When the Digital Transformation Office takes the wraps off its identity framework at the end of the month it will feature a previously unannounced biometric component.
At an Identity Summit in Sydney this week, the DTO’s head of identity Rachel Dixon said that the verification framework that the Commonwealth identity service will use needs “well anchored” biometrics, though she didn’t specify which biometric data would be used.
While the identity platform will be opt-in rather than compulsory, it could still be a hard sell to the general public – particularly following the Census debacle.
The ABS found itself in strife just for keeping name and address data. But the standards underpinning the DTO’s new identity framework will require biometrics – a whole different can of worms as far as the public is concerned.
Ms Dixon acknowledged that: “The big mission for us is not to be creepy – particularly with biometrics this is really easy and with data it’s really easy. People freak out a little bit at the idea of the Government knowing anything, and certainly one of the interesting things to me was the degree to which people would seize on every little thing in a blog post and say ‘that’s Orwellian you can’t do that’. We’re not trying to be Orwellian we are trying to be completely privacy respecting.”
The experience with the Census this week, however, has demonstrated the public gulf that can open up between intent and perception.
Biometrics can remove friction from identity management and inject security. However, while a proportion of smartphone users are getting more comfortable using fingerprints and retina scans to unlock their phones, the general public may take more convincing.
Kat Lane, vice-chair of the Australian Privacy Foundation, said: “Adding biometric into the mix is a nightmare.”
She warned that before any such system was introduced, “The consultation has to be comprehensive or there will be a backlash.”
She said that public trust had already been severely eroded by the Census and metadata collection issues, and that it would be hard to rebuild that trust without proper consultation.
Ms Dixon was clear in her presentation about why identity management was so important to the DTO.
“Governments want this stuff because it goes to the heart of improving service experience when there are entitlements, and it avoids fraud,” she said, though she acknowledged that most fraud occurred due to false entitlement claims rather than fudged identity.
Besides convincing the public why biometrics are essential, the Government will also have to explain why it is planning to allow the banks into the Australian Identity Federation.
Ms Dixon said that the DTO was currently planning on having one Commonwealth identity provider – owned and run by the Federal Government – with all agencies, the States and banks admitted to the Federation.
On the issue of security, she did say that to ensure the system is operating properly and all identity providers are complying with the standards, everyone in the identity ecosystem will face annual audits.
Graham Williamson, senior analyst at KuppingerCole, who also presented at the Summit, said that he did not believe Australia could have afforded to follow the UK model, where commercial identity providers handle identity issues for a raft of services.
Ms Dixon stressed the importance of affordability and noted that Australia wanted to make the identity service available to all agencies, even small ones, possibly providing an application programming interface to the identity service and software development kits, even connectors, to help smaller agencies develop their own identity related services and solutions.
Scarred from the failure of the Australia Card and the Access Card, the DTO is proposing an opt-in approach.
Opt-in systems, however, don’t have a great track record in Australia. The uptake of the digital health record, for example, was woeful until Government launched a couple of opt-out trials, and Ms Dixon acknowledged it could be an issue if compelling use cases weren’t made evident.
With the banks involved, however, the Government could instantly have access to 8 million identities.
According to Ms Dixon: “Two of the banks see this as something that would be useful to consumers – if consumers could log-in for example to apply for unemployment benefits using their banking credentials – then one of the problems we solve is, bingo eight million registered consumers.”
Ms Lane said that the opt-in approach being taken by the DTO did not salve her concerns and warned of the opportunity for scope creep. She said that the fact that the digital health record, which was once opt-in, is now opt-out in two trials demonstrated how quickly things could change.
Whatever the public perceptions, the standards for the identity federation will be released at the end of this month, with a public beta of the service scheduled for July 2017.
Ahead of that, the DTO will release an RFP to a handful of organisations working in the identity management arena.
Identity management company ForgeRock, which organised this week’s Summit, responded to the DTO’s RFI earlier this year.
While Ms Dixon stressed that the DTO had not yet decided whether it would purchase commercial software for its hub, it is worth noting that ForgeRock’s July release of its Identity Management Platform already supports touch ID.
ForgeRock’s technology is also being used at the ATO, and it underpins New Zealand’s RealMe identity service, which can be used by public and private organisations to do everything from opening a bank account to enrolling to vote.