Biometrically anchored digital identities would go a long way to preventing a repeat of the massive irreversible loss of identity information experienced with the Optus data breach, the Department of Home Affairs says.
Speaking at the Technology in Government conference in Canberra last week, acting assistant secretary for the identity and biometrics policy and strategy branch, Gudiya Riddell, offered up some of the department’s current thinking around identity.
As the lead agency for identity security, Home Affairs is continuing to explore improvements to the identity system in the absence of legislation that would enable businesses to further reduce the collection of information by using government systems.
A 2019 identity protection and management arrangements review that was shelved by the federal government until a Freedom of Information request earlier this year recommended an overhaul of identity verification, including greater use of biometrics.
Mr Riddell said the recent Optus and Medibank data breaches had demonstrated how the “unnecessary“ collection of identity documents can “increase the consequences of such an attack”, suggesting “digital identity proofed using biometrics” as an answer.
“Biometrically [anchored] digital identities and digital credentials can help to limit the amount of personal information that an organisation collects by enabling an individual to share only the minimum amount of information needed for a transaction,” he said.
“They remove the need for people to repeatedly provide cumbersome paper documents, reducing the number of organisations that might hold copies of those documents.
“Just moving to this kind of model would go a long way to improving data security and protecting privacy, and reducing those consequences.”
Mr Riddell said myGovID was an example of a digital identity that already allows Australians to “prove their identity by verifying their documents and their face”, and then authenticate themselves to government website and services.
As of July 2022, there were 8.7 million myGovID’s – more than three times as many as there were in June 2021, largely thanks to the requirements that company directors use the service to get a Director ID.
But even using the identity document checking system known as the Document Verification Service (DVS) — which public and private sector entities have had access to since 2009 — as a standalone service would have reduced the need to store identity information.
“For most transactions, there’s no need to collect and retain copies of identity documents like driver’s licences. The Home Affairs DVS offers a really good solution in that it enables the verification of attributes… against the records of an issuing agency like a road transport agency,” he said.
“Once you’ve verified that information, you can just keep the attribute, the DVS transaction number and the result. If that had had happened with Optus, then it would [still] be unfortunate but at least on the identity side the consequences would be very, very reduced.”
A similar approach to the collection of biometrics would be taken in the future to ensure “new stores” are not unnecessarily being created, he said.
A facial verification service (FVS) that allows a person’s photo to be matched against the imagine on their identity documents already exists for government agencies, but legislation for its use by the private sector remains stalled.
“Our rough view is that, where possible, we want to limit the storage of biometrics and any other information outside of the issuing agency, who necessarily has to have it, and the individuals themselves,” Mr Riddell said.
“So, for example, this might mean that digital identity is proofed against biometrics, but without keeping a copy of that biometric.”
Mr Riddell said this would have the added benefit of “making it easier for individuals to be in control of what [identity information] they share and… aware of how their identity is used”, possible through a real-time alerting service.
“What we’re thinking is that we really need probably an opt-in service where individuals can be alerted when their identity documents are used and by whom they’re being used,” he said.
“And that might be something that people opt-in when they’re particularly concerned – say they’re an Optus or a Medibank customer – or it might be something that some people turn on all the time.”
Individuals would also likely be able to update their information across government agencies and business “all at the same time” with consent, removing the need to update each identity document individually.
Do you know more? Contact James Riley via Email.
Unfortunately biometrics are a flawed solution. They can still be compromised – because they still have to be stored on a server somewhere – but you can’t change them because they’re part of your body. Passwords aren’t perfect but they’re better than biometrics.
Thanks Dave. Passwords are better, but your government is fully committed to the Australian Barcode. It’s bipartisan. We are protected at the moment by APS incompetence and their 80% project failure rates. But if the only way to get this over the line is to outsource the whole thing – that’s what will happen. Somehow government got it in its head that the responsibility for ID was its business. But nobody ever gave government that task. It just assumed it. Why?
Bio-metrics are easily spoofed once compromised they cannot be replaced. Biometrics are something you are and as such are in the public domain. Claims that this is secure are laughable and demonstrate the ignorance of those who are pretending to be cyber security experts in Government who are simply buying defective security systems from foreign multinationals.