The federal government’s push for an economy wide digital identity system will leave it on the “wrong side of history”, an identity and data protection expert has warned, as legislation is finalised for the expansion of the controversial program to state governments and the private sector.
The Digital Identity system has been developed by the Digital Transformation Agency (DTA) over the last six years at a cost of more than $450 million.
It allows users of federal government services to verify their identity and use it across multiple services by accessing an “identity framework” of identity and attribute providers, with Home Affairs verifying identity documents and biometrics.
It has faced criticism for repeated delays and a potentially major security flaw but will be pushed to state and territory services and the private sector as early as next year, with legislation enabling the extension and legal protections to be released by the end of 2020.
Independent researcher and consultant Stephen Wilson, whose Lockstep Consulting and Technologies firm has worked with Australian state, federal and US government agencies, said the program created a “house of cards” because it relies on a model that is fundamentally different to what citizens want and where digital service leaders are heading.
“The DTA are operating within a mindset and a model of identity that has been overtaken by events,” Mr Wilson told InnovationAus.
The government’s push for a centralised framework of identity verification across the public and private sector is inconsistent with what citizens want and where industry leaders have already shifted, he said, pointing to a growth in decentralised verifiable credentials like mobile wallets and digital drivers licences, and the failure of large scale identity programs overseas.
“If we could stop obsessing about identity and just equip people to digitise their credentials and their digital bits and pieces then I think you’d find the need for legislation and certainly the need for an identity exchange will disappear,” he said.
On Tuesday, lawyers for the DTA reiterated the legislation is needed to ensure privacy and security protections can also be expanded to new jurisdictions, and said an exposure draft will be released by early September.
During a webinar explaining the latest positions paper, DTA officials said their aim is to make user privacy and protections a defining characteristic of the scheme, which is being set up to “unlock economic efficiencies” across the Australian economy by allowing users to verify their identities more easily.
The Digital Identity system is open to a network of trusted and accredited organisations, and the proposed legislation will establish a new Oversight Authority to monitor the scheme while the Information Commissioner oversees privacy protections. The legislation will enshrine restrictions on how identity data can be accessed and used, including prohibiting one-to-many matching and imposing some restrictions on law enforcement access to data.
“It’s really well thought through and they’re doing a really good round of consultations,” Mr Wilson said.
“And it’s good work but I think they’re building a house of cards.”
Currently the government’s own identity provider myGovID, operated by the ATO, and Digital iD, operated by Australia Post, are the only accredited identity service providers.
The government expects more to join, including from the private sector, as the system expands. But Mr Wilson said it will struggle to attract identity service providers because of the identity exchange framework it relies on.
“The hypothesis is that this identity thing is such a good idea that we will have identity providers popping up all over the place in the market making money somehow,” he said.
But large-scale government-led digital identity programs in the US and UK which relied on an identity marketplace provider have “fizzled”, Mr Wilson said.
“The problem the DTA has is that they are really enshrining this idea of identity providers [and] identity exchanges. They’re enshrining a hypothetical model that just has failed to materialise. And that’s what I mean about history, I think that they’re certainly on the wrong side of history,” he said.