Unless you’re an avid reader of federal budget statements, you probably missed the $92.4 million allocation in the 2018–19 Budget to build a digital identity scheme known as GovPass—the second one that taxpayers will now be funding. (Australia Post already has an operational scheme called Digital iD that cost $30–50 million to build; GovPass is being set up by the Digital Transformation Agency.) You probably also missed the establishment of the biometric template of your face that has been created to enable the new scheme.
To say communication about this far-reaching program has been limited is an understatement. It’s all the more surprising because the current plan is to roll out services to half a million Australians by the end of June 2019 and the enabling biometric database (the Face Verification Service, or FVS) is already up and running.
Digital identity checking is a critical enabler of a 21st-century economy that will unlock large productivity gains. It will allow you to quickly confirm your personal details, entitlements and authorisations—such as proving you’re over 18 years old or an Australian citizen—online or in person via your phone. Done properly, it will enhance personal privacy, reduce fraud and allow you to quickly interact with companies and government.
That’s why it’s so important to get digital identity right and to fix the serious problems with the current approach. A new report from ASPI’s International Cyber Policy Centre, Preventing another Australia Card fail: unlocking the potential of digital identity, released today, explains the challenges that need to be addressed.
First, the way digitalisation schemes are developed needs an overhaul. At present, they’re approached as mechanisms to solve parochial challenges faced by individual government departments, and user experience is designed through this narrow lens. The cumulative effect of this approach is that citizens are steadily disempowered, their rights eroded and trust in government diminished. ‘Opt in’ becomes ‘opt out’. ‘Safe and secure’, it’s later discovered, means warrantless police access. A 180-degree change in approach is needed that puts citizens, not government departments, at the centre.
That might sound obvious, but it’s tough to achieve. What’s needed is a root-and-branch review of how citizen protections can be made fit for purpose in the 21st century and of opportunities to take advantage of digitisation to simplify the web of rules that we created for our paper-based society. Those rules are often needlessly complicated due to misaligned incentives between competing bureaucracies and rent-seekers who have fed off complexity. To win in an age of hybrid warfare, people need to see that government is working for them and doing everything it can to serve as a trustworthy custodian of their data.
The second issue that needs addressing is oversight. There’s no legislation governing either GovPass or Digital iD. Existing laws like the Privacy Act obviously apply, but they’re ineffective to manage a system with digital identity’s far-reaching applications.
Australia’s laissez-faire approach to digital identity has led large multinational companies to identify it as a testing ground for creating attribute exchanges (systems that allow individuals’ personal data to be shared across organisations). Done properly, these could be very handy—for example, by allowing you to instantly prove you’re authorised to work with children or have a forklift licence. But done badly they could harness digital identity to create a westernised version of China’s social credit scheme. While detailed customer profiles can already be built through methods such as loyalty programs, digital identity will enable a vastly expanded range of activities to be linked to verified identities and so exponentially expand the scope for profile-building and ranking if left unchecked. Dedicated legislation is needed to oversee both GovPass and Digital iD, and social credit-style schemes need to be expressly forbidden.
Third, there’s a need to explore whether the two government schemes can be joined. At a minimum, Australia Post should replace the Australian Taxation Office as the government identity provider under the GovPass scheme. This would be consistent with one of the Digital Transformation Agency’s own core procurement principles of avoiding duplication by not building platforms that other agencies have already built.
Fourth, the second- and third-order consequences of different aspects of the schemes haven’t been considered because they fall outside specific agency or departmental remits. Developments at the state and territory level and within the private sector also need to be considered as part of a national approach that puts citizens at the centre. A taskforce (federal, state and territory) that includes key private-sector and civil-society actors should be established to ensure that whole-of-nation implications are considered and addressed.
Finally, tighter controls need to be imposed on the use of biometric exchanges, the creation of which Australians never consented to. Legislation governing the biometric exchange that was established for law enforcement purposes (the Face Identification Service, or FIS) has serious flaws, including provisions that would allow any state to use it to police any offence regardless of the gravity of the act (that is, it could potentially be applied to a minor offence like littering). While the FIS is not used for digital identity, any overreach in its use is likely to contaminate public trust in a digital identity scheme.
Digital identity has a lot to offer, but it has to be done right.