The federal government’s digital identity program should be “abandoned and redesigned from scratch” according to researchers who last year discovered a significant flaw in the system’s design.
The Digital Transformation Agency (DTA) opened the first round of consultation on legislation surrounding the government’s federated digital identity scheme late last year, and last week released a “synthesis report” that claimed to represent the views of the submissions.
The DTA said the submissions were “overwhelmingly positive” with “near uniform agreement on the immense value of the digital identity system”, despite one calling for the program to be scrapped and redesigned entirely, and others raising concerns about accessibility, the use of biometrics, and a lack of public trust.
The legislation aims to beef up privacy protection, establish a permanent oversight agency and allow state governments and the private sector to participate in the identity scheme.
The digital identity program aims to provide a whole-of-government service where users can utilise a range of digital identity providers in order to access government services and those offered by participating private companies.
It includes the Trusted Digital Identity Framework, which lays out the policies for the program, and the identity exchange gateway, along with digital identity services including the ATO’s myGovID.
The scheme has been running for five years and has received more than $450 million in government funding.
Despite the DTA’s spruiking, Thinking Cybersecurity chief executive and Australian National University adjunct professor Vanessa Teague, who late last year identified a “flaw” in the digital identity system that has still not been addressed, said the framing of the consultation was “misleading”.
“The first ‘primary reason for exploring legislation’ is ‘ensuring digital identity continues to meet the needs and expectations of the community’ when in fact we have already clearly shown that existing implementations do not meet the required security and privacy standards,” Professor Teague told InnovationAus.
“The synthesis report also completely fails to distinguish between support for the aspiration of a secure digital ID, and support for the DTA’s current design, which I have not heard from a single technically-literate person.”
The DTA has released 32 of the 44 submissions it received as part of the consultation, many of which are broadly supportive of the scheme, and offer in-principle support for the proposed legislation.
But the submissions did raise a number of significant concerns that are less positive, including that the underlying protocol for the program is irrevocably flawed, that the planned introduction of biometrics should be scrapped and that not enough detail has been provided on plans to charge for access to the program.
Last year, Professor Teague and Ben Frengley, who completed a thesis on the TDIF, alerted the government to a flaw in the protocol of the ATO’s digital identity service, myGovID, that would allow an attacker to easily trick a user into handing over access to their account and control of the linked government services. They also raised issues with the wider TDIF.
These concerns were brushed off by the government at the time, which said it was not a vulnerability but rather a public awareness issue.
In their submission to the DTA, Professor Teague and Mr Frengley said there are a “number of serious security and privacy failings in its design and its existing implementation”.
These include the vulnerability in myGovID, and the use of a secure exchange gateway which is a “single point of failure for privacy and authentication”.
This is an “extremely brittle architecture that would allow for large-scale identity fraud if that one component comes under the control of a malicious party”, the researchers said.
“The TDIF as currently designed and implemented does not meet its own guiding principles – it is not immediately obvious that a brokered model without technical means to preserve privacy even can meet them,” they said.
“We recommend a careful re-evaluation of the priorities of the TDIF, and a consideration of other options which may meet its goal. The system should be abandoned and redesigned from scratch by people with some understanding of secure protocol design and some concern for protecting their fellow citizens from identity theft.”
The proposed legislation does not adequately protect the secure information of Australians using a digital identity, Professor Teague said.
“We’ve demonstrated serious problems in both the DTA’s framework and the ATO’s implementation. I really don’t think it matters how many other people were ‘overwhelmingly positive’. Unless they suggested bug-fixes and are going to get them implemented, their optimism is not going to protect them from the identity fraud that will follow from an insecure system,” she said.
“It doesn’t matter whether legislation makes identity fraud illegal – the people who commit it are criminals anyway.
“The legislation completely fails to guarantee genuine security and privacy standards, and the DTA and ATO have responded to the errors we have identified by telling us that they are not going to fix any of them.”
The Northern Territory government also raised concerns about how the digital identity program will impact those without ready access to the necessary identification documents.
“Substantial work is still required to address the details and issues for the community to ensure the digital identity system that is eventually implemented will meet the needs and protect the identities of all Australians,” the NT government’s submission said.
“There are many alternative pathways and potential unintended consequences of implementing such a significant change that need to be fully considered and addressed prior to legislation being enacted.”
There is also a need for clarifications and further details around the scheme to ensure there is public trust in it, the territory government said.
“There is substantial history in Australia of well-intentioned national initiatives that require citizen data failing or falling well short of expected or required community take-up, despite extensive public communications programs and well understood, sound purposes for most,” it said.
A number of submissions also raised concerns with the government’s plans to charge state governments and private companies to be a part of the federated digital identity system.
While still consulting on the matter, the DTA has entered into contracts worth $3.5 million with private firms to develop a charging framework for the system.
The Office of the Victorian Information Commissioner (OVIC) said the government should be cautious in attempting to charge for use of the system.
“The key policy drivers for the digital identity system should be to provide efficient and economical access to government and private sector services and transactions, and a reduction in fraud and identity theft,” the OVIC submission said.
“These policy outcomes may be impacted if commercialising the digital identity system and seeking to involve multiple identity providers is prioritised,” it said.
Cybersecurity firm VeroGuard Systems said the charging model proposed presents “insurmountable challenges”.
“A transaction-based model is impossible to budget for as the volumes of requests are unpredictable,” the VeroGuard submission said.
“If the charging model is predefined to the relying party, it is unlikely that the right platforms or a competitive market will develop or be maintained, and the entire burden, as it is currently, will continue to fall on the federal government. A user pays model would rationalise use and drive a better cost / value acceptance of the program.”
The company also warned against the incorporation of biometrics in the digital identity program, something the government has already approached the market about multiple times.
“The use of biometrics at any point of authentication introduces substantial privacy and security risks. Avoiding biometrics altogether would be a substantially better approach,” VeroGuard said.
“The exploitation of any biometric system can be catastrophic for users. Once compromised, a user’s biometric cannot be simply replaced in the manner of a password or PIN … in open networks relying on variable hardware and software on user devices, the risks are substantial and cannot be effectively managed.
“There are better, more secure approaches that do not require biometric data to be used.”
There will now be a second round of consultations after the DTA releases a position paper, before the draft legislation is developed.