In the rush to be seen to do something following the Optus data breach, we risk responding the wrong way.
It’s now obvious to everyone that businesses routinely retain too much personal information, and that the true cost of a data breach is far higher than expected. We all see how criminals exploit stolen data, what makes data valuable to them, and what motivates criminal hacking.
But the systemic problem no one is talking about is the way we use identifying information to begin with. If we don’t fix that properly, then the next big breach will be just as devastating.
Why should I be vulnerable just because a thief has my name and a number or two? Why is the onus on me to renew all those numbers? And what stops the new numbers being abused all over again?
The deep problem isn’t actually about identity at all. It’s about the way we use personal data.
Some people think that in an ideal world we’d have one reusable all-purpose identity, so we wouldn’t have to repeat the ID dance every time we open a bank account or register for a government service. Some people imagine that an all-purpose identity would let us log into any internet site.
No matter what you think, as a response to the Optus breach, it’s just not practical.
Any national identity system would take years to build. Just look at how long the DTA’s Trusted Digital Identity Framework has been taking, and that’s designed just for government use.
It would also involve untold changes to the legal arrangements that underpin businesses’ customer relations, such as the Know Your Customer Rules for banking.
And any new “digital identity” would be a tough sell to the public politically.
We shouldn’t rush to abandon the way we do customer identification today, because I don’t think it’s so badly broken.
We have a set of commonly used credentials which work reasonably well in the physical world. A bank teller can generally tell if a licence or passport is genuine, for example. If someone is holding a physical credential, we can usually be sure that the data is true.
But these credentials break down in the digital world for two connected reasons.
One, organisations hold on to copies of this ID data for years, creating honeypots of huge value to criminals. Cybersecurity is hard. It’s relatively easy for someone to get hold of the numbers.
Two, at the precise point we need to trust this data — when we type those numbers into a web form — it’s difficult to tell whether the real credential-holder is typing them or whether someone else has got hold of a copy.
This inability to tell copies of data from the original is the key risk.
Criminals don’t counterfeit ID documents. They copy innocent people’s ID numbers and use them at those vulnerable points in business.
We should take measured steps to improve peoples’ safety.
For the best bang for the buck, a minimal change would be to live with current ID rules but fix the points where stolen data is presented as if by the genuine customer.
The Australian states have been doing a great job phasing in digital service apps, including digitised driver licences.
Many of us are now used to presenting a digital licence from our phones, and even checking digital licence QR codes. That scenario is the secure physical presentation of a digital credential, from person to person.
What we now need is secure digital presentation, from person to computer. I need to be able to present, on request, any credential in my phone across the internet.
When a form asks for an ID number, the form could offer a digital option, where the data is presented by a click from the customer’s digital wallet.
Just as we can click-to-pay using credit cards in our digital wallets, we should be able to click-to-prove our driver licence, COVID vaccinations, age, plumbers licence, or working with children check.
With such verifiable digital credentials in a secure digital wallet, stolen ID data would be useless — because it couldn’t be presented by imposters. And there’d be no need to retain the raw ID data.
Most of the pieces of this solution already exist. There are recognised credential issuers, well trusted in the physical world. There are digital wallets that are already compatible with credit cards, concert tickets, boarding passes, and so on.
The next step should be for governments to take the lead in citizen data safety. Governments should provide the option of sending driver licences and Medicare numbers (for starters) over the internet with just a click in our mobile phones.
Proving my official documents online could be as easy as clicking to pay by credit card.
Stephen Wilson is managing director at Lockstep Consulting Australia and Lockstep Technologies, and is vice-president and principal at Constellation Research.
Do you know more? Contact James Riley via Email.
Unfortunately using personal identification data in authentication processes for authorisation exposes users to identity theft. Technology to authenticate without the need for use of personal information has been in existence for over 10 years now, it is disappointing to see such a slow rate of adoption in Government and Industry.
“Some people think that in an ideal world we’d have one reusable all-purpose identity ….” Those people are the APS and there’s bi-partisan agreement in the political class concerning an Australian Barcode – a unique identifier from birth to death. That links every life event to you and is to be “shared” with the private, for-profit sector to create value through Surveillance Capitalism (look for Shoshana Zuboff’s book title). There is no plan to reduce the collection of data concerning Australians. Both sides of politics will facilitate an increase. The fear of “identity fraud” is a marketing tool and a con job to gain support for a bad idea. No thank you … the answer is redundancy. Have many identifiers. Lose one and the rest are safe. Limit the downside.
“When a form asks for an ID number, the form could offer a digital option, where the data is presented by a click from the customer’s digital wallet.”
In order to reduce instances of identity fraud, the service provider / relying party should be *required* to offer a digital option, at least for certain kinds of sensitive transactions. But unless the service provider always requires the use of digital credentials for such transactions, an imposter can still replay someone’s identifying information when a digital credential is not required.
To reduce the likelihood of identity fraud, an obvious solution is for the government to require the use of appropriate digital credentials for anyone conducting certain kinds of sensitive online transactions. However, this may not be politically feasible. Yet even when digital credentials are not generally required, it’s my belief that security-minded consumers should still be able to take some action to minimize their risk of being impersonated.
How about if such consumers were able to register their ID numbers with some system, and if service providers were required to query this system when conducting certain kinds of sensitive transactions? If an ID number is not registered, the service provider who chooses not to require digital credentials could proceed as usual. But if an ID number is registered, the service provider would be required to use a digital credential for the transaction. This would provide consumers who have a digital credential with reasonable assurance that someone who possesses their identifying information as a result of a data breach would still not be able to impersonate them, even when digital credentials are not ordinarily required.