Experts warn using any single system could have its own cybersecurity weaknesses leaving data vulnerable to misuse
The Australian government is considering using myGov or its myGovID system to centralise digital identity authentication in the wake of the Optus data breach, but critics warn any single system could have its own cybersecurity weaknesses.
The former Telstra chief executive David Thodey was recruited to audit myGov when the Albanese government came into power, and his review would now examine whether myGov could be used to prevent people needing to present ID documents multiple times, a spokesperson for the government services minister, Bill Shorten, said.
The personal details of almost 10 million customers were exposed in the Optus breach, including millions of passport, driver’s licence and Medicare numbers, raising questions as to why companies need to collect and store so much personal information.
The federal government will now consider whether to develop a single digital identification service that businesses could use instead.
“Within the audit’s remit is to consider how myGov can deliver seamless services that will frequently involve private enterprise service providers,” Shorten’s spokesperson said. “This would prevent the need for citizens to provide sensitive data multiple times to multiple entities.”
There are more than 25m active myGov accounts and the spokesperson said it would be “the natural home for expanded citizen service”.
Separately, the finance minister, Katy Gallagher, has reportedly convened meetings to consider resurrecting digital ID legislation planned by the former government.
The Morrison government released draft legislation in October last year to expand the use of the myGovID system. It is currently used to authenticate ID via an app when people get a tax file number, deal with Centrelink or access myGov.
The government never brought the legislation before parliament, but now the shadow government services minister, Paul Fletcher, has called on the Albanese government to resurrect the project.
“The Albanese government’s failure to progress these important reforms has left a serious hole in our ability to protect Australians’ data and better improve digital services,” he said.
But critics of the proposal warn that the digital identity framework could have its own cybersecurity weaknesses, and is not fit for purpose as a secure form of ID authentication.
Cybersecurity researcher Prof Vanessa Teague raised concerns early in the development of the system that the storing of ID document numbers would mean those documents would still be at risk of exposure in the event of a cyber-attack or data breach. She said the system used an identity exchange that mediates all logins, so there was a single point of failure where one server could track every time a person logged in, and every service they logged in to.
“There’s no reason that the authority that issued your digital ID should get a constant update every time you log in,” she said.
Stephen Wilson, a digital identity and privacy consultant, said the digital ID system was meant to be a single login for government services, not a replacement for verifying someone’s identity.
“They aimed to give citizens a single key to access all federal government accounts, starting with tax, Medicare and Centrelink. The key proves you’re a citizen known to the ATO,” he said.
“But it wasn’t designed to verify anything else about you – especially the things outside the federal sphere.”
If the ID numbers were compromised, everyone would need to be issued with a new one, he said.
Wilson argued a better method would to put identification into the digital wallets on smartphones. It would protect the personal information stored in the card, and simply authenticate identification with the service you are using.
“IDs should go untouched by human hands. Credit cards, Medicare, driver’s licences, personal health identifiers – they should all be encapsulated within a personally controlled chip and presented with a hallmark, so the receiver knows each number comes from the real person and not an impostor.”
One complication in developing a digital ID is that responsibility for various aspects of the system sits with different departments and agencies.
MyGov sits with Services Australia, while myGovID is the responsibility of the Australian Taxation Office. The Digital Transformation Agency is responsible for leading proposed expansion of the digital ID system.
By 2024, the federal government will have spent $624m on developing the system since 2016, according to data published by the parliamentary library.
A spokesperson for the ATO said more than 6.5m verified myGovID identities had been created as of 6 October, and there were about 300,000 authentications a day.