Earlier this month, the Minister for Employment, Workforce, Skills, Small and Family Business, Stuart Robert, released an exposure draft of the Trusted Digital Identity Bill to support the expansion of the Australian Government Digital Identity System.
The official line, as it were, is that legislation is required to expand this system to a whole-of-economy solution. This is so all levels of government and private sector – especially small and medium business, can participate and share in the efficiencies and benefits that gigital identity will bring for them and the community.
We are told that the proposed legislation will enshrine in law privacy and consumer safeguards for greater trust in the system as it expands. This includes more services and sectors, accelerating an economy-wide rollout.
The legislation also provides the necessary authority for government to expand, maintain and regulate the system. It establishes permanent governance arrangements for the system, to be guided by principles of independence, transparency and accountability.
As outlined in this overview, the Bill has two main aims:
- to simplify the process of proving and verifying the identities of individuals online whilst protecting their privacy and the security of their personal information; and
- to introduce a secure and trustworthy digital identity system that will facilitate the expansion of Australia’s digital economy.
The Bill legislates for the establishment and operation of a national Trusted Digital Identity System . The TDIS is a single Commonwealth Government operated platform where businesses and government agencies will be able to collect, verify and exchange digital identity information in a secure place. The TDIS will be operated and maintained by an oversight authority appointed by the relevant minister.
Some might see this proposed legislation as a necessary and important step. Currently, every provider of goods and services in the digital economy hosts its own decentralised and non-standard platform for verifying consumer identity. This raises the risks of fraud, identity theft and privacy breach. Having a central System run by the Government and supported by a network of accredited agencies could address many of these issues.
Many may have concerns about a government-run central database but it could be argued that it would be better for one’s identity to be stored by the government with all the necessary security and safeguards, rather than by hundreds of merchants individually, each with varying degrees of security and safeguards. As it is, those of us with smartphones and messaging apps are already handing over to large private companies our name, phone number, email, contact lists, location, and so forth, constantly.
Indeed, it is difficult to argue against the proposed system if you accept that, prior to accessing any government (executive agency) service, that agency needs to know it’s you before giving you Commonwealth services or money. All identity verification schemes, paper or digital, are subject to risk of ‘counterfeits’ and fraud, to a greater or lesser degree.
Concerns about central state storage of information are generally rebutted by the fact that intelligence agencies (and on occasion law enforcement) can access identity-providing information (phone data, etc.,) with little kickback.
It is the ‘risk of compromise’ argument, however, where concerns lie. In fact, the federal government was clearly informed in a frankly damning consultation submission by leading scholars Ben Frengley and Vanessa Teague in December 2020 that the TDIF as designed was seriously insecure.
They recommended the ‘use of a public key infrastructure-based system’ and a ‘simple, standard, pairwise OpenID Connect protocol’, rather than the ‘complex brokered model with poor privacy and security properties’ that was proposed. In their view:
PKI-based digital identity management is widespread and well understood, with published standards for international interoperability. It offers many of the security and privacy benefits that the TDIF aims to have, but with the added advantage that there is no entity who can meaningfully track user activity, as authentication occurs without the direct involvement of a central authority. As such, we believe this to be the most promising candidate to take the place of the TDIF.
They concluded their submission by stating:
The system should be abandoned and redesigned from scratch by people with some understanding of secure protocol design and some concern from protecting their fellow citizens from identity theft. Legislating to make [TDIS] secure by fiat will not stop organised crime, foreign gives or ordinary criminals from taking advantage of its design flaws.
Rather than act on this submission, the Federal Government’s response, it seems, has been to consult again, with a view to improving ‘accessibility, data protection (information privacy in Australia) and Information Commissioner oversight and remedies’, hence the introduction of the oversight authority.
All this ignores the fundamental Frengley-Teague critique (if you check their credentials, you will see they, significantly more than those of Stuart Robert, seemingly another shining example of the Peter Principle).
Perhaps under time pressure to deliver, or seeking to avoid having to concede blowing millions on building a TDIS with all the reassuring qualities of a French submarine, the government is selling us a Lada instead of a Lamborghini, but, at the same time, telling us the improved warranty will negate the impact of having to actually live with the poor product.
If this is the state’s approach to digital security for its customers, count us out.
Dr Rocco Loiacono is a Senior Lecturer at Curtin University Law School.
Dr Phil Glover is Lecturer at Curtin University Law School. His areas of research are: Comparative Communications & Data Investigation Regulation, and he is the author of: Protecting National Security: A History of British Communications Investigation Regulation (Routledge International, July 2021).
The views expressed in this article are those of the authors and do not necessarily reflect the views of Curtin University.
Got something to add? Join the discussion and comment below.