Two-thirds of Australlians won’t use the federal government’s digital identity unless there is a significant public awareness campaign, and more needs to be done to improve security and privacy, according to the Digital Transformation Agency’s focus group testing.
The Digital Transformation Agency (DTA) is responsible for the GovPass project, a set of interconnecting policies aimed at provide a whole-of-government way to verify identity across a range of government and private sector services.
It adopts a federated ID model, with government offering its own digital identity service through the ATO, and numerous private sector and state government ID services to also be on offer.
In March this year the DTA conducted a series of focus group sessions on its digital identity project as a follow-up to previous user need validation and prioritisation workshops completed in April 2016.
The final report on these workshops, presented to the DTA in March, has now been released through a Freedom of Information Act request.
They reveal an overwhelming preoccupation with security and privacy from the focus group participants, and a reluctance to use the service at all unless these are fully explained and assured.
It also showed that not many people surveyed are aware of the government’s efforts in the space, or of what a digital identity actually is.
In early March the DTA ran six 90-minute “co-designing groups” with 33 members of the general public, with a mix across gender and age.
It found that 25 of the 33 participants had an “average to poor understanding” of what digital identity is in general, with 21 of them potentially not adopting the service because of this.
“People with either understanding based on false assumptions / no understanding are not going to know when they could potentially use digital identity or understand the benefits enough to want to try it,” the report said.
“Based on the sample size, nearly two-thirds of Australians will need information about digital identity before they will understand it well enough to use it. Current understanding of digital identity will impact adoption.”
The government has been previously criticised for rolling out the digital identity by stealth.
“They’ve tried to sneak this in without having discussions with the Australian people about it. The idea here is if they just keep really quiet about it and keep it on the low down then the Australian public won’t notice,” Australian Strategic Policy Institution’s International Cyber Policy Centre director Fergus Hanson told InnovationAus.com earlier this year.
“That isn’t necessarily the strongest argument to make. There needs to be a big public discussion about it,” he said.
DTA chief executive Randall Bruguead has said the lack of public communication around GovPass has been a deliberate tactic.
“We are being very deliberate in releasing this in a controlled way, testing it with users and refining as we go so we are progressively building the foundation for the digital identity environment in a way that is being incremented,” Mr Bruguead told a recent Senate Estimates hearing.
“Our intention is to progressively add more and more services. The value associated with having a digital identity comes when you can do something with it. Having the capacity to create a digital identity once for the government then reuse it multiple times is where the real benefit lies.”
The focus groups had a clear message: they do not trust the government to protect their personal data through policies such as digital identity.
“Participants do not trust government re security of data and privacy. From conversations, it is not trusted that government can build a system that can protect their data,” the report said.
“In regards to privacy / sharing of data, participants seemed to trust the intent of government for collecting information now, but were not sure how future government may choose to use / share their information.
“We need to consider user’s perceptions of security with every move that the program takes until the system and its actual security and privacy has had time to provide itself to users. Perceptions of security and proof that our system is secure is what will drive adoption rates while the product is maturing.”
The government needs to do more than just reassure the general public of the security of its digital identity efforts, the DTA was told.
“The security of the service, trustworthiness of staff, trustworthiness of system IT and trustworthiness of the provider, as well as the desire for transparency and control over their data were all key areas of security that were identified as important to participants,” it said.
“From the research, it appears that ‘reassurance’ of security isn’t enough. Participants want to know that their information is secure – they want it tested, tried and proven before they will commit to adopting.
“This was a common theme across the research, with 32 comments relating to the security of individuals information and trust in government to protect personal information.”
The focus group studies also found that only nine of the 33 participants would use their banking digital identity to login to myGov and vice versa, citing concerns over the trustworthiness of the banks and related security measures.
In half of the focus groups, not one of the participants said they would use a bank as their digital identity provider.
The government has made a big push recently to include the big banks in the federated identity model.
The DTA recently opened up new consultations on the Trusted Digital Identity Framework, the set of policies that providers must be accredited against to offer identity services, to include private sector organisations.
The Payment Systems Board also recently confirmed that it had completed its own TrustID digital identity framework earlier this year, and that this will be connected with GovPass.
When asked to rank the most important needs surrounding digital identity, the focus was again on security and privacy, rather than the convenience issues that have been flagged by the government when trying to sell the project.
“The most important needs were around security of data, control over how much information is given and trust over how their data is used. This theme was consistent throughout conversations in all sessions and sections of the workshop,” the report said.
Topics listed with lower importance included the need to enter information more than once, a simpler way regardless of device and a seamless process.
The focus groups were run to update previous market research completed by the then-Digital Transformation Office in April 2016.
With GovPass being an opt-in service, it’s important that its benefits are clearly conveyed to the general public, and all issues are addressed, the DTA said.
“Realisation of government benefits are dependent on take-up and re-use of this service. That means that if we don’t get the user experience right, users will not use it and the government will not realise their benefits,” it said.
“The GovPass program will need to align its messaging and user experience focus as the product matures so that we are able to meet user expectation of benefits. Failure to do this will hinder re-use and potentially lead to abandonment of digital identity users.”