In the rush to be seen to do something following the Optus data breach, we risk responding the wrong way.
It’s now obvious to everyone that businesses routinely retain too much personal information, and that the true cost of a data breach is far higher than expected. We all see how criminals exploit stolen data, what makes data valuable to them, and what motivates criminal hacking.
But the systemic problem no one is talking about is the way we use identifying information to begin with. If we don’t fix that properly, then the next big breach will be just as devastating.
Why should I be vulnerable just because a thief has my name and a number or two? Why is the onus on me to renew all those numbers? And what stops the new numbers being abused all over again?
The deep problem isn’t actually about identity at all. It’s about the way we use personal data.
Some people think that in an ideal world we’d have one reusable all-purpose identity, so we wouldn’t have to repeat the ID dance every time we open a bank account or register for a government service. Some people imagine that an all-purpose identity would let us log into any internet site.
No matter what you think, as a response to the Optus breach, it’s just not practical.
Any national identity system would take years to build. Just look at how long the DTA’s Trusted Digital Identity Framework has been taking, and that’s designed just for government use.
It would also involve untold changes to the legal arrangements that underpin businesses’ customer relations, such as the Know Your Customer Rules for banking.
And any new “digital identity” would be a tough sell to the public politically.
We shouldn’t rush to abandon the way we do customer identification today, because I don’t think it’s so badly broken.
We have a set of commonly used credentials which work reasonably well in the physical world. A bank teller can generally tell if a licence or passport is genuine, for example. If someone is holding a physical credential, we can usually be sure that the data is true.
But these credentials break down in the digital world for two connected reasons.
One, organisations hold on to copies of this ID data for years, creating honeypots of huge value to criminals. Cybersecurity is hard. It’s relatively easy for someone to get hold of the numbers.
Two, at the precise point we need to trust this data — when we type those numbers into a web form — it’s difficult to tell whether the real credential-holder is typing them or whether someone else has got hold of a copy.
This inability to tell copies of data from the original is the key risk.
Criminals don’t counterfeit ID documents. They copy innocent people’s ID numbers and use them at those vulnerable points in business.
We should take measured steps to improve people’s safety.
For the best bang for the buck, a minimal change would be to live with current ID rules but fix the points where stolen data is presented as if by the genuine customer.
The Australian states have been doing a great job phasing in digital service apps, including digitised driver licences.
Many of us are now used to presenting a digital licence from our phones, and even checking digital licence QR codes. That scenario is the secure physical presentation of a digital credential, from person to person.
What we now need is secure digital presentation, from person to computer. I need to be able to present, on request, any credential in my phone across the internet.
When a form asks for an ID number, the form could offer a digital option, where the data is presented by a click from the customer’s digital wallet.
Just as we can click-to-pay using credit cards in our digital wallets, we should be able to click-to-prove our driver licence, COVID vaccinations, age, plumber’s licence, or working with children check.
With such verifiable digital credentials in a secure digital wallet, stolen ID data would be useless — because it couldn’t be presented by imposters. And there’d be no need to retain the raw ID data.
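The article does not name a mechanism. One common way to make a copied credential unpresentable is to have the issuer bind it to a key held in the wallet, and have the verifier demand a fresh signature over a one-time challenge. The following is an added example, not code from the article or from any government wallet; the function names, the choice of Ed25519 and the sample licence number are assumptions.

```javascript
// Added illustration: issuer, wallet and verifier are simulated in one process.
const crypto = require("node:crypto");

const issuer = crypto.generateKeyPairSync("ed25519"); // stands in for a licence issuer
const wallet = crypto.generateKeyPairSync("ed25519"); // private key stays in the phone
const pem = (key) => key.export({ type: "spki", format: "pem" });

// Issuer signs the claims together with the wallet's public key (holder binding).
function issueCredential(claims, holderPublicKey) {
  const body = JSON.stringify({ claims, holderKey: pem(holderPublicKey) });
  const issuerSig = crypto.sign(null, Buffer.from(body), issuer.privateKey);
  return { body, issuerSig: issuerSig.toString("base64") };
}

// Wallet signs the verifier's one-time challenge plus the credential body.
function present(credential, challenge, holderPrivateKey) {
  const proof = crypto.sign(null, Buffer.from(challenge + credential.body), holderPrivateKey);
  return { credential, proof: proof.toString("base64") };
}

// Verifier checks the issuer's signature, then the proof against the bound key.
function verify({ credential, proof }, challenge) {
  try {
    const sig = Buffer.from(credential.issuerSig, "base64");
    if (!crypto.verify(null, Buffer.from(credential.body), issuer.publicKey, sig)) return false;
    const holderKey = crypto.createPublicKey(JSON.parse(credential.body).holderKey);
    const signed = Buffer.from(challenge + credential.body);
    return crypto.verify(null, signed, holderKey, Buffer.from(proof, "base64"));
  } catch {
    return false; // malformed input is treated as a failed presentation
  }
}

function demo() {
  const cred = issueCredential({ licenceNumber: "CONSTRUCTED-0001" }, wallet.publicKey);
  const challenge = crypto.randomBytes(16).toString("hex");
  const genuine = present(cred, challenge, wallet.privateKey);
  // A thief holding a breached copy of the credential, but not the wallet key.
  const thief = crypto.generateKeyPairSync("ed25519");
  const stolen = present(cred, challenge, thief.privateKey);
  // The thief re-binds the copied claims to their own key; the issuer signature breaks.
  const rebound = { ...cred, body: JSON.stringify({ claims: JSON.parse(cred.body).claims, holderKey: pem(thief.publicKey) }) };
  return {
    genuine: verify(genuine, challenge),
    stolenCopy: verify(stolen, challenge),
    reboundCopy: verify(present(rebound, challenge, thief.privateKey), challenge),
    replay: verify(genuine, crypto.randomBytes(16).toString("hex")),
  };
}
console.log(demo());
```

Only the presentation made with the wallet's own key against the current challenge verifies. The copied credential, the re-bound copy and the replayed proof are all rejected, and the verifier has no reason to store the licence number afterwards.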
Most of the pieces of this solution already exist. There are recognised credential issuers, well trusted in the physical world. There are digital wallets that are already compatible with credit cards, concert tickets, boarding passes, and so on.
The next step should be for governments to take the lead in citizen data safety. Governments should provide the option of sending driver licences and Medicare numbers (for starters) over the internet with just a click in our mobile phones.
Proving my official documents online could be as easy as clicking to pay by credit card.
Stephen Wilson is managing director at Lockstep Consulting Australia and Lockstep Technologies, and is vice-president and principal at Constellation Research.