A lack of transparency around the federal government’s $200 million digital identity scheme and process of accrediting third-party organisations could lead to increased security and privacy risks, according to an independent researcher.
The Digital Transformation Agency (DTA), which is leading the digital identity project GovPass, recently blocked the release of documents relating to the scheme, prompting concerns about a lack of information about how the scheme operates and about the inability of independent security researchers to identify flaws or vulnerabilities.
GovPass aims to become a whole-of-government way to verify identity across government and private sector services, using a federated model with many different options available for users to choose from. The project has already cost taxpayers more than $200 million over five years and is slowly emerging from the shadows this year.
A core facet of the project is the Trusted Digital Identity Framework (TDIF), the overarching policy governing the scheme. It consists of a set of rules and standards used to govern the entire scheme.
The framework is also used to accredit digital identity providers before they are allowed to enter the ecosystem and provide their services to Australians.
So far only two public sector organisations have been accredited: Australia Post and the Australian Taxation Office. But the framework has recently been updated to accommodate private sector organisations, and the DTA will soon start to assess applications from other entities.
With the scheme ramping up, cryptography expert and Thinking Cybersecurity chief executive Professor Vanessa Teague was looking to investigate the security protocols of the scheme and the tests used to accredit digital identity providers.
She suggested that University of Melbourne computer science student Ben Frengley investigate the issue for an educational exercise.
After being unable to get the information from the DTA, Mr Frengley eventually lodged a Freedom of Information request for documents relating to the accreditation of the ATO under the scheme. But the request was rejected last week by the DTA.
The lack of transparency is a concern, Professor Teague said.
“It just seems to indicate that there’s not enough understanding of how a good process would work,” Professor Teague told InnovationAus. “A good process would be a transparent one that opens up both the documentation, code and accreditation process to public scrutiny so people like us can find the bugs they haven’t noticed.”
The DTA has published a lot of documents relating to the TDIF on its website explaining the rules for accreditation and settings for the digital ID framework, but it has not revealed any of the code behind the scheme or the exchange gateway, or the specifics of each organisation’s accreditation, Professor Teague said.
“There’s no code available for any of it. There’s no source code but there’s greatly detailed documentation about what compliant implementations are supposed to do. There’s a greatly detailed framework already posted on their website,” she said.
“We were trying to understand whether those implementations – ATO and Australia Post – had the security implementations that the framework was meant to have.
“We’re trying to understand whether the specific implementations have been accurately accredited as properly meeting the framework guidelines.”
“The goal was to see whether they were secure. The fundamental idea was to try to understand if it has the security properties that the framework specifies.”
The TDIF also allows companies to apply for an exemption from the rules included in the scheme. These need to be made public to ensure an exemption isn’t contributing to any potential security vulnerabilities, Professor Teague said.
“When talking about a very complex cryptographic protocol, the concern is that an exemption might undermine the security properties of the framework. We’re keen to understand whether any exemptions have been granted and if they have been, whether that was with the full implications for security being considered,” she said.
A spokesperson for the DTA said the agency is confident in its accreditation process.
“The DTA is confident that there is an extensive accreditation process that meets the requirements of the system as detailed in the TDIF Accreditation Process documentation available on the DTA’s website,” the spokesperson told InnovationAus.
“To maintain accreditation, participants need to continually demonstrate they meet their TDIF obligations by undergoing annual assessments.”
The DTA has previously listed a measure of success for the scheme being when the “identity federation’s governance body executes its roles and responsibilities in an effective and transparent manner”.
This was removed from a later version of the TDIF, as Mr Frengley pointed out, but “transparent” still remains as a guiding principle for GovPass.
The DTA said there are 11 documents relating to the ATO’s application to be a part of the digital identity scheme, including assessor findings reports, reports covering technical integration testing, assessment reports and exemption requests.
The agency declined to release the documents under a public interest conditional exemption relating to the operation of agencies, saying that releasing the information would “erode trust the community and agencies have in the DTA” and would have a “substantial adverse effect” on its work.
But Professor Teague questioned this justification, saying there is no risk in releasing the information if it is properly secure.
“One would think that releasing the material about a well run accreditation process would improve trust. It’s very confusing to me if they’re confident in the accreditation process that releasing the details would undermine community trust,” Professor Teague said.
The DTA also said that GovPass would be “undermined” if “it were generally known the details of the framework”, despite hundreds of pages of the TDIF being publicly available on its website.
“They said that disclosure of information contained in the 11 documents would have an adverse impact on development and implementation of the framework because they might possibly reveal vulnerabilities and operations of a provider. That’s even stranger because the details of the framework are on their website,” Professor Teague said.
In rejecting the FOI, the DTA also claimed that releasing the documents “would not increase public scrutiny of government’s processes or activities”.
But Professor Teague said this is exactly what being transparent about the operation of the scheme would allow for, with independent researchers identifying bugs and vulnerabilities before they can be exploited by malicious actors.
“The process of open examination and identification helps to get them fixed. Keeping them secret does not make them go away. Research groups have found vulnerabilities in voting systems and in COVIDSafe,” Professor Teague said.
The FOI request, originally lodged in early May, was for information regarding the accreditation of both the ATO and Australia Post, including a much wider range of technical information regarding the TDIF. This was rejected by the DTA, which claimed there were 48 documents in total that would take 138 hours to parse through.