Kelsie Nabben, RMIT University.
The federal government has been asking the public for feedback on proposed legislation to create a “trusted digital identity” system. The aim is for Australians to use it to prove their identity when accessing public services.
I first found out about the draft Trusted Digital Identity Bill not through my research at the intersection of society and technology, but through my mother-in-law. She found out about it in private social media channels, and her local women’s group was seeking support to craft their feedback, which emphasises concern for privacy and civil liberties in Australia.
After asking around among major stakeholders, it seems this piece of legislation has largely slipped under the radar since it was unveiled on October 1.
But what will a national digital identity system actually involve, who will it serve, and if we need it, how should it be implemented?
What does ‘digital identity’ mean?
The government’s proposed Digital Identity system promises a “safe, secure and convenient way to prove who you are online every time you access government services”. In other words, it aims to streamline your experience by avoiding the need to repeatedly identify yourself when accessing a range of government services.
Currently, you can create a digital identity using a “myGovID” to access 80 government services. This allows you to link your data across services such as Medicare, Centrelink and the Australian Tax Office. The new legislation proposes an expansion of powers to outsource the process of identity verification to approved Australian businesses. Presumably, this could lead to an expansion of acceptance of the digital ID system so it can be used more widely than just to access government services.
This would be done by linking your MyGov account on the MyGovID smartphone app, and providing an existing identity document (such as a passport, driver’s licence or birth certificate), to an identity provider. Under the proposal, any Australian business can apply to join the “Trusted Digital Identity Framework” to become an identity accreditor. The legislation would establish an agency to oversee these accreditations, and to govern how data will be handled in the scheme. The technical standards of the proposed scheme have not yet been published.
But this goes against all the standard advice about not linking all of your personal information, such as tax history and medical history, as it can lead to mass analytics, behaviour profiling, targeted advertising, and more (as we saw in the Cambridge Analytica scandal).
The proposal also comes amid the ongoing “datafication” of the population, which has been turbocharged by the COVID pandemic. Digital rights advocacy groups have already voiced alarm at the mass collection, collation and storage of personal data, often on a mandatory basis, using hastily implemented platforms such as contact-tracing apps.
Without a careful and measured approach, the digital identity proposal risks repeating the same mistakes.
The government says the proposed digital identity system will be entirely voluntary, and that the system is not designed to replace identification documents such as your birth certificate, visa, driver’s licence or passport.
It also says the system will not be used to access or record COVID vaccinations, and that the information collected will not be used for purposes such as consumer profiling or marketing.
Of course, Australians who opt to use the system are being asked to put their trust in the government to share their data with “verified” identity providers.
Ironically enough, there are quite a few issues that still need to be resolved before Australians can place their trust in the government’s plan to issue them with a “trusted digital identity”.
I have several concerns about the government’s digital identity legislation in its current form.
- It is opaque on details, particularly with regard to the proposed use of new technologies such as biometric matching (using biological characteristics to identity an individual) and automated decision-making.
- It potentially creates a “honeypot” of personal data stored in a centralised database that would offer a tempting target for cyber criminals or hostile nations. The government has promised the data will be “private and secure and protected by strict security protocols”. But government databases have suffered numerous previous hacks, such as the “cybersecurity incident” last year that led to the Australian Defence Force’s recruitment records being offline for ten days.
- It’s not clear how the trustworthiness of third-party identity verification providers who store these data will be verified and guaranteed, or what recourse would be available in the event of a breach.
- There is a potential lack of accountability for third-party access, onselling, and monetisation of data – precisely the problem that has blighted our relationship with Big Tech over the past few years.
- The establishment of a centralised “oversight authority” is an archaic approach that disempowers individuals from owning their personal information.
Australians can’t simply disengage from digitisation. But rather than blithely hand over our data, we should think carefully and collectively about the long-term effects of creating national, centralised databases of sensitive personal information.
The digital infrastructure to own and control access to our own digital identity already exists. Blockchain communities have built it; it’s time we used it.
Hope for alternatives
Senator Andrew Bragg last week tabled the final report of the Senate Select Committee on Australia as a Technology and Financial Centre. It recommends Australia embrace technologies such as blockchain and decentralised computing, in a bid to become an international hub for financial technology.
Despite this, there is still no apparent appetite to use this technology to encrypt the data stored by our domestic public services. Contrast that with Estonia, an international leader in digitisation, which maintains an immutable blockchain-based record of who in government has accessed medical health records.
Leaving aside the question of whether a digital identity system is even necessary or desirable, perhaps the biggest disappointment about the current legislation is the lack of creativity about data governance to determine how the system could be more safely implemented.
I’m not saying “don’t trust the government with your data”. What I am saying is that the digital identity data should be regarded as critical national infrastructure, and protected as such by giving people the ability to own their identity.
The broader context here is not one of legislation or technological architecture. It is a social question of collectively defining what a digital Australia should look like in the long term, and making it one that serves the public interest. Citizens should be able to own and govern their personal information with confidence, both now and into the future.
The opportunity for individuals and organisations to respond to the Digital Identity Bill closes on October 27.