Inside Australia’s digital identity journey

Nearly four decades have passed since the proposed Australia Card was dropped after heavy opposition from privacy advocates and politicians on all sides.

And almost two decades have passed since an all-in-one Medicare smartcard trial in 2005 and a proposed Access Card in 2007 were also abandoned after similar campaigns about privacy concerns.

Protecting people’s privacy is essential, although according to reports cited by the Department of Home Affairs, safeguarding identity is equally important.

A survey by the Australian Institute of Criminology in 2017 found a quarter of Australians will be victims of an identity crime at some point in their lives, and a recent SBS Insight episode highlighted the issue of unprotected identity credentials exposing people to fraud.

“As more of our lives are being played out in a digital environment the scope and demand for a robust digital ID increases,” explains Dr Ian Oppermann, NSW government chief data scientist and industry professor at UTS.

“We need the convenience and fluidity of digital engagement, but all that comes at a cost: if our identity credentials aren’t robust and secure we have a serious problem.”

Certainly, digital credentials help streamline interactions with government and commercial organisations, but there isn’t broad agreement across government and business on how to handle ID authentication. We might be closer with a recent truce called in digital identity turf wars between Canberra and states – we’re just not there yet.

“Digital identity is critical infrastructure, so we need to look at it holistically, not just from a federal or state government level, not just from an industry level,” adds Robert Morrish, co-CEO of cybersecurity firm Cybe, which consults with government and businesses on digital identity.

“We need to become collaborative in creating an ecosystem for digital IDs that enable people to securely prove who they are and securely evidence their claims, rather than still relying on physical presence to verify access to services. Pretty much all the economies around the world are driving hard towards digitisation because it can lower the cost while providing more efficient service to people.”

Oppermann remembers thumbing his parents’ paper driver’s licences and thinking how easy it would be for someone (not him) to forge. Still, as an avid collector of currency and stamps, he also points out that physical authentication marks used on modern currency and licences – such as holograms – are forgeable enough to trick people into accepting them at face value.

“When physical authentication marks become very sophisticated, you then have to rely on some sort of scanner, so the process becomes digital anyway,” he says. “Physical authentication marks are limited to a few layers but in the digital domain you have almost infinite degrees of freedom to introduce more layers of authentication and more layers of protection. Encryption is certainly a useful way to lock up data though you also need strict rules controlling access permissions – including how much data you share in an interaction and for how long.”

Governance to keep ID data safe

A huge issue in the digital ID challenge is that many organisations persist with collecting and holding an individual’s credentials, rather than just verifying an ID to permit interactions, notes Oppermann.

“Your credentials are needed to get you in, and you want to assume you can then safely interact, but you shouldn’t assume whichever environment you’re in is secure. It would be better if the data you shared had a strict lifecycle – it might only be needed for a single interaction – but if it’s collected and stored, then you no longer control it, which adds privacy and other security risks.”

Some nightclubs, for example, scan patrons’ driver’s licences or passports at the point of entry, capturing far more data than is necessary to verify people are of legal age or check if someone is banned because of past misbehaviour. One preventative measure against misuse and ID fraud is a rule that venues are prohibited from retrieving patrons’ personal details.

Morrish agrees individuals need more control over their personal information and shouldn’t have to share more than is necessary to prove identity:

“You should have the right to say: ‘You only need some information for me to prove who I am, but you don’t need to keep it’.”

Morrish has worked with several businesses focused on decentralising access controls over the years, using blockchain and other crypto technologies backed with multi-factor authentication (MFA). He’s presented to government departments and corporates, warning them they need to ‘shift the mindset away from having the right to own personal data’:

“It doesn’t matter how many millions of dollars these organisations pour into their cybersecurity defences: there are too many issues with the custodial business model of credentials, mainly because they centralise the data in one place, and those stores can be breached. Instead we can use what’s being called ‘genuine presence’ or ‘presence assurance’, which combines advanced biometric capabilities, sophisticated AI and electronic know-your-customer and know-your-business. So you can prove the face of the person with the phone matches the face of the person with the document, matches the face of the person with the data verification system at the back end – it triangulates proof of identity.”

The many examples of data management gone wrong should drive organisations to adopt better data governance end-to-end, says Opperman, adding that good progress is (finally) being made:

“Australian government organisations are investing serious time and effort into developing and using standards for cybersecurity and data governance, including AI governance.”

“There’s a National AI Centre working on some big things, there’s a NSW AI assurance framework, which is the first of its kind in the world for government, and several departments are developing digital identity frameworks with governance for end-to-end data lifecycles.”

Oppermann and Morrish both emphasise the need to shorten data lifecycles, along with reducing the amount of data shared to allow an interaction.

Governance for data lifecycles must include protections and prohibitions for what data is collected, how it’s used, how long it’s used for and what happens to it once it’s used.

Explains Oppermann: “In the world of digital service delivery, if you can empower people to identify themselves to the level that they need to, as opposed to credentialing themselves against a line and a big database, then by removing some of the risks associated with the revelation of personal data you can reimagine how services are delivered.”