital ID laws usher in quiet revolution
When it comes to a government and public service selling big ideas about change to the public, the clincher or the reveal in ad campaigns is that something happens.
With the NSW Opal public transit card, now more than a decade old, we all changed from paper to tapping a plastic credential like a credit or debit card and got to ‘top up’ online or link accounts.
Then came the ability to tap with regular payments cards and phones, eliminating another friction so that now you don’t even need to fire up a card to tap, thanks to Apple’s inbuilt transit functionality.
Now imagine trying to sell an idea or behavioural shift when something doesn’t happen, or just happens in the background and you don’t see it…
Welcome to the great digital identity marketing dilemma, now challenging policymakers and industry alike.
It may confound the marketers and communications gurus, but government and industry having to sell a bit of a ‘nothing burger’ to average Australians is actually a good problem to have, because it’s the hype and publicity where over-inflated promises start to lose air and buoyancy on the journey to delivery.
Legislative certainty
When the Digital ID Bill 2024 passed the Senate on March 27, it barely rated a mention in the mainstream press outside a few industry sections and wire service briefs.
Minister for Finance and the Public Service Katy Gallagher observed that “Digital ID makes it safer and easier for Australians to prove who they are online” and that “Australians will be sharing less personal information, which is held by fewer organisations, that are subject to stronger regulation – reducing the chance of identity theft online”.
There was obligatory tokenistic political sniping from both Labor and the Coalition, but it was minimal and inconsequential. The reality was that one of the most innately controversial pieces of legislation in more than three decades had made it through both houses intact to form the foundation of a new era in how we prove who we say we are.
This is not to say there is not opposition to both the digital identity laws and evolving ecosystem — Pauline Hanson’s One Nation is moving swiftly to weaponise the debate and — but both sides of politics have now recognised the need for businesses and agencies to stop hoarding data.
Again, what this looks like in practical effect means doing a lot less of something rather than a lot more. Less scanning of drivers’ licences, Medicare cards, birth certificates and utilities bills. Fewer vast buckets and troves of personally identifiable information (PII) for hackers to loot.
Less identity theft and hopefully fraud as systems are tightened and unauthorised ingress and egress points eliminated. Fewer delays in finalising regulated transactions like buying a phone, a house or changing utility accounts.
But it will be a gradual, incremental process rather than an overnight change, like, say, the introduction of the Goods and Services Tax or declarations for transactions over certain amounts. Indeed the initial building blocks are firmly centred on getting the government’s house in order, and for most users it will merely mean less manual process and repetition. Again, that’s a good thing.
Government takes first mover advantage
One of the main reasons the digital ID laws passed in the way that they did was through the exhaustion of political counter arguments and a massive and rapid escalation in costs and harms related to data hoarding, mainly ransomware attacks and huge data spills.
This moved the debate from what some close to negotiations say was an ‘it’s too hard’ position of ambivalence to ‘it’s too late’ position in terms of finding alternatives.
In the federal sphere, the initial gain will be the replacement of the so-called 100 points test that has long been the bain of regulated industries slugged with the $1 per transaction charge for the Document Verification Service that cross-checks government data for information integrity.
It’s now been a decade since National Identity Proofing Guidelines came into effect in 2014, a key step in ensuring integrity in identity matching that followed on from 2011 changes to how names were to be recorded on documents that forced passports and drivers licences to adopt what was recorded on a birth certificate, marriage certificate or change of name documents.
One of the reasons getting to an endpoint for useable and ubiquitous digital identity services has taken so long is the gradual national tidy-up of credential registries across all jurisdictions. This work ensures recorded names or credentials cannot be phoenixed by distilling credential provenance to a single or consistent source of truth.
It’s also one of the reasons former NSW Minister for Digital and Services Victor Dominello spent several years advocating for a digital birth certificate so that foundation documents and the data behind them have strong digital integrity from the outset.
Importantly, Dominello has remained on the digital services and identity scene as a trusted adviser to the federal government to help it navigate around some of the obstacles to greatly improved service delivery.
Those improvements include much smarter and self-aware transactions during well known life events that start from birth and early childhood and childcare (think vaccinations), through to education, sport, benefits and grants (like free driving lessons for young people in remote or underserviced areas) all the way through to employment and tax rebates.
The key reason there is a strong initial focus on government is that this is where a lot of the heavy lifting in terms of legacy renewal and systems optimisation need to occur, and now the gauge of digital identity rail has been decided, the tracks need to be standardised and re-laid.
Again, the uplift in this respect will be less friction and delay for customers in the same way as express trains move quickly between longer destinations, and high-frequency urban services means to just turn-up and jump on.
Identity-as-a-service takes a back seat
Other operators keen to get onto Australia’s new digital identity rails are banks payments providers who have been eyeing off the sector for several years, albeit with little progress.
The behaviour of the banks in jockeying for carveouts has been a little erratic and disjointed in that some operators called for fundamentally impossible concessions, like racial identifiers while industry groups tended to run quiet or dead on more contentious aspects.
Despite a full court press by banks to truncate a four-year phased digital identity rollout by the government in which private operators gained access to government rails last, the compromise extracted in the legislation was only half of what banks demanded, meaning it will take at least two years to gain access.
Banks had wanted immediate access so they could clip the ticket on identity transactions between the public and private sectors, a way of flipping the existing DVS $1 per-transaction model back to institutions and private processing infrastructure.
At a policy leadership level, there was immediate resistance to banks making digital identity into a cash cow, especially from Minister for Government Services Bill Shorten.
“I think generally banks are overcharging. Let’s be honest. Good on Westpac if you’re a shareholder — they made a $7.6 billion profit. But this is the time of inflation and mortgage rises,” Shorten said when asked last year if banks should be allowed to charge for digital identity transactions.
Notably, Shorten was speaking at the launch of the expert advisory panel on rolling out digital services across government, now headed by former New South Wales Minister for Digital and Customer Service Victor Dominello.
But the truth is the whole digital identity construct has had at least as many false dawns in banking as it has had in government, going more than 20 years when Westpac in the early noughties tried to establish an identity utility called the Trust Centre.
Since then the Commonwealth Bank tried its ill-fated project MaMBO (Me @ My Bank Online) that fell apart when other banks pulled out of the industry utility.
The Reserve Bank of Australia was a frequent agitator for banks to establish a digital identity system to no avail.
Facing the future
What happens next with the wealth of government services in line to get connected to Digital ID services and infrastructure over the next couple of years will be the need to integrate the credentials and rails into existing platforms so that queries and exchanges can be authorised.
For example, a probate process involving a transfer of a land title may include multiple beneficiaries, banks, creditors, land title registries and legal representatives. There will obviously be thresholds for identity verification, but ultimately many credentials will fall back on a biometric check coupled with other strong authentication features.
Most of these features and functions are already present in the bulk of contemporary smartphones, however a key question will be whose biometric check will be used: the mobile operating system platform’s (Apple or Google), the government’s or a credential provider.
Banks are especially unhappy with Apple, not least because Apple still controls the so-called ‘secure element’ of its iPhones that allow it to eat the profits banks usually make from interchange fees.
A similar pile-on for identity fees is also likely as banks try to wrest back fee territory and pocket the takings.
The big question is whether banks will eventually require digital identity credentials from merchants or account holders receiving funds, rather than those sending them, a much smarter way of fortifying higher value or risky transactions.
In the interim, everyday citizens will have to make themselves content with government services that finally just get their needs right without asking the same question across multiple agencies. And that in itself is a thing.
Protecting privacy in the digital ID age
- Move over big data: Data inventories are the next big thing
- Access to information: The $100m question
- Avoiding bias in automated decision-making
- The logical step towards reducing digital vulnerabilities
- What Australia can learn from Finland’s AI disaster
- Digital ID laws usher in quiet revolution
- Privacy by design: It’s soccer, not golf
- The social impact of digital ID
- ‘Attributes’ that could determine regulatory success
- Why Estonia leads the way in digital identity
- Australia’s overdue digital IDs will help fight online fraud