Finance Minister Katy Gallagher has called together all the digital ministers to kick-start the rollout of a national identity system, amid calls for the government to build a new technology infrastructure that would reduce the risk of identity theft, following the Optus data breach.
It comes as NSW Customer Service Minister Victor Dominello called for a decentralised identity system and the end of paper-based ID.
After drifting for years, the Optus breach has highlighted the need for a national digital identity system that would make it easier for businesses to verify a person’s identity and eliminate the need for companies to collect licence and passport numbers in the first place.
Canberra has established a digital identity system to streamline access to government services such as Medicare and the Tax Office, underpinned by the MyGov website.
But legislation that was drafted by the Morrison government still needs to be passed to allow the Digital ID to be used more broadly by the private sector.
Ms Gallagher said Digital Identity Legislation and related issues will be discussed by relevant Commonwealth, state and territory ministers at the upcoming Data and Digital Ministers Meeting in early November.
“Timing for passage of these laws will be informed by these important ministerial discussions,” Ms Gallagher said.
If this Optus saga is not a burning platform for change, then I don’t know what is.
— Victor Dominello, NSW minister for customer service and digital government.
“The Digital Identity System has been designed to protect the privacy of Australians and minimises the amount of personal information shared across services and is protected by strict security protocols set by the Australian government.”
The Trusted Digital Identity Framework (TDIF) has been iteratively developed by the Digital Transformation Agency, which now sits within the department of Finance, since 2015.
Proponents of digital identity say the world has changed since the Australia Card was shot down in the 1980s, and is a necessary step not only to reduce identity theft but also to streamline service delivery.
The scheme would mean that once a person’s identity had been verified by a trusted provider, they would be able to link it across a range of services and products.
The end of 100 ID points
Mr Dominello said federal, state and territory governments need to work together to establish national legislation for a trusted digital identity framework to be used more broadly.
“If this Optus saga is not a burning platform for change, then I don’t know what is,” he told The Australian Financial Review.
“If this is not a wake-up call for companies and government agencies, but more broadly, for the nation to get on board with protecting people’s personal information in the digital age, then I don’t know what is.”
The hack could also mark the beginning of the end for the 100-point ID check.
“Moving to a system of self sovereign digital identity would make the concept of 100 points of ID entirely redundant,” Mr Dominello said. “It also retires the need for organisations to hold on to people’s paper-based ID documents, and associated information, in their databases for years and years.”
In the absence of a national digital identity, states have pushed ahead with their own digital ID documents. NSW has developed its digital driver’s licence, and a trial of its digital birth certificate is due to start shortly.
Victorian Minister for Government Services Danny Pearson said digital identity is an important national issue and “it’s right that it will be a focus of the ministerial council meeting”.
Business Council of Australia president Tim Reed said the government should “get on with allowing Australians to verify their identity without having to hand over sensitive information, particularly through accelerating the government’s long-running digital identity project.”
All the downside, with no upside
Dr Vanessa Teague, a researcher at the ANU who specialises in cryptographic identity systems such as the Digital ID, said that since rejecting the Australia Card in the mid-1980s, Australia has found itself with all of the downside of a centralised identity system, but little of the upside.
“One of the things that people hated about the Australia Card was the idea that the data about them in different government databases was all going to be linked up. People didn’t want their health records linked up with their tax records,” she said.
“And I agree, that’s bad. But that’s happening anyway. All that linking has happened without an Australia Card.”
In any case, Australia has adopted de facto identity cards such as driver’s licences, passport and Medicare numbers, “which effectively have the same role as the Australia Card, but which are completely useless for properly authenticating yourself online,” she told the Financial Review.
“We have all of the bad things that people were afraid of when the Australia Card was so controversial, and yet we still don’t have secure online digital ID,” she said.
While Dr Teague agreed there was a need for something like the government’s Digital ID, she said it had been poorly implemented to date.
“The Digital Transformation Agency has had the job of setting up a secure digital ID for a long time, but they have not yet delivered a secure system that works,” she said.
“They have not, for example, seriously considered the option of creating multiple IDs, which would address at least some of the Australia Card-related concerns. There is absolutely no reason why you shouldn’t have multiple of these IDs, why not?”
Worse still, she said, Australia’s digital ID “is not designed in the simple cryptographic way that the European-style digital IDs are”, meaning there “are some pretty serious concerns with the basic security properties of the system,” Dr Teague said.
“The current attempts to solve the digital identity problem in Australia are not well-informed by good design, and are likely to cause us more privacy problems down the track,” she warned.