The first private company has received accreditation from the federal government as a digital identity provider, with legislation facilitating a significant expansion of the digital ID program set to hit Parliament soon.
Sydney-based startup OCR Labs, which offers an automated, contactless identity verification platform used by a number of banks, has been accredited by the government after meeting its requirements for privacy and security.
The company was accredited under the Digital Transformation Agency’s Trusted Digital Identity Framework (TDIF), which sets out standards, rules and guidelines for digital identity services, and joins Australia Post and the ATO’s myGovID as the only services validated so far.
Responsibility for the wider digital identity program was moved from the DTA to Services Australia earlier this year.
The TDIF requires applicants to meet a number of requirements covering privacy protection, security and fraud control, risk management and technical integrity. OCR Labs will also have to continually show that it is meeting these obligations as part of annual assessments.
The company satisfied 262 requirements to get the accreditation, which took four and a half months. This made it the second-fastest accreditation so far, out of the three completed.
“We want Australians to have confidence that their information is private and secure, regardless of who holds it. It has become increasingly important in this digital age to be able to establish trust, particularly online,” Employment Minister Stuart Robert said.
“Digital identity underpins the government’s Digital Economy Strategy that will allow Australian businesses like OCR Labs, and in particular small businesses, to capitalise on the opportunities that digital technologies are creating, enabling them to grow and create jobs as part of Australia’s economic recovery.”
But OCR Labs will not yet actually be part of the government’s digital identity system, and its services can’t be used to access government services for the time being. This will become possible when Parliament passes legislation facilitating an expansion of the program to the private sector and state and territory governments.
The startup has also not yet received the higher Identity Proofing Level 2 Plus accreditation, but will attempt to do so by the end of the year.
The government’s digital ID program has been running for six years at a cost of nearly $500 million. It aims to create a whole-of-economy federated digital identity scheme, where individuals can use a range of digital identity services to access services and products across the economy, including government services.
Legislation is required to expand the digital identity program to the private sector, and this is expected to be introduced to Parliament in the upcoming Spring sittings, although the government isn’t intending for it to be passed in this time.
The draft legislation, unveiled in June, also establishes permanent oversight and governance structures for the digital identity scheme, with a number of privacy and consumer protections to be enshrined in law.
A further $250 million was allocated to the scheme by the federal government in last year’s budget, more than doubling its entire funding across the previous five years.
But the centralised model adopted by the government for the program has been criticised, with Lockstep Consulting and Technologies’ Stephen Wilson saying it will leave Australia on “the wrong side of history”.
Security researchers have also raised concerns with the TDIF, with Thinking Cybersecurity CEO Vanessa Teague saying the framework is “very vague” and “counter-intuitive”, with too much left up to the providers.
“It leaves a lot of detail to the implementer. That’s the opposite of what a well-defined standard should be. The optional standards and vague descriptions of how it might be done leave a lot open to the implementer to potentially make a mistake,” Professor Teague said.
The DTA has previously said the TDIF is based upon the international standard OpenID Connect 1.0 and is “consistent” with the International Government Assurance Profile. But Professor Teague said it doesn’t stick to these best practice standards closely enough.
“It implements something a little similar to the OpenID Connect standard, but not quite. That ought to make you nervous to think that the DTA has taken an existing open standard quite carefully designed and then implemented something kind of similar,” she said.
“They should have implemented an existing standard. They should implement a real open standard that already exists. They shouldn’t have made up their own in the first place.”
Do you know more? Contact James Riley via Email.