What Australia’s proposed digital ID scheme really means

Published Nov 24, 2022 by Xiph

The Australian government is considering using myGov or the myGovID system to centralise digital identity authentication in the wake of cyber breaches impacting some of the country’s biggest companies like Optus and Medibank. However, a national ID scheme is no silver bullet to Australia’s inadequate cyber defences, and instead presents several cyber security risks of its own.

What is Australia’s proposed digital ID scheme?

A digital ID system already exists within myGov which allows Australians and businesses to verify their identity with one login when accessing government online services like Centrelink, Medicare, and the Australian Taxation Office (ATO). People can currently use their myGovID to access over 80 government services and agencies.

The latest data breaches involving Optus, Medibank, EnergyAustralia and the like have renewed calls to expand this centralised system to the private sector. This would essentially remove the need for organisations like telecommunication companies and banks to hold on to people’s ID documents and associated information in their databases for years.

A digital ID scheme would mean that only one login would be required to prove a person’s identity, rather than supplying paper documents like a passport or driver’s licence. Once a person’s identity had been verified by a trusted provider, they would be able to link it across a range of services and products, including banking, healthcare providers, utility companies, hotels, airlines, and more. It would also remove the need to provide 100 points of ID to each institution individually.

Under the proposed scheme, people would be given several options to create their digital ID, which could be through a federal agency, a state, or an approved private provider like a bank. Users would then choose the services to use with their login.

Why the renewed calls for a national digital ID system?

The government and proponents of the federal ID scheme say that it would make it easier for businesses to verify a person’s identity and eliminate the need for companies to collect a person’s identification, like driver’s licence or passport numbers, in the first place. It would also reduce the risk of identity theft and finally put an end to our reliance on paper-based ID. Privacy advocates, however, argue that current proposals for a federal ID scheme aren’t underpinned by good design and are likely to cause us more privacy problems in the future.

The national identity system would be built on new technology infrastructure. However, federal, state and territory governments would need to work together to establish national legislation for a trusted digital identity framework to be used more broadly. There’s already a draft Trusted Digital Identity Bill 2021 in review.

How would a digital identity scheme work?

The rationale behind a properly functioning digital ID scheme is that it would allow you to prove who you are online, and to re-use your digital identity whenever you need it. It would by extension remove the need for companies like banks and telcos to hold your personal and customer information, and with it the onus of keeping this data safe from hackers.

Digital identity would require you to confirm your personal details, entitlements, and authorisations, such as proving you’re over 18, online or in person via your phone. You’ll need to provide a one-off verification like a photo of your driver’s licence by uploading the document to the centralised platform which could be checked against your biometrics. Your details would then be checked against the relevant government databases.

Your digital identity would be stored on a mobile application like myGov, which you’d be able to use anytime to transact with companies and businesses without needing to upload another set of documents. For example, you’d be able to enter your phone number on their website and allow permission to undertake the identity check via your digital identity mobile app.

Under the proposal, any Australian business can apply to join the Trusted Digital Identity Framework (TDIF) to become an identity accreditor. Australia Post, the ATO and OCR Labs have already been granted accreditation.

Will digital ID be mandatory in Australia?

Creating or using a digital identity is not compulsory, although it offers unparalleled convenience. There are more than 25 million active myGov accounts, including businesses that use this system to log into and access government services online. The only alternative to that is to access government services via phone or in person at a government shopfront.

The digital ID system underpinned by the myGov platform was initiated by the Coalition government in 2015 to streamline access to government services such as Medicare, Centrelink and the ATO.

Is the national digital ID scheme a security risk?

The national digital ID scheme has several pitfalls. Firstly, storing ID document numbers on a single infrastructure exacerbates the risk of cyber attacks: having the population's data in a centralised database makes it a goldmine for hackers and state-sponsored hacking. Secondly, if the national ID scheme database were breached or misused, people can't simply change their biometrics, like they could with a password. For these reasons, this system must include an opt-in or opt-out feature that would allow other means of verifying people’s identities.

Is there a privacy risk?

The main concern with the proposed digital ID scheme is that it would essentially allow the linking of all your personal information, including tax history, welfare payments, driving record, and medical history (including your vaccination status), and enable iniquitous instances of discrimination, behaviour profiling, targeted advertising, or state surveillance. Laws would have to be passed that ensure privacy and consumer protections. As a worst-case scenario, the ongoing ‘datafication’ of the population could spearhead a social credit system similar to what China has. Security experts argue the scheme deserves as much scrutiny as the controversial Australia Card proposal of the 1980s.

Which countries are using a digital ID scheme?

Countries like Brazil, Estonia, and Greece have already implemented some type of digital ID framework which allows permanent residents and citizens to use documents such as driver’s licences and passports online and on their mobile devices. These countries are using slightly different models of digital identification systems. For example, Greece is using the Gov.gr Wallet for both Android and iOS devices, which enables citizens to generate digital documents that can be used in Greece in the same way as their physical ID card or driving licence. These documents incorporate a QR code and unique document code that allow a document’s authenticity to be verified by officials. Meanwhile, Estonia uses an electronic identity system called eID, which allows its citizens to vote online, submit tax claims, check health records, organise prescriptions, and use digital signatures.

English-speaking countries including the UK, New Zealand, and Canada are currently working on proposals, technical and identity standards, liability, and other policies.

A final word

The argument for a centralised digital ID scheme in Australia is shaky at best and leaves some important questions around privacy regulation and data protection still unanswered. For our thoughts and advice, contact us via email: enquiries@xiphcyber.com.

