The Australian Strategic Policy Institute’s deep-dive through the hidden recesses of the federal government’s digital identity program is a timely contribution to an overdue discussion on data rights and the nature of privacy in the data economy.
ASPI’s International Cyber Policy Centre paints an alarming picture, counting the ways in which Australia is sleepwalking toward an identity regime that is not well understood by the public, and which has been developed in such a way as to guarantee a backlash when they find out.
The report’s author Fergus Hanson – who heads the International Cyber Policy Centre at ASPI – says the digital ID program is governed largely by regulatory control rather than legislation, leaving it open to government over-reach in the future, and that privacy protections are based on the creaky Privacy Act 1988, leaving Australians’ data potentially exposed.
Most sensationally, the report contends that a lack of clarity over how the private sector will or will not be allowed to use the scheme will turbo-charge the efforts of smart companies in hoovering up data in order to profile individual Australians.
“Controls are needed to prevent a Western version of China’s ‘social credit’ scheme emerging,” it says.
As if this bogeyman were not enough, the report also raises the spectre of the failed Australia Card identity of the Hawke era, the recurring nightmare of governments ever since.
The central theme of the Preventing Another Australia Card Fail report is about the value to citizens, consumers, governments and taxpayers of a safe and secure digital identity infrastructure. It acknowledges significant benefits of a well-regulated national digital ID scheme to each of these constituent stakeholders.
It is an overwhelmingly positive document that nonetheless raises straightforward concerns about the implementation and oversight of digital identity in Australia.
Given the digital identity program has been designed on the quiet, out of sight of the broader public, ASPI has done the government a favour by highlighting these concerns. You would think the architects might want to get out ahead of these issues.
The danger, of course, is that the public will loudly reject the digital identity program as having been dumped on them without consultation – just like the deadline for the opt-out was dumped on them in the My Health Record debacle. Opt-out? When did that happen? I thought it was opt-in!
It is surely better to have the discussion out in the open, rather than hidden from view.
The agency charged with developing the digital identity program is the maligned and troubled Digital Transformation Agency. The DTA has had several false starts since it was announced in early 2015 by the then-Communications Minister Malcolm Turnbull.
(As an aside, historians will remember this tremendous January 2015 announcement well, for it was followed several days later by the then Prime Minister Tony Abbott bestowing the great honour of an Australian knighthood on the Queen’s husband Prince Philip and taking a great big bite out of a raw onion on national television, the skin still on. How fabulous that our land is girt by sea.)
Since that time, if you include interim CEOs and acting CEOs, the DTA has had five chief executives in three years. Most recently Randall Brugeaud was appointed to run the DTA in July, and has put the agency through a restructure since joining.
Since its earliest days, the DTA has struggled with its communications function. But right now, it is shockingly bad at a moment in time when it needs to be shockingly good. Not only is the DTA terrible at bringing the public along with these great changes, it doesn’t seem to believe that is its role. It is horrendous, and shameful.
There are enormous changes underway in the way we interact with government, and the way that we engage with the rest of the economy.
There is a change management role here for communications excellence in which the DTA is failing badly. It should not be allowed to continue failing.
Digital identity is a fundamental building block for the digital economy. It is a key to the further development of the data economy. Our broader society needs to understand what is being planned and they need to be told what the benefits are and where the trade-offs must be acknowledged.
The DTA complains that ASPI is connecting dots between the government’s Facial Verification Service and the Facial Identity Service where no dots exist. As if anyone, literally, will give a shit about that particular intellectual distinction when they read it for the first time in an outraged Facebook post.
Right now is when we get to design the system that we want as Australians. But we cannot do that with credibility if we cannot bring Australians on board with the program.
The concerns expressed in the ASPI report expose another issue – that data regulation is spread far and wide across government. From the outside at least, whatever whole-of-government thinking there is about data policy is not reflected in the way that data regulation is managed.
From the Office of the Australian Information Commissioner to the ACCC, to the newly appointed Chief Data Officer, to the DTA, to Treasury and the open banking regime, the responsibility for the management of data is diffused. And it’s not working for us anymore.
The regulatory environment needs an overhaul. There is an argument to be made to consolidate regulation of the different parts of the data ecosystem into a single organisation.
Digital identity is just one of the building blocks. Being buried in the tiny DTA makes it difficult for the issue to get the level of profile it needs for a meaningful engagement with the Australian community.
It would be great if the DTA were good at communicating the benefits of the digital identity architecture for all Australians, while noting where there are possible trade-offs that need to be made, and acknowledging systemic issues that are a reality in a digital environment.
But it is not good at this. It is terrible. The DTA was supposed to be an advocate for citizens in the development of services. It is not, and if there isn’t a degree of shame in the organisation there should be.
It is quite clear that citizens are not the first priority of this organisation. The government is. And then the public service. And whoever comes next can take a ticket.
The ASPI International Cyber Policy Centre report conflated a couple of terms, calling myGov a credential at one point, and confusing the nature of the GovPass system at another. The DTA used this to discredit the report in its entirety, and to attack its author.
The DTA labelled it as “opinion,” said it was “inaccurate and contained many factual errors” and that it “was not an informed or objective appraisal of the program.”
What the DTA did not do was engage with the specific and very obvious concerns outlined in the paper, or with the positive recommendations it made to assist with those specific and obvious concerns.
Which is a great shame, because either they deal with these issues now in a serious way – and contribute to a positive discussion about how these concerns might be dealt with – or they can deal with them when it is too late, when they have blown up, putting the whole program at risk.
Here is an example of a publication that specialises in public sector reporting attempting to understand the different parts of the DTA digital identity effort. This was published just last month.
InnovationAus.com contacted the DTA media team seeking a background interview with someone from the digital identity team to clarify a couple of points of confusion arising from a statement it published condemning the ASPI report. Naturally no-one was available.